The following Fedora EPEL 5 Security updates need testing:
Age  URL
412  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-5630/bugzilla-3....
307  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-6608/Django-1.1....
113  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-0366/openconnect...
 46  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5517/git-1.8.2.1...
 14  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5968/transifex-c...
 10  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5990/mod_securit...
 10  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5991/cgit-0.9.2-...
 10  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5996/socat-1.7.2...
  6  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-6047/nrpe-2.14-3...
  3  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-6086/libguestfs-...
  2  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-6089/ssmtp-2.61-...
  0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-10388/perl-Modul...
  0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-10389/rrdtool-1....
The following builds have been pushed to Fedora EPEL 5 updates-testing
perl-Module-Signature-0.73-1.el5
python-virtualenv-1.7.2-2.el5
rrdtool-1.2.27-4.el5
Details about builds:
================================================================================
perl-Module-Signature-0.73-1.el5 (FEDORA-EPEL-2013-10388)
CPAN signature management utilities and modules
--------------------------------------------------------------------------------
Update Information:
This update ensures that digest modules are only loaded from absolute paths in @INC,
avoiding a potential arbitrary code execution problem (CVE-2013-2145).
There are also a variety of internal package clean-ups.
--------------------------------------------------------------------------------
ChangeLog:
* Fri Jun 7 2013 Paul Howarth <paul(a)city-fan.org> - 0.73-1
- Update to 0.73
- Support for gpg under these alternate names: gpg gpg2 gnupg gnupg2
- Don't check gpg version if gpg does not exist
- Constrain the user-specified digest name to /^\w+\d+$/
- Only allow loading Digest::* from absolute paths in @INC (CVE-2013-2145)
- This release by AUDREYT -> update source URL
- Include Andreas Koenig's GPG key in the SRPM and import it in %prep so
that we don't need to get it from a keyserver in %check
- Make building non-interactive
- Specify all dependencies
- Don't need to remove empty directories from the buildroot
- Drop %defattr, redundant since rpm 4.4
- Use %{_fixperms} macro rather than our own chmod incantation
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #971096 - CVE-2013-2145 perl-Module-Signature: arbitrary code execution when verifying SIGNATURE
https://bugzilla.redhat.com/show_bug.cgi?id=971096
--------------------------------------------------------------------------------
================================================================================
python-virtualenv-1.7.2-2.el5 (FEDORA-EPEL-2013-10396)
Tool to create isolated Python environments
--------------------------------------------------------------------------------
Update Information:
* Switch to an older version of virtualenv because the 1.9.x branch doesn't work with python-2.4
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #969395 - virtualenv does not work anymore because Python 2.4 support was dropped in virtualenv 1.9
https://bugzilla.redhat.com/show_bug.cgi?id=969395
--------------------------------------------------------------------------------
================================================================================
rrdtool-1.2.27-4.el5 (FEDORA-EPEL-2013-10389)
Round Robin Database Tool to store and display time-series data
--------------------------------------------------------------------------------
Update Information:
This update adds an explicit check of the imginfo format string. It may prevent crashes or exploitation
of user-space applications that pass a user-supplied format to the library call without validating it.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #969311 - CVE-2013-2131 rrdtool: crashes on format string exploit [epel-5]
https://bugzilla.redhat.com/show_bug.cgi?id=969311
--------------------------------------------------------------------------------