The following Fedora EPEL 5 Security updates need testing:
Age URL
774
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-5630/bugzilla-3....
228
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11893/libguestfs...
108
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-0581/augeas-1.2....
7
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1515/check-mk-1....
4
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1544/python26-mo...
0
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1575/chkrootkit-...
The following builds have been pushed to Fedora EPEL 5 updates-testing
chkrootkit-0.49-9.el5
davix-0.3.1-1.el5
tomcat-native-1.1.30-1.el5
zabbix20-2.0.12-1.el5
Details about builds:
================================================================================
chkrootkit-0.49-9.el5 (FEDORA-EPEL-2014-1575)
Tool to locally check for signs of a rootkit
--------------------------------------------------------------------------------
Update Information:
A quoting issue was found in chkrootkit which would lead to a file in /tmp/ being
executed, if /tmp/ was mounted without the noexec option. chkrootkit is typically run as
the root user. A local attacker could use this flaw to escalate their privileges.
The problematic part was:
file_port=$file_port $i
Which is changed to file_port="$file_port $i" to fix the issue. From the Debian
diff:
--- chkrootkit-0.49.orig/debian/patches/CVE-2014-0476.patch
+++ chkrootkit-0.49/debian/patches/CVE-2014-0476.patch
@@ -0,0 +1,13 @@
+Index: chkrootkit/chkrootkit
+===================================================================
+--- chkrootkit.orig/chkrootkit
++++ chkrootkit/chkrootkit
+@@ -117,7 +117,7 @@ slapper (){
+ fi
+ for i in ${SLAPPER_FILES}; do
+ if [ -f ${i} ]; then
+- file_port=$file_port $i
++ file_port="$file_port $i"
+ STATUS=1
+ fi
+ done
Acknowledgements:
Red Hat would like to thank Thomas Stangner for reporting this issue.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jun 4 2014 Jon Ciesla <limburgher(a)gmail.com> - 0.49-9
- Patch for CVE-2014-0476, BZ 1104456, 11044567.
- Reapply vendor tag for el5.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1104456 - CVE-2014-0476 chkrootkit: local privilege escalation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1104456
[ 2 ] Bug #1104457 - CVE-2014-0476 chkrootkit: local privilege escalation [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1104457
--------------------------------------------------------------------------------
================================================================================
davix-0.3.1-1.el5 (FEDORA-EPEL-2014-1578)
Toolkit for Http-based file management
--------------------------------------------------------------------------------
Update Information:
davix 0.3.1 release, see RELEASE-NOTES for changes
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jun 4 2014 Adrien Devresse <adevress at cern.ch> - 0.3.1-1
- davix 0.3.1 release, see RELEASE-NOTES for changes
* Tue Jun 3 2014 Adrien Devresse <adevress at cern.ch> - 0.3.0-1
- davix 0.3.0 release, see RELEASE-NOTES for changes
* Tue Jan 28 2014 Adrien Devresse <adevress at cern.ch> - 0.2.10-1
- davix 0.2.10 release, see RELEASE-NOTES for details
--------------------------------------------------------------------------------
================================================================================
tomcat-native-1.1.30-1.el5 (FEDORA-EPEL-2014-1569)
Tomcat native library
--------------------------------------------------------------------------------
Update Information:
Update to version 1.1.30 for Tomcat 7.0.54 compatibility.
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html
--------------------------------------------------------------------------------
ChangeLog:
* Tue Apr 15 2014 Ville Skyttä <ville.skytta(a)iki.fi> - 1.1.30-1
- Update to 1.1.30
--------------------------------------------------------------------------------
================================================================================
zabbix20-2.0.12-1.el5 (FEDORA-EPEL-2014-1574)
Open-source monitoring solution for your IT infrastructure
--------------------------------------------------------------------------------
Update Information:
Release notes:
http://www.zabbix.com/rn2.0.12.php
This build contains a patch for ZBX-8238:
https://support.zabbix.com/browse/ZBXNEXT-3238
"logrt may continue reading an old file repeatedly."
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jun 3 2014 Volker Fröhlich <volker27(a)gmx.at> - 2.0.12-1
- New upstream release
- Patch for ZBX-8238 (logrt may continue reading an old file repeatedly)
* Tue Jun 3 2014 Volker Fröhlich <volker27(a)gmx.at> - 2.0.11-2
- Handle su directive in logrotate configuration properly (BZ1074318)
--------------------------------------------------------------------------------