The following Fedora EPEL 7 Security updates need testing:
Age URL
584
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-3c9292b62d
condor-8.6.11-1.el7
325
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-c499781e80
python-gnupg-0.4.4-1.el7
323
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-bc0182548b
bubblewrap-0.3.3-2.el7
33
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-fa8a2e97c6
python-waitress-1.4.3-1.el7
16
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-4fdca9429c
seamonkey-2.53.1-2.el7
11
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-b8f44a854a
weechat-2.7.1-1.el7
11
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-b467e9784b
php-horde-Horde-Form-2.0.20-1.el7
4
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-7e106e25f9
timeshift-20.03-1.el7
0
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-42d19f5f91
chromium-80.0.3987.149-1.el7
0
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-33500a2742
tor-0.3.5.10-1.el7
The following builds have been pushed to Fedora EPEL 7 updates-testing
ckeditor-4.14.0-1.el7
java-latest-openjdk-14.0.0.36-1.rolling.el7
msgpack-3.1.0-4.el7
ocserv-1.0.0-1.el7
php-behat-mink-1.8.1-1.el7
php-behat-mink-browserkit-driver-1.3.4-2.el7
php-theseer-autoload-1.25.9-1.el7
python-colander-1.7.0-2.el7
Details about builds:
================================================================================
ckeditor-4.14.0-1.el7 (FEDORA-EPEL-2020-7c64d8ca18)
WYSIWYG text editor to be used inside web pages
--------------------------------------------------------------------------------
Update Information:
## CKEditor 4.14 **Security Updates:** *
[
CVE-2020-9281](https://nvd.nist.gov/vuln/detail/CVE-2020-9281) Fixed XSS
vulnerability in the HTML data processor reported by [Micha��
Bentkowski](https://twitter.com/securitymb) of Securitum. Issue
summary: It was possible to execute XSS inside CKEditor after persuading the
victim to: (i) switch CKEditor to source mode, then (ii) paste a specially
crafted HTML code, prepared by the attacker, into the opened CKEditor source
area, and (iii) switch back to WYSIWYG mode or (i) copy the specially crafted
HTML code, prepared by the attacker and (ii) paste it into CKEditor in WYSIWYG
mode. * [
CVE-2020-9440](https://nvd.nist.gov/vuln/detail/CVE-2020-9440) Fixed
XSS vulnerability in the WebSpellChecker Dialog plugin reported by [Pham Van
Khanh](https://twitter.com/rskvp93) from Viettel Cyber Security. Issue
summary: It was possible to execute XSS using CKEditor after persuading the
victim to: (i) switch CKEditor to source mode, then (ii) paste a specially
crafted HTML code, prepared by the attacker, into the opened CKEditor source
area, then (iii) switch back to WYSIWYG mode, and (iv) preview CKEditor content
outside CKEditor editable area. **An upgrade is highly recommended!** New
features: * [#2374](https://github.com/ckeditor/ckeditor4/issues/2374): Added
support for pasting rich content from LibreOffice Writer with the [Paste from
LibreOffice](https://ckeditor.com/cke4/addon/pastefromlibreoffice) plugin. *
[#2583](https://github.com/ckeditor/ckeditor4/issues/2583): Changed
[
emoji](https://ckeditor.com/cke4/addon/emoji) suggestion box to show the
matched emoji name instead of an ID. *
[#3748](https://github.com/ckeditor/ckeditor4/issues/3748): Improved the [color
button](https://ckeditor.com/cke4/addon/colorbutton) state to reflect the
selected editor content colors. *
[#3661](https://github.com/ckeditor/ckeditor4/issues/3661): Improved the
[
Print](https://ckeditor.com/cke4/addon/print) plugin to respect styling
rendered by the [
Preview](https://ckeditor.com/cke4/addon/preview) plugin. *
[#3547](https://github.com/ckeditor/ckeditor4/issues/3547): Active
[
dialog](https://ckeditor.com/cke4/addon/dialog) tab now has the `aria-
selected="true"` attribute. *
[#3441](https://github.com/ckeditor/ckeditor4/issues/3441): Improved [`widget.ge
tClipboardHtml()`](https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITO...
ns_widget.html#method-getClipboardHtml) support for dragging and dropping
multiple [
widgets](https://ckeditor.com/cke4/addon/widget). Fixed Issues: *
[#3587](https://github.com/ckeditor/ckeditor4/issues/3587): [Edge, IE] Fixed:
[
Widget](https://ckeditor.com/cke4/addon/widget) with form input elements loses
focus during typing. *
[#3705](https://github.com/ckeditor/ckeditor4/issues/3705): [Safari] Fixed:
Safari incorrectly removes blocks with the [`editor.extractSelectedHtml()`](http
s://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_editor.html#method-
extractSelectedHtml) method after selecting all content. *
[#1306](https://github.com/ckeditor/ckeditor4/issues/1306): Fixed: The
[
Font](https://ckeditor.com/cke4/addon/font) plugin creates nested HTML `<span>`
tags when reapplying the same font multiple times. *
[#3498](https://github.com/ckeditor/ckeditor4/issues/3498): Fixed: The editor
throws an error during the copy operation when a
[
widget](https://ckeditor.com/cke4/addon/widget) is partially selected. *
[#2517](https://github.com/ckeditor/ckeditor4/issues/2517): [Chrome, Firefox,
Safari] Fixed: Inserting a new image when the selection partially covers an
existing [enhanced
image](https://ckeditor.com/cke4/addon/image2) widget throws
an error. * [#3007](https://github.com/ckeditor/ckeditor4/issues/3007): [Chrome,
Firefox, Safari] Fixed: Cannot modify the editor content once the selection is
released over a [
widget](https://ckeditor.com/cke4/addon/widget). *
[#3698](https://github.com/ckeditor/ckeditor4/issues/3698): Fixed: Cutting the
selected text when a [
widget](https://ckeditor.com/cke4/addon/widget) is
partially selected merges paragraphs. API Changes: *
[#3387](https://github.com/ckeditor/ckeditor4/issues/3387): Added the [CKEDITOR.
ui.richCombo.select()](https://ckeditor.com/docs/ckeditor4/latest/api/CKE...
i_richCombo.html#method-select) method. *
[#3727](https://github.com/ckeditor/ckeditor4/issues/3727): Added new
`textColor` and `bgColor` commands that apply the selected color chosen by the
[Color
Button](https://ckeditor.com/cke4/addon/colorbutton) plugin. *
[#3728](https://github.com/ckeditor/ckeditor4/issues/3728): Added new `font` and
`fontSize` commands that apply the selected font style chosen by the
[
Font](https://ckeditor.com/cke4/addon/colorbutton) plugin. *
[#3842](https://github.com/ckeditor/ckeditor4/issues/3842): Added the [`editor.g
etSelectedRanges()`](https://ckeditor.com/docs/ckeditor4/latest/api/CKEDI...
tor.html#method-getSelectedRanges) alias. *
[#3775](https://github.com/ckeditor/ckeditor4/issues/3775): Widget [mask](https:
//ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_plugins_widget.html#property-
mask) and [
parts](https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_plugin
s_widget.html#property-parts) can now be refreshed dynamically via API calls.
--------------------------------------------------------------------------------
ChangeLog:
* Fri Mar 20 2020 Shawn Iwinski <shawn(a)iwin.ski> - 4.14.0-1
- Update to 4.14.0 (RHBZ #1810020)
- CVE-2020-9281 (RHBZ #1814825,1814826,1814827)
- CVE-2020-9440
* Tue Jan 28 2020 Fedora Release Engineering <releng(a)fedoraproject.org> - 4.13.1-2
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1814826 - CVE-2020-9281 ckeditor: XSS in the HTML Data Processor allows
remote attackers to inject arbitrary web script through a crafted "protected"
comment [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1814826
[ 2 ] Bug #1814827 - CVE-2020-9281 ckeditor: XSS in the HTML Data Processor allows
remote attackers to inject arbitrary web script through a crafted "protected"
comment [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1814827
[ 3 ] Bug #1810020 - ckeditor-4.14.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1810020
--------------------------------------------------------------------------------
================================================================================
java-latest-openjdk-14.0.0.36-1.rolling.el7 (FEDORA-EPEL-2020-71b5b7bd55)
OpenJDK Runtime Environment 14
--------------------------------------------------------------------------------
Update Information:
Update to OpenJDK 14, which was released 17.03.2020. The list of features can be
found at
https://jdk.java.net/14/.
--------------------------------------------------------------------------------
ChangeLog:
* Fri Mar 13 2020 Petra Alice Mikova <pmikova(a)redhat.com> - 1:14.0.0.36-1.rolling
- update to jdk 14+36 ga build
- removed pack200 and unpack200 binaries, slaves, manpages and libunpack.so library
- added listings for jpackage binary, manpages and added slave records to alternatives
--------------------------------------------------------------------------------
================================================================================
msgpack-3.1.0-4.el7 (FEDORA-EPEL-2020-0cb190ad4a)
Binary-based efficient object serialization library
--------------------------------------------------------------------------------
Update Information:
New release for EPEL7
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jan 29 2020 Fedora Release Engineering <releng(a)fedoraproject.org> - 3.1.0-4
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jul 25 2019 Fedora Release Engineering <releng(a)fedoraproject.org> - 3.1.0-3
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Feb 1 2019 Fedora Release Engineering <releng(a)fedoraproject.org> - 3.1.0-2
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Aug 22 2018 Daiki Ueno <dueno(a)redhat.com> - 3.1.0-1
- new upstream release
- cmake configuration files no longer rely on nonexistent static libraries
* Fri Jul 13 2018 Fedora Release Engineering <releng(a)fedoraproject.org> - 3.0.1-2
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Jun 7 2018 Daiki Ueno <dueno(a)redhat.com> - 3.0.1-1
- new upstream release
* Thu Feb 8 2018 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.4.2-5
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Sat Feb 3 2018 Igor Gnatenko <ignatenkobrain(a)fedoraproject.org> - 1.4.2-4
- Switch to %ldconfig_scriptlets
* Thu Aug 3 2017 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.4.2-3
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.4.2-2
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Tue Feb 21 2017 Daiki Ueno <dueno(a)redhat.com> - 1.4.2-1
- new upstream release
- avoid FTBFS with GCC7
* Fri Feb 10 2017 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.4.1-2
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1793715 - Update to a recent release
https://bugzilla.redhat.com/show_bug.cgi?id=1793715
--------------------------------------------------------------------------------
================================================================================
ocserv-1.0.0-1.el7 (FEDORA-EPEL-2020-08a306f9dd)
OpenConnect SSL VPN server
--------------------------------------------------------------------------------
Update Information:
- Update to upstream 1.0.0 release
--------------------------------------------------------------------------------
ChangeLog:
* Fri Mar 20 2020 Nikos Mavrogiannopoulos <n.mavrogiannopoulos(a)gmail.com> - 1.0.0-1
- Update to upstream 1.0.0 release
--------------------------------------------------------------------------------
================================================================================
php-behat-mink-1.8.1-1.el7 (FEDORA-EPEL-2020-ce525d7280)
Browser controller/emulator abstraction for PHP
--------------------------------------------------------------------------------
Update Information:
1.8.1 / 2020-03-11 ================== Bug fixes: * Fixed the phpdoc of
`NodeElement::getValue`. This method actually returns `null` in some cases
(unchecked checkbox for instance) 1.8.0 / 2020-03-11 ================== New
features: * Auto-start the session on first call to `visit`.
`Mink::getSession()` will no longer start the session automatically. * Added
support for `symfony/css-selector` 4 and 5 Bug fixes: * Fixed the message when
reporting the deprecation of `ExpectationException::getSession()` * Fixed
support for XPath selectors using `|` inside strings or conditions rather than
as a top-level union * Fixed compatibility with PHP 7.2 not allowing to use
`count` on strings Testsuite: * Added PHP 7.1, 7.2, 7.3 and 7.4 in the CI *
Removed HHVM from CI as they stopped supporting PHP compatibility Driver
testsuite: * The driver testsuite is no longer part of this package. Use
`mink/driver-testsuite` to run driver tests instead. Misc: * Changed phpdoc
types from `Boolean` to `boolean` to be compatible with psalm type checking
--------------------------------------------------------------------------------
ChangeLog:
* Tue Mar 17 2020 Shawn Iwinski <shawn(a)iwin.ski> - 1.8.1-1
- Update to 1.8.1 (RHBZ #1812690)
- Obsolete test suite sub-package
- Testsuite as source to ensure proper version/commit
- Conditionally use range dependencies
- Conditionally drop Symfony 2 interoperability
- Conditionally use PHPUnit 7
* Thu Jan 30 2020 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.7.1-10
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Jul 26 2019 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.7.1-9
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Sat Feb 2 2019 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.7.1-8
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jul 13 2018 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.7.1-7
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri Feb 9 2018 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.7.1-6
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Fri Sep 22 2017 Shawn Iwinski <shawn(a)iwin.ski> - 1.7.1-5
- Fix autoloader for Symfony 3
* Thu Jul 27 2017 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.7.1-4
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1812690 - php-behat-mink-1.8.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1812690
--------------------------------------------------------------------------------
================================================================================
php-behat-mink-browserkit-driver-1.3.4-2.el7 (FEDORA-EPEL-2020-237351e3ea)
Symfony BrowserKit driver for Mink framework
--------------------------------------------------------------------------------
Update Information:
1.3.4 / 2020-03-11 ================== BC Break: * Changed the return value for
`getValue` on a select without any options to an empty string rather than `null`
to respect the common contract between Mink drivers Bug fixes: * Changed
phpdoc types from `Boolean` to `boolean` to be compatible with psalm type
checking * Improved compatibility with the HTML5 parsing of the symfony/dom-
crawler component in 4.4+ * Removed usages of APIs deprecated in symfony/dom-
crawler 4.4 * Send the configured headers when submitting forms Testsuite: *
Removed HHVM from CI as they dropped support for PHP compatibility * Added CI on
PHP 7.2, 7.3 and 7.4 1.3.3 / 2018-05-02 ================== * Added Symfony 4.0
compatibility.
--------------------------------------------------------------------------------
ChangeLog:
* Tue Mar 17 2020 Shawn Iwinski <shawn(a)iwin.ski> - 1.3.4-2
- Conditional Symfony 2 or not
- Fix autoloader for PHP < 5.4
- Add test suite BuildRequires
* Tue Mar 17 2020 Shawn Iwinski <shawn(a)iwin.ski> - 1.3.4-1
- Update to 1.3.4 (RHBZ #1574132)
- Testsuite as source to ensure proper version/commit
- Conditionally use range dependencies
- Drop Symfony 2 interoperability
* Thu Jan 30 2020 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.3.2-9
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Jul 26 2019 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.3.2-8
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Sat Feb 2 2019 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.3.2-7
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jul 13 2018 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.3.2-6
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri Feb 9 2018 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.3.2-5
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.3.2-4
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1574132 - php-behat-mink-browserkit-driver-1.3.4 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1574132
--------------------------------------------------------------------------------
================================================================================
php-theseer-autoload-1.25.9-1.el7 (FEDORA-EPEL-2020-b6dc3c583d)
A tool and library to generate autoload code
--------------------------------------------------------------------------------
Update Information:
**Release 1.25.9** * Merge PR
[#89](https://github.com/theseer/Autoload/pull/89): Throw an exception if the
template file cannot be read * Update ConsoleTools, Fixes
[#91](https://github.com/theseer/Autoload/issues/91) - Zeta Components
ConsoleTools uses PHP syntax deprecated in PHP 7.4
--------------------------------------------------------------------------------
ChangeLog:
* Fri Mar 20 2020 Remi Collet <remi(a)remirepo.net> - 1.25.9-1
- update to 1.25.9
--------------------------------------------------------------------------------
================================================================================
python-colander-1.7.0-2.el7 (FEDORA-EPEL-2020-a105194954)
A simple schema-based serialization and deserialization library
--------------------------------------------------------------------------------
Update Information:
Add Requires for python2-iso8601. Fixes bug #1811130
--------------------------------------------------------------------------------
ChangeLog:
* Thu Mar 19 2020 Kevin Fenzi <kevin(a)scrye.com> - 1.7.0-2
- Add Requires for python2-iso8601. Fixes bug #1811130
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1811130 - Colander needs to require python-iso8601
https://bugzilla.redhat.com/show_bug.cgi?id=1811130
--------------------------------------------------------------------------------