The following Fedora EPEL 6 Security updates need testing:
Age URL
617
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2011-4701/supybot-gri...
429
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-5620/bugzilla-3....
24
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-6034/heat-jeos-9...
18
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-6090/ssmtp-2.61-...
13
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-10418/python-fee...
10
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-10445/fail2ban-0...
4
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-10532/python-bug...
3
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-10581/glpi-0.83....
0
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-10586/rubygem-pa...
0
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-10617/wordpress-...
0
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-10621/openstack-...
0
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-10623/ReviewBoar...
The following builds have been pushed to Fedora EPEL 6 updates-testing
ReviewBoard-1.7.10-1.el6
openstack-keystone-2012.2.4-5.el6
python-tahrir-api-0.2.2-1.el6
rubygem-gssapi-1.1.2-1.el6
sx-2.15-1.el6
tcpcopy-0.8.0-3.el6
wordpress-3.5.2-1.el6
Details about builds:
================================================================================
ReviewBoard-1.7.10-1.el6 (FEDORA-EPEL-2013-10623)
Web-based code review tool
--------------------------------------------------------------------------------
Update Information:
New upstream release 1.7.10
-
http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.10/
- Security Updates:
* Fixed an XSS vulnerability where users could trigger script errors under
certain conditions in auto-complete widgets
- Web API Changes:
* Added n ?order-by=<fieldname> query parameter for comment resources,
allowing ordering by fields such as line numbers (for diff comments)
* Added a filename field to screenshot resources, which provides the base
filename (without path) of the screenshot
* Added a review_url field to screenshot resources, which provides the URL
to the screenshot review page
* Added a thumbnail_url field to screenshot comment resources, which
provides the URL to the snippet of the screenshot being commented on
* Added a link_text field to file attachment comment resources, which shows
the text for any link pointing to the file. This may differ depending on
the comment
* Added a review_url field to file attachment comment resources, which
provides the URL to the review page for the file
* Added a thumbnail_html field to file attachment comment resources, which
provides HTML for rendering the thumbnail of the portion of the file
being rendered, if any
- UI Changes:
* Improved the look and feel of the issue summary table. It’s cleaner and
no longer looks odd with long comment text
- Bug Fixes:
* Fixed periodic but harmless JavaScript errors when removing elements with
relative timestamps
* Editing or reordering dashboard columns no longer breaks after the
dashboard reloads
* Relative timestamps in the dashboard no longer break after the dashboard
reloads
* The maximum size of the timezone has increased, allowing for longer
timezone strings
--------------------------------------------------------------------------------
ChangeLog:
* Mon Jun 24 2013 Stephen Gallagher <sgallagh(a)redhat.com> - 1.7.10-1
- New upstream release 1.7.10
-
http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.10/
- Security Updates:
* Fixed an XSS vulnerability where users could trigger script errors under
certain conditions in auto-complete widgets
- Web API Changes:
* Added n ?order-by=<fieldname> query parameter for comment resources,
allowing ordering by fields such as line numbers (for diff comments)
* Added a filename field to screenshot resources, which provides the base
filename (without path) of the screenshot
* Added a review_url field to screenshot resources, which provides the URL
to the screenshot review page
* Added a thumbnail_url field to screenshot comment resources, which
provides the URL to the snippet of the screenshot being commented on
* Added a link_text field to file attachment comment resources, which shows
the text for any link pointing to the file. This may differ depending on
the comment
* Added a review_url field to file attachment comment resources, which
provides the URL to the review page for the file
* Added a thumbnail_html field to file attachment comment resources, which
provides HTML for rendering the thumbnail of the portion of the file
being rendered, if any
- UI Changes:
* Improved the look and feel of the issue summary table. It’s cleaner and
no longer looks odd with long comment text
- Bug Fixes:
* Fixed periodic but harmless JavaScript errors when removing elements with
relative timestamps
* Editing or reordering dashboard columns no longer breaks after the
dashboard reloads
* Relative timestamps in the dashboard no longer break after the dashboard
reloads
* The maximum size of the timezone has increased, allowing for longer
timezone strings
* Mon Jun 3 2013 Stephen Gallagher <sgallagh(a)redhat.com> - 1.7.9-1
- New upstream release 1.7.9
-
http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.9/
- API Changes:
* Added new blocks and depends_on fields to the Review Request resource
- Bug Fixes:
* Fixed the max_length of the new HostingServiceAccount.hosting_url field
* Fixed the documentation for the cgit configuration for Git
* Fixed the cgit URL for Fedora Hosted
* Mon Jun 3 2013 Stephen Gallagher <sgallagh(a)redhat.com> - 1.7.8.1-1
- New upstream release 1.7.8.1
-
http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.8.1/
- Bug Fixes:
* Fixed a regression with saving repositories that don't use hosting
services
- Misc. Changes:
* Compatibility changes for the upcoming PDF review plugin
- New upstream release 1.7.8
-
http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.8/
- New Features:
* Added Depends On and Blocks fields to review requests
* Added an improved support page
* Added the ability to set where Get Support takes users
* Added improved logging for many operations
- Performance Improvements:
* Reduced the upload time for many new diffs
* The templates used for rendering the various pages are now cached after
the first render, speeding up the rendering for any future renders. We've
seen speedups of ~100-120ms for review request pages
- Usability Improvements:
* The review request actions are now larger, making them more visible and
easier to hit, particularly on touch screens
* Clicking Fixed, Drop or Re-open now keeps the page in the same scroll
position
* The dashboard now reloads dynamically, without reloading the entire page
* The comment dialog now tells you when you can't make a comment (due to
being logged out or reviewing something that's part of a draft
- API Changes
* Fixed deleting pending replies to comments
* Fixed some issues returning certain lists of data
- Extensibility Improvements:
* Extensions can now customize their metadata directly in the Extension
class
* TemplateHooks can now render their own content by overriding
render_to_string()
* NavigationBarHook can now take a url_name parameter specifying the URL
name to link to
* Review UIs can now specify the link and link text for any comments on a
review by overriding get_comment_link_url() and get_comment_link_text()
* Custom hosting services can now be registered/unregistered by extensions
by using register_hosting_service() and unregister_hosting_service()
(from reviewboard.hostingsvcs.service)
* Added the ability to more easily write hosting services support that
works for self-installable services
- Bug Fixes:
* Added missing repository validation for Mercurial repositories
* Fixed replying to comments on file attachments that have since been
removed
* Fixed the display of the upload dialogs when viewing a file attachment
* Comments on file attachments in e-mails now link to the correct review UI
handling the file
* Worked around rare issues where a reset of the Open An Issue default for
a user would cause pages to break
- Misc Changes:
* E-mails now show the user’s full name instead of just their first name
* The New Review Request page now mentions RBTools instead of just
post-review
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #977423 - CVE-2013-2209 ReviewBoard: Stored XSS due improper sanitization of
user's full name in the reviews dropdown
https://bugzilla.redhat.com/show_bug.cgi?id=977423
--------------------------------------------------------------------------------
================================================================================
openstack-keystone-2012.2.4-5.el6 (FEDORA-EPEL-2013-10621)
OpenStack Identity Service
--------------------------------------------------------------------------------
Update Information:
Updated to stable folsom release 2012.2.4
Force simple Bind for authentication CVE-2013-2157
authtoken: Check token expiry CVE-2013-2104
Revoke tokens on user delete CVE-2013-2059
authtoken: Securely create signing_dir CVE-2013-2030
Avoid potential disclosure in log files CVE-2013-2006
Fix online revocation check for PKI tokens CVE-2013-1865
--------------------------------------------------------------------------------
ChangeLog:
* Sat Jun 22 2013 apevec(a)redhat.com 2012.2.4-5
- Force simple Bind for authentication CVE-2013-2157
* Wed Jun 12 2013 Alan Pevec <apevec(a)redhat.com> 2012.2.4-4
- authtoken: Check token expiry CVE-2013-2104
* Mon May 13 2013 Alan Pevec <apevec(a)redhat.com> 2012.2.4-3
- authtoken: Securely create signing_dir CVE-2013-2030
- Revoke tokens on user delete CVE-2013-2059
* Thu Apr 25 2013 Alan Pevec <apevec(a)redhat.com> 2012.2.4-2
- avoid potential disclosure in log files CVE-2013-2006
- restrict /var/log/keystone/ rhbz#956814
* Thu Apr 11 2013 Alan Pevec <apevec(a)redhat.com> 2012.2.4-1
- updated to stable folsom release 2012.2.4
* Fri Mar 29 2013 Alan Pevec <apevec(a)redhat.com> 2012.2.3-5
- Fix online revocation check for PKI tokens CVE-2013-1865
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #971884 - CVE-2013-2157 openstack-keystone: Authentication bypass when using
LDAP backend
https://bugzilla.redhat.com/show_bug.cgi?id=971884
[ 2 ] Bug #956474 - OpenStack keystone: /var/log/keystone/ is world readable
https://bugzilla.redhat.com/show_bug.cgi?id=956474
[ 3 ] Bug #965852 - CVE-2013-2104 OpenStack Keystone: Missing expiration check in
Keystone PKI token validation
https://bugzilla.redhat.com/show_bug.cgi?id=965852
[ 4 ] Bug #956007 - CVE-2013-2006 OpenStack keystone: DEBUG level LDAP password
disclosure in log files
https://bugzilla.redhat.com/show_bug.cgi?id=956007
[ 5 ] Bug #922230 - CVE-2013-1865 OpenStack keystone: online validation of Keystone PKI
tokens bypasses revocation check
https://bugzilla.redhat.com/show_bug.cgi?id=922230
--------------------------------------------------------------------------------
================================================================================
python-tahrir-api-0.2.2-1.el6 (FEDORA-EPEL-2013-10616)
An API for interacting with the Tahrir database
--------------------------------------------------------------------------------
Update Information:
Add alembic scripts.
--------------------------------------------------------------------------------
ChangeLog:
* Sun Jun 23 2013 Ralph Bean <rbean(a)redhat.com> - 0.2.2-1
- Add alembic upgrade scripts.
- Add check section with tests.
* Sun Jun 23 2013 Ralph Bean <rbean(a)redhat.com> - 0.2.1-1
- Bugfix - stop leaking sqlalchemy sessions.
- API enhancement - can query for user by username, id, or email now.
* Thu Jun 20 2013 Ralph Bean <rbean(a)redhat.com> - 0.2.0-1
- API enhancements.
* Thu Jun 13 2013 Ralph Bean <rbean(a)redhat.com> - 0.1.8-6
- Use paste-deploy1.5 forward compat package.
- Use zope-interface4 forward compat package.
* Thu Jun 13 2013 Ralph Bean <rbean(a)redhat.com> - 0.1.8-5
- Added dep on zope.interface.
* Thu Jun 13 2013 Ralph Bean <rbean(a)redhat.com> - 0.1.8-4
- Conditional mako0.4 requirement for epel6.
* Thu Jun 13 2013 Ralph Bean <rbean(a)redhat.com> - 0.1.8-3
- More epel6 fixes.
* Thu Jun 13 2013 Ralph Bean <rbean(a)redhat.com> - 0.1.8-2
- Conditionalize sqlalchemy forward compat package for epel6.
* Fri Jun 7 2013 Ralph Bean <rbean(a)redhat.com> - 0.1.8-1
- New Invitations API.
- Bugfixes to other API functions.
- Relicense to GPLv3+
--------------------------------------------------------------------------------
================================================================================
rubygem-gssapi-1.1.2-1.el6 (FEDORA-EPEL-2013-10620)
A FFI wrapper around the system GSSAPI library
--------------------------------------------------------------------------------
Update Information:
Newly packaged gssapi ruby gem.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #975339 - Review Request: rubygem-gssapi - A FFI wrapper around the system
GSSAPI library
https://bugzilla.redhat.com/show_bug.cgi?id=975339
--------------------------------------------------------------------------------
================================================================================
sx-2.15-1.el6 (FEDORA-EPEL-2013-10622)
Tool to extract reports and run plug-ins against those extracted reports
--------------------------------------------------------------------------------
Update Information:
New upstream release to resolve bugs and add new features enhancements. No backward
compatibility issues known.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jun 20 2013 Shane Bradley <sbradley(a)redhat.com>- 2.15-0.0
- bz955343: There was incorrect labeling on cluster.py when there was no rpms
found, instead of being split by HA and RS, they are split by packages and
module-packages.
- Changed the chkconfig cluster service summary output to display enabled and
disabled services.
- Modified bonding mode check for clusterevaluator since there is some new
supported modes.
- A devicemapper parser error when libudev entries were in the files for
dmsetup_info and lvs.
- Fix all the urls since kcs changed.
- Added a catch all exception that will write a debug file if uncaught
exception is raised.
- Added a check and summary output for transport mode which includes:
broadcast, multicast, and updu.
- Added code to check all valid values for attributes that can be enabled and
disabled for /etc/cluster/cluster.conf.
- Fixed parsing of sos_commands/startup/chkconfig_--list for spanish words.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #977243 - Update to sx-2.15
https://bugzilla.redhat.com/show_bug.cgi?id=977243
--------------------------------------------------------------------------------
================================================================================
tcpcopy-0.8.0-3.el6 (FEDORA-EPEL-2013-10624)
An online request replication tool
--------------------------------------------------------------------------------
Update Information:
New RPM.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #967482 - Review Request: tcpcopy - An online request replication tool
https://bugzilla.redhat.com/show_bug.cgi?id=967482
--------------------------------------------------------------------------------
================================================================================
wordpress-3.5.2-1.el6 (FEDORA-EPEL-2013-10617)
Blog tool and publishing platform
--------------------------------------------------------------------------------
Update Information:
WordPress 3.5.2 is now available. This is the second maintenance release of 3.5, fixing 12
bugs. This is a security release for all previous versions and we strongly encourage you
to update your sites immediately. The WordPress security team resolved seven security
issues, and this release also contains some additional security hardening.
The security fixes included:
- Blocking server-side request forgery attacks, which could potentially enable an attacker
to gain access to a site.
- Disallow contributors from improperly publishing posts, reported by Konstantin
Kovshenin, or reassigning the post’s authorship, reported by Luke Bryan.
- An update to the SWFUpload external library to fix cross-site scripting vulnerabilities.
Reported by mala and Szymon Gruszecki. (Developers: More on SWFUpload here.)
- Prevention of a denial of service attack, affecting sites using password-protected
posts.
- An update to an external TinyMCE library to fix a cross-site scripting vulnerability.
Reported by Wan Ikram.
- Multiple fixes for cross-site scripting. Reported by Andrea Santese and Rodrigo.
- Avoid disclosing a full file path when a upload fails. Reported by Jakub Galczyk.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Jun 24 2013 Remi Collet <rcollet(a)redhat.com> - 3.5.2-1
- version 3.5.2, various bug and security fixes:
CVE-2013-2173 CVE-2013-2199 CVE-2013-2200 CVE-2013-2201
CVE-2013-2202 CVE-2013-2203 CVE-2013-2204
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #976784 - CVE-2013-2199 CVE-2013-2200 CVE-2013-2201 CVE-2013-2202
CVE-2013-2203 CVE-2013-2204 CVE-2013-2205 wordpress: Multiple security flaws to be
corrected within upstream 3.5.2 version
https://bugzilla.redhat.com/show_bug.cgi?id=976784
[ 2 ] Bug #973254 - CVE-2013-2173 wordpress: DoS when computing user-input hash for
certain password protected blogs
https://bugzilla.redhat.com/show_bug.cgi?id=973254
--------------------------------------------------------------------------------