The following Fedora EPEL 9 Security updates need testing:

 Age  URL
   5  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-6a67ef6626   unrealircd-6.1.4-1.el9
   4  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-b19336b76b   tor-0.4.8.10-1.el9
   2  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-7ff32fc746   podman-tui-0.15.0-2.el9
   1  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-b698d8c031   proftpd-1.3.8b-1.el9
   1  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-b300e89045   chromium-120.0.6099.129-1.el9

The following builds have been pushed to Fedora EPEL 9 updates-testing

    cobbler3.2-3.2.2-15.el9
    fedora-license-data-1.37-1.el9
    java-latest-openjdk-21.0.1.0.12-4.rolling.el9
    lasso-epel-2.7.0-11.el9
    lemonldap-ng-2.18.1-1.el9
    perl-Authen-WebAuthn-0.002-1.el9
    php-pear-Auth-SASL-1.2.0-1.el9
    python-ogr-0.48.0-1.el9
    rpki-client-8.7-1.el9
    wavbreaker-0.16-1.el9
    xerces-c-3.2.5-1.el9

Details about builds:

================================================================================
cobbler3.2-3.2.2-15.el9 (FEDORA-EPEL-2023-2ef7551bee)
Boot server configurator
--------------------------------------------------------------------------------
Update Information:

Build for EPEL9
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 5 2023 Orion Poplawski orion@nwra.com - 3.2.2-15
- Fix requires for cobbler-web/tests
* Sun Apr 2 2023 Orion Poplawski orion@nwra.com - 3.2.2-14
- Add upstream patches for EL8 and EL9 support
* Wed Aug 10 2022 Robby Callicotte rcallicotte@fedoraproject.org - 3.2.2-13
- Add upstream patch for reposync errors (bz#2117750)
* Fri Apr 22 2022 Xavier Bachelot xavier@bachelot.org - 3.2.2-12
- Add patch7:
  - fix ldap anonymous bind
  - sync distro signatures
  - support older anaconda boot line options
* Wed Mar 23 2022 Orion Poplawski orion@nwra.com - 3.2.2-11
- Add upstream patch for CVE-2022-0860 (bz#2066592)
* Wed Mar 2 2022 Orion Poplawski orion@nwra.com - 3.2.2-10
- More complete fix for CVE-2021-45083 - enforce permissions in %post
* Tue Mar 1 2022 Orion Poplawski orion@nwra.com - 3.2.2-9
- Apply fixes for CVE-2021-45082/3
- Remove BR on python3-coverage
* Mon Jan 24 2022 Orion Poplawski orion@nwra.com - 3.2.2-8
- Fix posttrans script
* Wed Jan 19 2022 Fedora Release Engineering releng@fedoraproject.org - 3.2.2-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Thu Dec 23 2021 Orion Poplawski orion@nwra.com - 3.2.2-6
- Fix path to settings.yaml in scriptlet
* Thu Dec 9 2021 Orion Poplawski orion@nwra.com - 3.2.2-5
- Remove defunct get-loaders command
* Mon Nov 22 2021 Orion Poplawski orion@nwra.com - 3.2.2-4
- Add new keys to settings.yaml on migration or if missing
- Save original settings to settings.rpmorig
* Fri Oct 8 2021 Orion Poplawski orion@nwra.com - 3.2.2-3
- Fix dependencies (bz#2010567)
* Thu Sep 23 2021 Orion Poplawski orion@nwra.com - 3.2.2-2
- Migrate settings to settings.yaml
- Migrate pre-cobbler 3 data if needed
- Fix autoinstall_templates -> templates
* Thu Sep 23 2021 Orion Poplawski orion@nwra.com - 3.2.2-1
- Update to 3.2.2
- bz#2006840: CVE-2021-40323: Arbitrary file disclosure/Template Injection
- bz#2006897: CVE-2021-40324: Arbitrary file write via upload_log_data XMLRPC function
- bz#2006904: CVE-2021-40325: Authorization bypass allows modifying settings
* Wed Sep 22 2021 Orion Poplawski orion@nwra.com - 3.2.1-1
- Update to 3.2.1
* Wed Jul 21 2021 Fedora Release Engineering releng@fedoraproject.org - 3.2.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Fri Jun 4 2021 Python Maint python-maint@redhat.com - 3.2.0-5
- Rebuilt for Python 3.10
--------------------------------------------------------------------------------


================================================================================
fedora-license-data-1.37-1.el9 (FEDORA-EPEL-2023-d7b2ffea6b)
Fedora Linux license data
--------------------------------------------------------------------------------
Update Information:

Automatic update for fedora-license-data-1.37-1.el9.

##### **Changelog for fedora-license-data**

```
* Fri Dec 22 2023 Miroslav Suchý msuchy@redhat.com 1.37-1
- add license HPND-Kevlin-Henney
- add license FSFAP-no-warranty-disclaimer
- add not allowed license LicenseRef-Nikto
- add LicenseRef-Fedora-Firmware
* Thu Dec 07 2023 Miroslav Suchý msuchy@redhat.com 1.36-1
- new license: TCP-wrappers
- new license: LicenseRef-Not-Copyrightable
- new license: SAX-PD-2.0
- new license: radvd
```
--------------------------------------------------------------------------------
ChangeLog:

* Fri Dec 22 2023 Miroslav Suchý msuchy@redhat.com 1.37-1
- add license HPND-Kevlin-Henney
- add license FSFAP-no-warranty-disclaimer
- add not allowed license LicenseRef-Nikto
- add LicenseRef-Fedora-Firmware
* Thu Dec 7 2023 Miroslav Suchý msuchy@redhat.com 1.36-1
- new license: TCP-wrappers
- new license: LicenseRef-Not-Copyrightable
- new license: SAX-PD-2.0
- new license: radvd
--------------------------------------------------------------------------------


================================================================================
java-latest-openjdk-21.0.1.0.12-4.rolling.el9 (FEDORA-EPEL-2023-9ece56b986)
OpenJDK 21 Runtime Environment
--------------------------------------------------------------------------------
Update Information:

repack from single binary -
https://fedoraproject.org/wiki/Changes/BuildJdkOncePackEverywhere
--------------------------------------------------------------------------------
ChangeLog:

* Sat Dec 16 2023 Jiri Vanek jvanek@redhat.com - 1:21.0.1.0.12-4.rolling
* using generated sources from portables for final debuginfo
* Sat Dec 9 2023 Jiri Vanek jvanek@redhat.com - 1:21.0.1.0.12-3.rolling
- properly filing debugsources pkg by added symlinks restructuring the structure for original build sources
- according to logs, some are still missing probably generated during the build, and thus not existing in prep, when the sources subpkg is created after patching
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2233283 - Build JDKs once, repack everywhere
        https://bugzilla.redhat.com/show_bug.cgi?id=2233283
--------------------------------------------------------------------------------


================================================================================
lasso-epel-2.7.0-11.el9 (FEDORA-EPEL-2023-b80695f129)
Liberty Alliance Single Sign On
--------------------------------------------------------------------------------
Update Information:

Initial lasso-epel package to ship missing perl-lasso subpackage.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Dec 22 2023 Carl George carlwgeorge@fedoraproject.org - 2.7.0-11
- Convert to lasso-epel package to ship missing perl-lasso subpackage rhbz#2251952
* Wed Nov 9 2022 Tomas Halman thalman@redhat.com - 2.7.0-11
- Fixing changelog chronological order
- Related: rhbz#2117590 - release python3-lasso pkg
* Wed Nov 9 2022 Tomas Halman thalman@redhat.com - 2.7.0-10
- Publishing python binding package
- Resolves: rhbz#2117590 - release python3-lasso pkg
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2251952 - Review Request: lasso-epel - Liberty Alliance Single Sign On (lasso) perl bindings [EPEL only]
        https://bugzilla.redhat.com/show_bug.cgi?id=2251952
--------------------------------------------------------------------------------


================================================================================
lemonldap-ng-2.18.1-1.el9 (FEDORA-EPEL-2023-4bf4c2a304)
Web Single Sign On (SSO) and Access Management
--------------------------------------------------------------------------------
Update Information:

Upstream changelog:
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.18.1
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.18.0
--------------------------------------------------------------------------------
ChangeLog:

* Fri Dec 22 2023 Clement Oudot clem.oudot@gmail.com - 2.18.1-1
- Update to 2.18.1
* Wed Dec 20 2023 Clement Oudot clem.oudot@gmail.com - 2.18.0-1
- Update to 2.18.0
--------------------------------------------------------------------------------


================================================================================
perl-Authen-WebAuthn-0.002-1.el9 (FEDORA-EPEL-2023-e9682a45f1)
Library to add Web Authentication support to server applications
--------------------------------------------------------------------------------
Update Information:

New features:
* Supported attestation types: none, packed, fido-u2f
* Mandatory attestation trust chain validation
--------------------------------------------------------------------------------
ChangeLog:

* Fri Dec 22 2023 Xavier Bachelot xavier@bachelot.org - 0.002-1
- Update to 0.002
- Convert License to SPDX
- Cleanup specfile
* Thu Jul 20 2023 Fedora Release Engineering releng@fedoraproject.org - 0.001-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Fri Jan 20 2023 Fedora Release Engineering releng@fedoraproject.org - 0.001-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Fri Jul 22 2022 Fedora Release Engineering releng@fedoraproject.org - 0.001-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Wed Jun 1 2022 Jitka Plesnikova jplesnik@redhat.com - 0.001-3
- Perl 5.36 rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2255628 - perl-Authen-WebAuthn-0.002 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2255628
--------------------------------------------------------------------------------


================================================================================
php-pear-Auth-SASL-1.2.0-1.el9 (FEDORA-EPEL-2023-cf01d51ebd)
Abstraction of various SASL mechanism responses
--------------------------------------------------------------------------------
Update Information:

**Version 1.2.0**
* feature: PHP8.2 ready
* bugfix: scram-sha-224 broken #14
* task: mark authentication methods cram-md5, digest-md5, and login as deprecated #14
--------------------------------------------------------------------------------
ChangeLog:

* Fri Dec 22 2023 Remi Collet remi@remirepo.net - 1.2.0-1
- update to 1.2.0
--------------------------------------------------------------------------------


================================================================================
python-ogr-0.48.0-1.el9 (FEDORA-EPEL-2023-7e4aa9117a)
One API for multiple git forges
--------------------------------------------------------------------------------
Update Information:

Automatic update for python-ogr-0.48.0-1.el9.

##### **Changelog for python-ogr**

```
* Thu Dec 21 2023 Packit hello@packit.dev - 0.48.0-1
- There is a new get_pr_files_diff method supported for Pagure. (#826)
- We have fixed a bug that GithubRelease.url returned an API URL. (#824)
- Resolves rhbz#2255524
```
--------------------------------------------------------------------------------
ChangeLog:

* Thu Dec 21 2023 Packit hello@packit.dev - 0.48.0-1
- There is a new get_pr_files_diff method supported for Pagure. (#826)
- We have fixed a bug that GithubRelease.url returned an API URL. (#824)
- Resolves rhbz#2255524
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2255524 - python-ogr-0.48.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2255524
--------------------------------------------------------------------------------


================================================================================
rpki-client-8.7-1.el9 (FEDORA-EPEL-2023-4c5a389665)
OpenBSD RPKI validator to support BGP Origin Validation
--------------------------------------------------------------------------------
Update Information:

# rpki-client 8.7

- Add ability to constrain an RPKI Trust Anchor's effective signing authority to a limited set of Internet numbers. This allows Relying Parties to enjoy the potential benefits of assuming trust, but within a bounded scope. This distribution includes curated constraints files. More information: https://datatracker.ietf.org/doc/html/draft-snijders-constraining-rpki-trust... anchors
- Following a 'failed fetch' (described in RFC 9286), emit a warning and continue with a previously cached Manifest file, if present and still valid.
- Emit a warning when the same `manifestNumber` is re-used across multiple issuances.
- Emit a warning when the remote repository presents a Manifest with an unexpected `manifestNumber`. Purported new manifests are expected to have a higher `manifestNumber` than previously validated manifests. Otherwise fall back to the previously cached manifest, if it is still valid. This warning can be indicative of manifest replays or of out-of-order publishing.
- Require RPKI object files to be of a minimum of 100 bytes in both the RRDP and RSYNC transports.
- No longer synchronize directory modtimes in the local cache to align with remote RSYNC repository sources.
- Improved CRL extension checking.
- Experimental support for the P-256 signature algorithm.
- Various refactoring work.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Dec 22 2023 Robert Scheck robert@fedoraproject.org 8.7-1
- Upgrade to 8.7 (#2255458)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2255458 - rpki-client-8.7 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2255458
--------------------------------------------------------------------------------


================================================================================
wavbreaker-0.16-1.el9 (FEDORA-EPEL-2023-65244d7423)
GUI tool to losslessly split WAV, MP2 and MP3 files into multiple parts
--------------------------------------------------------------------------------
Update Information:

Initial package for EPEL9
--------------------------------------------------------------------------------
ChangeLog:

* Thu Dec 21 2023 Benjamin A. Beasley code@musicinmybrain.net - 0.16-1
- Update to 0.16
* Thu Dec 21 2023 Benjamin A. Beasley code@musicinmybrain.net - 0.15-1
- Update to 0.15
* Thu Dec 21 2023 Benjamin A. Beasley code@musicinmybrain.net - 0.14-1
- Update to 0.14
* Thu Dec 21 2023 Benjamin A. Beasley code@musicinmybrain.net - 0.13-1
- Update to 0.13
* Thu Dec 21 2023 Benjamin A. Beasley code@musicinmybrain.net - 0.12-1
- Update to 0.12
* Sat Jul 22 2023 Fedora Release Engineering releng@fedoraproject.org - 0.10-30
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Sat Jan 21 2023 Fedora Release Engineering releng@fedoraproject.org - 0.10-29
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Sat Jul 23 2022 Fedora Release Engineering releng@fedoraproject.org - 0.10-28
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Sat Jan 22 2022 Fedora Release Engineering releng@fedoraproject.org - 0.10-27
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
--------------------------------------------------------------------------------


================================================================================
xerces-c-3.2.5-1.el9 (FEDORA-EPEL-2023-75bf3d635e)
Validating XML Parser
--------------------------------------------------------------------------------
Update Information:

Update to 3.2.5, fixing CVE-2018-1311 and CVE-2023-37536
--------------------------------------------------------------------------------
ChangeLog:

* Fri Dec 22 2023 Kalev Lember klember@redhat.com - 3.2.5-1
- Update to 3.2.5, fixing CVE-2018-1311 and CVE-2023-37536
* Sat Jul 22 2023 Fedora Release Engineering releng@fedoraproject.org - 3.2.3-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Sat Jan 21 2023 Fedora Release Engineering releng@fedoraproject.org - 3.2.3-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Sat Jul 23 2022 Fedora Release Engineering releng@fedoraproject.org - 3.2.3-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Sat Jan 22 2022 Fedora Release Engineering releng@fedoraproject.org - 3.2.3-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1788472 - CVE-2018-1311 xerces-c: XML parser contains a use-after-free error triggered during the scanning of external DTDs
        https://bugzilla.redhat.com/show_bug.cgi?id=1788472
  [ 2 ] Bug #2243426 - CVE-2023-37536 xerces-c: An integer overflow issue that allows remote attackers to cause out-of-bound access via HTTP request
        https://bugzilla.redhat.com/show_bug.cgi?id=2243426
--------------------------------------------------------------------------------

epel-devel@lists.fedoraproject.org