The following Fedora EPEL 7 Security updates need testing:
 Age  URL
  24  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-2c81054303   remctl-3.14-1.el7
  13  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-4d3c4577da   gsoap-2.8.16-10.el7
   8  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-cae67a6aed   knot-resolver-2.3.0-1.el7
   5  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-e4a3d0e9ef   drupal7-7.59-1.el7

The following builds have been pushed to Fedora EPEL 7 updates-testing
libgit2-0.26.3-1.el7
mock-core-configs-28.4-1.el7
python-neomodel-3.2.8-1.el7
python-pygit2-0.26.4-1.el7
quassel-0.12.5-1.el7
roundcubemail-1.1.12-1.el7
Details about builds:
================================================================================
libgit2-0.26.3-1.el7 (FEDORA-EPEL-2018-5ae7f0e7c7)
C implementation of the Git core methods as a library with a solid API
--------------------------------------------------------------------------------
Update Information:
Update to libgit2 0.26.3, fixing CVE-2018-8099 CVE-2018-8098.
Update to python-pygit2 0.26.4.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Apr 30 2018 Pete Walter <pwalter(a)fedoraproject.org> - 0.26.3-1
- Update to 0.26.3
- Include previous ABI version for temporary binary compatibility
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1469187 - 0013533: pygit2/libgit2 incorrect results while diff'ing 2
commits
https://bugzilla.redhat.com/show_bug.cgi?id=1469187
[ 2 ] Bug #1554367 - CVE-2018-8099 CVE-2018-8098 libgit2: denial of service (DoS) via
crafted repository index files [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1554367
--------------------------------------------------------------------------------
================================================================================
mock-core-configs-28.4-1.el7 (FEDORA-EPEL-2018-949d4b69db)
Mock core config files basic chroots
--------------------------------------------------------------------------------
Update Information:
- Add initial openSUSE distribution targets
- provide fedora-29 configs as symlinks to fedora-rawhide
- use correct url for local repos for s390x for F27+ [RHBZ#1553678]
- add CentOS SCL repositories to EPEL 7 (aarch64 & ppc64le)
--------------------------------------------------------------------------------
ChangeLog:
* Wed May 2 2018 Miroslav Suchý <msuchy(a)redhat.com> 28.4-1
- requires distribution-gpg-keys with opensuse keys
- Add initial openSUSE distribution targets (ngompa13(a)gmail.com)
- provide fedora-29 configs as symlinks to fedora-rawhide
- use cp instead of install to preserve symlinks
- use correct url for local repos for s390x for F27+ [RHBZ#1553678]
- add CentOS SCL repositories to EPEL 7 (aarch64 & ppc64le)
(tmz(a)pobox.com)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1553678 - mock: Incorrect local repository for fedora-rawhide-s390x
https://bugzilla.redhat.com/show_bug.cgi?id=1553678
--------------------------------------------------------------------------------
================================================================================
python-neomodel-3.2.8-1.el7 (FEDORA-EPEL-2018-67638c285f)
A Python OGM for Neo4j
--------------------------------------------------------------------------------
Update Information:
Update to v3.2.8
----
Updated to 3.2.7
--------------------------------------------------------------------------------
ChangeLog:
--------------------------------------------------------------------------------
================================================================================
python-pygit2-0.26.4-1.el7 (FEDORA-EPEL-2018-5ae7f0e7c7)
Python bindings for libgit2
--------------------------------------------------------------------------------
Update Information:
Update to libgit2 0.26.3, fixing CVE-2018-8099 CVE-2018-8098.
Update to python-pygit2 0.26.4.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Mar 26 2018 Pete Walter <pwalter(a)fedoraproject.org> - 0.26.4-1
- Update to 0.26.4
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1469187 - 0013533: pygit2/libgit2 incorrect results while diff'ing 2
commits
https://bugzilla.redhat.com/show_bug.cgi?id=1469187
[ 2 ] Bug #1554367 - CVE-2018-8099 CVE-2018-8098 libgit2: denial of service (DoS) via
crafted repository index files [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1554367
--------------------------------------------------------------------------------
================================================================================
quassel-0.12.5-1.el7 (FEDORA-EPEL-2018-996cb2153b)
A modern distributed IRC system
--------------------------------------------------------------------------------
Update Information:
Security update to 0.12.5
--------------------------------------------------------------------------------
ChangeLog:
* Tue May 1 2018 Christian Dersch <lupinix(a)mailbox.org> - 0.12.5-1
- new version
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1573320 - quassel: multiple vulnerabilities fixed in 0.12.5 [epel-7]
https://bugzilla.redhat.com/show_bug.cgi?id=1573320
--------------------------------------------------------------------------------
================================================================================
roundcubemail-1.1.12-1.el7 (FEDORA-EPEL-2018-ce811a54c9)
Round Cube Webmail is a browser-based multilingual IMAP client
--------------------------------------------------------------------------------
Update Information:
**Version 1.1.12**

This is a follow-up to the recent security update for the stable version 1.1.
It fixes a regression that sneaked in with the IMAP command injection
protection which unintentionally disabled actions that operate on all selected
messages (e.g. mark all as junk). We recommend to update all productive
installations of Roundcube 1.1.11. Please do backup your data before updating!

CHANGELOG

* Fix regression where IMAP commands with '*' uidset argument wasn't working

----

**Version 1.1.11**

This is a security update to the stable version 1.1. It fixes a recently
reported vulnerability allowing IMAP command injection via GET parameters.
More details about this are published under CVE-2018-9846. The second fix is
about a missed remote content blocking on HTML messages with specially crafted
image and style tags. We strongly recommend to update all productive
installations of Roundcube 1.1.x. Please do backup your data before updating!

CHANGELOG

* Don't ignore (global) userlogins/sendmail logs in per_user_logging mode
* Fix security issue in remote content blocking on HTML image and style tags (#6178)
* Fix check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
* Fix possible IMAP command injection vulnerability [CVE-2018-9846] (#6229)
--------------------------------------------------------------------------------
ChangeLog:
* Wed May 2 2018 Remi Collet <remi(a)remirepo.net> - 1.1.12.1
- update to 1.1.12
* Thu Apr 19 2018 Remi Collet <remi(a)remirepo.net> - 1.1.11.1
- update to 1.1.11
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1566744 - CVE-2018-9846 roundcubemail: MX injection in archive.php
[epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1566744
--------------------------------------------------------------------------------