The following Fedora EPEL 6 Security updates need testing:

 Age   URL
 1019  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-5620/bugzilla-3.4.1...
 109   https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3434/pylint-1.3.1-1...
 84    https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-4008/cross-binutils...
 72    https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-4242/facter-1.6.18-...
 61    https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-4485/python-tornado...
 43    https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-4884/mapserver-6.0....
 40    https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-4918/dokuwiki-0-0.2...
 22    https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0232/chicken-4.9.0....
 12    https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0363/polarssl-1.3.2...
 12    https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0407/seamonkey-2.28...
 9     https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0436/privoxy-3.0.23...
 6     https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0557/clamav-0.98.6-...
 6     https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0560/websvn-2.3.3-8...
 5     https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0566/pigz-2.3.3-1.e...
 0     https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0631/puppetlabs-std...
 0     https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0644/perl-Gtk2-1.24...
 0     https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0630/roundcubemail-...
 0     https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0641/moodle-2.6.8-1...
The following builds have been pushed to Fedora EPEL 6 updates-testing

    RackTables-0.20.10-1.el6
    beakerlib-1.10-2.el6
    minised-1.15-1.el6
    moodle-2.6.8-1.el6
    perl-Crypt-PasswdMD5-1.3-0.6.el6
    perl-Gtk2-1.2495-1.el6
    perl-MCE-1.600-1.el6
    puppetlabs-stdlib-4.5.1-2.20150121git7a91f20.el6
    python-networkx-1.8.1-12.el6
    roundcubemail-1.0.5-1.el6
    s3cmd-1.5.1.2-4.el6
Details about builds:
================================================================================
 RackTables-0.20.10-1.el6 (FEDORA-EPEL-2015-0640)
 A data-center asset management system
--------------------------------------------------------------------------------
Update Information:

Rebase to v0.20.10
Rebase to v0.20.9
--------------------------------------------------------------------------------
ChangeLog:

* Thu Feb  5 2015 Colin Coe <colin.coe@gmail.com> - 0.20.10-1
- Rebase to v0.20.10
* Fri Jan 16 2015 Colin Coe <colin.coe@gmail.com> - 0.20.9-1
- Rebase to v0.20.9
* Fri Jun  6 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.20.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Fri Aug  2 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.20.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Thu Jul 18 2013 Petr Pisar <ppisar@redhat.com> - 0.20.4-2
- Perl 5.18 rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1186291 - RackTables-0.20.10 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1186291
  [ 2 ] Bug #977277 - RackTables-0.20.9 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=977277
--------------------------------------------------------------------------------
================================================================================
 beakerlib-1.10-2.el6 (FEDORA-EPEL-2015-0642)
 A shell-level integration testing library
--------------------------------------------------------------------------------
Update Information:

Remount if mounting an already mounted mount point with options.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Feb  4 2015 Dalibor Pospisil <dapospis@redhat.com> - 1.10-2
- remount if mounting an already mounted mount point with options, fixes bug 1173623
--------------------------------------------------------------------------------
================================================================================
 minised-1.15-1.el6 (FEDORA-EPEL-2015-0629)
 A smaller, cheaper, faster SED implementation
--------------------------------------------------------------------------------
Update Information:

The 1.15 version fixes some Kleene star operator related bugs and includes some code cleanups.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 20 2015 Christopher Meng <rpm@cicku.me> - 1.15-1
- Update to 1.15
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1150999 - minised-1.15 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1150999
--------------------------------------------------------------------------------
================================================================================
 moodle-2.6.8-1.el6 (FEDORA-EPEL-2015-0641)
 A Course Management System
--------------------------------------------------------------------------------
Update Information:

The following security notifications have now been made public:

==============================================================================
MSA-15-0001: Insufficient access check in LTI module

Description:       Absence of a capability check in an AJAX backend script could allow any enrolled user to search the list of registered tools
Issue summary:     mod/lti/ajax.php security problems
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Petr Skoda
Issue no.:         MDL-47920
CVE identifier:    CVE-2015-0211
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&...

==============================================================================
MSA-15-0002: XSS vulnerability in course request pending approval page

Description:       The course summary on the course request pending approval page was displayed to the manager unescaped and could be used for an XSS attack
Issue summary:     XSS in course request pending approval page (Privilege Escalation?)
Severity/Risk:     Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Skylar Kelty
Issue no.:         MDL-48368
Workaround:        Grant permission moodle/course:request only to trusted users
CVE identifier:    CVE-2015-0212
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&...

==============================================================================
MSA-15-0003: CSRF possible in Glossary module

Description:       Two files in the Glossary module lacked a session key check, potentially allowing cross-site request forgery
Issue summary:     Multiple CSRF in mod glossary
Severity/Risk:     Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Ankit Agarwal
Issue no.:         MDL-48106
CVE identifier:    CVE-2015-0213
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&...

==============================================================================
MSA-15-0004: Information leak through messaging functions in web-services

Description:       Through web-services it was possible to access messaging-related functions such as people search even if messaging is disabled on the site
Issue summary:     Messages external functions don't check if messaging is enabled
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Juan Leyva
Issue no.:         MDL-48329
Workaround:        Disable web services or disable individual message-related functions
CVE identifier:    CVE-2015-0214
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&...

==============================================================================
MSA-15-0005: Insufficient access check in calendar functions in web-services

Description:       Through web-services it was possible to get information about calendar events which the user did not have enough permissions to see
Issue summary:     calendar/externallib.php lacks self::validate_context($context);
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Petr Skoda
Issue no.:         MDL-48017
CVE identifier:    CVE-2015-0215
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&...

==============================================================================
MSA-15-0006: Capability to grade Lesson module is missing XSS bitmask

Description:       Users with the capability to grade in the Lesson module were not reported as users with XSS risk, but their feedback was displayed without cleaning
Issue summary:     mod/lesson:grade capability missing RISK_XSS but essay feedback is displayed with noclean=true
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.1
Versions fixed:    2.8.2
Reported by:       Damyon Wiese
Issue no.:         MDL-48034
CVE identifier:    CVE-2015-0216
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&...

==============================================================================
MSA-15-0007: ReDoS possible in the multimedia filter

Description:       A non-optimal regular expression in the filter could be exploited to create extra server load or make a particular page unavailable
Issue summary:     ReDOS in the multimedia filter
Severity/Risk:     Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Nicolas Martignoni
Issue no.:         MDL-48546
Workaround:        Disable multimedia filter
CVE identifier:    CVE-2015-0217
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&...

==============================================================================
MSA-15-0008: Forced logout through Shibboleth authentication plugin

Description:       It was possible to forge a request to log out users even when not authenticated through Shibboleth
Issue summary:     Forced logout via auth/shibboleth/logout.php
Severity/Risk:     Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Petr Skoda
Issue no.:         MDL-47964
Workaround:        Deny access to file auth/shibboleth/logout.php in webserver configuration
CVE identifier:    CVE-2015-0218
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&...

==============================================================================
--------------------------------------------------------------------------------
ChangeLog:

* Thu Feb  5 2015 Jon Ciesla <limburgher@gmail.com> - 2.6.8-1
- 2.6.8, fix for security issues.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1183695 - CVE-2015-0218 CVE-2015-0212 CVE-2015-0213 CVE-2015-0211 CVE-2015-0216 CVE-2015-0217 CVE-2015-0214 CVE-2015-0215 moodle: new update fixes several security issues [epel-6]
        https://bugzilla.redhat.com/show_bug.cgi?id=1183695
  [ 2 ] Bug #1183694 - CVE-2015-0218 CVE-2015-0212 CVE-2015-0213 CVE-2015-0211 CVE-2015-0216 CVE-2015-0217 CVE-2015-0214 CVE-2015-0215 moodle: new update fixes several security issues [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1183694
--------------------------------------------------------------------------------
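The "Versions affected" and "Versions fixed" lines in the Moodle advisories above are easy to misread: each branch (2.8, 2.7, 2.6) has its own cut-off, anything older than 2.6 is affected even though no number is listed for it, and MSA-15-0006 has no "and earlier unsupported versions" clause at all, so the 2.7 and 2.6 branches are not affected by that one. The Python below is an added example (it is neither Moodle's nor Fedora's code) that parses those lines exactly as printed and decides whether a given Moodle version, or the version embedded in an RPM name such as moodle-2.6.8-1.el6, falls inside an affected range. The function names and the version strings fed to it in the usage block are mine.

```python
import re

# "Versions affected" values copied from the advisories above.  The first is shared by
# MSA-15-0001..0005, -0007 and -0008; the second is MSA-15-0006 (Lesson module, 2.8 only).
AFFECTED_MOST = "2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions"
AFFECTED_MSA_15_0006 = "2.8 to 2.8.1"

_RANGE = re.compile(r"(\d+(?:\.\d+)*)\s+to\s+(\d+(?:\.\d+)*)")


def parse_version(text):
    """'2.6.7' -> (2, 6, 7).  Tuples compare lexicographically and a shorter prefix
    sorts first, so (2, 6) < (2, 6, 0) < (2, 6, 6), which is the ordering we need
    for a range written as '2.6 to 2.6.6'."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_affected(line):
    """Turn a 'Versions affected:' value into ([(low, high), ...], older_affected).
    older_affected is True when the advisory also covers every branch below the
    lowest one it lists ("and earlier unsupported versions")."""
    ranges = [(parse_version(lo), parse_version(hi)) for lo, hi in _RANGE.findall(line)]
    if not ranges:
        raise ValueError("no version ranges found in: %r" % line)
    return ranges, "earlier" in line


def is_affected(version, affected_line):
    """True if `version` lies inside a listed range, or below the lowest listed
    branch when the advisory says earlier versions are affected.  A version newer
    than every listed branch returns False because the advisory does not cover it;
    that is not the same as the advisory saying it is safe."""
    v = parse_version(version)
    ranges, older_affected = parse_affected(affected_line)
    if any(lo <= v <= hi for lo, hi in ranges):
        return True
    lowest = min(lo for lo, _ in ranges)
    return older_affected and v < lowest


def version_from_nvr(nvr):
    """'moodle-2.6.8-1.el6' -> '2.6.8'.  Name-version-release splits from the right,
    since package names may themselves contain dashes."""
    _name, version, _release = nvr.rsplit("-", 2)
    return version


if __name__ == "__main__":
    # Constructed inputs: the previous EPEL build and the one pushed in this report.
    for nvr in ("moodle-2.6.6-1.el6", "moodle-2.6.8-1.el6"):
        ver = version_from_nvr(nvr)
        print(nvr, "affected by the shared ranges:", is_affected(ver, AFFECTED_MOST),
              "| by MSA-15-0006:", is_affected(ver, AFFECTED_MSA_15_0006))
```

The build pushed here, 2.6.8, is one past the 2.6.7 fix level, so it falls outside every range; a site still on 2.6.6, or on any 2.5.x or older release, is inside them for all eight advisories except MSA-15-0006.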
================================================================================
 perl-Crypt-PasswdMD5-1.3-0.6.el6 (FEDORA-EPEL-2015-0646)
 Provides interoperable MD5-based crypt() functions
--------------------------------------------------------------------------------
Update Information:

This is a clone of the RHEL-6 perl-Crypt-PasswdMD5 package (with a 0-prefixed release tag to ensure that EL-6 users will get the official EL-6 package rather than the EPEL-6 one). It is provided for the benefit of ppc64 users, as EL-6 does not include perl-Crypt-PasswdMD5 on that architecture.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #783740 - perl-Crypt-PasswdMD5 not available in RHEL 6 PPC64
        https://bugzilla.redhat.com/show_bug.cgi?id=783740
--------------------------------------------------------------------------------
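The "0-prefixed release tag" in the perl-Crypt-PasswdMD5 note above works because yum and rpm install whichever candidate has the highest Epoch:Version-Release, and rpm compares those strings segment by segment: numeric runs compare as integers, so the EPEL release "0.6.el6" loses to a RHEL release starting with "1" on the very first segment, no matter what follows. The Python below is an added example (not rpm's code and not part of this update) that reimplements the core of rpm's rpmvercmp and the EVR ordering in simplified form: it handles digit and letter segments and the "~" pre-release marker, but not the "^" operator that newer rpm releases added. Function names are mine; the EPEL version strings come from this report, and the RHEL-side release "1.el6" is an assumption used only to show the ordering.

```python
import re

_TOKEN = re.compile(r"~|\d+|[A-Za-z]+")   # every other character is a separator


def rpmvercmp(a, b):
    """Compare two version (or release) strings the way rpm does, simplified.
    Returns -1, 0 or 1.  Segments are walked left to right: two numeric segments
    compare as integers (10 > 9, 01 == 1); a numeric segment beats an alphabetic
    one; two alphabetic segments compare as strings; '~' sorts before anything,
    including the end of the string, so 1.0~rc1 < 1.0; when all shared segments
    are equal the string with segments left over is the newer one."""
    if a == b:
        return 0
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for i in range(max(len(ta), len(tb))):
        x = ta[i] if i < len(ta) else None
        y = tb[i] if i < len(tb) else None
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue                       # tilde on both sides: keep walking
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit():
            c = 1
        elif y.isdigit():
            c = -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0


def parse_evr(evr):
    """'1:1.3-0.6.el6' -> ('1', '1.3', '0.6.el6'); a missing epoch counts as 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return epoch, version, release


def evrcmp(a, b):
    """Order two Epoch:Version-Release strings: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def split_nvr(nvr):
    """'perl-Crypt-PasswdMD5-1.3-0.6.el6' -> ('perl-Crypt-PasswdMD5', '1.3-0.6.el6')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version + "-" + release


if __name__ == "__main__":
    epel_evr = split_nvr("perl-Crypt-PasswdMD5-1.3-0.6.el6")[1]
    rhel_evr = "1.3-1.el6"                 # assumed RHEL-style release, for illustration only
    print("EPEL", epel_evr, "vs RHEL", rhel_evr, "->", evrcmp(epel_evr, rhel_evr))
```

With the same version on both sides, the comparison is decided entirely by the release, and "0.6.el6" sorts below "1.el6"; a RHEL 6 host that also has EPEL enabled therefore keeps or installs the official package, which is exactly what the maintainer is relying on. The same ordering is what makes the puppetlabs-stdlib rebuild "-2.20150121git7a91f20" in this report supersede its "-1.20150121git7a91f20" predecessor.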
================================================================================
 perl-Gtk2-1.2495-1.el6 (FEDORA-EPEL-2015-0644)
 Perl interface to the 2.x series of the Gimp Toolkit library
--------------------------------------------------------------------------------
Update Information:

Update to 1.2495 to resolve an incorrect memory management issue in Gtk2::Gdk::Display::list_devices, which can potentially lead to arbitrary code execution.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Feb  4 2015 Tom Callaway <spot@fedoraproject.org> - 1.2495-1
- update to 1.2495
* Mon Jan  5 2015 Tom Callaway <spot@fedoraproject.org> - 1.2494-1
- update to 1.2494
* Wed Dec 10 2014 Tom Callaway <spot@fedoraproject.org> - 1.2493-1
- update to 1.2493
* Mon Sep  1 2014 Jitka Plesnikova <jplesnik@redhat.com> - 1.2492-3
- Perl 5.20 rebuild
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2492-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Tue Jul  8 2014 Tom Callaway <spot@fedoraproject.org> - 1.2492-1
- update to 1.2492
* Tue Jun 24 2014 Tom Callaway <spot@fedoraproject.org> - 1.2491-1
- update to 1.2491
* Sat Jun  7 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.249-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Thu Dec 12 2013 Tom Callaway <spot@fedoraproject.org> - 1.249-1
- update to 1.249
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1188219 - perl-Gtk2: incorrect memory management in Gtk2::Gdk::Display::list_devices
        https://bugzilla.redhat.com/show_bug.cgi?id=1188219
--------------------------------------------------------------------------------
================================================================================
 perl-MCE-1.600-1.el6 (FEDORA-EPEL-2015-0636)
 Many-core Engine for Perl providing parallel processing capabilities
--------------------------------------------------------------------------------
Update Information:

A new enhancement and bugfix release of MCE is available. See http://cpansearch.perl.org/src/MARIOROY/MCE-1.600/CHANGES for the summary of changes in this release.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Feb  4 2015 Petr Šabata <contyk@redhat.com> - 1.600-1
- 1.600 bump
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1188820 - perl-MCE-1.600 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1188820
--------------------------------------------------------------------------------
================================================================================
 puppetlabs-stdlib-4.5.1-2.20150121git7a91f20.el6 (FEDORA-EPEL-2015-0631)
 Puppet Labs Standard Library
--------------------------------------------------------------------------------
Update Information:

Install metadata.json for Puppet to pick the stdlib release when "puppet module list" is called.
Security fix for CVE-2015-1029.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Feb  4 2015 Andrea Veri <averi@fedoraproject.org> - 4.5.1-2.20150121git7a91f20
- Make sure metadata.json gets installed correctly for Puppet to actually recognize the module release version. Thanks Simon Lukasik for the patch.
* Wed Jan 21 2015 Andrea Veri <averi@fedoraproject.org> - 4.5.1-1.20150121git7a91f20
- New upstream release. (Fixes CVE-2015-1029, Red Hat's BZ #1182578)
* Sat Jun  7 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.2.1-2.20140510git08b00d9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1182578 - CVE-2015-1029 puppetlabs-stdlib: local information leakage and local privilege escalation vulnerability
        https://bugzilla.redhat.com/show_bug.cgi?id=1182578
--------------------------------------------------------------------------------
================================================================================
 python-networkx-1.8.1-12.el6 (FEDORA-EPEL-2015-0634)
 Creates and Manipulates Graphs and Networks
--------------------------------------------------------------------------------
Update Information:

- First version without python-networkx-geo or python-networkx-drawing support
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1189066 - python-networkx EL-6 branch missing
        https://bugzilla.redhat.com/show_bug.cgi?id=1189066
--------------------------------------------------------------------------------
================================================================================
 roundcubemail-1.0.5-1.el6 (FEDORA-EPEL-2015-0630)
 Round Cube Webmail is a browser-based multilingual IMAP client
--------------------------------------------------------------------------------
Update Information:

A cross-site scripting vulnerability has been fixed in Roundcube version 1.0.5.

http://roundcube.net/news/2015/01/24/security-update-1.0.5/
http://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5
http://trac.roundcube.net/ticket/1490227

CVE request: http://www.openwall.com/lists/oss-security/2015/01/31/3
--------------------------------------------------------------------------------
ChangeLog:

* Thu Feb  5 2015 Jon Ciesla <limburgher@gmail.com> - 1.0.5-1
- Fix for security issues.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1188203 - CVE-2015-1433 roundcubemail: cross-site scripting in style attribute handling [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1188203
  [ 2 ] Bug #1188202 - CVE-2015-1433 roundcubemail: cross-site scripting in style attribute handling [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1188202
--------------------------------------------------------------------------------
================================================================================
 s3cmd-1.5.1.2-4.el6 (FEDORA-EPEL-2015-0645)
 Tool for accessing Amazon Simple Storage Service
--------------------------------------------------------------------------------
Update Information:

upstream 1.5.1.2, mostly bug fixes
upstream 1.5.0 final
upstream 1.5.0-rc1
upstream 1.5.0-beta1 plus even newer upstream fixes
upstream 1.5.0-beta1 plus newer upstream fixes
--------------------------------------------------------------------------------
ChangeLog:

* Wed Feb  4 2015 Matt Domsch <mdomsch@fedoraproject.org> - 1.5.1.2-4
- upstream 1.5.1.2, mostly bug fixes
- remove ez_setup, add dependency on python-setuptools
* Mon Jan 12 2015 Matt Domsch <mdomsch@fedoraproject.org> - 1.5.0-1
- upstream 1.5.0 final
* Tue Jul  1 2014 Matt Domsch <mdomsch@fedoraproject.org> - 1.5.0-0.7.rc1
- put back dropped dist tag
* Tue Jul  1 2014 Matt Domsch <mdomsch@fedoraproject.org> - 1.5.0-0.6.rc1
- upstream 1.5.0-rc1
* Sun Jun  8 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.5.0-0.5.gitb196faa5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Sun Mar 23 2014 Matt Domsch <mdomsch@fedoraproject.org> - 1.5.0-0.4.git
- upstream 1.5.0-beta1 plus even newer upstream fixes
* Sun Feb  2 2014 Matt Domsch <mdomsch@fedoraproject.org> - 1.5.0-0.3.git
- upstream 1.5.0-beta1 plus newer upstream fixes
* Wed May 29 2013 Matt Domsch <mdomsch@fedoraproject.org> - 1.5.0-0.2.gita122d97
- more upstream bugfixes
- drop pyxattr dep, that codepath got dropped in this release
* Mon May 20 2013 Matt Domsch <mdomsch@fedoraproject.org> - 1.5.0-0.1.gitb1ae0fbe
- upstream 1.5.0-alpha3 plus fixes
- add dep on pyxattr for the --xattr option
* Tue Jun 19 2012 Matt Domsch <mdomsch@fedoraproject.org> - 1.1.0-0.4.git11e5755e
- add local MD5 cache
* Mon Jun 18 2012 Matt Domsch <mdomsch@fedoraproject.org> - 1.1.0-0.3.git7de0789d
- parallelize local->remote syncs
* Mon Jun 18 2012 Matt Domsch <mdomsch@fedoraproject.org> - 1.1.0-0.2.gitf881b162
- add hardlink / duplicate file detection support
* Fri Mar  9 2012 Matt Domsch <mdomsch@fedoraproject.org> - 1.1.0-0.1.git2dfe4a65
- build from git for mdomsch patches to s3cmd sync
--------------------------------------------------------------------------------
epel-devel@lists.fedoraproject.org