Fedora EPEL 7 updates-testing report - epel-devel - Fedora mailing-lists

17 Jul 2020


      The following Fedora EPEL 7 Security updates need testing:
 Age  URL
 703  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-3c9292b62d   condor-8.6.11-1.el7
 442  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-bc0182548b   bubblewrap-0.3.3-2.el7
 152  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-fa8a2e97c6   python-waitress-1.4.3-1.el7
  92  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-19d171a465   python34-3.4.10-5.el7
  12  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-28cc1451e0   python-gnupg-0.4.6-2.el7
  11  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-0f25da8099   python-rsa-3.4.2-1.el7
   8  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-8dd45257ad   seamonkey-2.53.3-1.el7
   3  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-2f9c63b80c   php-horde-kronolith-4.2.29-1.el7
   2  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-dab5d98f39   cacti-1.2.13-1.el7 cacti-spine-1.2.13-1.el7
   2  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-07adc005e6   mbedtls-2.7.16-1.el7
   2  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-30513f3084   singularity-3.6.0-1.el7
The following builds have been pushed to Fedora EPEL 7 updates-testing
clamav-0.102.4-1.el7
    hostapd-2.9-3.el7
    matio-1.5.17-3.el7
    python-idstools-0.6.3-14.el7
    rust-1.45.0-1.el7
Details about builds:
================================================================================
 clamav-0.102.4-1.el7 (FEDORA-EPEL-2020-3d8bba637d)
 End-user tools for the Clam Antivirus scanner
--------------------------------------------------------------------------------
Update Information:
ClamAV 0.102.4 is a bug patch release to address the following issues:
CVE-2020-3350 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3350
Fixed a vulnerability a malicious user could exploit to replace a scan target's
directory with a symlink to another path to trick clamscan, clamdscan, or
clamonacc into removing or moving a different file (such as a critical system
file). The issue would affect users that use the --move or --remove options for
clamscan, clamdscan and clamonacc.  For more information about AV quarantine
attacks using links, see RACK911 Lab's report
https://www.rack911labs.com/research/exploiting-almost-every-antivirus-
software.  CVE-2020-3327 https://cve.mitre.org/cgi-
bin/cvename.cgi?name=CVE-2020-3327 Fixed a vulnerability in the ARJ archive-
parsing module in ClamAV 0.102.3 that could cause a denial-of-service (DoS)
condition. Improper bounds checking resulted in an out-of-bounds read that could
cause a crash. The previous fix for this CVE in version 0.102.3 was incomplete.
This fix correctly resolves the issue.  CVE-2020-3481
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3481 Fixed a
vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 that could
cause a denial-of-service (DoS) condition. Improper error handling could cause a
crash due to a NULL pointer dereference. This vulnerability is mitigated for
those using the official ClamAV signature databases because the file type
signatures in daily.cvd will not enable the EGG archive parser in affected
versions.
--------------------------------------------------------------------------------
ChangeLog:
* Fri Jul 17 2020 Orion Poplawski orion@nwra.com - 0.102.4-1
- Update to 0.102.4 (bz#1857867,1858262,1858263,1858265,1858266)
- Security fixes CVE-2020-3327 CVE-2020-3350 CVE-2020-3481
* Thu May 28 2020 Orion Poplawski orion@nwra.com - 0.102.3-2
- Update clamd README file (bz#1798369)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1858261 - CVE-2020-3350 clamav: malicious user exploit to replace scan target's directory with symlink
        https://bugzilla.redhat.com/show_bug.cgi?id=1858261
  [ 2 ] Bug #1858264 - CVE-2020-3481 clamav: improper error handling causing crash due to NULL pointer dereference
        https://bugzilla.redhat.com/show_bug.cgi?id=1858264
--------------------------------------------------------------------------------
================================================================================
 hostapd-2.9-3.el7 (FEDORA-EPEL-2020-192ef0b5e1)
 IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
--------------------------------------------------------------------------------
Update Information:
Fix CVE-2020-12695 (UPnP SUBSCRIBE misbehavior in hostapd WPS AP)
--------------------------------------------------------------------------------
ChangeLog:
* Fri Jul 17 2020 John W. Linville linville@redhat.com - 2.9-3
- Fix CVE-2020-12695 (UPnP SUBSCRIBE misbehavior in hostapd WPS AP)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1846006 - CVE-2020-12695 hostapd: UPnP SUBSCRIBE misbehavior in WPS AP
        https://bugzilla.redhat.com/show_bug.cgi?id=1846006
--------------------------------------------------------------------------------
================================================================================
 matio-1.5.17-3.el7 (FEDORA-EPEL-2020-2c80eb66b5)
 Library for reading/writing Matlab MAT files
--------------------------------------------------------------------------------
Update Information:
Update to 1.5.17 fixing several CVEs (see bugs)
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jun 25 2020 Orion Poplawski orion@cora.nwra.com - 1.5.17-3
- Rebuild for hdf5 1.10.6
* Wed Jan 29 2020 Fedora Release Engineering releng@fedoraproject.org - 1.5.17-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Dec 23 2019 Gwyn Ciesla gwync@protonmail.com - 1.5.17-1
- 1.5.17
* Thu Jul 25 2019 Fedora Release Engineering releng@fedoraproject.org - 1.5.15-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Sat Mar 30 2019 Orion Poplawski orion@nwra.com - 1.5.15-1
- Update to 1.5.15
* Sat Mar 16 2019 Orion Poplawski orion@nwra.com - 1.5.14-1
- Update to 1.5.14
* Fri Feb  1 2019 Fedora Release Engineering releng@fedoraproject.org - 1.5.7-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jul 13 2018 Fedora Release Engineering releng@fedoraproject.org - 1.5.7-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Mon Feb 12 2018 Sandro Mani manisandro@gmail.com - 1.5.7-8
- Rebuild (hdf5)
* Thu Feb  8 2018 Fedora Release Engineering releng@fedoraproject.org - 1.5.7-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Aug  3 2017 Fedora Release Engineering releng@fedoraproject.org - 1.5.7-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering releng@fedoraproject.org - 1.5.7-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Fri Feb 10 2017 Fedora Release Engineering releng@fedoraproject.org - 1.5.7-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Tue Dec  6 2016 Orion Poplawski orion@cora.nwra.com - 1.5.7-3
- Rebuild for hdf5 1.8.18
* Fri Jul  1 2016 Dan Hor��k <dan[at]danny.cz> - 1.5.7-2
- fix build on big endian arches
* Wed Jun 29 2016 Orion Poplawski orion@cora.nwra.com - 1.5.7-1
- Update to 1.5.7
* Thu Feb  4 2016 Fedora Release Engineering releng@fedoraproject.org - 1.5.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1683942 - CVE-2019-9033 matio: stack-based buffer over-read in function ReadNextCell() in mat5.c [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1683942
  [ 2 ] Bug #1683947 - CVE-2019-9034 matio: stack-based buffer over-read for a memcpy in function ReadNextCell() in mat5.c [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1683947
  [ 3 ] Bug #1683986 - CVE-2019-9035 matio: stack-based buffer over-read in function ReadNextStructField() in mat5.c [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1683986
  [ 4 ] Bug #1683990 - CVE-2019-9036 matio: heap-based buffer overflow in function ReadNextFunctionHandle() in mat5.c [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1683990
  [ 5 ] Bug #1683993 - CVE-2019-9037 matio: buffer over-read in function Mat_VarPrint() in mat.c [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1683993
  [ 6 ] Bug #1684002 - CVE-2019-9038 matio: out-of-bounds read with SEGV in function ReadNextCell() in mat5.c [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1684002
  [ 7 ] Bug #1684009 - CVE-2019-9026 matio: heap-based buffer overflow in function InflateVarName() in inflate.c [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1684009
  [ 8 ] Bug #1684014 - matio: CVE-2019-02-9027 matio: heap-based buffer overflow in function ReadNextCell() in mat5.c [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1684014
  [ 9 ] Bug #1684017 - CVE-2019-9028 matio: stack-based buffer over-read in the function InflateDimensions() in inflate.c [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1684017
  [ 10 ] Bug #1684020 - CVE-2019-9029 matio: out-of-bounds read with SEGV in function Mat_VarReadNextInfo5() in mat5.c [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1684020
  [ 11 ] Bug #1684025 - CVE-2019-9030 matio: stack-based buffer over-read in Mat_VarReadNextInfo5() in mat5.c [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1684025
  [ 12 ] Bug #1684041 - CVE-2019-9032 matio: out-of-bounds write in function Mat_VarFree() in mat.c resulting in SEGV [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1684041
  [ 13 ] Bug #1685379 - CVE-2019-9031 matio: null pointer dereference in function Mat_VarFree() in mat.c [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1685379
  [ 14 ] Bug #1728478 - CVE-2019-13107 matio: multiple interger overflow in mat.c, mat4.c, mat5.c, mat73.c and matvar_struct.c [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1728478
--------------------------------------------------------------------------------
================================================================================
 python-idstools-0.6.3-14.el7 (FEDORA-EPEL-2020-670ec19c02)
 Snort and Suricata Rule and Event Utilities
--------------------------------------------------------------------------------
Update Information:
Restore python2 build by reverting changes merged from rawhide
--------------------------------------------------------------------------------
ChangeLog:
* Fri Jul 17 2020 Marcin Dulak Marcin.Dulak@gmail.com - 0.6.3-14
- Restore python2 build by reverting changes merged from rawhide
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1856314 - python2-idstools disappeared from EPEL7
        https://bugzilla.redhat.com/show_bug.cgi?id=1856314
--------------------------------------------------------------------------------
================================================================================
 rust-1.45.0-1.el7 (FEDORA-EPEL-2020-5d276d9c22)
 The Rust Programming Language
--------------------------------------------------------------------------------
Update Information:
Update to Rust 1.45.0:  - Fixing unsoundness in casts - Stabilizing function-
like procedural macros in expressions, patterns, and statements - Library
changes  See the [blog post](https://blog.rust-
lang.org/2020/07/16/Rust-1.45.0.html) and [release
notes](https://github.com/rust-
lang/rust/blob/master/RELEASES.md#version-1450-2020-07-16) for more details.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jul 16 2020 Josh Stone jistone@redhat.com - 1.45.0-1
- Update to 1.45.0.
* Wed Jul  1 2020 Jeff Law law@redhat.com - 1.44.1-2
- Disable LTO
--------------------------------------------------------------------------------