The following Fedora EPEL 7 Security updates need testing:
Age URL
703
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-3c9292b62d
condor-8.6.11-1.el7
442
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-bc0182548b
bubblewrap-0.3.3-2.el7
152
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-fa8a2e97c6
python-waitress-1.4.3-1.el7
92
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-19d171a465
python34-3.4.10-5.el7
12
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-28cc1451e0
python-gnupg-0.4.6-2.el7
11
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-0f25da8099
python-rsa-3.4.2-1.el7
8
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-8dd45257ad
seamonkey-2.53.3-1.el7
3
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-2f9c63b80c
php-horde-kronolith-4.2.29-1.el7
2
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-dab5d98f39
cacti-1.2.13-1.el7 cacti-spine-1.2.13-1.el7
2
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-07adc005e6
mbedtls-2.7.16-1.el7
2
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-30513f3084
singularity-3.6.0-1.el7
The following builds have been pushed to Fedora EPEL 7 updates-testing
clamav-0.102.4-1.el7
hostapd-2.9-3.el7
matio-1.5.17-3.el7
python-idstools-0.6.3-14.el7
rust-1.45.0-1.el7
Details about builds:
================================================================================
clamav-0.102.4-1.el7 (FEDORA-EPEL-2020-3d8bba637d)
End-user tools for the Clam Antivirus scanner
--------------------------------------------------------------------------------
Update Information:
ClamAV 0.102.4 is a bug patch release to address the following issues:
CVE-2020-3350 <
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3350>
Fixed a vulnerability a malicious user could exploit to replace a scan target's
directory with a symlink to another path to trick clamscan, clamdscan, or
clamonacc into removing or moving a different file (such as a critical system
file). The issue would affect users that use the --move or --remove options for
clamscan, clamdscan and clamonacc. For more information about AV quarantine
attacks using links, see RACK911 Lab's report
<
https://www.rack911labs.com/research/exploiting-almost-every-antivirus-
software>. CVE-2020-3327 <
https://cve.mitre.org/cgi-
bin/cvename.cgi?name=CVE-2020-3327> Fixed a vulnerability in the ARJ archive-
parsing module in ClamAV 0.102.3 that could cause a denial-of-service (DoS)
condition. Improper bounds checking resulted in an out-of-bounds read that could
cause a crash. The previous fix for this CVE in version 0.102.3 was incomplete.
This fix correctly resolves the issue. CVE-2020-3481
<
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3481> Fixed a
vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 that could
cause a denial-of-service (DoS) condition. Improper error handling could cause a
crash due to a NULL pointer dereference. This vulnerability is mitigated for
those using the official ClamAV signature databases because the file type
signatures in daily.cvd will not enable the EGG archive parser in affected
versions.
--------------------------------------------------------------------------------
ChangeLog:
* Fri Jul 17 2020 Orion Poplawski <orion(a)nwra.com> - 0.102.4-1
- Update to 0.102.4 (bz#1857867,1858262,1858263,1858265,1858266)
- Security fixes CVE-2020-3327 CVE-2020-3350 CVE-2020-3481
* Thu May 28 2020 Orion Poplawski <orion(a)nwra.com> - 0.102.3-2
- Update clamd README file (bz#1798369)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1858261 - CVE-2020-3350 clamav: malicious user exploit to replace scan
target's directory with symlink
https://bugzilla.redhat.com/show_bug.cgi?id=1858261
[ 2 ] Bug #1858264 - CVE-2020-3481 clamav: improper error handling causing crash due to
NULL pointer dereference
https://bugzilla.redhat.com/show_bug.cgi?id=1858264
--------------------------------------------------------------------------------
================================================================================
hostapd-2.9-3.el7 (FEDORA-EPEL-2020-192ef0b5e1)
IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
--------------------------------------------------------------------------------
Update Information:
Fix CVE-2020-12695 (UPnP SUBSCRIBE misbehavior in hostapd WPS AP)
--------------------------------------------------------------------------------
ChangeLog:
* Fri Jul 17 2020 John W. Linville <linville(a)redhat.com> - 2.9-3
- Fix CVE-2020-12695 (UPnP SUBSCRIBE misbehavior in hostapd WPS AP)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1846006 - CVE-2020-12695 hostapd: UPnP SUBSCRIBE misbehavior in WPS AP
https://bugzilla.redhat.com/show_bug.cgi?id=1846006
--------------------------------------------------------------------------------
================================================================================
matio-1.5.17-3.el7 (FEDORA-EPEL-2020-2c80eb66b5)
Library for reading/writing Matlab MAT files
--------------------------------------------------------------------------------
Update Information:
Update to 1.5.17 fixing several CVEs (see bugs)
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jun 25 2020 Orion Poplawski <orion(a)cora.nwra.com> - 1.5.17-3
- Rebuild for hdf5 1.10.6
* Wed Jan 29 2020 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.5.17-2
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Dec 23 2019 Gwyn Ciesla <gwync(a)protonmail.com> - 1.5.17-1
- 1.5.17
* Thu Jul 25 2019 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.5.15-2
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Sat Mar 30 2019 Orion Poplawski <orion(a)nwra.com> - 1.5.15-1
- Update to 1.5.15
* Sat Mar 16 2019 Orion Poplawski <orion(a)nwra.com> - 1.5.14-1
- Update to 1.5.14
* Fri Feb 1 2019 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.5.7-10
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jul 13 2018 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.5.7-9
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Mon Feb 12 2018 Sandro Mani <manisandro(a)gmail.com> - 1.5.7-8
- Rebuild (hdf5)
* Thu Feb 8 2018 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.5.7-7
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Aug 3 2017 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.5.7-6
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.5.7-5
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Fri Feb 10 2017 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.5.7-4
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Tue Dec 6 2016 Orion Poplawski <orion(a)cora.nwra.com> - 1.5.7-3
- Rebuild for hdf5 1.8.18
* Fri Jul 1 2016 Dan Hor��k <dan[at]danny.cz> - 1.5.7-2
- fix build on big endian arches
* Wed Jun 29 2016 Orion Poplawski <orion(a)cora.nwra.com> - 1.5.7-1
- Update to 1.5.7
* Thu Feb 4 2016 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.5.3-2
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1683942 - CVE-2019-9033 matio: stack-based buffer over-read in function
ReadNextCell() in mat5.c [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1683942
[ 2 ] Bug #1683947 - CVE-2019-9034 matio: stack-based buffer over-read for a memcpy in
function ReadNextCell() in mat5.c [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1683947
[ 3 ] Bug #1683986 - CVE-2019-9035 matio: stack-based buffer over-read in function
ReadNextStructField() in mat5.c [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1683986
[ 4 ] Bug #1683990 - CVE-2019-9036 matio: heap-based buffer overflow in function
ReadNextFunctionHandle() in mat5.c [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1683990
[ 5 ] Bug #1683993 - CVE-2019-9037 matio: buffer over-read in function Mat_VarPrint() in
mat.c [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1683993
[ 6 ] Bug #1684002 - CVE-2019-9038 matio: out-of-bounds read with SEGV in function
ReadNextCell() in mat5.c [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1684002
[ 7 ] Bug #1684009 - CVE-2019-9026 matio: heap-based buffer overflow in function
InflateVarName() in inflate.c [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1684009
[ 8 ] Bug #1684014 - matio: CVE-2019-02-9027 matio: heap-based buffer overflow in
function ReadNextCell() in mat5.c [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1684014
[ 9 ] Bug #1684017 - CVE-2019-9028 matio: stack-based buffer over-read in the function
InflateDimensions() in inflate.c [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1684017
[ 10 ] Bug #1684020 - CVE-2019-9029 matio: out-of-bounds read with SEGV in function
Mat_VarReadNextInfo5() in mat5.c [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1684020
[ 11 ] Bug #1684025 - CVE-2019-9030 matio: stack-based buffer over-read in
Mat_VarReadNextInfo5() in mat5.c [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1684025
[ 12 ] Bug #1684041 - CVE-2019-9032 matio: out-of-bounds write in function Mat_VarFree()
in mat.c resulting in SEGV [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1684041
[ 13 ] Bug #1685379 - CVE-2019-9031 matio: null pointer dereference in function
Mat_VarFree() in mat.c [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1685379
[ 14 ] Bug #1728478 - CVE-2019-13107 matio: multiple interger overflow in mat.c, mat4.c,
mat5.c, mat73.c and matvar_struct.c [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1728478
--------------------------------------------------------------------------------
================================================================================
python-idstools-0.6.3-14.el7 (FEDORA-EPEL-2020-670ec19c02)
Snort and Suricata Rule and Event Utilities
--------------------------------------------------------------------------------
Update Information:
Restore python2 build by reverting changes merged from rawhide
--------------------------------------------------------------------------------
ChangeLog:
* Fri Jul 17 2020 Marcin Dulak <Marcin.Dulak(a)gmail.com> - 0.6.3-14
- Restore python2 build by reverting changes merged from rawhide
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1856314 - python2-idstools disappeared from EPEL7
https://bugzilla.redhat.com/show_bug.cgi?id=1856314
--------------------------------------------------------------------------------
================================================================================
rust-1.45.0-1.el7 (FEDORA-EPEL-2020-5d276d9c22)
The Rust Programming Language
--------------------------------------------------------------------------------
Update Information:
Update to Rust 1.45.0: - Fixing unsoundness in casts - Stabilizing function-
like procedural macros in expressions, patterns, and statements - Library
changes See the [blog post](https://blog.rust-
lang.org/2020/07/16/Rust-1.45.0.html) and [release
notes](https://github.com/rust-
lang/rust/blob/master/RELEASES.md#version-1450-2020-07-16) for more details.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jul 16 2020 Josh Stone <jistone(a)redhat.com> - 1.45.0-1
- Update to 1.45.0.
* Wed Jul 1 2020 Jeff Law <law(a)redhat.com> - 1.44.1-2
- Disable LTO
--------------------------------------------------------------------------------