The following Fedora EPEL 7 Security updates need testing:
Age  URL
 11  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-044df87bd4   rust-1.51.0-3.el7
  7  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-3c8a5a400b   p7zip-16.02-20.el7
  6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-a46e72f139   radare2-5.2.1-1.el7
  6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-3370d4396b   ansible-2.9.20-1.el7
  5  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-255f12d77d   zarafa-7.1.14-5.el7
  4  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-b6ffea264a   perl-Image-ExifTool-12.16-3.el7
  3  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-9cfa4ffd25   java-latest-openjdk-16.0.1.0.9-1.rolling.el7
  3  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-9cf47c841c   python-yara-4.1.0-1.el7 yara-4.1.0-1.el7
The following builds have been pushed to Fedora EPEL 7 updates-testing
libopenmpt-0.5.8-1.el7
rpminspect-data-fedora-1.5-1.el7
sympa-6.2.62-1.el7
xrdp-0.9.16-1.el7
Details about builds:
================================================================================
libopenmpt-0.5.8-1.el7 (FEDORA-EPEL-2021-23a46d718e)
C/C++ library to decode tracker music module (MOD) files
--------------------------------------------------------------------------------
Update Information:
libopenmpt 0.5.8 (2021-04-11)
=============================

* [Sec] Possible null-pointer dereference read caused by a sequence of
  `openmpt::module::read`, `openmpt::module::set_position_order_row` pointing
  to an invalid pattern, and another `openmpt::module::read` call. To trigger
  the crash, pattern 0 must not exist in the file and the tick speed before
  the position jump must be lower than the initial speed of the module.
  (r14530)
* [Bug] `libopenmpt.pc` did not list required system libraries `ole32.lib`
  and `rpcrt4.lib` on Windows in `Libs.Private` field for static builds.
* [Bug] libopenmpt 0.5.7 broke seeking in some subsongs.
* The built-in LFO plugin did not load the correct initial LFO frequency.
* IT command S7x (instrument control) is now supported when seeking with
  sample sync enabled.
* libopenmpt_ext `play_note` was cutting off channels even when there were
  plenty of free channels to use.
* mpg123: Update to v1.26.5 (2021-03-22).
--------------------------------------------------------------------------------
ChangeLog:
* Fri Apr 30 2021 Michael Schwendt <mschwendt(a)fedoraproject.org> - 0.5.8-1
- update to 0.5.8 (security release for the 0.5 series)
--------------------------------------------------------------------------------
================================================================================
rpminspect-data-fedora-1.5-1.el7 (FEDORA-EPEL-2021-c60773d95c)
Build deviation compliance tool data files
--------------------------------------------------------------------------------
Update Information:
Upgrade to rpminspect-1.5
--------------------------------------------------------------------------------
ChangeLog:
* Fri Apr 30 2021 David Cantrell <dcantrell(a)redhat.com> - 1.5-1
- Add a 'rawhide' profile to disable a lot of inspections
- Add missing ID value to the npsl license entry
- /usr/lib/dracut and /usr/lib/udev are valid paths
- Update fedora.yaml with all current configuration file changes
- Explain size_threshold can be 'info'
* Wed Feb 24 2021 David Cantrell <dcantrell(a)redhat.com> - 1.4-1
- Increment the development tree version to 1.4.
- Document the release process and add another helper target to the
  Makefile
- 'make koji' skips branches that lack Koji build targets
- Set VENDORBLD to the vendor build too in submit-koji-builds.sh
- Add NPSL
- Update fedora.yaml for the new 'badfuncs' inspection.
- The badfuncs inspection is in rpminspect >= 1.3, update spec file
- Add MIT-0 license
- Add runpath section to fedora.yaml
--------------------------------------------------------------------------------
================================================================================
sympa-6.2.62-1.el7 (FEDORA-EPEL-2021-3f4ec3ba2a)
Powerful multilingual List Manager
--------------------------------------------------------------------------------
Update Information:
- Update to 6.2.62. See upstream release notes:
  https://github.com/sympa-community/sympa/blob/6.2.62/NEWS.md
- Fixes CVE-2020-26880.
--------------------------------------------------------------------------------
ChangeLog:
* Tue Apr 27 2021 Xavier Bachelot <xavier(a)bachelot.org> 6.2.62-1
- Update to 6.2.62
- Fixes CVE-2020-26880 (RHBZ#1886232 - RHBZ#1886233)
- Unbundle jquery-ui
- Unbundle jquery on EL8
* Tue Mar 2 2021 Zbigniew Jędrzejewski-Szmek <zbyszek(a)in.waw.pl> - 6.2.60-2.1
- Rebuilt for updated systemd-rpm-macros
  See https://pagure.io/fesco/issue/2583.
* Wed Feb 17 2021 Xavier Bachelot <xavier(a)bachelot.org> 6.2.60-2
- Prepare for jquery-ui retirement in F34
- Remove conditionals for F31
* Wed Jan 27 2021 Fedora Release Engineering <releng(a)fedoraproject.org> - 6.2.60-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1886232 - CVE-2020-26880 sympa: local privilege escalation by modifying sympa.conf configuration file [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1886232
[ 2 ] Bug #1886233 - CVE-2020-26880 sympa: local privilege escalation by modifying sympa.conf configuration file [epel-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1886233
--------------------------------------------------------------------------------
================================================================================
xrdp-0.9.16-1.el7 (FEDORA-EPEL-2021-bded019a13)
Open source remote desktop protocol (RDP) server
--------------------------------------------------------------------------------
Update Information:
Release notes for xrdp v0.9.15 (2020/12/28)

New features
- Allow token sign in without autologon for SSO (#1667 #1668)
- Norwegian keyboard support (#1675)
- Improved config support for chansrv (#1635)
- Unified chansrv, sesman and libxrdp logging (#1633 #1708 #1738) - thanks to
  @aquesnel
- Support SUSE move to /usr/etc (#1702)
- Parameters may now be specified for user-specified shell (#1270 #1695)
- xrdp executables now allow alternative config files to be specified with -c
  (#1588 #1650 #1651)
- sesrun improvements (#1741)
- Drive redirection location can now be specified (#1048)
- Now compiles on RISC-V (#1761)

Bug fixes
- Additional buffer overflow checks (#1662)
- FUSE support now builds on 32-bit platforms (#1682)
- genkeymap array size conflict fixed (#1691)
- Buffering issue with neutrinordp over a slow link fixed (#1608 1634)
- Various documentation fixes (#1704 #1741 #1755 #1759)
- Prevent PAM info message from causing authentication failure (#1727)
- Cosmetic fixes for minor issues (#1751 #1755 #1749)
- Try harder to clean up socket files on session exit (#1740 #1756)
- xrdp-chansrv become defunct in docker while file copy (#1658)

Internal changes
- Compilation warnings with newer compilers (#1659 #1680)
- Continuous Integration checks on 32-bit platforms now include FUSE support
  (#1682)
- Continuous Integration builds now default to the Ubuntu Focal platform
  (#1666)
- FUSE type tidy-ups (#1686)
- Switch from Travis CI to GitHub Actions (#1728 #1732)
- Easier to set up console logging for utilities (#1711)
--------------------------------------------------------------------------------
ChangeLog:
* Sat May 1 2021 Bojan Smojver <bojan(a)rexurive.com> - 1:0.9.16-1
- Bump up to 0.9.16
* Thu Jan 28 2021 Fedora Release Engineering <releng(a)fedoraproject.org> - 1:0.9.15-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
--------------------------------------------------------------------------------