The following Fedora EPEL 7 Security updates need testing:
Age URL
757
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-1087
dokuwiki-0-0.24.20140929c.el7
520
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-dac7ed832f
mcollective-2.8.4-1.el7
222
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-e8f4ff76b3
chicken-4.11.0-3.el7
102
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-04bc9dd81d
libbsd-0.8.3-1.el7
18
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-05ac8b1dc4
php-onelogin-php-saml-2.10.5-1.el7
12
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-3d518cd4b9
libgit2-0.24.6-1.el7
12
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5794ee2486
moodle-3.1.5-1.el7
11
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-7e4f45cad3
tcpreplay-4.2.1-1.el7
3
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-e9e451db03
chromium-57.0.2987.133-1.el7
0
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-99c7c2f382
xorgxrdp-0.2.1-1.el7 xrdp-0.9.2-3.el7
0
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-1ae79d206b
ReviewBoard-2.5.10-1.el7
0
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-d9e3bfe77d
php-horde-Horde-Crypt-2.7.6-1.el7
0
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-7889b3b509
libupnp-1.6.21-1.el7
0
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-d241156dfe
mod_cluster-1.3.3-10.el7
The following builds have been pushed to Fedora EPEL 7 updates-testing
ReviewBoard-2.5.10-1.el7
apache-commons-fileupload-1.3.2-3.1.el7
colm-0.13.0.4-2.el7
geronimo-interceptor-1.0.1-16.el7
hibernate-commons-annotations-5.0.1-3.el7
hibernate-jpa-2.0-api-1.0.1-20.el7
hibernate-jpa-2.1-api-1.0.0-3.el7
jboss-logging-tools-2.0.1-5.el7
libglvnd-0.2.999-14.20170308git8e6e102.el7
libupnp-1.6.21-1.el7
maven-processor-plugin-2.2.4-8.el7
mod_cluster-1.3.3-10.el7
nodejs-6.10.1-2.el7
php-composer-spdx-licenses-1.1.6-1.el7
php-horde-Horde-Crypt-2.7.6-1.el7
python-xml2rfc-2.5.2-1.el7
xorgxrdp-0.2.1-1.el7
xrdp-0.9.2-3.el7
Details about builds:
================================================================================
ReviewBoard-2.5.10-1.el7 (FEDORA-EPEL-2017-1ae79d206b)
Web-based code review tool
--------------------------------------------------------------------------------
Update Information:
*
https://www.reviewboard.org/docs/releasenotes/reviewboard/2.5.10/ * Addresses
an XSS vulnerability
--------------------------------------------------------------------------------
================================================================================
apache-commons-fileupload-1.3.2-3.1.el7 (FEDORA-EPEL-2017-a73d7e35e2)
API to work with HTML file upload
--------------------------------------------------------------------------------
Update Information:
This update brings back obsoletes for jakarta-commons-fileupload.
--------------------------------------------------------------------------------
================================================================================
colm-0.13.0.4-2.el7 (FEDORA-EPEL-2017-d17ec283a8)
Programming language designed for the analysis of computer languages
--------------------------------------------------------------------------------
Update Information:
Rebuilt for
https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
--------------------------------------------------------------------------------
================================================================================
geronimo-interceptor-1.0.1-16.el7 (FEDORA-EPEL-2017-7e8558deda)
Java EE: Interceptor API v3.0
--------------------------------------------------------------------------------
Update Information:
Rebuilt for
https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
--------------------------------------------------------------------------------
================================================================================
hibernate-commons-annotations-5.0.1-3.el7 (FEDORA-EPEL-2017-5a8f735a2e)
Hibernate Annotations
--------------------------------------------------------------------------------
Update Information:
Disable doclint
--------------------------------------------------------------------------------
================================================================================
hibernate-jpa-2.0-api-1.0.1-20.el7 (FEDORA-EPEL-2017-26479d119f)
Java Persistence 2.0 (JSR 317) API
--------------------------------------------------------------------------------
Update Information:
Disable doclint
--------------------------------------------------------------------------------
================================================================================
hibernate-jpa-2.1-api-1.0.0-3.el7 (FEDORA-EPEL-2017-76f9e631a1)
Java Persistence 2.1 (JSR 338) API
--------------------------------------------------------------------------------
Update Information:
Disable doclint
--------------------------------------------------------------------------------
================================================================================
jboss-logging-tools-2.0.1-5.el7 (FEDORA-EPEL-2017-a9cb1f17d0)
JBoss Logging I18n Annotation Processor
--------------------------------------------------------------------------------
Update Information:
Invocation of plugins for target configured to 1.7 and doclint disabling
--------------------------------------------------------------------------------
================================================================================
libglvnd-0.2.999-14.20170308git8e6e102.el7 (FEDORA-EPEL-2017-26a97d4743)
The GL Vendor-Neutral Dispatch library
--------------------------------------------------------------------------------
Update Information:
* Fix conditionals for _without_mesa_glvnd_default * Fix other RHEL-
conditionals, too * Update RPM filters for private libraries (includes GLX,
fixes RHEL 6). * Update to latest snapshot, remove upstreamed patches. * Update
release to packaging guidelines format. * Make sure that for Fedora 24 and RHEL
the libraries are always private.
--------------------------------------------------------------------------------
================================================================================
libupnp-1.6.21-1.el7 (FEDORA-EPEL-2017-7889b3b509)
Universal Plug and Play (UPnP) SDK
--------------------------------------------------------------------------------
Update Information:
Long standing security bugs fixed through update to version 1.6.21.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1437143 - Plans for EPEL 6
https://bugzilla.redhat.com/show_bug.cgi?id=1437143
[ 2 ] Bug #1388774 - CVE-2016-8863 libupnp: Heap buffer overflow in the create_url_list
function [epel-7]
https://bugzilla.redhat.com/show_bug.cgi?id=1388774
[ 3 ] Bug #1358614 - CVE-2016-6255 libupnp: Unhandled POSTs can write to the filesystem
by default [epel-7]
https://bugzilla.redhat.com/show_bug.cgi?id=1358614
[ 4 ] Bug #1358352 - libupnp: Upload arbitrary file via POST [epel-7]
https://bugzilla.redhat.com/show_bug.cgi?id=1358352
[ 5 ] Bug #1146033 - libupnp: security and critical bug fixes [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1146033
[ 6 ] Bug #905578 - CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961
CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 ibupnp: Multiple stack-based
buffer overflows in unique_service_name() by processing specially-crafted SSDP request
(VU#922681) [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=905578
--------------------------------------------------------------------------------
================================================================================
maven-processor-plugin-2.2.4-8.el7 (FEDORA-EPEL-2017-1fe03ca888)
Maven Processor Plugin
--------------------------------------------------------------------------------
Update Information:
Disable doclint
--------------------------------------------------------------------------------
================================================================================
mod_cluster-1.3.3-10.el7 (FEDORA-EPEL-2017-d241156dfe)
Apache HTTP Server dynamic load balancer with Wildfly and Tomcat libraries
--------------------------------------------------------------------------------
Update Information:
Upgrade to 1.3.3 (current rawhide) and patch to change catalina deps
--------------------------------------------------------------------------------
================================================================================
nodejs-6.10.1-2.el7 (FEDORA-EPEL-2017-9d4f011d75)
JavaScript runtime
--------------------------------------------------------------------------------
Update Information:
Fix a segfault with SSL and the placement of manpages ---- Update to 6.10.1
----
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V6.md#
2017-02-21-version-6100-boron-lts-mylesborins ---- Update to v6.9.5(security)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1436445 - Segfault with ssl with 6.10.1 el7
https://bugzilla.redhat.com/show_bug.cgi?id=1436445
[ 2 ] Bug #1433403 - npm man pages appearing in the nodejs package
https://bugzilla.redhat.com/show_bug.cgi?id=1433403
--------------------------------------------------------------------------------
================================================================================
php-composer-spdx-licenses-1.1.6-1.el7 (FEDORA-EPEL-2017-13087e70ed)
SPDX licenses list and validation library
--------------------------------------------------------------------------------
Update Information:
**Version 1.1.6** - 2017-04-03 * Changed: updated licenses list.
--------------------------------------------------------------------------------
================================================================================
php-horde-Horde-Crypt-2.7.6-1.el7 (FEDORA-EPEL-2017-d9e3bfe77d)
Horde Cryptography API
--------------------------------------------------------------------------------
Update Information:
**Horde_Crypt 2.7.6** * [mjr] SECURITY: Fix remote code execution vulnerability
(**CVE-2017-7413**, and **CVE-2017-7414**).
--------------------------------------------------------------------------------
================================================================================
python-xml2rfc-2.5.2-1.el7 (FEDORA-EPEL-2017-60dfbde5b7)
Convert IETF RFC-2629 XML into txt format
--------------------------------------------------------------------------------
Update Information:
Updated to 2.5.2
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1438375 - xml2rfc: incorrect dependencies
https://bugzilla.redhat.com/show_bug.cgi?id=1438375
--------------------------------------------------------------------------------
================================================================================
xorgxrdp-0.2.1-1.el7 (FEDORA-EPEL-2017-99c7c2f382)
Implementation of xrdp backend as Xorg modules
--------------------------------------------------------------------------------
Update Information:
New upstream version of xorgxrdp and xrdp: New features in xrdp: - RemoteFX
codec support is now enabled by default. - Bitmap updates support is now enabled
by default. - TLS ciphers suites and version is now logged. - Connected computer
name is now logged. - Switched to Xorg (xorgxrdp) as the default backend now. -
Miscellaneous RemoteFX codec mode improvements. - Socket directory is
configurable at the compile time. Bugfixes in xrdp: - Parallels client for
MacOS / iOS can now connect (audio redirection must be disabled on client or
xrdp server though). - MS RDP client for iOS can now connect using TLS security
layer. - MS RDP client for Android can now connect to xrdp. - Large resolutions
(4K) can be used with RemoteFX graphics. - Multiple RemoteApps can be opened
throguh NeutrinoRDP proxy. - tls_ciphers in xrdp.ini is not limited to 63 chars
anymore, it's variable-length. - Fixed an issue where tls_ciphers were ignored
and rdp security layer could be used instead. - Kill disconnected sessions
feature is working with Xorg (xorgxrdp) backend. - Miscellaneous code cleanup
and memory issues fixes. Rebuild of xrdp requiring both xorgxrdp and tigervnc-
minimal. VNC is still the default.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1433958 - CVE-2017-6967 xrdp: Incorrect placement of auth_start_session()
[epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1433958
--------------------------------------------------------------------------------
================================================================================
xrdp-0.9.2-3.el7 (FEDORA-EPEL-2017-99c7c2f382)
Open source remote desktop protocol (RDP) server
--------------------------------------------------------------------------------
Update Information:
New upstream version of xorgxrdp and xrdp: New features in xrdp: - RemoteFX
codec support is now enabled by default. - Bitmap updates support is now enabled
by default. - TLS ciphers suites and version is now logged. - Connected computer
name is now logged. - Switched to Xorg (xorgxrdp) as the default backend now. -
Miscellaneous RemoteFX codec mode improvements. - Socket directory is
configurable at the compile time. Bugfixes in xrdp: - Parallels client for
MacOS / iOS can now connect (audio redirection must be disabled on client or
xrdp server though). - MS RDP client for iOS can now connect using TLS security
layer. - MS RDP client for Android can now connect to xrdp. - Large resolutions
(4K) can be used with RemoteFX graphics. - Multiple RemoteApps can be opened
throguh NeutrinoRDP proxy. - tls_ciphers in xrdp.ini is not limited to 63 chars
anymore, it's variable-length. - Fixed an issue where tls_ciphers were ignored
and rdp security layer could be used instead. - Kill disconnected sessions
feature is working with Xorg (xorgxrdp) backend. - Miscellaneous code cleanup
and memory issues fixes. Rebuild of xrdp requiring both xorgxrdp and tigervnc-
minimal. VNC is still the default.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1433958 - CVE-2017-6967 xrdp: Incorrect placement of auth_start_session()
[epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1433958
--------------------------------------------------------------------------------