Fedora EPEL 6 updates-testing report - epel-devel - Fedora mailing-lists

13 Jan 2017


      The following Fedora EPEL 6 Security updates need testing:
 Age  URL
 554  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7031   python-virtualenv-12.0.7-1.el6
 548  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7168   rubygem-crack-0.3.2-2.el6
 480  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8156   nagios-4.0.8-1.el6
 438  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-e2b4b5b2fb   mcollective-2.8.4-1.el6
 410  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-35e240edd9   thttpd-2.25b-24.el6
 140  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-8594ed3a53   chicken-4.11.0-3.el6
  20  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-e3e50897ac   libbsd-0.8.3-2.el6
  12  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-62450e4e38   libpng10-1.0.67-1.el6
  10  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-284a1cc356   exim-4.88-1.el6
   5  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-8c6c7bf06e   dbus-sharp-0.7.0-16.el6 dbus-sharp-glib-0.5.0-14.el6 mono-4.2.4-9.el6
   2  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-7d479b3940   php-PHPMailer-5.2.22-1.el6
   2  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-50bd111169   icoutils-0.31.1-1.el6
   2  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-4e597458f1   php-ZendFramework2-2.2.10-3.el6
   1  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-c29445aed4   gnutls30-3.5.8-1.el6
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-418df7d00a   wordpress-4.7.1-1.el6
The following builds have been pushed to Fedora EPEL 6 updates-testing
drupal7-honeypot-1.22-1.el6
    golang-github-go-ini-ini-1.21.1-0.1.git6e4869b.el6
    golang-github-hashicorp-errwrap-0-0.5.git7554cd9.el6
    golang-github-hashicorp-go-multierror-0-0.9.gitd30f099.el6
    golang-github-jtolds-gls-0-0.7.git9a4a02d.el6
    golang-github-smartystreets-assertions-1.6.0-0.3.git287b434.el6
    golang-github-smartystreets-goconvey-1.6.1-0.3.gitbf58a9a.el6
    hitch-1.4.4-2.el6
    pcre2-10.21-12.el6
    perl-PHP-Serialization-0.34-16.el6
    prosody-0.9.12-1.el6
    python-cvss-1.7-1.el6
    wordpress-4.7.1-1.el6
Details about builds:
================================================================================
 drupal7-honeypot-1.22-1.el6 (FEDORA-EPEL-2017-02467410ea)
 Mitigates spam form submissions using the honeypot method
--------------------------------------------------------------------------------
Update Information:
Honeypot uses both the honeypot and timestamp methods of deterring spam bots
from completing forms on your Drupal site (read more here). These methods are
effective against many spam bots, and are not as intrusive as CAPTCHAs or other
methods which punish the user [YouTube].  The module currently supports enabling
for all forms on the site, or particular forms like user registration or
password reset forms, webforms, contact forms, node forms, and comment forms.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1100973 - Review Request: drupal7-honeypot - Honeypot uses both the honeypot and timestamp methods of deterring spam bots
        https://bugzilla.redhat.com/show_bug.cgi?id=1100973
--------------------------------------------------------------------------------
================================================================================
 golang-github-go-ini-ini-1.21.1-0.1.git6e4869b.el6 (FEDORA-EPEL-2017-e3e7e68a5b)
 Package ini provides INI file read and write functionality in Go
--------------------------------------------------------------------------------
Update Information:
Bump to upstream 6e4869b434bd001f6983749881c7ead3545887d8
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1412590 - Tracker for golang-github-go-ini-ini
        https://bugzilla.redhat.com/show_bug.cgi?id=1412590
--------------------------------------------------------------------------------
================================================================================
 golang-github-hashicorp-errwrap-0-0.5.git7554cd9.el6 (FEDORA-EPEL-2017-d3104cf125)
 Errwrap is a Go (golang) library for wrapping and querying errors
--------------------------------------------------------------------------------
Update Information:
Polish the spec file  ----  First package for Fedora
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1412620 - Tracker for golang-github-hashicorp-errwrap
        https://bugzilla.redhat.com/show_bug.cgi?id=1412620
--------------------------------------------------------------------------------
================================================================================
 golang-github-hashicorp-go-multierror-0-0.9.gitd30f099.el6 (FEDORA-EPEL-2017-630f157dc3)
 Package for representing a list of errors as a single error
--------------------------------------------------------------------------------
Update Information:
Polish the spec file  ----  Update spec file to spec-2.0
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1250466 - Tracker for golang-github-hashicorp-go-multierror
        https://bugzilla.redhat.com/show_bug.cgi?id=1250466
--------------------------------------------------------------------------------
================================================================================
 golang-github-jtolds-gls-0-0.7.git9a4a02d.el6 (FEDORA-EPEL-2017-17002f1a08)
 Goroutine local storage
--------------------------------------------------------------------------------
Update Information:
Polish the spec file  ----  Update spec file to spec-2.0
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1250490 - Tracker for golang-github-jtolds-gls
        https://bugzilla.redhat.com/show_bug.cgi?id=1250490
--------------------------------------------------------------------------------
================================================================================
 golang-github-smartystreets-assertions-1.6.0-0.3.git287b434.el6 (FEDORA-EPEL-2017-95e40200ee)
 Fluent assertion-style functions
--------------------------------------------------------------------------------
Update Information:
Polish the spec file
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1250509 - Tracker for golang-github-smartystreets-assertions
        https://bugzilla.redhat.com/show_bug.cgi?id=1250509
--------------------------------------------------------------------------------
================================================================================
 golang-github-smartystreets-goconvey-1.6.1-0.3.gitbf58a9a.el6 (FEDORA-EPEL-2017-874610b6b6)
 Behavioral testing in the browser, integrates with go test
--------------------------------------------------------------------------------
Update Information:
Polish the spec file
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1250511 - Tracker for golang-github-smartystreets-goconvey
        https://bugzilla.redhat.com/show_bug.cgi?id=1250511
--------------------------------------------------------------------------------
================================================================================
 hitch-1.4.4-2.el6 (FEDORA-EPEL-2017-df71990a9f)
 Network proxy that terminates TLS/SSL connections
--------------------------------------------------------------------------------
Update Information:
New upstream release. A bugfix and comptibility release.  From the upstream
changelog:  * OpenSSL 1.1.0 compatibility fixes. OpenSSL 1.1.0 is now fully
supported with Hitch. * Fix a bug in the OCSP refresh code that could make it
loop with immediate refreshes flooding an OCSP responder. * Force the
SSL_OP_SINGLE_DH_USE setting. This protects against an OpenSSL vulnerability
where a remote attacker could discover private DH exponents (CVE-2016-0701).
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1405948 - OSCP stapling not working by default
        https://bugzilla.redhat.com/show_bug.cgi?id=1405948
--------------------------------------------------------------------------------
================================================================================
 pcre2-10.21-12.el6 (FEDORA-EPEL-2017-7f94ea5689)
 Perl-compatible regular expression library
--------------------------------------------------------------------------------
Update Information:
This release fixes compiling a class with Unicode properties and without UTF
mode. It also fixes an ouf-of-bound read in pcre2test tool within POSIX mode.
--------------------------------------------------------------------------------
================================================================================
 perl-PHP-Serialization-0.34-16.el6 (FEDORA-EPEL-2017-4c960a85be)
 Converts between PHP's serialize() output and the equivalent Perl structure
--------------------------------------------------------------------------------
Update Information:
Perl 5.24 rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1412422 - Plans for EPEL 6 & 7
        https://bugzilla.redhat.com/show_bug.cgi?id=1412422
--------------------------------------------------------------------------------
================================================================================
 prosody-0.9.12-1.el6 (FEDORA-EPEL-2017-bcb85bf2f8)
 Flexible communications server for Jabber/XMPP
--------------------------------------------------------------------------------
Update Information:
Prosody 0.9.12 ==============  A summary of changes in this release:    *
Dependencies: Fix certificate verification failures when using LuaSec 0.6 (fixes
#781)   * mod_s2s: Lower log message to 'warn' level, standard for remotely-
triggered protocol issues   * certs/Makefile: Remove -c flag from chmod call (a
GNU extension)   * Networking: Prevent writes after a handler is closed (fixes
#783)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1412102 - prosody-0.9.12 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1412102
--------------------------------------------------------------------------------
================================================================================
 python-cvss-1.7-1.el6 (FEDORA-EPEL-2017-d2c6c8a4e6)
 CVSS2/3 library with interactive calculator
--------------------------------------------------------------------------------
Update Information:
- New release v1.7 - Fixes regression introduced in v1.5. Interactive calculator
failed for CVSS3 as it did not provide mandatory prefix.  ----  - New release
v1.6. - Fix to ensure cvss2 score is never negative.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1402174 - python-cvss-v1.6 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1402174
  [ 2 ] Bug #1412158 - python-cvss-v1.7 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1412158
--------------------------------------------------------------------------------
================================================================================
 wordpress-4.7.1-1.el6 (FEDORA-EPEL-2017-418df7d00a)
 Blog tool and publishing platform
--------------------------------------------------------------------------------
Update Information:
**WordPress 4.7.1** Security and Maintenance Release  This is a security release
for all previous versions and we strongly encourage you to update your sites
immediately.  WordPress versions 4.7 and earlier are affected by eight security
issues:  *    Remote code execution (RCE) in PHPMailer ��� No specific issue
appears to affect WordPress or any of the major plugins we investigated but, out
of an abundance of caution, we updated PHPMailer in this release. This issue was
reported to PHPMailer by Dawid Golunski and Paul Buonopane. *    The REST API
exposed user data for all users who had authored a post of a public post type.
WordPress 4.7.1 limits this to only post types which have specified that they
should be shown within the REST API. Reported by Krogsgard and Chris Jean. *
Cross-site scripting (XSS) via the plugin name or version header on update-
core.php. Reported by Dominik Schilling of the WordPress Security Team. *
Cross-site request forgery (CSRF) bypass via uploading a Flash file. Reported by
Abdullah Hussam. *    Cross-site scripting (XSS) via theme name fallback.
Reported by Mehmet Ince. *    Post via email checks mail.example.com if default
settings aren���t changed. Reported by John Blackbourn of the WordPress Security
Team. *    A cross-site request forgery (CSRF) was discovered in the
accessibility mode of widget editing. Reported by Ronnie Skansing. *    Weak
cryptographic security for multisite activation key. Reported by Jack.  Thank
you to the reporters for practicing responsible disclosure.  In addition to the
security issues above, WordPress 4.7.1 fixes 62 bugs from 4.7. For more
information, see the [release notes](https://codex.wordpress.org/Version_4.7.1)
or consult the [list of
changes](https://core.trac.wordpress.org/query?milestone=4.7.1).
--------------------------------------------------------------------------------