The following Fedora EPEL 7 Security updates need testing: Age URL 4 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-eeac45f79c clamav-0.103.7-1.el7

The following builds have been pushed to Fedora EPEL 7 updates-testing

golang-1.17.12-1.el7 proftpd-1.3.5e-12.el7

Details about builds:

================================================================================ golang-1.17.12-1.el7 (FEDORA-EPEL-2022-ced30d9530) The Go Programming Language -------------------------------------------------------------------------------- Update Information:

Update to 1.17.12, security fixes for CVE-2022-30629, CVE-2022-1705, CVE-2022-32148, CVE-2022-30631, CVE-2022-28131, CVE-2022-30633, CVE-2022-30632, CVE-2022-30635, CVE-2022-30630, CVE-2022-1962 -------------------------------------------------------------------------------- ChangeLog:

* Mon Aug 1 2022 Dave Dykstra dwd@fedoraproject.org - 1.17.12-1 - Update to 1.17.12 by doing the equivalent changes as centos8-stream. -------------------------------------------------------------------------------- References:

[ 1 ] Bug #2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add https://bugzilla.redhat.com/show_bug.cgi?id=2092793 [ 2 ] Bug #2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read https://bugzilla.redhat.com/show_bug.cgi?id=2107342 [ 3 ] Bug #2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob https://bugzilla.redhat.com/show_bug.cgi?id=2107371 [ 4 ] Bug #2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header https://bugzilla.redhat.com/show_bug.cgi?id=2107374 [ 5 ] Bug #2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions https://bugzilla.redhat.com/show_bug.cgi?id=2107376 [ 6 ] Bug #2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working https://bugzilla.redhat.com/show_bug.cgi?id=2107383 [ 7 ] Bug #2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob https://bugzilla.redhat.com/show_bug.cgi?id=2107386 [ 8 ] Bug #2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode https://bugzilla.redhat.com/show_bug.cgi?id=2107388 [ 9 ] Bug #2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip https://bugzilla.redhat.com/show_bug.cgi?id=2107390 [ 10 ] Bug #2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal https://bugzilla.redhat.com/show_bug.cgi?id=2107392 --------------------------------------------------------------------------------

================================================================================ proftpd-1.3.5e-12.el7 (FEDORA-EPEL-2022-2eb0ae90f4) Flexible, stable and highly-configurable FTP server -------------------------------------------------------------------------------- Update Information:

This update contains a fix for mod_vroot that prevents it from hiding some files under some circumstances when DefaultRoot is used. * https://github.com/proftpd/proftpd/issues/1491 * https://github.com/Castaglia/proftpd-mod_vroot/pull/37 * https://bugzilla.redhat.com/show_bug.cgi?id=2104972 -------------------------------------------------------------------------------- ChangeLog:

* Mon Aug 1 2022 Paul Howarth paul@city-fan.org - 1.3.5e-12 - Fix unexpected filtering behaviour with mod_vroot (#2104972, GH#1491) -------------------------------------------------------------------------------- References:

[ 1 ] Bug #2104972 - proftpd hides entries in root directory beginning with a DefaultRoot value https://bugzilla.redhat.com/show_bug.cgi?id=2104972 --------------------------------------------------------------------------------