The following Fedora EPEL 7 Security updates need testing:
 Age  URL
   4  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-0286a0e93a   python-bottle-0.12.21-1.el7
   4  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-a9236c0113   oniguruma-6.8.2-2.el7
The following builds have been pushed to Fedora EPEL 7 updates-testing
dkms-3.0.4-1.el7
dmlite-1.15.2-7.el7
thc-ipv6-3.8-1.el7
unrealircd-6.0.4-1.el7
Details about builds:
================================================================================
dkms-3.0.4-1.el7 (FEDORA-EPEL-2022-46336bb574)
Dynamic Kernel Module Support Framework
--------------------------------------------------------------------------------
Update Information:
Various bugfixes.
--------------------------------------------------------------------------------
ChangeLog:
* Sat Jun 18 2022 Simone Caronni <negativo17(a)gmail.com> - 3.0.4-1
- Update to 3.0.4.
* Thu Jan 20 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 3.0.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
--------------------------------------------------------------------------------
================================================================================
dmlite-1.15.2-7.el7 (FEDORA-EPEL-2022-4130aae0ec)
Lcgdm grid data management and storage framework
--------------------------------------------------------------------------------
Update Information:
- Added new dependency on xrootd-voms
- Fixed BDII ldif generation by new python ldap3 module
- Fixed main dCache config template
--------------------------------------------------------------------------------
ChangeLog:
* Sat Jun 18 2022 Petr Vokac <petr.vokac(a)cern.ch> - 1.15.2-7
- Added new dependency on xrootd-voms
- Fixed BDII ldif generation by new python ldap3 module
- Fixed main dCache config template
* Mon Jun 13 2022 Python Maint <python-maint(a)redhat.com> - 1.15.2-6
- Rebuilt for Python 3.11
--------------------------------------------------------------------------------
================================================================================
thc-ipv6-3.8-1.el7 (FEDORA-EPEL-2022-9cfd030219)
Toolkit for attacking the IPv6 protocol suite
--------------------------------------------------------------------------------
Update Information:
# THC IPv6 attack toolkit v3.8

* Fixed crash in `thcping6` with `-n 0` or larger values
* Fixed minor issues
* Now honors `CC` and `CFLAGS` environment variables and compiles with `clang`
* Fixed various issues
* New code indentation

# THC IPv6 attack toolkit v3.6

* Long interface names are now supported
* Added error check for openssl `BN_` functions
* Added support for global destinations for `dump_dhcp6`
* Added new tool: `connect6`, useful for tcp6 connect pings
* Added `-i` microseconds interval option for `smurf6` and `thcsyn6`
* Added `-w` timeout option to `thcping6`

# THC IPv6 attack toolkit v3.4

* Added new function to thc-ipv6-lib: `thc_send_raguard_bypass6()` bypass attack in one easy function
* Added RA guard bypass attack (`-F` option) to:
  - `fake_router26`
  - `flood_router26`
  - `fake_advertise6`
* Added new tool: `flood_unreach6` (black nurse attack)
* `fake_pim6`:
  - Added bootstrap and assert support
  - Added loop mode
  - Added flood mode
  - Rewrote help output
  - Some fixes
* `fuzz_ip6`: Added PIM hello, bootstrap and assert support
* `alive6`: Fix for IPv6 address display for unreachable dst reason
* `implementation6`: Large fragmentation EH test added
* `covert_send6d`: Fixed receiving multiple packets
* Better automatic source address type selection
* Added patch to support the horrible openssl-1.1 release
* Some minor enhancements and fixes

# THC IPv6 attack toolkit v3.2

* Added `toobigsniff6`: Send ICMPv6 toobig messages for sniffed traffic
* Added `alive2map.sh`: script to create a network map (graphviz->jpg) from a list of alive hosts
* `alive6`: Fixed displaying right source of one packet type
* `dump_router6`: Added `-S` option to specify an IPv6 source address
* `fake_router26`: New `-f` option to specify the sending mac address
* `thcsyn6`: Added `-f` and `-d` options
* `flood_router26`:
  - Added `-m` option to force DHCPv6 managed and other configuration
  - Reduced lifetime for `-s` option to `1s`
* `dnssecwalk`: Added TCP mode (`-t`)
* `dnsrevenum6`: Added TCP mode (`-t`)
* `fake_advertise6`: A second packet always was sent with no flags
* `flood_rs6` and `thcping6`: Small fixes
* Re-enabled raw mode, works now with modern kernels it seems
* Small reliability patches
* Added man page auto generator
* Small change to the `Makefile` to allow installation even if not everything could be compiled (libraries missing)

# THC IPv6 attack toolkit v3.0

* `fragrouter6` (new tool)
  - Evade IDS easily and use all your favorite IPv6 attack tools
* `connsplit6` (new tool)
  - Split up a connection so that replies are sent to a different IPv6 address
* `*.sh`
  - Added a lot of shell helper scripts for zone transfers, creating maps, etc.
  - `6to4test.sh`, `create_network_map.sh`, `extract_hosts6.sh`, `six2four.sh`, `axfr-reverse.sh`, `axfr.sh`, `dnsrevenum6.sh`, `extract_networks6.sh`, `thc-ipv6-setup.sh`, `dnssecwalk.sh`, `trace62list.sh`, `dos_mld6.sh`, `local_discovery6.sh`
* `alive6`:
  - `-r` renew option was accidentally always on by default
  - Added `-I /mask` random source option
  - Restructured the `-h` help output
* `fake_router26`:
  - Option `-X` removes router entry from targets on exit
* `flood_router26`:
  - Fix: the source mac was always null bytes without evasion
* `ndpexhaust26`:
  - Option `-m` generates maximum size packets
* `dump_router6`:
  - Fixed route option parsing
  - Support for new RA options
* `dump_dhcp6`:
  - Added vendorID support for request
* `thcping6`:
  - Added `-O` TCP Fast Open cookie request option
* `fuzz_dhcps6`:
  - Enhancements to the help output
  - Added `-w sec` wait between packets option
  - Added more options to the solicitate request to fuzz
* `thcping6`:
  - Added `-O` TCP Fast Open cookie request option
* `thcsyn6`:
  - Added `-O` TCP Fast Open fake cookie sending option
  - Fixed memory leak
* Renamed `dos_mld.sh` to `dos_mld6.sh` and `local_discovery.sh` to `local_discovery6.sh`

# THC IPv6 attack toolkit v2.6

* All `flood_*` tools:
  - Changed destination so that targets can be remote
* New tool: `fragrouter6` - IDS evasion plus script `fragrouter6.sh`
* New tool: `fuzz_dhcpc6` - DHCPv6 client fuzzer
* Added new script: `alive2map.sh` for magic network map generation
* `alive6`:
  - Setting `-C` twice increases the common address search space significantly
  - Fixed from-to definition implementation
  - Added `-y step` option, to define the step range when performing from-to scans (e.g. `2001:1::0-ff`), default step range is of course 1, max is 256
  - Selects the source IPv6 address for every new target now; waiting, if no fitting IPv6 address is present on the interface until one is
  - If you use `-s` for alive scanning, the new "one packet fingerprinting" functionality is automatically used
  - Error message if a packet cannot be sent for > 50ms, and waiting for 60 seconds
  - Cleaned up help output and add `-hh` more help/options output
* `thcsyn6`:
  - Added `-m dstmac` option (good for DOSing local, esp. hot standby addresses)
  - Added `-d dsthdr` option
  - Documented `-a hbh-ra` option
* `denial6`:
  - Added five more test cases with HBH-RA and AH headers
* `flood_router26`:
  - Added `-a` hopbyhop with router alert option
  - Changed a default so the attacks do not show up in Snort IDS
* `flood_redir6`:
  - Added `-a` hopbyhop with router alert option
* `flood_solicitate6`:
  - Added query address parameter option
  - Added `-a` hopbyhop with router alert option
* `fuzz_ip6`:
  - Fixes for HBH and DST EH fuzzing
* `thcping6`:
  - Added `-x` flood option
  - Added `-e` ethertype option
  - Added `-V` IP version option
  - Added `-L` payload length option
  - Added `-N` next header option
  - Now prints fragID of fragmented replies
* `implementation6`:
  - A few more test cases and fixes
* `dump_dhcp6`:
  - More option decoding, better solicitate packet
  - Added sending information request packet
* `four2six`:
  - Support for source port and ping ID (required for AFTR)
* `trace6`:
  - Support for MTU sizes > 2500 added
* `implementation6`:
  - Fixed to test cases where the wrong fragment nxt header was set
* `inverse_lookup6`:
  - Fixed to display only the IPv6 addresses (and not interpret other data as such)
* thc-ipv6-lib:
  - Global addresses are now preferred over unique local if no destination is set
  - Fixed a bug in IPv4 CRC calculation function
* `cppcheck` and Coverity issues checked and fixed
* Added spelling fixes by Debian maintainers
--------------------------------------------------------------------------------
ChangeLog:
* Sat Jun 18 2022 Robert Scheck <robert(a)fedoraproject.org> - 3.8-1
- Upgrade to 3.8 (#1902857)
- Spec file modernization including support for RHEL/CentOS 7
- Remove perl(Socket6) dependency (thanks to Michal Josef Špaček)
* Sat Jan 22 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 3.4-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Tue Sep 14 2021 Sahana Prasad <sahana(a)redhat.com> - 3.4-10
- Rebuilt with OpenSSL 3.0.0
* Fri Jul 23 2021 Fedora Release Engineering <releng(a)fedoraproject.org> - 3.4-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Wed Jan 27 2021 Fedora Release Engineering <releng(a)fedoraproject.org> - 3.4-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Jul 29 2020 Fedora Release Engineering <releng(a)fedoraproject.org> - 3.4-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Fri Jan 31 2020 Fedora Release Engineering <releng(a)fedoraproject.org> - 3.4-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Sat Jul 27 2019 Fedora Release Engineering <releng(a)fedoraproject.org> - 3.4-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Sun Feb 3 2019 Fedora Release Engineering <releng(a)fedoraproject.org> - 3.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Sat Jul 14 2018 Fedora Release Engineering <releng(a)fedoraproject.org> - 3.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri Feb 9 2018 Fedora Release Engineering <releng(a)fedoraproject.org> - 3.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Mon Jan 8 2018 Athmane Madjoudj <athmane(a)fedoraproject.org> - 3.4-1
- Update to 3.4 (rhbz #1531027)
- Fix build and add SSL support
* Thu Aug 3 2017 Fedora Release Engineering <releng(a)fedoraproject.org> - 3.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng(a)fedoraproject.org> - 3.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Sat Feb 11 2017 Fedora Release Engineering <releng(a)fedoraproject.org> - 3.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Feb 5 2016 Fedora Release Engineering <releng(a)fedoraproject.org> - 3.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Sat Dec 5 2015 Athmane Madjoudj <athmane(a)fedoraproject.org> 3.0-1
- Update to 3.0
- Add new deps
- Do not strip binaries
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng(a)lists.fedoraproject.org> - 2.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Mon Jan 5 2015 Athmane Madjoudj <athmane(a)fedoraproject.org> 2.7-1
- Update to 2.7
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2080682 - Please build latest thc-ipv6 for EPEL 7, 8 and 9
https://bugzilla.redhat.com/show_bug.cgi?id=2080682
--------------------------------------------------------------------------------
================================================================================
unrealircd-6.0.4-1.el7 (FEDORA-EPEL-2022-14c13d561b)
Open Source IRC server
--------------------------------------------------------------------------------
Update Information:
# UnrealIRCd 6.0.4

This release comes with lots of features and enhancements. In particular, security groups and mask items now allow you to write cleaner and more flexible configuration files. There are also JSON logging enhancements and several bug fixes.

## Enhancements

* Show security groups in `WHOIS`
* The [security-group](https://www.unrealircd.org/docs/Security-group_block) block has been expanded and the same functionality is now available in [mask items](https://www.unrealircd.org/docs/Mask_item) too:
  * This means the existing options like `identified`, `webirc`, `tls` and `reputation-score` can be used in `allow::mask` etc.
  * New options (in both security-group and mask) are:
    * `connect-time`: time a user is connected to IRC
    * `security-group`: to check another security group
    * `account`: services account name
    * `country`: country code, as found by GeoIP
    * `realname`: realname (gecos) of the user
    * `certfp`: certificate fingerprint
  * Every option also has an exclude- variant, e.g. `exclude-country`. If a user matches any `exclude-` option then it is considered not a match.
  * The modules [connthrottle](https://www.unrealircd.org/docs/Connthrottle), [restrict-commands](https://www.unrealircd.org/docs/Set_block#set::restrict-commands) and [antirandom](https://www.unrealircd.org/docs/Set_block#set::antirandom) now use the new `except` sub-block which is a mask item. The old syntax (e.g. `set::antirandom::except-webirc`) is still accepted by UnrealIRCd and converted to the appropriate new setting behind the scenes (`set::antirandom::except::webirc`).
  * The modules [blacklist](https://www.unrealircd.org/docs/Blacklist_block) and [antimixedutf8](https://www.unrealircd.org/docs/Set_block#set::antimixedutf8) now also support the `except` block (a mask item).
  * Other than that the extended functionality is available in these blocks: `allow`, `oper`, `tld`, `vhost`, `deny channel`, `allow channel`.
  * Example of direct use in a ::mask item:

    ```
    /* Spanish MOTD for Spanish speaking countries */
    tld {
        mask { country { ES; AR; BO; CL; CO; CR; DO; EC; SV; GT; HN; MX; NI; PA; PY; PE; PR; UY; VE; } }
        motd "motd.es.txt";
        rules "rules.es.txt";
    }
    ```

  * Example of defining a security group and using it in a mask item later:

    ```
    security-group irccloud {
        mask { ip1; ip2; ip3; ip4; }
    }
    allow {
        mask { security-group irccloud; }
        class clients;
        maxperip 128;
    }
    except ban {
        mask { security-group irccloud; }
        type { blacklist; connect-flood; handshake-data-flood; }
    }
    ```

* Because the mask item is so powerful now, the `password` in the [oper block](https://www.unrealircd.org/docs/Oper_block) is optional now.
* We now support `oper::auto-login`, which means the user will become IRCOp automatically if they match the conditions on-connect. This can be used in combination with [certificate fingerprint](https://www.unrealircd.org/docs/Certificate_fingerprint) authentication for example:

  ```
  security-group Syzop { certfp "1234etc."; }
  oper Syzop {
      auto-login yes;
      mask { security-group Syzop; }
      operclass netadmin-with-override;
      class opers;
  }
  except ban {
      mask { security-group Syzop; }
      type all;
  }
  ```

* For [JSON logging](https://www.unrealircd.org/docs/JSON_logging) a number of fields were added when a client is expanded:
  * `geoip`: with subitem `country_code` (e.g. NL)
  * `tls`: with subitems `cipher` and `certfp`
  * Under subitem `users`:
    * `vhost`: if the visible host differs from the realhost then this is set (thus for both vhost and cloaked host)
    * `cloakedhost`: this is always set (except for e.g. services users), even if the user is not cloaked so you can easily search on a cloaked host.
    * `idle_since`: last time the user has spoken (local clients only)
    * `channels`: list of channels (array), with a maximum of 384 chars.
* The JSON logging now also strips ASCII below 32, so color- and control codes.
* Support IRCv3 `+draft/channel-context`
* Add `example.es.conf` (Spanish example configuration file)
* The country of users is now communicated in the [message-tag](https://www.unrealircd.org/docs/Message_tags) `unrealircd.org/geoip` (only to IRCOps).
* Add support for linking servers via UNIX domain sockets (`link::outgoing::file`).

## Fixes

* Crash in `except ban` with `~security-group:xyz`
* Crash if hideserver module was loaded but `LINKS` was not blocked.
* Infinite loop if one security-group referred to another.
* Duplicate entries in the `+beI` lists of `+P` channels.
* Regular users were able to `-o` a service bot (that has umode `+S`)
* Module manager did not stop on compile error
* [`set::modes-on-join`](https://www.unrealircd.org/docs/Set_block#set::modes-on-join) did not work with `+f` + timed bans properly, e.g. `[3t#b1]:10`
* Several log messages were missing some information.
* Reputation syncing across servers had a small glitch. Fix is mostly useful for servers that were not linked to the network for days or weeks.

## Changes

* Clarified that UnrealIRCd is licensed as "GPLv2 or later"
* Fix use of variables in [`set::reject-message`](https://www.unrealircd.org/docs/Set_block#set::reject-message) and in [`blacklist::reason`](https://www.unrealircd.org/docs/Blacklist_block): previously short forms of variables were (unintentionally) expanded as well, such as `$serv` for `$server`. This is no longer supported, you need to use the correct full variable names.

## Developers and protocol

* The `creationtime` of users is now communicated. Until now this information was only known locally (the thing that was communicated that came close was "last nick change" but that is not the same). This is synced via (early) moddata across servers. Module coders can use `get_connected_time()`.
* The `RPL_HOSTHIDDEN` is now sent from `userhost_changed()` so you don't explicitly send it yourself anymore.
* The `SVSO` command is back, so services can make people IRCOp again. See `HELPOP SVSO` or [the commit](https://github.com/unrealircd/unrealircd/commit/50e5d91c798e7d07ca0c68d9fca302a6b6610786) for more information.
* Due to last change the `HOOKTYPE_LOCAL_OPER` parameters were changed.
* Module coders can enhance the [JSON logging](https://www.unrealircd.org/docs/JSON_logging) expansion items for clients and channels via new hooks like `HOOKTYPE_JSON_EXPAND_CLIENT`. This is used by the geoip and tls modules.
--------------------------------------------------------------------------------
ChangeLog:
* Sat Jun 18 2022 Robert Scheck <robert(a)fedoraproject.org> 6.0.4-1
- Upgrade to 6.0.4 (#2090417)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2090417 - unrealircd-6.0.4 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2090417
--------------------------------------------------------------------------------