The following Fedora EPEL 6 Security updates need testing:

 Age  URL
 570  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7031   python-virtualenv-12.0.7-1.el6
 564  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7168   rubygem-crack-0.3.2-2.el6
 495  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8156   nagios-4.0.8-1.el6
 454  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-e2b4b5b2fb   mcollective-2.8.4-1.el6
 426  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-35e240edd9   thttpd-2.25b-24.el6
 156  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-8594ed3a53   chicken-4.11.0-3.el6
  36  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-e3e50897ac   libbsd-0.8.3-2.el6
  21  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-8c6c7bf06e   dbus-sharp-0.7.0-16.el6 dbus-sharp-glib-0.5.0-14.el6 mono-4.2.4-9.el6
  12  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-663073e313   pdns-recursor-3.7.4-1.el6
  11  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-dbfb398104   ansible-2.2.1.0-1.el6
   9  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-947f112da5   opus-1.1.3-2.el6
   4  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5bc0e8fa7d   drupal7-title-1.0-0.7.alpha9.el6
   4  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-3931ee489b   exim-4.88-2.el6
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-0b96f86793   wordpress-4.7.2-1.el6
The following builds have been pushed to Fedora EPEL 6 updates-testing:

euca2ools-3.4.1-1.el6
fail2ban-0.9.6-1.el6
fuse-encfs-1.7.4-25.el6
libidn2-0.16-1.el6
pam_mapi-0.3.1-1.el6
php-PsrLog-1.0.2-2.el6
python-boto-2.45.0-3.el6
python-httpretty-0.8.14-2.20161011git70af1f8.el6
wordpress-4.7.2-1.el6
Details about builds:
================================================================================
 euca2ools-3.4.1-1.el6 (FEDORA-EPEL-2017-43f23133a2)
 Eucalyptus/AWS-compatible command line tools
--------------------------------------------------------------------------------
Update Information:

This update adds support for NAT gateways, CloudFormation template attributes, new AWS regions, and more. For a complete list of changes, see the [upstream release notes](https://docs.eucalyptus.com/eucalyptus/4.3.1/#euca2ools-release-notes/rn_index_3.4.0.html).
--------------------------------------------------------------------------------
================================================================================
 fail2ban-0.9.6-1.el6 (FEDORA-EPEL-2017-29fc2c3aac)
 Ban IPs that make too many password failures
--------------------------------------------------------------------------------
Update Information:

Update to 0.9.6:

* Misleading add resp. enable of (already available) jail in database, that induced a subsequent error: last position of log file will be never retrieved (gh-795)
* Fixed a distribution related bug within testReadStockJailConfForceEnabled (e.g. test-cases faults on Fedora, see gh-1353)
* Fixed pythonic filters and test scripts (running via wrong python version, uses "fail2ban-python" now)
* Fixed test case "testSetupInstallRoot" for not default python version (also using direct call, out of virtualenv)
* Fixed ambiguous wrong recognized date pattern resp. its optional parts (see gh-1512)
* FIPS compliant, use sha1 instead of md5 if it not allowed (see gh-1540)
* Monit config: scripting is not supported in path (gh-1556)
* `filter.d/apache-modsecurity.conf` - Fixed for newer version (one space, gh-1626), optimized: non-greedy catch-all replaced for safer match, unneeded catch-all anchoring removed, non-capturing
* `filter.d/asterisk.conf` - Fixed to match different asterisk log prefix (source file: method:)
* `filter.d/dovecot.conf` - Fixed failregex ignores failures through some not relevant info (gh-1623)
* `filter.d/ignorecommands/apache-fakegooglebot` - Fixed error within apache-fakegooglebot, that will be called with wrong python version (gh-1506)
* `filter.d/assp.conf` - Extended failregex and test cases to handle ASSP V1 and V2 (gh-1494)
* `filter.d/postfix-sasl.conf` - Allow for having no trailing space after 'failed:' (gh-1497)
* `filter.d/vsftpd.conf` - Optional reason part in message after FAIL LOGIN (gh-1543)
* `filter.d/sendmail-reject.conf` - removed mandatory double space (if dns-host available, gh-1579)
* `filter.d/sshd.conf`
  - recognized "Failed publickey for" (gh-1477)
  - optimized failregex to match all of "Failed any-method for ... from <HOST>" (gh-1479)
  - eliminated possible complex injections (on user-name resp. auth-info, see gh-1479)
  - optional port part after host (see gh-1533, gh-1581)
* New Actions:
  - `action.d/npf.conf` for NPF, the latest packet filter for NetBSD
* New Filters:
  - `filter.d/mongodb-auth.conf` for MongoDB (document-oriented NoSQL database engine) (gh-1586, gh-1606 and gh-1607)
* DateTemplate regexp extended with the word-end boundary, additionally to word-start boundary
* Introduces new command "fail2ban-python", as automatically created symlink to python executable, where fail2ban currently installed (resp. its modules are located):
  - allows to use the same version, fail2ban currently running, e.g. in external scripts just via replace python with fail2ban-python:

    ```diff
    -#!/usr/bin/env python
    +#!/usr/bin/env fail2ban-python
    ```

  - always the same pickle protocol
  - the same (and also guaranteed available) fail2ban modules
  - simplified stand-alone install, resp. stand-alone installation possibility via setup (like gh-1487) is getting closer
* Several test cases rewritten using new methods assertIn, assertNotIn
* New forward compatibility method assertRaisesRegexp (normally python >= 2.7). Methods assertIn, assertNotIn, assertRaisesRegexp, assertLogged, assertNotLogged are test covered now
* Jail configuration extended with new syntax to pass options to the backend (see gh-1408), examples:
  - `backend = systemd[journalpath=/run/log/journal/machine-1]`
  - `backend = systemd[journalfiles="/run/log/journal/machine-1/system.journal, /run/log/journal/machine-1/user.journal"]`
  - `backend = systemd[journalflags=2]`

----

Update to 0.9.5 - https://github.com/fail2ban/fail2ban/releases/tag/0.9.5
--------------------------------------------------------------------------------
================================================================================
 fuse-encfs-1.7.4-25.el6 (FEDORA-EPEL-2017-d85acd2a5a)
 Encrypted pass-thru filesystem in userspace
--------------------------------------------------------------------------------
Update Information:

Unretired package for el6.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1398962 - rpm fuse-encfs is missing for el6
        https://bugzilla.redhat.com/show_bug.cgi?id=1398962
--------------------------------------------------------------------------------
================================================================================
 libidn2-0.16-1.el6 (FEDORA-EPEL-2017-a0badf9d34)
 Library to support IDNA2008 internationalized domain names
--------------------------------------------------------------------------------
Update Information:

Libidn2 0.16 (released 2017-01-16)
==================================
* build: Fix idn2_cmd.h build rule
* API and ABI is backwards compatible with the previous version

Libidn2 0.15 (released 2017-01-14)
==================================
* Fix out-of-bounds read
* Fix NFC input conversion (regression)
* Shrink TR46 static mapping data
* API and ABI is backwards compatible with the previous version

Libidn2 0.14 (released 2016-12-30)
==================================
* build: Fix gentr46map build
* API and ABI is backwards compatible with the previous version

Libidn2 0.13 (released 2016-12-29)
==================================
* build: Doesn't download external files during build
* doc: Clarify license
* build: Generate ChangeLog file properly
* doc: API documentation related to TR46 flags
* API and ABI is backwards compatible with the previous version

Libidn2 0.12 (released 2016-12-26)
==================================
* All changes by Tim Rühsen tim.ruehsen@gmx.de except stated otherwise
* Builds/links with libunistring
* Fix two possible crashes with unchecked NULL pointers
* Memleak fix, reported by Hanno Böck hanno@hboeck.de
* Binary search for codepoints in tables
* Do not taint output variable on error in idn2_register_u8()
* Do not taint output variable on error in idn2_lookup_u8()
* Update to Unicode 6.3.0 IDNA tables
* Add TR46 / UTS#46 support to API and idn2 utility
* Add NFC quick check
* Add make target 'check-coverage' for test coverage report
* Add tests to increase test code coverage
* API and ABI is backwards compatible with the previous version
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1416642 - libidn2-0.16 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1416642
--------------------------------------------------------------------------------
================================================================================
 pam_mapi-0.3.1-1.el6 (FEDORA-EPEL-2017-f8d6e0d5c2)
 PAM module for authentication via MAPI against a Zarafa server
--------------------------------------------------------------------------------
Update Information:

Update to pam_mapi 0.3.1
--------------------------------------------------------------------------------
================================================================================
 php-PsrLog-1.0.2-2.el6 (FEDORA-EPEL-2017-1bab685154)
 Common interface for logging libraries
--------------------------------------------------------------------------------
Update Information:

### 1.0.2

* Fixed test suite fix in 1.0.1 to use a more appropriate phpunit method
* Fixed return types to be void instead of null
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1416878 - package does not require autoloader
        https://bugzilla.redhat.com/show_bug.cgi?id=1416878
--------------------------------------------------------------------------------
================================================================================
 python-boto-2.45.0-3.el6 (FEDORA-EPEL-2017-ec83c9c31f)
 A simple, lightweight interface to Amazon Web Services
--------------------------------------------------------------------------------
Update Information:

This update adds support for EC2's ModifySubnetAttribute operation.
--------------------------------------------------------------------------------
================================================================================
 python-httpretty-0.8.14-2.20161011git70af1f8.el6 (FEDORA-EPEL-2017-1cffc445e8)
 HTTP request mock tool for Python
--------------------------------------------------------------------------------
Update Information:

This update fixes a bug Garrett Holmstrom noticed in the previous update, whereby the `setUp` and `tearDown` methods do not call `reset`. This could cause problems for some test suites. Thanks to Garrett for the report.
--------------------------------------------------------------------------------
================================================================================
 wordpress-4.7.2-1.el6 (FEDORA-EPEL-2017-0b96f86793)
 Blog tool and publishing platform
--------------------------------------------------------------------------------
Update Information:

**WordPress 4.7.2 Security Release**

WordPress 4.7.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.1 and earlier are affected by three security issues:

* The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Reported by David Herrera of Alley Interactive.
* WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we've added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Mo Jangda (batmoo).
* A cross-site scripting (XSS) vulnerability was discovered in the posts list table. Reported by Ian Dunn of the WordPress Security Team.

----

**WordPress 4.7.1** Security and Maintenance Release

This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7 and earlier are affected by eight security issues:

* Remote code execution (RCE) in PHPMailer: No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release. This issue was reported to PHPMailer by Dawid Golunski and Paul Buonopane.
* The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API. Reported by Krogsgard and Chris Jean.
* Cross-site scripting (XSS) via the plugin name or version header on update-core.php. Reported by Dominik Schilling of the WordPress Security Team.
* Cross-site request forgery (CSRF) bypass via uploading a Flash file. Reported by Abdullah Hussam.
* Cross-site scripting (XSS) via theme name fallback. Reported by Mehmet Ince.
* Post via email checks mail.example.com if default settings aren't changed. Reported by John Blackbourn of the WordPress Security Team.
* A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing. Reported by Ronnie Skansing.
* Weak cryptographic security for multisite activation key. Reported by Jack.

Thank you to the reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.7.1 fixes 62 bugs from 4.7. For more information, see the [release notes](https://codex.wordpress.org/Version_4.7.1) or consult the [list of changes](https://core.trac.wordpress.org/query?milestone=4.7.1).
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1417158 - wordpress: Multiple security fixes in 4.7.2
        https://bugzilla.redhat.com/show_bug.cgi?id=1417158
--------------------------------------------------------------------------------
epel-devel@lists.fedoraproject.org