The following Fedora EPEL 7 Security updates need testing:
 Age  URL
 648  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-1087         dokuwiki-0-0.24.20140929c.el7
 410  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-dac7ed832f   mcollective-2.8.4-1.el7
 129  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-23fa04bf1c   redis-3.2.3-1.el7
 112  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-e8f4ff76b3   chicken-4.11.0-3.el7
  55  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-ee3cc4d1b6   compat-guile18-1.8.8-14.el7
  11  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-fd41ef0987   php-simplesamlphp-saml2-2.3.3-1.el7 php-simplesamlphp-saml2_1-1.10.3-1.el7
  11  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-967040283d   lxc-1.0.9-1.el7
   2  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-090cbd0a83   botan-1.10.14-3.el7
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-73b4fc1c78   chromium-55.0.2883.87-1.el7.1
The following builds have been pushed to Fedora EPEL 7 updates-testing
NetworkManager-openvpn-1.2.6-1.el7
R-3.3.2-3.el7
chromium-55.0.2883.87-1.el7.1
golang-github-golang-appengine-0-0.8.git1c3fdc5.el7
golang-github-golang-glog-0-0.13.gitfca8c88.el7
golang-google-golangorg-cloud-0-0.9.git2400193.el7
golang-googlecode-google-api-client-0-0.16.git18450f4.el7
golang-googlecode-goprotobuf-0-0.25.git8616e8e.el7
golang-googlecode-net-0-0.35.git4d38db7.el7
golang-googlecode-text-0-0.15.git6fc2e00.el7
gsi-openssh-6.6.1p1-6.el7
openblas-0.2.19-4.el7
php-fig-http-message-util-1.1.0-1.el7
php-getid3-1.9.13-1.el7
php-justinrainbow-json-schema4-4.0.1-1.el7
php-simplesamlphp-saml2-2.3.4-1.el7
python-attrs-16.3.0-1.el7
python3-requests-2.12.3-1.el7
tpm2-tss-1.0-2.el7
Details about builds:
================================================================================
NetworkManager-openvpn-1.2.6-1.el7 (FEDORA-EPEL-2016-1427c2b2fc)
NetworkManager VPN plugin for OpenVPN
--------------------------------------------------------------------------------
Update Information:
Latest upstream for EL-7.3, multiple bugfixes.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1119073 - Can not set network-manager-openvpn plugin routing settings from
gnome-control
https://bugzilla.redhat.com/show_bug.cgi?id=1119073
[ 2 ] Bug #1257651 - Broken configuration dialog for NM-openvpn
https://bugzilla.redhat.com/show_bug.cgi?id=1257651
[ 3 ] Bug #1260168 - NetworkManager invoking OpenVPN as root
https://bugzilla.redhat.com/show_bug.cgi?id=1260168
[ 4 ] Bug #1288711 - Not working with static key and tcp
https://bugzilla.redhat.com/show_bug.cgi?id=1288711
[ 5 ] Bug #1373829 - cannot add/edit openvpn configuration in MATE
https://bugzilla.redhat.com/show_bug.cgi?id=1373829
[ 6 ] Bug #1379803 - Please add support for verify-x509-name
https://bugzilla.redhat.com/show_bug.cgi?id=1379803
[ 7 ] Bug #1388169 - Config should not need a username to apply changes in the gui
https://bugzilla.redhat.com/show_bug.cgi?id=1388169
[ 8 ] Bug #1396598 - NetworkManager-openvpn does not respect disabled --reneg-sec
setting
https://bugzilla.redhat.com/show_bug.cgi?id=1396598
--------------------------------------------------------------------------------
================================================================================
R-3.3.2-3.el7 (FEDORA-EPEL-2016-08541f148f)
A language for data analysis and graphics
--------------------------------------------------------------------------------
Update Information:
R now uses openblas instead of the unoptimized blas bundled with R (on all
architectures where openblas is supported). In the previous update, this was
done by symlinking /usr/lib64/R/lib/libRblas.so to /usr/lib64/libopenblas.so.0.
While this worked fine for R, it did not work for anything linking to libR.so or
trying to dynload libRblas.so. To resolve this, a new openblas subpackage
(openblas-Rblas) has been added, which contains a copy of openblas built as
libRblas.so (and reporting libRblas.so as its soname). R now depends on
openblas-Rblas on all architectures which support openblas and on all targets
new enough to build openblas (RHEL 7+, Fedora 23+). Older targets or
incompatible architectures use the unoptimized Rblas. If you wish to switch
from the openblas libRblas.so to the R provided blas, simply rename
/usr/lib64/R/lib/libRrefblas.so to /usr/lib64/R/lib/libRblas.so.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1392192 - segfault during normal usage
https://bugzilla.redhat.com/show_bug.cgi?id=1392192
[ 2 ] Bug #1404662 - libR.so doesn't contain full path of libRblas.so
https://bugzilla.redhat.com/show_bug.cgi?id=1404662
[ 3 ] Bug #1404796 - libRblas.so()(64bit) is needed by package
R-core-3.3.2-2.el5.x86_64
https://bugzilla.redhat.com/show_bug.cgi?id=1404796
--------------------------------------------------------------------------------
================================================================================
chromium-55.0.2883.87-1.el7.1 (FEDORA-EPEL-2016-73b4fc1c78)
A WebKit (Blink) powered web browser
--------------------------------------------------------------------------------
Update Information:
Update to Chromium 55. Security fix for CVE-2016-9651, CVE-2016-5208,
CVE-2016-5207, CVE-2016-5206, CVE-2016-5205, CVE-2016-5204, CVE-2016-5209,
CVE-2016-5203, CVE-2016-5210, CVE-2016-5212, CVE-2016-5211, CVE-2016-5213,
CVE-2016-5214, CVE-2016-5216, CVE-2016-5215, CVE-2016-5217, CVE-2016-5218,
CVE-2016-5219, CVE-2016-5221, CVE-2016-5220, CVE-2016-5222, CVE-2016-9650,
CVE-2016-5223, CVE-2016-5226, CVE-2016-5225, CVE-2016-5224, CVE-2016-9652,
CVE-2016-5199, CVE-2016-5200, CVE-2016-5201, CVE-2016-5202
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1400879 - CVE-2016-9652 chromium-browser: various fixes from internal audits
https://bugzilla.redhat.com/show_bug.cgi?id=1400879
[ 2 ] Bug #1400878 - CVE-2016-5224 chromium-browser: same-origin bypass in svg
https://bugzilla.redhat.com/show_bug.cgi?id=1400878
[ 3 ] Bug #1400877 - CVE-2016-5225 chromium-browser: csp bypass in blink
https://bugzilla.redhat.com/show_bug.cgi?id=1400877
[ 4 ] Bug #1400876 - CVE-2016-5226 chromium-browser: limited xss in blink
https://bugzilla.redhat.com/show_bug.cgi?id=1400876
[ 5 ] Bug #1400875 - CVE-2016-5223 chromium-browser: integer overflow in pdfium
https://bugzilla.redhat.com/show_bug.cgi?id=1400875
[ 6 ] Bug #1400873 - CVE-2016-9650 chromium-browser: csp referrer disclosure
https://bugzilla.redhat.com/show_bug.cgi?id=1400873
[ 7 ] Bug #1400872 - CVE-2016-5222 chromium-browser: address spoofing in omnibox
https://bugzilla.redhat.com/show_bug.cgi?id=1400872
[ 8 ] Bug #1400871 - CVE-2016-5220 chromium-browser: local file access in pdfium
https://bugzilla.redhat.com/show_bug.cgi?id=1400871
[ 9 ] Bug #1400870 - CVE-2016-5221 chromium-browser: integer overflow in angle
https://bugzilla.redhat.com/show_bug.cgi?id=1400870
[ 10 ] Bug #1400869 - CVE-2016-5219 chromium-browser: use after free in v8
https://bugzilla.redhat.com/show_bug.cgi?id=1400869
[ 11 ] Bug #1400868 - CVE-2016-5218 chromium-browser: address spoofing in omnibox
https://bugzilla.redhat.com/show_bug.cgi?id=1400868
[ 12 ] Bug #1400867 - CVE-2016-5217 chromium-browser: use of unvalidated data in pdfium
https://bugzilla.redhat.com/show_bug.cgi?id=1400867
[ 13 ] Bug #1400866 - CVE-2016-5215 chromium-browser: use after free in webaudio
https://bugzilla.redhat.com/show_bug.cgi?id=1400866
[ 14 ] Bug #1400865 - CVE-2016-5216 chromium-browser: use after free in pdfium
https://bugzilla.redhat.com/show_bug.cgi?id=1400865
[ 15 ] Bug #1400864 - CVE-2016-5214 chromium-browser: file download protection bypass
https://bugzilla.redhat.com/show_bug.cgi?id=1400864
[ 16 ] Bug #1400863 - CVE-2016-5213 chromium-browser: use after free in v8
https://bugzilla.redhat.com/show_bug.cgi?id=1400863
[ 17 ] Bug #1400862 - CVE-2016-5211 chromium-browser: use after free in pdfium
https://bugzilla.redhat.com/show_bug.cgi?id=1400862
[ 18 ] Bug #1400861 - CVE-2016-5212 chromium-browser: local file disclosure in devtools
https://bugzilla.redhat.com/show_bug.cgi?id=1400861
[ 19 ] Bug #1400859 - CVE-2016-5210 chromium-browser: out of bounds write in pdfium
https://bugzilla.redhat.com/show_bug.cgi?id=1400859
[ 20 ] Bug #1400857 - CVE-2016-5203 chromium-browser: use after free in pdfium
https://bugzilla.redhat.com/show_bug.cgi?id=1400857
[ 21 ] Bug #1400856 - CVE-2016-5209 chromium-browser: out of bounds write in blink
https://bugzilla.redhat.com/show_bug.cgi?id=1400856
[ 22 ] Bug #1400855 - CVE-2016-5204 chromium-browser: universal xss in blink
https://bugzilla.redhat.com/show_bug.cgi?id=1400855
[ 23 ] Bug #1400854 - CVE-2016-5205 chromium-browser: universal xss in blink
https://bugzilla.redhat.com/show_bug.cgi?id=1400854
[ 24 ] Bug #1400853 - CVE-2016-5206 chromium-browser: same-origin bypass in pdfium
https://bugzilla.redhat.com/show_bug.cgi?id=1400853
[ 25 ] Bug #1400852 - CVE-2016-5207 chromium-browser: universal xss in blink
https://bugzilla.redhat.com/show_bug.cgi?id=1400852
[ 26 ] Bug #1400851 - CVE-2016-5208 chromium-browser: universal xss in blink
https://bugzilla.redhat.com/show_bug.cgi?id=1400851
[ 27 ] Bug #1400850 - CVE-2016-9651 chromium-browser: private property access in v8
https://bugzilla.redhat.com/show_bug.cgi?id=1400850
--------------------------------------------------------------------------------
================================================================================
golang-github-golang-appengine-0-0.8.git1c3fdc5.el7 (FEDORA-EPEL-2016-39a09d8ed5)
Go App Engine for Managed VMs
--------------------------------------------------------------------------------
Update Information:
Polish the spec file
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1249049 - Tracker for golang-github-golang-appengine
https://bugzilla.redhat.com/show_bug.cgi?id=1249049
--------------------------------------------------------------------------------
================================================================================
golang-github-golang-glog-0-0.13.gitfca8c88.el7 (FEDORA-EPEL-2016-18fd833152)
Leveled execution logs for Go
--------------------------------------------------------------------------------
Update Information:
Polish the spec file ---- Enable devel and unit-test packages for epel7
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1249052 - Tracker for golang-github-golang-glog
https://bugzilla.redhat.com/show_bug.cgi?id=1249052
--------------------------------------------------------------------------------
================================================================================
golang-google-golangorg-cloud-0-0.9.git2400193.el7 (FEDORA-EPEL-2016-ce86a7cd24)
Google Cloud Platform APIs related types and common functions
--------------------------------------------------------------------------------
Update Information:
Polish the spec file
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1246239 - Tracker for golang-google-golangorg-cloud
https://bugzilla.redhat.com/show_bug.cgi?id=1246239
--------------------------------------------------------------------------------
================================================================================
golang-googlecode-google-api-client-0-0.16.git18450f4.el7 (FEDORA-EPEL-2016-4391908602)
Go libraries for "new style" Google APIs
--------------------------------------------------------------------------------
Update Information:
Polish the spec file ---- Polish spec file, enable devel and unit-test for
epel7
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1250521 - Tracker for golang-googlecode-google-api-client
https://bugzilla.redhat.com/show_bug.cgi?id=1250521
--------------------------------------------------------------------------------
================================================================================
golang-googlecode-goprotobuf-0-0.25.git8616e8e.el7 (FEDORA-EPEL-2016-44cc58d54c)
Go support for Google protocol buffers
--------------------------------------------------------------------------------
Update Information:
Polish the spec file
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1246113 - Tracker for golang-googlecode-goprotobuf
https://bugzilla.redhat.com/show_bug.cgi?id=1246113
--------------------------------------------------------------------------------
================================================================================
golang-googlecode-net-0-0.35.git4d38db7.el7 (FEDORA-EPEL-2016-9e6c2dee66)
Supplementary Go networking libraries
--------------------------------------------------------------------------------
Update Information:
Polish the spec file ---- Enable devel and unit-test for epel7
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1326890 - FTBFS with gcc-go on s390x
https://bugzilla.redhat.com/show_bug.cgi?id=1326890
--------------------------------------------------------------------------------
================================================================================
golang-googlecode-text-0-0.15.git6fc2e00.el7 (FEDORA-EPEL-2016-869f81189a)
Supplementary Go text libraries
--------------------------------------------------------------------------------
Update Information:
Polish the spec file
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1254601 - Tracker for golang-googlecode-text
https://bugzilla.redhat.com/show_bug.cgi?id=1254601
--------------------------------------------------------------------------------
================================================================================
gsi-openssh-6.6.1p1-6.el7 (FEDORA-EPEL-2016-7901e4d58d)
An implementation of the SSH protocol with GSI authentication
--------------------------------------------------------------------------------
Update Information:
Sync with RHEL package. Adding mechanism OID negotiation with the introduction
of micv2 OID.
--------------------------------------------------------------------------------
================================================================================
openblas-0.2.19-4.el7 (FEDORA-EPEL-2016-08541f148f)
An optimized BLAS library based on GotoBLAS2
--------------------------------------------------------------------------------
Update Information:
R now uses openblas instead of the unoptimized blas bundled with R (on all
architectures where openblas is supported). In the previous update, this was
done by symlinking /usr/lib64/R/lib/libRblas.so to /usr/lib64/libopenblas.so.0.
While this worked fine for R, it did not work for anything linking to libR.so or
trying to dynload libRblas.so. To resolve this, a new openblas subpackage
(openblas-Rblas) has been added, which contains a copy of openblas built as
libRblas.so (and reporting libRblas.so as its soname). R now depends on
openblas-Rblas on all architectures which support openblas and on all targets
new enough to build openblas (RHEL 7+, Fedora 23+). Older targets or
incompatible architectures use the unoptimized Rblas. If you wish to switch
from the openblas libRblas.so to the R provided blas, simply rename
/usr/lib64/R/lib/libRrefblas.so to /usr/lib64/R/lib/libRblas.so.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1392192 - segfault during normal usage
https://bugzilla.redhat.com/show_bug.cgi?id=1392192
[ 2 ] Bug #1404662 - libR.so doesn't contain full path of libRblas.so
https://bugzilla.redhat.com/show_bug.cgi?id=1404662
[ 3 ] Bug #1404796 - libRblas.so()(64bit) is needed by package
R-core-3.3.2-2.el5.x86_64
https://bugzilla.redhat.com/show_bug.cgi?id=1404796
--------------------------------------------------------------------------------
================================================================================
php-fig-http-message-util-1.1.0-1.el7 (FEDORA-EPEL-2016-ed59e326ee)
PSR Http Message Util
--------------------------------------------------------------------------------
Update Information:
This library holds utility classes and constants to facilitate common operations
of PSR-7; the primary purpose is to provide constants for referring to request
methods, response status codes and messages, and potentially common headers.
Autoloader: /usr/share/php/Fig/Http/Message/autoload.php
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1404577 - Review Request: php-fig-http-message-util - PSR Http Message Util
https://bugzilla.redhat.com/show_bug.cgi?id=1404577
--------------------------------------------------------------------------------
================================================================================
php-getid3-1.9.13-1.el7 (FEDORA-EPEL-2016-fc99664c09)
The PHP media file parser
--------------------------------------------------------------------------------
Update Information:
**Version 1.9.11**: [2015-12-24] James Heinrich
* bugfix (G:64): update constructor syntax for PHP 7
* bugfix (G:62): infinite loop in large PNG files
* bugfix (G:61): ID3v2 remove BOM from frame descriptions
* bugfix (G:60): missing "break" in module.audio-video.quicktime.php
* bugfix (G:59): .gitignore comments
* bugfix (G:58): inconsistency in relation to module.tag.id3v2.php
* bugfix (G:57): comparing instead of assign
* bugfix (G:56): unsupported MIME type "audio/x-wave"
* bugfix (G:55): readme.md variable reference
* bugfix (G:54): QuickTime false 1000fps
* bugfix (G:53): Quicktime / ID3v2 multiple genres
* bugfix (G:52): sys_get_temp_dir in GetDataImageSize
* bugfix (#1903): Quicktime meta atom not parsed
* demo.joinmp3.php enhancements
* m4b (audiobook) chapters not parsed correctly
* sqlite3 caching not working

Packaging changes:
* pull sources from github
* fix project URL
* use fedora/autoloader
--------------------------------------------------------------------------------
================================================================================
php-justinrainbow-json-schema4-4.0.1-1.el7 (FEDORA-EPEL-2016-908654fb39)
A library to validate a json schema
--------------------------------------------------------------------------------
Update Information:
A PHP Implementation for validating JSON Structures against a given Schema.
* This package provides the library version 4.
* The php-JsonSchema package provides the library version 1.
* The php-justinrainbow-json-schema package provides the library version 2.

See http://json-schema.org/

Autoloader: /usr/share/php/JsonSchema4/autoload.php
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1403724 - Review Request: php-justinrainbow-json-schema4 - A library to
validate a json schema
https://bugzilla.redhat.com/show_bug.cgi?id=1403724
--------------------------------------------------------------------------------
================================================================================
php-simplesamlphp-saml2-2.3.4-1.el7 (FEDORA-EPEL-2016-ea6746837f)
SAML2 PHP library from SimpleSAMLphp
--------------------------------------------------------------------------------
Update Information:
### v2.3.4
This is a bugfix release for an issue when trying to use the SOAPClient
provided with the library.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1405027 - php-simplesamlphp-saml2-2.3.4 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1405027
--------------------------------------------------------------------------------
================================================================================
python-attrs-16.3.0-1.el7 (FEDORA-EPEL-2016-f097670bf4)
Python attributes without boilerplate
--------------------------------------------------------------------------------
Update Information:
Fixes support of __slots__ classes.
--------------------------------------------------------------------------------
================================================================================
python3-requests-2.12.3-1.el7 (FEDORA-EPEL-2016-937d666659)
HTTP library, written in Python, for human beings
--------------------------------------------------------------------------------
Update Information:
Most existing Python modules for sending HTTP requests are extremely verbose and
cumbersome. Python's built-in urllib2 module provides most of the HTTP
capabilities you should need, but the API is thoroughly broken. This library is
designed to make HTTP requests easy for developers.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1399337 - Review Request: python3-requests - HTTP library, written in Python,
for human beings
https://bugzilla.redhat.com/show_bug.cgi?id=1399337
--------------------------------------------------------------------------------
================================================================================
tpm2-tss-1.0-2.el7 (FEDORA-EPEL-2016-22cc02f80e)
TPM2.0 Software Stack
--------------------------------------------------------------------------------
Update Information:
This is a new package, providing TCG's TPM2.0 specified API interfaces for
applications.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1369708 - Review Request: tpm2-tss - TPM2.0 Software Stack
https://bugzilla.redhat.com/show_bug.cgi?id=1369708
--------------------------------------------------------------------------------