--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2011-3394
2011-05-25 15:24:16
--------------------------------------------------------------------------------
Name : dokuwiki
Product : Fedora EPEL 5
Version : 0
Release : 0.8.20101107.a.el5
URL : http://www.dokuwiki.org/dokuwiki
Summary : Standards compliant simple to use wiki
Description :
DokuWiki is a standards compliant, simple to use Wiki, mainly aimed at creating
documentation of any kind. It has a simple but powerful syntax which makes sure
the datafiles remain readable outside the Wiki and eases the creation of
structured texts.
All data is stored in plain text files; no database is required.
--------------------------------------------------------------------------------
This update can be installed with the "yum" update programs. Use
su -c 'yum update dokuwiki' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora EPEL GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2011-3417
2011-05-26 15:39:35
--------------------------------------------------------------------------------
Name : drupal7
Product : Fedora EPEL 6
Version : 7.2
Release : 1.el6
URL : http://www.drupal.org
Summary : An open-source content-management platform
Description :
Equipped with a powerful blend of features, Drupal is a Content Management
System written in PHP that can support a variety of websites ranging from
personal weblogs to large community-driven websites. Drupal is highly
configurable, skinnable, and secure.
--------------------------------------------------------------------------------
Update Information:
* Advisory ID: DRUPAL-SA-CORE-2011-001
* Project: Drupal core [1]
* Version: 6.x, 7.x
* Date: 2011-May-25
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass, Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
Multiple vulnerabilities and weaknesses were discovered in Drupal.
.... Reflected cross site scripting vulnerability in error handler
A reflected cross site scripting vulnerability was discovered in Drupal's
error handler. Drupal displays PHP errors in the messages area, and a
specially crafted URL can cause malicious scripts to be injected into the
message. The issue can be mitigated by disabling on-screen error display at
admin/settings/error-reporting. This is the recommended setting for
production sites.
This issue affects Drupal 6.x only.
.... Cross site scripting vulnerability in Color module
When using re-colorable themes, color inputs are not sanitized. Malicious
color values can be used to insert arbitrary CSS and script code. Successful
exploitation requires the "Administer themes" permission.
This issue affects Drupal 6.x and 7.x.
.... Access bypass in File module
When using private files in combination with a node access module, the File
module allows unrestricted access to private files.
This issue affects Drupal 7.x only.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Drupal 7.x before version 7.1.
* Drupal 6.x before version 6.21.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you are running Drupal 7.x then upgrade to Drupal 7.1 [3] or 7.2 [4].
* If you are running Drupal 6.x then upgrade to Drupal 6.21 [5] or 6.22 [6].
The Security Team has released both a pure security update without other bug
fixes and a security update combined with other bug fixes and improvements.
You can choose to either only include the security update for an immediate
fix (which might require less quality assurance and testing) or more fixes
and improvements alongside the security fixes by choosing between Drupal 7.1
[7] and Drupal 7.2 [8] or Drupal 6.21 [9] and Drupal 6.22 [10].
See the release announcement [11] for more information.
See also the Drupal core [12] project page.
-------- REPORTED BY ---------------------------------------------------------
* The reflected cross site scripting vulnerability was reported by Heine
Deelstra [13] (*).
* The Color module cross site scripting vulnerability was reported by Kasper
Lindgaard, Secunia Research.
* The File access bypass was reported by Hubert Lecorche, and Peter Bex
[14].
-------- FIXED BY ------------------------------------------------------------
* The reflected cross site scripting vulnerability was fixed by Alan
Smithee.
* The Color module cross site scripting vulnerability was fixed by Stéphane
Corlosquet [15] (*), Heine Deelstra [16] (*), and Peter Wolanin [17] (*).
* The File access bypass was fixed by Heine Deelstra [18] (*).
(*) Member of the Drupal security team.
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [19].
Learn more about the Drupal Security team and their policies [20], writing
secure code for Drupal [21], and securing your site [22].
[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1168910
[4] http://drupal.org/node/1168946
[5] http://drupal.org/node/1168908
[6] http://drupal.org/node/1168950
[7] http://drupal.org/node/1168910
[8] http://drupal.org/node/1168946
[9] http://drupal.org/node/1168908
[10] http://drupal.org/node/1168950
[11] http://drupal.org/drupal-7.2
[12] http://drupal.org/project/drupal
[13] http://drupal.org/user/17943
[14] https://drupal.org/user/309898
[15] http://drupal.org/user/52142
[16] http://drupal.org/user/17943
[17] http://drupal.org/user/49851
[18] http://drupal.org/user/17943
[19] http://drupal.org/contact
[20] http://drupal.org/security-team
[21] http://drupal.org/writing-secure-code
[22] http://drupal.org/security/secure-configuration
_______________________________________________
Security-news mailing list
Security-news(a)drupal.org
http://lists.drupal.org/mailman/listinfo/security-news
The package now requires php53 (PHP 5.3) instead of php, including the php sub-packages.
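As an added illustration of the advisory's two practical points (which installed versions are affected, and what a fix for the Color module's unsanitised colour input has to enforce), the following Python is this editor's example and not Drupal's or Fedora's code. It assumes only that includes/bootstrap.inc carries a define('VERSION', '...') line, which both Drupal 6 and 7 do; the allowlist regex stands in for the module's fix and is not a quotation of the actual patch.

```python
import re

# Affected ranges from DRUPAL-SA-CORE-2011-001: 7.x before 7.1, 6.x before 6.21.
# Values are the first release on each branch that carries the fix.
FIXED_VERSIONS = {6: (6, 21), 7: (7, 1)}

# Drupal 6 and 7 both declare the core version in includes/bootstrap.inc as
#   define('VERSION', '7.0');
VERSION_DEFINE_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:-(\w+))?")


def parse_core_version(bootstrap_inc_text):
    """Return (major, minor, suffix) from the VERSION define in bootstrap.inc.

    suffix is '' for a release or e.g. 'dev', 'rc1' for a pre-release.
    """
    m = VERSION_DEFINE_RE.search(bootstrap_inc_text)
    if not m:
        raise ValueError("no VERSION define found")
    v = VERSION_RE.fullmatch(m.group(1))
    if not v:
        raise ValueError("unrecognised version string %r" % m.group(1))
    return int(v.group(1)), int(v.group(2)), (v.group(3) or "")


def is_vulnerable(bootstrap_inc_text):
    """True if the installed core falls inside the advisory's affected ranges.

    Returns None for branches the advisory does not cover (5.x, 8.x) so the
    caller can tell "not applicable" from "fixed". A pre-release snapshot of
    the fixed version (e.g. 7.1-dev) predates that release and is treated as
    affected rather than assumed patched.
    """
    major, minor, suffix = parse_core_version(bootstrap_inc_text)
    if major not in FIXED_VERSIONS:
        return None
    fixed_minor = FIXED_VERSIONS[major][1]
    if minor < fixed_minor:
        return True
    if minor == fixed_minor and suffix:
        return True
    return False


# Color module: a palette value from the form was written into generated CSS
# without sanitising. A value such as "#fff; } body { background: url(...) }"
# closes the declaration and injects arbitrary CSS. The fix pattern is an
# allowlist: accept only #rgb or #rrggbb. This regex is the example's own
# check, not a quotation of the Drupal patch. fullmatch is used deliberately:
# a '$' anchor would still accept "#fff\n".
HEX_COLOR_RE = re.compile(r"#([0-9a-fA-F]{3}){1,2}")


def valid_hex_color(value):
    """Allowlist check for a user-supplied colour before it reaches CSS."""
    return HEX_COLOR_RE.fullmatch(value) is not None


if __name__ == "__main__":
    # Constructed sample of what includes/bootstrap.inc contains on a 7.0 site.
    sample = "<?php\n/**\n * @file\n */\n\ndefine('VERSION', '7.0');\n"
    print("affected by SA-CORE-2011-001:", is_vulnerable(sample))
    for color in ("#1a2b3c", "#fff", "#fff; } body { background: url(x) }"):
        print(repr(color), "->", "accepted" if valid_hex_color(color) else "rejected")
```

Feed is_vulnerable() the contents of a site's includes/bootstrap.inc to classify it. A 7.1-dev snapshot is reported as affected because it predates the 7.1 release, and the colour check rejects anything that is not exactly a short or long hex triplet, including a value with a trailing newline.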
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #704319 - drupal7 should require php53 instead of php (including php sub-packages)
https://bugzilla.redhat.com/show_bug.cgi?id=704319
--------------------------------------------------------------------------------
This update can be installed with the "yum" update programs. Use
su -c 'yum update drupal7' at the command line.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2011-3386
2011-05-25 15:23:59
--------------------------------------------------------------------------------
Name : python26-m2crypto
Product : Fedora EPEL 5
Version : 0.21.1
Release : 5.el5
URL : http://wiki.osafoundation.org/bin/view/Projects/MeTooCrypto
Summary : Support for using OpenSSL in python 2.6 scripts
Description :
This package allows you to call OpenSSL functions from python 2.6
scripts.
--------------------------------------------------------------------------------
Update Information:
This update consolidates a number of fixes from Fedora's main m2crypto package:
- Fixed M2Crypto.SMIME documentation and examples
- Fixed sending SSL data from buffer objects
- Fixed a memory leak
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #618500 - S/MIME signing does not work
https://bugzilla.redhat.com/show_bug.cgi?id=618500
[ 2 ] Bug #702766 - [F15 regression] traceback when sending over SSL
https://bugzilla.redhat.com/show_bug.cgi?id=702766
[ 3 ] Bug #659881 - Memory leak in m2crypto-0.16/SWIG/_aes.i: AES_crypt
https://bugzilla.redhat.com/show_bug.cgi?id=659881
--------------------------------------------------------------------------------
This update can be installed with the "yum" update programs. Use
su -c 'yum update python26-m2crypto' at the command line.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2011-3378
2011-05-25 15:23:41
--------------------------------------------------------------------------------
Name : mod_flvx
Product : Fedora EPEL 4
Version : 0
Release : 0.1.20100525git.el4
URL : http://tperspective.blogspot.com/2009/02/apache-flv-streaming-done-right.ht…
Summary : FLV progressive download streaming for the Apache HTTP Server
Description :
FLV streaming (progressive download with seeking) means the video can be
sought to any position, and the browser (Flash player) buffers only from that
position to the end. Streaming thus lets the viewer skip ahead or watch the
ending without downloading the whole file, which saves bandwidth. Although
H.264 is more efficient, FLV is still a common container format for video,
because Flash has only supported H.264 since version 9.115.
To use FLV streaming on the web, a pseudo-streaming capable Flash player such
as Flowplayer is needed. Streaming requires that the FLV has embedded
key-frame markers (metadata), which can be injected by any supporting tool,
e.g. flvtool2.
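The mechanism described above (the player asks for a byte offset taken from the file's key-frame metadata, and the server replies with a fresh FLV header followed by the file from that offset) is shown below as an added Python example written for this page; it is not mod_flvx's code, and the page does not give mod_flvx's exact header bytes or parameter name. It assumes a ?start=<offset> query parameter and emits a spec-form FLV header (signature, version 1, the source file's audio/video flags, header size 9, PreviousTagSize0 = 0). The sample FLV bytes are constructed inline with placeholder payloads, not real video.

```python
import re
import struct

FLV_SIGNATURE = b"FLV"
FLV_VERSION = 1
FLV_FLAGS_AUDIO_VIDEO = 0x05   # bit 0 = video present, bit 2 = audio present
FLV_HEADER_LEN = 9             # DataOffset field is always 9 for version 1


def flv_file_header(flags):
    """13 bytes: 9-byte file header plus PreviousTagSize0 (always 0)."""
    return (FLV_SIGNATURE + bytes([FLV_VERSION, flags])
            + struct.pack(">I", FLV_HEADER_LEN) + struct.pack(">I", 0))


def _tag(tag_type, payload, timestamp_ms):
    """Encode one FLV tag: 11-byte header, payload, 4-byte PreviousTagSize."""
    header = struct.pack(">B", tag_type)
    header += struct.pack(">I", len(payload))[1:]               # DataSize, 24 bits
    header += struct.pack(">I", timestamp_ms & 0xFFFFFF)[1:]    # Timestamp, 24 bits
    header += struct.pack(">B", (timestamp_ms >> 24) & 0xFF)    # TimestampExtended
    header += b"\x00\x00\x00"                                   # StreamID, always 0
    return header + payload + struct.pack(">I", 11 + len(payload))


# Constructed sample (not real video): metadata tag, a key frame, an inter frame.
SAMPLE_FLV = (
    flv_file_header(FLV_FLAGS_AUDIO_VIDEO)
    + _tag(18, b"onMetaData-placeholder", 0)   # script data tag
    + _tag(9, b"\x17" + b"K" * 40, 0)         # video tag, AVC key frame marker
    + _tag(9, b"\x27" + b"P" * 20, 40)        # video tag, inter frame marker
)


def tag_offsets(data):
    """Walk the tag chain and return the byte offsets at which tags start.

    Raises ValueError if the file is not FLV, a tag runs past the end, or a
    tag's trailing PreviousTagSize disagrees with its header, which is how a
    truncated or tampered file shows up.
    """
    if data[:3] != FLV_SIGNATURE or len(data) < FLV_HEADER_LEN + 4:
        raise ValueError("not an FLV file")
    offset = struct.unpack(">I", data[5:9])[0] + 4   # skip header and PreviousTagSize0
    offsets = []
    while offset + 11 <= len(data):
        data_size = int.from_bytes(data[offset + 1:offset + 4], "big")
        end = offset + 11 + data_size
        if end + 4 > len(data):
            raise ValueError("truncated tag at offset %d" % offset)
        if struct.unpack(">I", data[end:end + 4])[0] != 11 + data_size:
            raise ValueError("bad PreviousTagSize at offset %d" % end)
        offsets.append(offset)
        offset = end + 4
    if offset != len(data):
        raise ValueError("trailing bytes after last tag")
    return offsets


def parse_start(query_value, data):
    """Validate the untrusted ?start= value before using it as a byte offset.

    The player normally sends offsets from the file's key-frame metadata, but
    nothing stops a client sending any string, so the value must be a plain
    decimal that lands exactly on a tag boundary in this file; anything else
    is rejected rather than read from an arbitrary position.
    """
    if not re.fullmatch(r"[0-9]+", query_value):   # rejects '', '-1', '1e3', '0x10'
        raise ValueError("start must be a non-negative decimal integer")
    start = int(query_value)
    if start != 0 and start not in set(tag_offsets(data)):
        raise ValueError("start does not fall on a tag boundary")
    return start


def start_is_valid(query_value, data):
    """Boolean form of parse_start for callers that only need accept/reject."""
    try:
        parse_start(query_value, data)
        return True
    except ValueError:
        return False


def stream_from(data, start):
    """Response body for a pseudo-streaming request.

    start == 0 returns the file unchanged; otherwise a new file header (with
    the source file's flags) is prepended to the bytes from start onward, so
    the player receives a well-formed stream beginning at that tag.
    """
    if start == 0:
        return data
    return flv_file_header(data[4]) + data[start:]


if __name__ == "__main__":
    print("tag offsets:", tag_offsets(SAMPLE_FLV))
    body = stream_from(SAMPLE_FLV, parse_start("50", SAMPLE_FLV))
    print("served %d of %d bytes, tags now at %s"
          % (len(body), len(SAMPLE_FLV), tag_offsets(body)))
```

The security-relevant part is parse_start: the offset arrives from the client, so it is accepted only when it is a plain decimal that lands on a tag boundary of this file, instead of being handed straight to a file read. Walking the tag chain also catches a truncated or tampered file, because each tag's trailing PreviousTagSize must match its header; the output of stream_from parses cleanly with the same walker.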
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #688121 - Review Request: mod_flvx - FLV progressive download streaming for the Apache HTTP Server
https://bugzilla.redhat.com/show_bug.cgi?id=688121
--------------------------------------------------------------------------------
This update can be installed with the "yum" update programs. Use
su -c 'yum update mod_flvx' at the command line.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2011-3369
2011-05-20 17:37:10
--------------------------------------------------------------------------------
Name : drupal6-features
Product : Fedora EPEL 6
Version : 1.0
Release : 3.el6
URL : http://drupal.org/project/features
Summary : Provides feature management for Drupal
Description :
The features module enables the capture and management of features in Drupal.
A feature is a collection of Drupal entities which taken together satisfy a
certain use-case.
Features provides a UI and API for taking different site building components
from modules with exportables and bundling them together in a single feature
module. A feature module is like any other Drupal module except that it
declares its components (e.g. views, contexts, CCK fields, etc.) in its .info
file so that it can be checked, updated, or reverted programmatically.
--------------------------------------------------------------------------------
Update Information:
The features module enables the capture and management of features in Drupal.
A feature is a collection of Drupal entities which taken together satisfy a
certain use-case.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #705375 - README.txt should appear in module directory for use in-module
https://bugzilla.redhat.com/show_bug.cgi?id=705375
[ 2 ] Bug #698590 - Review Request: drupal6-features - Provides feature management for Drupal
https://bugzilla.redhat.com/show_bug.cgi?id=698590
--------------------------------------------------------------------------------
This update can be installed with the "yum" update programs. Use
su -c 'yum update drupal6-features' at the command line.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2011-3408
2011-05-26 15:39:17
--------------------------------------------------------------------------------
Name : drupal6
Product : Fedora EPEL 5
Version : 6.22
Release : 1.el5
URL : http://www.drupal.org
Summary : An open-source content-management platform
Description :
Equipped with a powerful blend of features, Drupal is a Content Management
System written in PHP that can support a variety of websites ranging from
personal weblogs to large community-driven websites. Drupal is highly
configurable, skinnable, and secure.
--------------------------------------------------------------------------------
Update Information:
* Advisory ID: DRUPAL-SA-CORE-2011-001
* Project: Drupal core [1]
* Version: 6.x, 7.x
* Date: 2011-May-25
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass, Cross Site Scripting
The full advisory text (description of the three issues, versions affected,
solution, credits and references) is identical to DRUPAL-SA-CORE-2011-001 as
reproduced in the drupal7 notification FEDORA-EPEL-2011-3417 above. Of the
three issues, the reflected cross site scripting in the error handler and the
Color module cross site scripting affect 6.x; the File module access bypass
affects 7.x only. Drupal 6.21 is the pure security update; 6.22, shipped here,
adds the other bug fixes and improvements.
--------------------------------------------------------------------------------
This update can be installed with the "yum" update programs. Use
su -c 'yum update drupal6' at the command line.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2011-3390
2011-05-25 15:24:08
--------------------------------------------------------------------------------
Name : dojo
Product : Fedora EPEL 6
Version : 1.6.0
Release : 1.el6
URL : http://dojotoolkit.org/
Summary : Modular JavaScript toolkit
Description :
Dojo is a JavaScript toolkit, providing cross-browser abstractions and widgets
for building dynamic web sites.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #609817 - Review Request: dojo - Modular JavaScript toolkit
https://bugzilla.redhat.com/show_bug.cgi?id=609817
--------------------------------------------------------------------------------
This update can be installed with the "yum" update programs. Use
su -c 'yum update dojo' at the command line.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2011-3413
2011-05-26 15:39:26
--------------------------------------------------------------------------------
Name : autoconf-archive
Product : Fedora EPEL 5
Version : 2011.04.12
Release : 1.el5
URL : http://www.gnu.org/software/autoconf-archive/
Summary : The Autoconf Macro Archive
Description :
The GNU Autoconf Archive is a collection of more than 450 macros for
GNU Autoconf that have been contributed as free software by friendly
supporters of the cause from all over the Internet.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #663925 - Review Request: autoconf-archive - The Autoconf Macro Archive
https://bugzilla.redhat.com/show_bug.cgi?id=663925
--------------------------------------------------------------------------------
This update can be installed with the "yum" update programs. Use
su -c 'yum update autoconf-archive' at the command line.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2011-3376
2011-05-25 15:23:36
--------------------------------------------------------------------------------
Name : liveusb-creator
Product : Fedora EPEL 6
Version : 3.11.1
Release : 1.el6
URL : https://fedorahosted.org/liveusb-creator
Summary : A liveusb creator
Description :
A liveusb creator from Live Fedora images
--------------------------------------------------------------------------------
Update Information:
Support downloading the latest Fedora 15 release
--------------------------------------------------------------------------------
This update can be installed with the "yum" update programs. Use
su -c 'yum update liveusb-creator' at the command line.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2011-3359
2011-05-20 17:36:48
--------------------------------------------------------------------------------
Name : couchdb
Product : Fedora EPEL 6
Version : 1.0.2
Release : 4.el6
URL : http://couchdb.apache.org/
Summary : A document database server, accessible via a RESTful JSON API
Description :
Apache CouchDB is a distributed, fault-tolerant and schema-free
document-oriented database accessible via a RESTful HTTP/JSON API.
Among other features, it provides robust, incremental replication
with bi-directional conflict detection and resolution, and is
queryable and indexable using a table-oriented view engine with
JavaScript acting as the default view definition language.
--------------------------------------------------------------------------------
Update Information:
- Fixed Futon test failures with Erlang/OTP R14B02
* Ver. 1.0.2 (Bugfix release)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #674146 - CVE-2010-3854 couchdb: XSS vulnerability [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=674146
[ 2 ] Bug #674145 - CVE-2010-3854 couchdb: XSS vulnerability [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=674145
--------------------------------------------------------------------------------
This update can be installed with the "yum" update programs. Use
su -c 'yum update couchdb' at the command line.
--------------------------------------------------------------------------------