--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2015-0648
2015-02-05 17:38:33
--------------------------------------------------------------------------------
Name : perl-Fsdb
Product : Fedora EPEL 7
Version : 2.56
Release : 1.el7
URL : http://www.isi.edu/~johnh/SOFTWARE/FSDB/
Summary : A set of commands for manipulating flat-text databases from the shell
Description :
FSDB is a package of commands for manipulating flat-ASCII databases from
shell scripts. FSDB is useful to process medium amounts of data (with
very little data you'd do it by hand, with megabytes you might want a
real database). FSDB is very good at doing things like:
- extracting measurements from experimental output
- re-examining data to address different hypotheses
- joining data from different experiments
- eliminating/detecting outliers
- computing statistics on data (mean, confidence intervals,
correlations, histograms)
- reformatting data for graphing programs
Rather than hand-code scripts to do each special case, FSDB provides
higher-level functions than one gets with raw perl or shell scripts.
(Some features: control uses names instead of column numbers,
it is self-documenting, and is robust with good error and memory handling.)
--------------------------------------------------------------------------------
Update Information:
See http://www.isi.edu/~johnh/SOFTWARE/FSDB/
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1188538 - perl-Fsdb-2.55-1.fc22 FTBFS: t/test_command.t tests fail
https://bugzilla.redhat.com/show_bug.cgi?id=1188538
--------------------------------------------------------------------------------
This update can be installed with the "yum" update programs. Use
su -c 'yum update perl-Fsdb' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora EPEL GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2015-0642
2015-02-05 17:38:10
--------------------------------------------------------------------------------
Name : beakerlib
Product : Fedora EPEL 6
Version : 1.10
Release : 2.el6
URL : https://fedorahosted.org/beakerlib
Summary : A shell-level integration testing library
Description :
The BeakerLib project means to provide a library of various helpers, which
could be used when writing operating system level integration tests.
--------------------------------------------------------------------------------
Update Information:
remount if mounting already mounted mount point with options,
--------------------------------------------------------------------------------
This update can be installed with the "yum" update programs. Use
su -c 'yum update beakerlib' at the command line.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2015-0638
2015-02-05 17:38:01
--------------------------------------------------------------------------------
Name : gstreamer1-vaapi
Product : Fedora EPEL 7
Version : 0.5.9
Release : 3.el7
URL : https://gitorious.org/vaapi/gstreamer-vaapi/
Summary : GStreamer plugins to use VA API video acceleration
Description :
A collection of GStreamer plugins to let you make use of VA API video
acceleration from GStreamer applications.
Includes elements for video decoding, display, encoding and post-processing
using VA API (subject to hardware limitations).
--------------------------------------------------------------------------------
Update Information:
Filter out encoder and decoder Provides
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1164508 - [abrt] totem: isDRI2Connected(): totem-video-thumbnailer killed by SIGABRT
https://bugzilla.redhat.com/show_bug.cgi?id=1164508
--------------------------------------------------------------------------------
This update can be installed with the "yum" update programs. Use
su -c 'yum update gstreamer1-vaapi' at the command line.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2015-0628
2015-02-05 17:37:41
--------------------------------------------------------------------------------
Name : perl-MCE
Product : Fedora EPEL 7
Version : 1.600
Release : 1.el7
URL : http://search.cpan.org/dist/MCE/
Summary : Many-core Engine for Perl providing parallel processing capabilities
Description :
Many-core Engine (MCE) for Perl helps enable a new level of performance by
maximizing all available cores. MCE spawns a pool of workers and therefore
does not fork a new process per each element of data. Instead, MCE follows
a bank queuing model. Imagine the line being the data and bank-tellers the
parallel workers. MCE enhances that model by adding the ability to chunk
the next n elements from the input stream to the next available worker.
--------------------------------------------------------------------------------
Update Information:
A new enhancement and bugfix release of MCE is available. See http://cpansearch.perl.org/src/MARIOROY/MCE-1.600/CHANGES for the summary of changes in this release.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1188820 - perl-MCE-1.600 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1188820
--------------------------------------------------------------------------------
This update can be installed with the "yum" update programs. Use
su -c 'yum update perl-MCE' at the command line.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2015-0639
2015-02-05 17:38:03
--------------------------------------------------------------------------------
Name : beakerlib
Product : Fedora EPEL 5
Version : 1.10
Release : 2.el5
URL : https://fedorahosted.org/beakerlib
Summary : A shell-level integration testing library
Description :
The BeakerLib project means to provide a library of various helpers, which
could be used when writing operating system level integration tests.
--------------------------------------------------------------------------------
Update Information:
remount if mounting already mounted mount point with options,
--------------------------------------------------------------------------------
This update can be installed with the "yum" update programs. Use
su -c 'yum update beakerlib' at the command line.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2015-0631
2015-02-05 17:37:46
--------------------------------------------------------------------------------
Name : puppetlabs-stdlib
Product : Fedora EPEL 6
Version : 4.5.1
Release : 2.20150121git7a91f20.el6
URL : https://github.com/puppetlabs/puppetlabs-stdlib
Summary : Puppet Labs Standard Library
Description :
Puppet Labs Standard Library module.
--------------------------------------------------------------------------------
Update Information:
Install metadata.json for Puppet to pick stdlib release when "puppet module list" is called
Security fix for CVE-2015-1029
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1182578 - CVE-2015-1029 puppetlabs-stdlib: local information leakage and local privilege escalation vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1182578
--------------------------------------------------------------------------------
This update can be installed with the "yum" update programs. Use
su -c 'yum update puppetlabs-stdlib' at the command line.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2015-0641
2015-02-05 17:38:07
--------------------------------------------------------------------------------
Name : moodle
Product : Fedora EPEL 6
Version : 2.6.8
Release : 1.el6
URL : http://moodle.org/
Summary : A Course Management System
Description :
Moodle is a course management system (CMS) - a free, Open Source software
package designed using sound pedagogical principles, to help educators create
effective online learning communities.
--------------------------------------------------------------------------------
Update Information:
The following security notifications have now been made public:
==============================================================================
MSA-15-0001: Insufficient access check in LTI module
Description: Absence of capability check in AJAX backend script could
allow any enrolled user to search the list of registered
tools
Issue summary: mod/lti/ajax.php security problems
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Petr Skoda
Issue no.: MDL-47920
CVE identifier: CVE-2015-0211
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47920
==============================================================================
MSA-15-0002: XSS vulnerability in course request pending approval page
Description: Course summary on course request pending approval page was
displayed to the manager unescaped and could be used for
XSS attack
Issue summary: XSS in course request pending approval page (Privilege
Escalation?)
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Skylar Kelty
Issue no.: MDL-48368
Workaround: Grant permission moodle/course:request only to trusted
users
CVE identifier: CVE-2015-0212
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48368
==============================================================================
MSA-15-0003: CSRF possible in Glossary module
Description: Two files in the Glossary module lacked a session key check
potentially allowing cross-site request forgery
Issue summary: Multiple CSRF in mod glossary
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Ankit Agarwal
Issue no.: MDL-48106
CVE identifier: CVE-2015-0213
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48106
==============================================================================
MSA-15-0004: Information leak through messaging functions in web-services
Description: Through web-services it was possible to access
messaging-related functions such as people search even if
messaging is disabled on the site
Issue summary: Messages external functions doesn't check if messaging is
enabled
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Juan Leyva
Issue no.: MDL-48329
Workaround: Disable web services or disable individual message-related
functions
CVE identifier: CVE-2015-0214
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48329
==============================================================================
MSA-15-0005: Insufficient access check in calendar functions in web-services
Description: Through web-services it was possible to get information
about calendar events which user did not have enough
permissions to see
Issue summary: calendar/externallib.php lacks
self::validate_context($context);
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Petr Skoda
Issue no.: MDL-48017
CVE identifier: CVE-2015-0215
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48017
==============================================================================
MSA-15-0006: Capability to grade Lesson module is missing XSS bitmask
Description: Users with capability to grade in Lesson module were not
reported as users with XSS risk but their feedback was
displayed without cleaning
Issue summary: mod/lesson:grade capability missing RISK_XSS but essay
feedback is displayed with noclean=true
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.1
Versions fixed: 2.8.2
Reported by: Damyon Wiese
Issue no.: MDL-48034
CVE identifier: CVE-2015-0216
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48034
==============================================================================
MSA-15-0007: ReDoS possible in the multimedia filter
Description: Not optimal regular expression in the filter could be
exploited to create extra server load or make particular
page unavailable
Issue summary: ReDOS in the multimedia filter
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Nicolas Martignoni
Issue no.: MDL-48546
Workaround: Disable multimedia filter
CVE identifier: CVE-2015-0217
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48546
==============================================================================
MSA-15-0008: Forced logout through Shibboleth authentication plugin
Description: It was possible to forge a request to logout users even
when not authenticated through Shibboleth
Issue summary: Forced logout via auth/shibboleth/logout.php
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Petr Skoda
Issue no.: MDL-47964
Workaround: Deny access to file auth/shibboleth/logout.php in webserver
configuration
CVE identifier: CVE-2015-0218
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47964
==============================================================================
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1183695 - CVE-2015-0218 CVE-2015-0212 CVE-2015-0213 CVE-2015-0211 CVE-2015-0216 CVE-2015-0217 CVE-2015-0214 CVE-2015-0215 moodle: new update fixes several security issues [epel-6]
https://bugzilla.redhat.com/show_bug.cgi?id=1183695
[ 2 ] Bug #1183694 - CVE-2015-0218 CVE-2015-0212 CVE-2015-0213 CVE-2015-0211 CVE-2015-0216 CVE-2015-0217 CVE-2015-0214 CVE-2015-0215 moodle: new update fixes several security issues [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1183694
--------------------------------------------------------------------------------
This update can be installed with the "yum" update programs. Use
su -c 'yum update moodle' at the command line.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2015-0735
2015-02-14 00:51:19
--------------------------------------------------------------------------------
Name : tokyocabinet
Product : Fedora EPEL 5
Version : 1.4.33
Release : 6.el5
URL : http://1978th.net/tokyocabinet/
Summary : A modern implementation of a DBM
Description :
Tokyo Cabinet is a library of routines for managing a database. It is the
successor of QDBM. Tokyo Cabinet runs very fast. For example, the time required
to store 1 million records is 1.5 seconds for a hash database and 2.2 seconds
for a B+ tree database. Moreover, the database size is very small and can be up
to 8EB. Furthermore, the scalability of Tokyo Cabinet is great.
--------------------------------------------------------------------------------
Update Information:
Tokyo Cabinet is a library of routines for managing a database. It is the successor of QDBM. Tokyo Cabinet runs very fast. For example, the time required to store 1 million records is 1.5 seconds for a hash database and 2.2 seconds for a B+ tree database. Moreover, the database size is very small and can be up to 8EB. Furthermore, the scalability of Tokyo Cabinet is great.
--------------------------------------------------------------------------------
This update can be installed with the "yum" update programs. Use
su -c 'yum update tokyocabinet' at the command line.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2015-0630
2015-02-05 17:37:44
--------------------------------------------------------------------------------
Name : roundcubemail
Product : Fedora EPEL 6
Version : 1.0.5
Release : 1.el6
URL : http://www.roundcube.net
Summary : Round Cube Webmail is a browser-based multilingual IMAP client
Description :
RoundCube Webmail is a browser-based multilingual IMAP client
with an application-like user interface. It provides full
functionality you expect from an e-mail client, including MIME
support, address book, folder manipulation, message searching
and spell checking. RoundCube Webmail is written in PHP and
requires a database: MySQL, PostgreSQL and SQLite are known to
work. The user interface is fully skinnable using XHTML and
CSS 2.
--------------------------------------------------------------------------------
Update Information:
A cross-site scripting vulnerability has been fixed in Roundcube version 1.0.5.
http://roundcube.net/news/2015/01/24/security-update-1.0.5/
http://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5
http://trac.roundcube.net/ticket/1490227
CVE request: http://www.openwall.com/lists/oss-security/2015/01/31/3
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1188203 - CVE-2015-1433 roundcubemail: cross-site scripting in style attribute handling [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1188203
[ 2 ] Bug #1188202 - CVE-2015-1433 roundcubemail: cross-site scripting in style attribute handling [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1188202
--------------------------------------------------------------------------------
This update can be installed with the "yum" update programs. Use
su -c 'yum update roundcubemail' at the command line.
--------------------------------------------------------------------------------