The following Fedora 19 Security updates need testing:
 Age  URL
 189  https://admin.fedoraproject.org/updates/FEDORA-2013-19963/openstack-glanc...
 126  https://admin.fedoraproject.org/updates/FEDORA-2013-24023/varnish-3.0.5-1...
  31  https://admin.fedoraproject.org/updates/FEDORA-2014-4676/a2ps-4.14-23.fc19
  18  https://admin.fedoraproject.org/updates/FEDORA-2014-5024/smb4k-1.1.1-2.fc19
  15  https://admin.fedoraproject.org/updates/FEDORA-2014-5308/srm-1.2.13-1.fc19
   7  https://admin.fedoraproject.org/updates/FEDORA-2014-5609/kernel-3.13.11-1...
   6  https://admin.fedoraproject.org/updates/FEDORA-2014-5715/qt-4.8.6-2.fc19
   6  https://admin.fedoraproject.org/updates/FEDORA-2014-5691/mediawiki-1.21.9...
   6  https://admin.fedoraproject.org/updates/FEDORA-2014-5680/qt5-qtbase-5.2.1...
   4  https://admin.fedoraproject.org/updates/FEDORA-2014-5751/mumble-1.2.5-1.fc19
   4  https://admin.fedoraproject.org/updates/FEDORA-2014-5759/cups-filters-1.0...
   3  https://admin.fedoraproject.org/updates/FEDORA-2014-5783/fish-2.1.0-9.fc19
   3  https://admin.fedoraproject.org/updates/FEDORA-2014-5795/dmlite-0.6.2-2.fc19
   3  https://admin.fedoraproject.org/updates/FEDORA-2014-5801/python-lxml-3.3....
   1  https://admin.fedoraproject.org/updates/FEDORA-2014-5896/nrpe-2.15-2.fc19
   1  https://admin.fedoraproject.org/updates/FEDORA-2014-5903/miniupnpc-1.9-1....
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-5938/rxvt-unicode-9.2...
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-5941/xen-4.2.4-4.fc19
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-5974/python-fmn-web-0...
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-5948/python-fedora-0....
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-5984/php-5.5.12-1.fc19
The following Fedora 19 Critical Path updates have yet to be approved:
 Age  URL
 137  https://admin.fedoraproject.org/updates/FEDORA-2013-22326/fedora-bookmark...
  64  https://admin.fedoraproject.org/updates/FEDORA-2014-3245/testdisk-6.14-2....
   7  https://admin.fedoraproject.org/updates/FEDORA-2014-5620/abrt-2.2.1-1.fc1...
   6  https://admin.fedoraproject.org/updates/FEDORA-2014-5665/curl-7.29.0-18.fc19
   6  https://admin.fedoraproject.org/updates/FEDORA-2014-5715/qt-4.8.6-2.fc19
   3  https://admin.fedoraproject.org/updates/FEDORA-2014-5809/xorg-x11-drv-syn...
   3  https://admin.fedoraproject.org/updates/FEDORA-2014-5788/xorg-x11-drv-evd...
   2  https://admin.fedoraproject.org/updates/FEDORA-2014-5818/libssh2-1.4.3-7....
   2  https://admin.fedoraproject.org/updates/FEDORA-2014-5867/kde-workspace-4....
   2  https://admin.fedoraproject.org/updates/FEDORA-2014-5448/ibus-1.5.7-1.fc19
The following builds have been pushed to Fedora 19 updates-testing
armadillo-4.300.0-1.fc19
chmsee-2.0.2-9.git86d101c9.fc19
clamtk-5.06-1.fc19
drupal7-variable-2.5-1.fc19
gretl-1.9.90-1.fc19
gst-entrans-1.0.2-1.fc19
jortho-1.0-2.fc19
libuv-0.10.27-1.fc19
lua-term-0.03-3.fc19
nodejs-0.10.28-1.fc19
openspecfun-0.3-1.fc19
php-5.5.12-1.fc19
puddletag-1.0.3-1.fc19
python-fedora-0.3.34-1.fc19
python-fmn-web-0.2.4-3.fc19
python-lazy-1.2-1.fc19
v8-3.14.5.10-8.fc19
Details about builds:
================================================================================
armadillo-4.300.0-1.fc19 (FEDORA-2014-5963)
Fast C++ matrix library with interfaces to LAPACK and ATLAS
--------------------------------------------------------------------------------
Update Information:
This release is the latest stable release with the following improvements:
* faster find()
* added find_finite() and find_nonfinite() for finding indices of finite and non-finite
elements
* expressions X=inv(A)*B*C and X=A.i()*B*C are automatically converted to
X=solve(A,B*C)
* enables use of C++11 random number generator when using gcc 4.9+ in C++11 mode
--------------------------------------------------------------------------------
ChangeLog:
* Fri May 2 2014 José Matos <jamatos(a)fedoraproject.org> - 4.300.0-1
- update to 4.300.0
--------------------------------------------------------------------------------
================================================================================
chmsee-2.0.2-9.git86d101c9.fc19 (FEDORA-2014-5945)
HTML Help viewer for Unix/Linux
--------------------------------------------------------------------------------
Update Information:
rebuild for xulrunner 29
--------------------------------------------------------------------------------
ChangeLog:
* Tue Apr 29 2014 Yijun Yuan <bbbush.yuan(a)gmail.com> - 2.0.2-9.git86d101c9
- rebuild for xulrunner 29
* Fri Mar 28 2014 Yijun Yuan <bbbush.yuan(a)gmail.com> - 2.0.2-8.git86d101c9
- rebuild for xulrunner 28
--------------------------------------------------------------------------------
================================================================================
clamtk-5.06-1.fc19 (FEDORA-2014-5967)
Easy to use graphical user interface for Clam anti virus
--------------------------------------------------------------------------------
Update Information:
Update to 5.06.
--------------------------------------------------------------------------------
ChangeLog:
* Sat May 3 2014 Dave M. <dave.nerd(a)gmail.com> - 5.06-1
- Updated to release 5.06.
- Remove zenity from dependencies.
--------------------------------------------------------------------------------
================================================================================
drupal7-variable-2.5-1.fc19 (FEDORA-2014-5985)
Provides a registry for meta-data about Drupal variables
--------------------------------------------------------------------------------
Update Information:
- Updated to 2.5 (BZ #1090883; release notes https://drupal.org/node/2247839)
--------------------------------------------------------------------------------
ChangeLog:
* Sat May 3 2014 Peter Borsa <peter.borsa(a)gmail.com> - 2.5-1
- Updated to 2.5 (BZ #1090883; release notes https://drupal.org/node/2247839)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1090883 - drupal7-variable-2.5 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1090883
--------------------------------------------------------------------------------
================================================================================
gretl-1.9.90-1.fc19 (FEDORA-2014-5944)
A tool for econometric analysis
--------------------------------------------------------------------------------
Update Information:
- Update to 1.9.90
- http://sourceforge.net/projects/gretl/files/gretl/1.9.90/
--------------------------------------------------------------------------------
ChangeLog:
* Sat May 3 2014 Johannes Lips <hannes(a)fedoraproject.org> - 1.9.90-1
- Update to 1.9.90
--------------------------------------------------------------------------------
================================================================================
gst-entrans-1.0.2-1.fc19 (FEDORA-2014-5946)
Plug-ins and tools for transcoding and recording with GStreamer
--------------------------------------------------------------------------------
Update Information:
This update includes various bug fixes and improves compatibility with GStreamer 1.x.
--------------------------------------------------------------------------------
ChangeLog:
* Sat May 3 2014 Theodore Lee <theo148(a)gmail.com> - 1.0.2-1
- Update to 1.0.2 release
- Update man file path
* Sat Aug 3 2013 Fedora Release Engineering <rel-eng(a)lists.fedoraproject.org> - 1.0.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Wed Apr 3 2013 Theodore Lee <theo148(a)gmail.com> - 1.0.0-1
- Update to 1.0.0 release (GStreamer 1.0 port)
- Switch over build dependencies to GStreamer 1.0
- Rename gstreamer-plugins-entrans[-docs] to gstreamer1-plugins-entrans[-docs]
- Run autoreconf in build for initial aarch64 build support
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #925500 - gst-entrans: Does not support aarch64 in f19 and rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=925500
--------------------------------------------------------------------------------
================================================================================
jortho-1.0-2.fc19 (FEDORA-2014-5954)
A spell checker for Java
--------------------------------------------------------------------------------
Update Information:
Initial version
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1092096 - Review Request: jortho - A spell checker for Java
https://bugzilla.redhat.com/show_bug.cgi?id=1092096
--------------------------------------------------------------------------------
================================================================================
libuv-0.10.27-1.fc19 (FEDORA-2014-5975)
Platform layer for node.js
--------------------------------------------------------------------------------
Update Information:
There were no changes in nodejs 0.10.28 or libuv 0.10.27 that affected Fedora. The latest
nodejs update contained a fixed npm, which is shipped separately in Fedora. The latest
libuv update contains only fixes for Windows.
Nonetheless, the latest version of both has been packaged to avoid confusion. However,
only these changelog entries from the previous releases are relevant:
2014.05.01, Version 0.10.27 (Stable)
* dns: fix certain txt entries (Fedor Indutny)
* assert: Ensure reflexivity of deepEqual (Mike Pennisi)
* child_process: fix deadlock when sending handles (Fedor Indutny)
* child_process: fix sending handle twice (Fedor Indutny)
* crypto: do not lowercase cipher/hash names (Fedor Indutny)
* http: do not emit EOF non-readable socket (Fedor Indutny)
* http: invoke createConnection when no agent (Nathan Rajlich)
* stream: remove useless check (Brian White)
* timer: don't reschedule timer bucket in a domain (Greg Brail)
* url: treat \ the same as / (isaacs)
* util: format as Error if instanceof Error (Rod Vagg)
2014.04.07, Version 0.10.26 (Stable)
* process: don't close stdio fds during spawn (Tonis Tiigi)
* kqueue: invalidate fd in uv_fs_event_t (Fedor Indutny)
* linux: always deregister closing fds from epoll (Geoffry Song)
* error: add ENXIO for O_NONBLOCK FIFO open() (Fedor Indutny)
--------------------------------------------------------------------------------
ChangeLog:
* Fri May 2 2014 T.C. Hollingsworth <tchollingsworth(a)gmail.com> - 1:0.10.27-1
- new upstream release 0.10.27
https://github.com/joyent/libuv/blob/v0.10.27/ChangeLog
--------------------------------------------------------------------------------
================================================================================
lua-term-0.03-3.fc19 (FEDORA-2014-5957)
Terminal functions for Lua
--------------------------------------------------------------------------------
Update Information:
Lua module for manipulating a terminal.
--------------------------------------------------------------------------------
================================================================================
nodejs-0.10.28-1.fc19 (FEDORA-2014-5975)
JavaScript runtime
--------------------------------------------------------------------------------
Update Information:
There were no changes in nodejs 0.10.28 or libuv 0.10.27 that affected Fedora. The latest
nodejs update contained a fixed npm, which is shipped separately in Fedora. The latest
libuv update contains only fixes for Windows.
Nonetheless, the latest version of both has been packaged to avoid confusion. However,
only these changelog entries from the previous releases are relevant:
2014.05.01, Version 0.10.27 (Stable)
* dns: fix certain txt entries (Fedor Indutny)
* assert: Ensure reflexivity of deepEqual (Mike Pennisi)
* child_process: fix deadlock when sending handles (Fedor Indutny)
* child_process: fix sending handle twice (Fedor Indutny)
* crypto: do not lowercase cipher/hash names (Fedor Indutny)
* http: do not emit EOF non-readable socket (Fedor Indutny)
* http: invoke createConnection when no agent (Nathan Rajlich)
* stream: remove useless check (Brian White)
* timer: don't reschedule timer bucket in a domain (Greg Brail)
* url: treat \ the same as / (isaacs)
* util: format as Error if instanceof Error (Rod Vagg)
2014.04.07, Version 0.10.26 (Stable)
* process: don't close stdio fds during spawn (Tonis Tiigi)
* kqueue: invalidate fd in uv_fs_event_t (Fedor Indutny)
* linux: always deregister closing fds from epoll (Geoffry Song)
* error: add ENXIO for O_NONBLOCK FIFO open() (Fedor Indutny)
--------------------------------------------------------------------------------
ChangeLog:
* Sat May 3 2014 T.C. Hollingsworth <tchollingsworth(a)gmail.com> - 0.10.28-1
- new upstream release 0.10.28
There is no difference between 0.10.27 and 0.10.28 for Fedora, as the only
thing updated was npm, which is shipped separately. The latest was only
packaged to avoid confusion. Please see the v0.10.27 changelog for relevant
changes in this update:
http://blog.nodejs.org/2014/05/01/node-v0-10-27-stable/
--------------------------------------------------------------------------------
================================================================================
openspecfun-0.3-1.fc19 (FEDORA-2014-5959)
Library providing a collection of special mathematical functions
--------------------------------------------------------------------------------
Update Information:
New upstream release.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1062901 - Review Request: openspecfun - Library providing a collection of
special mathematical functions
https://bugzilla.redhat.com/show_bug.cgi?id=1062901
--------------------------------------------------------------------------------
================================================================================
php-5.5.12-1.fc19 (FEDORA-2014-5984)
PHP scripting language for creating dynamic web sites
--------------------------------------------------------------------------------
Update Information:
Notice: to fix CVE-2014-0185, this version changes the default php-fpm unix domain socket
permission to 660 (instead of 666). Check your configuration if php-fpm uses UDS (the default
configuration uses a network socket).
Upstream Changelog: 01 May 2014, PHP 5.5.12
Core:
* Fixed bug #61019 (Out of memory on command stream_get_contents). (Mike)
* Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace UNIX
sockets). (Mike)
* Fixed bug #66182 (exit in stream filter produces segfault). (Mike)
* Fixed bug #66736 (fpassthru broken). (Mike)
* Fixed bug #67024 (getimagesize should recognize BMP files with negative height). (Gabor
Buella)
* Fixed bug #67043 (substr_compare broke by previous change) (Tjerk)
cURL:
* Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent). (Freek
Lijten)
Date:
* Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is supplied).
(Boro Sitnikovski)
Embed:
* Fixed bug #65715 (php5embed.lib isn't provided anymore). (Anatol).
Fileinfo:
* Fixed bug #66987 (Memory corruption in fileinfo ext / bigendian). (Remi)
FPM:
* Fixed bug #66482 (unknown entry 'priority' in php-fpm.conf).
* Fixed bug #67060 (possible privilege escalation due to insecure default configuration).
(CVE-2014-0185) (christian at hoffie dot info)
LDAP:
* Fixed issue with null bytes in LDAP bindings. (Matthew Daley)
mysqli:
* Fixed problem in mysqli_commit()/mysqli_rollback() with second parameter (extra comma)
and third parameters (lack of escaping). (Andrey)
OpenSSL:
* Fix bug #66942 (memory leak in openssl_seal()). (Chuan Ma)
* Fix bug #66952 (memory leak in openssl_open()). (Chuan Ma)
SimpleXML:
* Fixed bug #66084 (simplexml_load_string() mangles empty node name) (Anatol)
SQLite:
* Fixed bug #66967 (Updated bundled libsqlite to 3.8.4.3). (Anatol)
XSL:
* Fixed bug #53965 (<xsl:include> cannot find files with relative paths when loaded
with "file://"). (Anatol)
Apache2 Handler SAPI:
* Fixed Apache log issue caused by APR's lack of support for %zu (APR issue
https://issues.apache.org/bugzilla/show_bug.cgi?id=56120). (Jeff Trawick)
--------------------------------------------------------------------------------
ChangeLog:
* Sat May 3 2014 Remi Collet <rcollet(a)redhat.com> 5.5.12-1
- Update to 5.5.12
http://www.php.net/releases/5_5_12.php
- php-fpm: change default unix socket permission CVE-2014-0185
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1092815 - CVE-2014-0185 php: PHP script execution by default via PHP FPM
https://bugzilla.redhat.com/show_bug.cgi?id=1092815
--------------------------------------------------------------------------------
================================================================================
puddletag-1.0.3-1.fc19 (FEDORA-2014-5953)
Feature rich, easy to use tag editor
--------------------------------------------------------------------------------
Update Information:
Update to latest upstream release puddletag 1.0.3.
--------------------------------------------------------------------------------
ChangeLog:
* Sat May 3 2014 Terje Rosten <terje.rosten(a)ntnu.no> - 1.0.3-1
- 1.0.3
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1091741 - puddletag-1.0.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1091741
--------------------------------------------------------------------------------
================================================================================
python-fedora-0.3.34-1.fc19 (FEDORA-2014-5948)
Python modules for talking to Fedora Infrastructure Services
--------------------------------------------------------------------------------
Update Information:
Fix two security issues for services using python-fedora's TG1 and flask helpers.
The TG1 fix quotes variables that could have been used to launch an XSS attack.
The flask fix addresses OpenID Covert Redirect for web services which use flask_fas_openid
to authenticate against the Fedora Account System.
--------------------------------------------------------------------------------
ChangeLog:
* Fri May 2 2014 Toshio Kuratomi <toshio(a)fedoraproject.org> - 0.3.34-1
- Upstream 0.3.34 release with security fixes for TG and flask services built
with python-fedora
* Fri Mar 14 2014 Toshio Kuratomi <toshio(a)fedoraproject.org> - 0.3.33-3
- Do not build the TG1 subpackage on EPEL7. Infrastructure is going to port
its applications away from TG1 by the time they switch to RHEL7. So we want
to get rid of TurboGears1 packages before RHEL7.
- Fix conditionals so that they include the proper packages on epel7
* Fri Jan 10 2014 Dennis Gilmore <dennis(a)ausil.us> - 0.3.33-2
- clean up some rhel logic in the spec
--------------------------------------------------------------------------------
================================================================================
python-fmn-web-0.2.4-3.fc19 (FEDORA-2014-5974)
Frontend Web Application for Fedora Notifications
--------------------------------------------------------------------------------
Update Information:
Fix for Covert Redirect.
--------------------------------------------------------------------------------
ChangeLog:
* Fri May 2 2014 Ralph Bean <rbean(a)redhat.com> - 0.2.4-3
- Actually apply that patch.
* Fri May 2 2014 Ralph Bean <rbean(a)redhat.com> - 0.2.4-2
- Patch for Covert Redirect.
--------------------------------------------------------------------------------
================================================================================
python-lazy-1.2-1.fc19 (FEDORA-2014-5956)
Lazy attributes for Python objects
--------------------------------------------------------------------------------
Update Information:
New upstream release lazy-1.2
--------------------------------------------------------------------------------
ChangeLog:
* Fri May 2 2014 David Shea <dshea(a)redhat.com> - 1.2-1
- New upstream release lazy-1.2
--------------------------------------------------------------------------------
================================================================================
v8-3.14.5.10-8.fc19 (FEDORA-2014-5969)
JavaScript Engine
--------------------------------------------------------------------------------
Update Information:
This update modifies the way V8 queries the system time, greatly improving performance on
virtual machines where the real time clock is virtualized.
For more information, see:
https://github.com/joyent/node/commit/f9ced08de30c37838756e8227bd091f80ad...
--------------------------------------------------------------------------------
ChangeLog:
* Sat May 3 2014 T.C. Hollingsworth <tchollingsworth(a)gmail.com> - 1:3.14.5.10-8
- use clock_gettime() instead of gettimeofday(), which increases V8 performance
dramatically on virtual machines
--------------------------------------------------------------------------------