The following Fedora 26 Security updates need testing:
Age  URL  Build
189  https://bodhi.fedoraproject.org/updates/FEDORA-2017-ccb5c8d1e7  docker-distribution-2.6.2-1.git48294d9.fc26
82  https://bodhi.fedoraproject.org/updates/FEDORA-2017-3915878e18  ldns-1.7.0-4.fc26
35  https://bodhi.fedoraproject.org/updates/FEDORA-2017-d75a88f263  monit-5.25.1-1.fc26
27  https://bodhi.fedoraproject.org/updates/FEDORA-2018-ccef1ced42  gimp-2.8.22-3.fc26
21  https://bodhi.fedoraproject.org/updates/FEDORA-2018-66b885ae3c  keycloak-httpd-client-install-0.8-1.fc26
20  https://bodhi.fedoraproject.org/updates/FEDORA-2018-0db545e976  ruby-2.4.3-86.fc26
8  https://bodhi.fedoraproject.org/updates/FEDORA-2018-9780220f7d  dnsmasq-2.76-6.fc26
8  https://bodhi.fedoraproject.org/updates/FEDORA-2018-a10a19e06a  unbound-1.6.8-1.fc26
8  https://bodhi.fedoraproject.org/updates/FEDORA-2018-b166805347  transmission-2.92-12.fc26
8  https://bodhi.fedoraproject.org/updates/FEDORA-2018-4f8a78a5ef  squid-4.0.23-1.fc26
7  https://bodhi.fedoraproject.org/updates/FEDORA-2018-f73abc5680  knot-resolver-1.5.3-1.fc26
7  https://bodhi.fedoraproject.org/updates/FEDORA-2018-a6b59d8f78  libxml2-2.9.7-1.fc26
5  https://bodhi.fedoraproject.org/updates/FEDORA-2018-bbf8c38b51  jackson-databind-2.7.6-8.fc26
5  https://bodhi.fedoraproject.org/updates/FEDORA-2018-43712163de  webkitgtk4-2.18.6-1.fc26
3  https://bodhi.fedoraproject.org/updates/FEDORA-2018-958b22c73f  clamav-0.99.3-1.fc26
2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-d4746c772f  mujs-0-11.20180129git25821e6.fc26
2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-c7c6160e65  thunderbird-52.6.0-1.fc26
2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-034101216d  rsync-3.1.3-2.fc26
1  https://bodhi.fedoraproject.org/updates/FEDORA-2018-b5ecac9405  flatpak-0.10.3-1.fc26
1  https://bodhi.fedoraproject.org/updates/FEDORA-2018-48d385a6fd  apache-commons-email-1.5-1.fc26
The following Fedora 26 Critical Path updates have yet to be approved:
Age  URL  Build
27  https://bodhi.fedoraproject.org/updates/FEDORA-2018-c2eed6bd99  iproute-4.14.1-4.fc26
23  https://bodhi.fedoraproject.org/updates/FEDORA-2018-4818a0a3fb  lxpanel-0.9.3-2.D20180109git2ddf8dfc.fc26
18  https://bodhi.fedoraproject.org/updates/FEDORA-2018-ba521808e0  gnome-settings-daemon-3.24.3-4.fc26
11  https://bodhi.fedoraproject.org/updates/FEDORA-2018-8633570be3  nfs-utils-2.2.1-4.rc2.fc26
11  https://bodhi.fedoraproject.org/updates/FEDORA-2018-fcda2573ac  python-rpm-macros-3-21.fc26
8  https://bodhi.fedoraproject.org/updates/FEDORA-2018-9780220f7d  dnsmasq-2.76-6.fc26
8  https://bodhi.fedoraproject.org/updates/FEDORA-2018-f200f504b3  dtc-1.4.6-1.fc26
7  https://bodhi.fedoraproject.org/updates/FEDORA-2018-6fe92b98df  perl-threads-shared-1.58-1.fc26
7  https://bodhi.fedoraproject.org/updates/FEDORA-2018-0f208aa267  perl-threads-2.21-1.fc26
7  https://bodhi.fedoraproject.org/updates/FEDORA-2018-a9a5708bef  python3-3.6.4-2.fc26
7  https://bodhi.fedoraproject.org/updates/FEDORA-2018-a6b59d8f78  libxml2-2.9.7-1.fc26
5  https://bodhi.fedoraproject.org/updates/FEDORA-2018-49cd53ff36  libguestfs-1.36.13-1.fc26
5  https://bodhi.fedoraproject.org/updates/FEDORA-2018-be2cb3e65a  xen-4.8.3-2.fc26
5  https://bodhi.fedoraproject.org/updates/FEDORA-2018-b88532d5ee  satyr-0.23-2.fc26
5  https://bodhi.fedoraproject.org/updates/FEDORA-2018-43712163de  webkitgtk4-2.18.6-1.fc26
2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-034101216d  rsync-3.1.3-2.fc26
2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-c7c6160e65  thunderbird-52.6.0-1.fc26
2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-24006fc98f  redhat-rpm-config-64-1.fc26
2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-0f5d497bce  krb5-1.15.2-5.fc26
2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-b830db2f1e  gnupg2-2.2.4-1.fc26
2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-d267a6b7f6  vim-8.0.1438-1.fc26
1  https://bodhi.fedoraproject.org/updates/FEDORA-2018-c541c1d598  glusterfs-3.10.10-1.fc26
1  https://bodhi.fedoraproject.org/updates/FEDORA-2018-fb7da310cb  perl-Socket-2.027-1.fc26
1  https://bodhi.fedoraproject.org/updates/FEDORA-2018-aa879be08e  gcc-7.3.1-2.fc26
1  https://bodhi.fedoraproject.org/updates/FEDORA-2018-b5ecac9405  flatpak-0.10.3-1.fc26
The following builds have been pushed to Fedora 26 updates-testing
389-ds-base-1.3.6.13-1.fc26
autofs-5.1.4-5.fc26
composer-1.6.3-1.fc26
kernel-4.14.16-200.fc26
libabigail-1.1-1.fc26
mozilla-noscript-10.1.6.4-1.fc26
mozilla-ublock-origin-1.14.24-1.fc26
onionshare-1.2-1.fc26
pcre-8.41-5.fc26
perl-List-UtilsBy-0.11-1.fc26
php-composer-spdx-licenses-1.3.0-1.fc26
php-phpunit-PHPUnit-5.7.27-1.fc26
php-zendframework-zend-session-2.8.4-1.fc26
postfix-3.2.5-1.fc26
python-fedora-0.10.0-1.fc26
qupzilla-2.2.5-2.fc26
rpmgrill-0.32-2.fc26
sox-14.4.2.0-16.fc26
tig-2.3.3-1.fc26
tomcat-native-1.2.16-1.fc26
weechat-2.0.1-1.fc26
Details about builds:
================================================================================
389-ds-base-1.3.6.13-1.fc26 (FEDORA-2018-7f7f7051e9)
389 Directory Server (base)
--------------------------------------------------------------------------------
Update Information:
Bump version to 1.3.6.13
--------------------------------------------------------------------------------
================================================================================
autofs-5.1.4-5.fc26 (FEDORA-2017-164b3ee23a)
A tool for automatically mounting and unmounting filesystems
--------------------------------------------------------------------------------
Update Information:
- fix deadlock in dumpmaps and some amd map handling problems.
- fix use after free in do_master_list_reset().

----

- this release (5.1.4) fixes a couple of regressions in 5.1.3.
- it also improves the network not available at startup problem that users
  have seen.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1523866 - autofs with NIS logs add_host_addrs: hostname lookup failed: Name
or service not known/No address associated with hostname
https://bugzilla.redhat.com/show_bug.cgi?id=1523866
[ 2 ] Bug #1409103 - autofs cannot mount samba/cifs shares that end with a dollar sign
https://bugzilla.redhat.com/show_bug.cgi?id=1409103
[ 3 ] Bug #1500027 - Drop preventing bind mounts when port is specified
https://bugzilla.redhat.com/show_bug.cgi?id=1500027
[ 4 ] Bug #698449 - [RFE] Add optional nss map read retries
https://bugzilla.redhat.com/show_bug.cgi?id=698449
--------------------------------------------------------------------------------
================================================================================
composer-1.6.3-1.fc26 (FEDORA-2018-3f59cf8988)
Dependency Manager for PHP
--------------------------------------------------------------------------------
Update Information:
**composer/spdx-licenses 1.3.0** - 2018-01-31

* Added: `SpdxLicenses::getLicenses` to get the whole list of methods.
* Changed: license identifiers are now case insensitive.

----

**composer 1.6.3** - 2018-01-31

* Fixed GitLab downloads failing in some edge cases
* Fixed ctrl-C handling during create-project
* Fixed GitHub VCS repositories not prompting for a token in some conditions
* Fixed SPDX license identifiers being case sensitive
* Fixed and clarified a few dependency resolution error reporting strings
* Fixed SVN commit log fetching in verbose mode when using private
  repositories
--------------------------------------------------------------------------------
================================================================================
kernel-4.14.16-200.fc26 (FEDORA-2018-d82b617d6c)
The Linux kernel
--------------------------------------------------------------------------------
Update Information:
The 4.14.16 stable kernel update contains a number of important fixes across the
tree.

----

The 4.14.15-301 update reverts the retpoline VERMAGIC ABI change for modules.

----

The 4.14.15 stable kernel update contains a number of important fixes across the
tree.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1492664 - kernel: Soft lockup in warn_alloc
https://bugzilla.redhat.com/show_bug.cgi?id=1492664
[ 2 ] Bug #1539706 - CVE-2018-5750 kernel: Kernel address information leak in
drivers/acpi/sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass
https://bugzilla.redhat.com/show_bug.cgi?id=1539706
[ 3 ] Bug #1535315 - CVE-2018-1000004 kernel: Race condition in sound system can lead to
denial of service
https://bugzilla.redhat.com/show_bug.cgi?id=1535315
--------------------------------------------------------------------------------
================================================================================
libabigail-1.1-1.fc26 (FEDORA-2018-c7ae501e67)
Set of ABI analysis tools
--------------------------------------------------------------------------------
Update Information:
Update to upstream 1.1
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1532670 - in compare_dies at: abg-dwarf-reader.cc:11423
https://bugzilla.redhat.com/show_bug.cgi?id=1532670
--------------------------------------------------------------------------------
================================================================================
mozilla-noscript-10.1.6.4-1.fc26 (FEDORA-2018-7e290aa4cb)
JavaScript white list extension for Mozilla Firefox
--------------------------------------------------------------------------------
Update Information:
**NOTE:** All packaged Firefox add-ons are affected by Firefox bug
fedora#1508827. A workaround is provided in the bug report. Please do not give
negative karma just because of that bug.

**Fedora changes:**

The package is now split into three. Firefox WebExtension (`firefox-noscript`)
and SeaMonkey legacy XPI Extension (`seamonkey-noscript`) while the main package
(`mozilla-noscript`) became a metapackage and requires both. You can uninstall
the one you're not using along with the metapackage.

**Upstream changes:**

* Fixed race condition on XSS filter first load
* Fixed duplicate entries in UI on page reloads (thanks 8-bit for reporting)
* Spinner for long sites lists in Options page
* Removed obsolete work-around for accidental TRUSTED preset wiping
* [UI] Fixed clicking on capability's label doesn't toggle the related checkbox
  (thanks dhouwn and olf for reporting)
* [XSS] Fixed false positives on badly encoded URLs (thanks sage11 for
  reporting)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1539464 - mozilla-noscript-10.1.6.4 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1539464
--------------------------------------------------------------------------------
================================================================================
mozilla-ublock-origin-1.14.24-1.fc26 (FEDORA-2018-6ff92e773b)
An efficient blocker for Firefox
--------------------------------------------------------------------------------
Update Information:
**NOTE:** All packaged Firefox add-ons are affected by Firefox bug
fedora#1508827. A workaround is provided in the bug report. Please do not give
negative karma just because of that bug.

Emergency fix for "[Cannot full support Domain restrictive Inverse type
options](https://github.com/nikrolls/uBlock-Edge/issues/101)".
--------------------------------------------------------------------------------
================================================================================
onionshare-1.2-1.fc26 (FEDORA-2018-1f56ebb970)
Securely and anonymously share files of any size
--------------------------------------------------------------------------------
Update Information:
Update to 1.2
--------------------------------------------------------------------------------
================================================================================
pcre-8.41-5.fc26 (FEDORA-2018-97c235c370)
Perl-compatible regular expression library
--------------------------------------------------------------------------------
Update Information:
This release fixes an out-of-bounds read for a partial match against an empty
string when the newline type is CRLF.
--------------------------------------------------------------------------------
================================================================================
perl-List-UtilsBy-0.11-1.fc26 (FEDORA-2018-675479fbc8)
Higher-order list utility functions
--------------------------------------------------------------------------------
Update Information:
Upstream update.
--------------------------------------------------------------------------------
================================================================================
php-composer-spdx-licenses-1.3.0-1.fc26 (FEDORA-2018-3f59cf8988)
SPDX licenses list and validation library
--------------------------------------------------------------------------------
Update Information:
**composer/spdx-licenses 1.3.0** - 2018-01-31

* Added: `SpdxLicenses::getLicenses` to get the whole list of methods.
* Changed: license identifiers are now case insensitive.

----

**composer 1.6.3** - 2018-01-31

* Fixed GitLab downloads failing in some edge cases
* Fixed ctrl-C handling during create-project
* Fixed GitHub VCS repositories not prompting for a token in some conditions
* Fixed SPDX license identifiers being case sensitive
* Fixed and clarified a few dependency resolution error reporting strings
* Fixed SVN commit log fetching in verbose mode when using private
  repositories
--------------------------------------------------------------------------------
================================================================================
php-phpunit-PHPUnit-5.7.27-1.fc26 (FEDORA-2018-05c0c8883f)
The PHP Unit Testing framework
--------------------------------------------------------------------------------
Update Information:
**Version 5.7.27** - 2018-02-01

* **Fixed**
  * Fixed [#2236](https://github.com/sebastianbergmann/phpunit/issues/2236):
    Exceptions in `tearDown()` do not affect `getStatus()`
  * Fixed [#2950](https://github.com/sebastianbergmann/phpunit/issues/2950):
    Class extending `PHPUnit\Framework\TestSuite` does not extend
    `PHPUnit\FrameworkTestCase`
  * Fixed [#2972](https://github.com/sebastianbergmann/phpunit/issues/2972):
    PHPUnit crashes when test suite contains both `.phpt` files and
    unconventionally named tests
--------------------------------------------------------------------------------
================================================================================
php-zendframework-zend-session-2.8.4-1.fc26 (FEDORA-2018-870022cc2f)
Zend Framework Session component
--------------------------------------------------------------------------------
Update Information:
**Version 2.8.4** - 2018-01-31

* **Fixed**
  - [#107](https://github.com/zendframework/zend-session/pull/107) fixes an
    error raised by `ini_set()` within `SessionConfig::setStorageOption()` that
    occurs for certain INI values that cannot be set if the session is active.
    When this situation occurs, the class performs a `session_write_close()`,
    sets the new INI value, and then restarts the session. As such, we recommend
    that you either set production INI values in your production `php.ini`,
    and/or always pass your fully configured session manager to container
    instances you create.
  - [#105](https://github.com/zendframework/zend-session/pull/105) fixes an edge
    case whereby if the special `__ZF` session value is a non-array value,
    initializing the session would result in errors.
  - [#102](https://github.com/zendframework/zend-session/pull/102) fixes an
    issue introduced with 2.8.0 with `AbstractContainer::offsetGet`. Starting in
    2.8.0, if the provided `$key` did not exist, the method would raise an error
    regarding an invalid variable reference; this release provides a fix that
    resolves that issue.
--------------------------------------------------------------------------------
================================================================================
postfix-3.2.5-1.fc26 (FEDORA-2018-83e9689d6f)
Postfix Mail Transport Agent
--------------------------------------------------------------------------------
Update Information:
This is a new version of postfix; for details see the upstream announcement:
http://www.postfix.org/announcements/postfix-3.2.5.html
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1539465 - postfix-3.2.5 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1539465
--------------------------------------------------------------------------------
================================================================================
python-fedora-0.10.0-1.fc26 (FEDORA-2018-ea972dd79c)
Python modules for talking to Fedora Infrastructure Services
--------------------------------------------------------------------------------
Update Information:
Rebase to upstream 0.10.0
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1481210 - spec file points to URL: https://fedorahosted.org/python-fedora/
https://bugzilla.redhat.com/show_bug.cgi?id=1481210
[ 2 ] Bug #1540970 - python-fedora-0.10.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1540970
--------------------------------------------------------------------------------
================================================================================
qupzilla-2.2.5-2.fc26 (FEDORA-2018-a98a820850)
Modern web browser
--------------------------------------------------------------------------------
Update Information:
An update of QupZilla to the latest upstream release, version 2.2.5.

New in QupZilla 2.2.4:

* added option to disable search suggestions from locationbar
* added support for detaching and moving tabs to other windows with drag&drop
* added support for dropping text/url on tabbar to create new tabs
* added support for GreaseMonkey 4.0 API in userscripts
* added support for customizing navigation bar layout and widgets
* added support for loading userChrome.css stylesheet from profile to configure
  interface
* added new buttons to navigation bar: Tools, Downloads, GreaseMonkey and
  AdBlock
* added new Windows theme and improve every other theme
* added support for printing from JavaScript with window.print()
* closed windows can now be restored using history menu or Ctrl+Shift+N
  shortcut
* multiple windows in session now each restore its geometry, state and settings
* number of fixes and improvements in tabbar
* greatly improved compatibility with various GreaseMonkey userscripts
* updated design for SpeedDial
* fix infinite loading animation on some sites with QtWebEngine 5.10
* fix restoring maximized state after leaving fullscreen
* fix internal pages not working when JavaScript is disabled
* fix showing close button in Web Inspector
* fix tabs not being restored when activated in some cases
* fix loading "localhost" from locationbar
* fix applying web settings when in private mode

New in QupZilla 2.2.5:

* added Unload Tab action
* added search engine buttons to locationbar completer
* added option to disable automatic password completion on sites
* plugins are now always enabled (fixes missing AdBlock)
* bring back AdBlock and GreaseMonkey icons in statusbar + add new buttons
* fix incorrect size of buttons in bookmarks toolbar with some styles
* fix losing session when loading newer profile with old application version
* fix temporarily enabling/disabling JavaScript using StatusBarIcons plugin
* fix user agent settings not being applied on startup
* fix calculating remaining time in download manager

See also http://blog.qupzilla.com/2018/01/whats-new-in-qupzilla-224.html

Note that qupzilla-2.2.5-2.fc26 enables the workaround for the tab loading
animation not stopping on some websites when using QtWebEngine 5.10.0 (see
https://github.com/QupZilla/qupzilla/issues/2479 and
https://bugreports.qt.io/browse/QTBUG-65223) unconditionally, because upstream
enabled it only if the Qt version is 5.10.0, but we ship only QtWebEngine
5.10.0, Qt is still 5.9.x LTS, so it did not work as shipped by upstream.
--------------------------------------------------------------------------------
================================================================================
rpmgrill-0.32-2.fc26 (FEDORA-2018-477684233b)
A utility for catching problems in koji builds
--------------------------------------------------------------------------------
Update Information:
bz1520003 - Do not hard require clamav-data
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1520003 - minimal .spec file change to assist lessening load
https://bugzilla.redhat.com/show_bug.cgi?id=1520003
--------------------------------------------------------------------------------
================================================================================
sox-14.4.2.0-16.fc26 (FEDORA-2018-790e7e720d)
A general purpose sound file conversion tool
--------------------------------------------------------------------------------
Update Information:
Security fix for **CVE-2017-15372**, **CVE-2017-15642**.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1510923 - CVE-2017-15642 sox: Use-after-free in lsx_aiffstartread
https://bugzilla.redhat.com/show_bug.cgi?id=1510923
[ 2 ] Bug #1510919 - CVE-2017-15372 sox: Stack-based buffer overflow in the
lsx_ms_adpcm_block_expand_i function
https://bugzilla.redhat.com/show_bug.cgi?id=1510919
--------------------------------------------------------------------------------
================================================================================
tig-2.3.3-1.fc26 (FEDORA-2018-e2fac3d5a7)
Text-mode interface for the git revision control system
--------------------------------------------------------------------------------
Update Information:
Update to version 2.3.3, which includes several bug fixes. See the release
notes at
https://jonas.github.io/tig/NEWS.html.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1527726 - tig-2.3.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1527726
--------------------------------------------------------------------------------
================================================================================
tomcat-native-1.2.16-1.fc26 (FEDORA-2018-318b5d74bd)
Tomcat native library
--------------------------------------------------------------------------------
Update Information:
Security fix for CVE-2017-15698
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1540824 - CVE-2017-15698 tomcat-native: Mishandling of client certificates
can allow for OCSP check bypass
https://bugzilla.redhat.com/show_bug.cgi?id=1540824
--------------------------------------------------------------------------------
================================================================================
weechat-2.0.1-1.fc26 (FEDORA-2018-1aea02d8b7)
Portable, fast, light and extensible IRC client
--------------------------------------------------------------------------------
Update Information:
Update to 2.0.1
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1528100 - weechat-2.0.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1528100
--------------------------------------------------------------------------------