EPEL Fedora 5 updates-testing report

updates at fedoraproject.org
Mon Aug 26 16:50:34 UTC 2013


The following Fedora EPEL 5 Security updates need testing:
 Age  URL
 491  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-5630/bugzilla-3.2.10-5.el5
 386  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-6608/Django-1.1.4-2.el5
   9  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11174/libzrtpcpp-3.2.1-3.el5
   9  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11165/cacti-0.8.8b-1.el5
   9  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11144/chrony-1.25-3.el5
   5  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11276/ssmtp-2.61-21.el5
   3  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11300/drupal7-theme-zen-5.4-1.el5
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11336/lighttpd-1.4.32-1.el5


The following builds have been pushed to Fedora EPEL 5 updates-testing

    libburn-1.3.2-1.el5
    libisoburn-1.3.2-1.el5
    libisofs-1.3.2-1.el5
    lighttpd-1.4.32-1.el5
    mksh-48b-1.el5

Details about builds:


================================================================================
 libburn-1.3.2-1.el5 (FEDORA-EPEL-2013-11335)
 Library for reading, mastering and writing optical discs
--------------------------------------------------------------------------------
Update Information:

Changes towards previous version 1.3.0
======================================


libburn novelties
-----------------

  * Bug fix: The signal handler aborted on SIGCONT, SIGTSTP, SIGTTIN, SIGTTOU
  * New API call burn_make_input_sheet_v07t()
  * API call burn_session_input_sheet_v07t(): read multiple blocks from same file
  * New API calls burn_drive_extract_audio(), burn_drive_extract_audio_track()
  * Optional "make doc" now demands doxygen 1.8.4


cdrskin novelties
-----------------

  * Bug fix: cdrskin -msinfo on DVD and BD reported old session start = next writable address. Regression introduced by version 1.2.8 (rev 4956). Also fixed in libburn-1.3.0.pl01.
  * New cdrskin option textfile_to_v07t=
  * New cdrskin options cdtext_to_textfile= and cdtext_to_v07t=
  * New cdrskin options extract_audio_to= , extract_tracks= , extract_basename= , --extract_dap
  * New cdrskin option --pacifier_with_newline
  * Improved granularity of SCSI log time measurement, now with timestamp


libisofs novelties
------------------
  * Bug fix: iso_finish() left an invalid global pointer, which a subsequent call of iso_init() would try to dereference.
  * The sort weight of data files loaded from ISO image is now 2 exp 28 to 1 rather than 2 exp 31 - 1 to - 2 exp 31


libisoburn and xorriso novelties
--------------------------------

  * Bug fix: -find -exec "sort_weight" did not mark the image as having pending changes
  * Bug fix: -backslash_codes "with_program_arguments" was interpreted too late
  * Bug fix: Missing or empty parameter with -dus was interpreted as "*" rather than "."
  * Bug fix: readline history was spammed by -msg_op parsing and pipe loops
  * New -pacifier behavior code "interval="
  * New -as mkisofs options --sort-weight-list and --sort-weight-patterns
  * New -format mode "without_spare" (for BD-RE)
  * New command -named_pipe_loop
  * New command -sh_style_result
  * New -msg_op opcodes "parse_silently" and "parse_bulk_silently"
  * New command -application_use and new -as mkisofs option --application_use 
--------------------------------------------------------------------------------
ChangeLog:

* Sun Aug 25 2013 Robert Scheck <robert at fedoraproject.org> 1.3.2-1
- Update to upstream 1.3.2 (#994916)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #994921 - libisofs-1.3.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=994921
  [ 2 ] Bug #994916 - libburn-1.3.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=994916
  [ 3 ] Bug #994920 - libisoburn-1.3.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=994920
--------------------------------------------------------------------------------


================================================================================
 libisoburn-1.3.2-1.el5 (FEDORA-EPEL-2013-11335)
 Library to enable creation and expansion of ISO-9660 filesystems
--------------------------------------------------------------------------------
ChangeLog:

* Sun Aug 25 2013 Robert Scheck <robert at fedoraproject.org> 1.3.2-1
- Upgrade to 1.3.2 (#994920)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #994921 - libisofs-1.3.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=994921
  [ 2 ] Bug #994916 - libburn-1.3.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=994916
  [ 3 ] Bug #994920 - libisoburn-1.3.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=994920
--------------------------------------------------------------------------------


================================================================================
 libisofs-1.3.2-1.el5 (FEDORA-EPEL-2013-11335)
 Library to create ISO 9660 disk images
--------------------------------------------------------------------------------
ChangeLog:

* Sun Aug 25 2013 Robert Scheck <robert at fedoraproject.org> 1.3.2-1
- Upgrade to 1.3.2 (#994921)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #994921 - libisofs-1.3.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=994921
  [ 2 ] Bug #994916 - libburn-1.3.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=994916
  [ 3 ] Bug #994920 - libisoburn-1.3.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=994920
--------------------------------------------------------------------------------


================================================================================
 lighttpd-1.4.32-1.el5 (FEDORA-EPEL-2013-11336)
 Lightning fast webserver with light system requirements
--------------------------------------------------------------------------------
Update Information:

One important denial of service (in 1.4.31) fix: CVE-2012-5533.

A flaw was found in lighttpd version 1.4.31 that could be exploited by a remote user to cause a denial of service condition in lighttpd. A client could send a malformed Connection header to lighttpd (such as "Connection: TE,,Keep-Alive"), which would cause lighttpd to enter an endless loop: the parser detects an empty token but does not increment the current string position, so it reads the same ',' over and over.

This flaw was introduced in 1.4.31 [1] when an "invalid read" bug was fixed [2].

[1] http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2830/diff/
[2] http://redmine.lighttpd.net/issues/2413
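
The bug class described above, as an added C example; it is not lighttpd's code. The names split_value, advance_on_empty and STEP_BUDGET are hypothetical, and the step budget exists only so the flawed variant returns instead of hanging.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define STEP_BUDGET 1000 /* assumption: lets the flawed variant report failure */

/* Split a comma-separated header value and count its non-empty tokens.
 * advance_on_empty = 0 models the flaw (empty token, position unchanged);
 * advance_on_empty = 1 steps past the ',' of an empty token.
 * Returns the token count, or -1 when the loop stops making progress. */
static int split_value(const char *s, int advance_on_empty, int *keep_alive)
{
    size_t i = 0, len = strlen(s);
    int tokens = 0, steps = 0;

    *keep_alive = 0;
    while (i < len) {
        if (++steps > STEP_BUDGET) return -1;  /* no forward progress */

        while (i < len && (s[i] == ' ' || s[i] == '\t')) i++;
        if (i >= len) break;

        size_t start = i;
        while (i < len && s[i] != ',') i++;    /* scan to delimiter or end */

        if (i == start) {                      /* empty token: s[i] is ',' */
            if (advance_on_empty) i++;         /* corrected: consume the ',' */
            continue;                          /* flawed: same ',' read again */
        }

        size_t end = i;                        /* trim trailing whitespace */
        while (end > start && (s[end - 1] == ' ' || s[end - 1] == '\t')) end--;
        if (end - start == 10 && strncasecmp(s + start, "keep-alive", 10) == 0)
            *keep_alive = 1;
        tokens++;
        if (i < len) i++;                      /* consume ',' after a token */
    }
    return tokens;
}

int main(void)
{
    const char *value = "TE,,Keep-Alive";      /* header value quoted above */
    int ka;
    printf("flawed:    %d\n", split_value(value, 0, &ka));
    printf("corrected: %d\n", split_value(value, 1, &ka));
    return 0;
}
```

Every `continue` path in a tokenizer loop has to advance the cursor; a regression test with an empty list element catches this kind of hang before release.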


Acknowledgement:

Red Hat would like to thank Stefan Bühler for reporting this issue. Upstream acknowledges Jesse Sipprell from McClatchy Interactive, Inc. as the original reporter.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Aug 26 2013 Jon Ciesla <limburgher at gmail.com> - 1.4.32-1
- Update to 1.4.32, BZ 878915.
* Sat Aug  3 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.4.31-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.4.31-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Thu Jul 19 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.4.31-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #878915 - CVE-2012-5533 lighttpd: Denial of Service via malformed Connection headers [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=878915
  [ 2 ] Bug #878914 - CVE-2012-5533 lighttpd: Denial of Service via malformed Connection headers [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=878914
--------------------------------------------------------------------------------


================================================================================
 mksh-48b-1.el5 (FEDORA-EPEL-2013-11343)
 MirBSD enhanced version of the Korn Shell
--------------------------------------------------------------------------------
Update Information:

R48b is a minor bugfix update:

  * [tg] Fix display issue with multi-line prompts and SIGWINCH


R48 is a small but important bugfix update:

  * [tg] dot.mkshrc: unbreak hd(1) function in UTF-8 mode
  * [Jens Staal, tg] Improve buildability on Plan 9 and support kencc
  * [tg] Clean up and improve build process and testsuite
  * [Michael Langguth] Add multi-layer ICO file from mksh/Win32
  * [tg, Steffen Daode Nurpmeso] Fix interactive shell exiting on ^C or syntax error when the EXIT pseudo-signal trap was set (to anything)
  * [tg, Daode] Display longer command excerpts in job control
  * [tg] Rewrite Emacs mode display window sliding calculation code
  * [tg] dot.mkshrc: “doch” now keeps standard input
  * [tg] Reduce memory usage and improve comments and documentation
--------------------------------------------------------------------------------
ChangeLog:

* Sun Aug 25 2013 Robert Scheck <robert at fedoraproject.org> 48b-1
- Upgrade to 48b
--------------------------------------------------------------------------------


