EPEL Fedora 5 updates-testing report

updates at fedoraproject.org updates at fedoraproject.org
Wed Sep 4 18:27:43 UTC 2013


The following Fedora EPEL 5 Security updates need testing:
 Age  URL
 500  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-5630/bugzilla-3.2.10-5.el5
 395  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-6608/Django-1.1.4-2.el5
  15  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11276/ssmtp-2.61-21.el5
  13  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11300/drupal7-theme-zen-5.4-1.el5
   9  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11336/lighttpd-1.4.32-1.el5
   3  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11396/cacti-0.8.8b-2.el5
   1  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11418/graphite-web-0.9.12-1.el5
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11448/perl-Crypt-DSA-0.14-8.el5


The following builds have been pushed to Fedora EPEL 5 updates-testing

    perl-Crypt-DSA-0.14-8.el5
    rubygem-rest-client-1.6.7-1.el5

Details about builds:


================================================================================
 perl-Crypt-DSA-0.14-8.el5 (FEDORA-EPEL-2013-11448)
 Perl module for DSA signatures and key generation
--------------------------------------------------------------------------------
Update Information:

As taught by the '09 Debian PGP disaster relating to DSA, the randomness source is extremely important. On systems without /dev/random, Crypt::DSA falls back to using Data::Random. Data::Random uses rand(), about which the perldoc says "rand() is not cryptographically secure. You should not rely on it in security-sensitive situations." In the case of DSA this is even worse: a per-signature nonce (k) that is predictable, or that repeats across two signatures, lets anyone holding the signatures recover the signing key, so an insecure randomness source can compromise the private key the moment a message is signed.

See: http://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/

It might seem that this would not affect Linux, since /dev/random is always available and so the fallback to Data::Random would never happen. However, if an application is confined using a MAC system such as SELinux, then access to /dev/random could be denied by policy and the fallback would be triggered.
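The following is an added example, not code from perl-Crypt-DSA or from this update, showing why the nonce matters. It is written in Python rather than Perl so that it runs stand-alone; the DSA domain parameters are toy-sized and built inline (assumption: a 20-bit q is enough to show the algebra, which is identical for real parameter sizes), and the "weak nonce" stands in for a rand()-style generator whose seed an attacker can guess. It shows two consequences of a bad k: reusing one k for two messages leaks the key, and a k the attacker can reproduce leaks the key from a single signature.

```python
"""DSA nonce failures, worked on toy parameters (added example, not package code)."""
import hashlib
import random
from math import isqrt


def _is_prime(n):
    # Trial division; fine for the toy sizes used here.
    if n < 2:
        return False
    return all(n % d for d in range(2, isqrt(n) + 1))


def dsa_params(q=1000003):
    """Return (p, q, g) with q | p-1 and g of order q. q=1000003 is prime (toy size)."""
    m = 2
    while not _is_prime(q * m + 1):
        m += 1
    p = q * m + 1
    for h in range(2, p - 1):
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g
    raise RuntimeError("no generator found")


def keygen(params, x=None):
    p, q, g = params
    x = x if x is not None else random.SystemRandom().randrange(1, q)
    return x, pow(g, x, p)


def _hash(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def sign(params, x, msg, k):
    """Textbook DSA: r = (g^k mod p) mod q, s = k^-1 (H(m) + x r) mod q."""
    p, q, g = params
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (_hash(msg, q) + x * r) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick another k")
    return r, s


def verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = _hash(msg, q) * w % q
    u2 = r * w % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r


def recover_from_known_k(params, msg, sig, k):
    """If k is known, x = (s k - H(m)) r^-1 mod q from a single signature."""
    _, q, _ = params
    r, s = sig
    return (s * k - _hash(msg, q)) * pow(r, -1, q) % q


def recover_from_reuse(params, msg1, sig1, msg2, sig2):
    """Same k for two messages => same r; solve for k, then for x."""
    _, q, _ = params
    r1, s1 = sig1
    r2, s2 = sig2
    assert r1 == r2, "different r values: k was not reused"
    k = (_hash(msg1, q) - _hash(msg2, q)) * pow(s1 - s2, -1, q) % q
    return recover_from_known_k(params, msg1, sig1, k)


def weak_nonce(seed, q):
    """Stand-in for a rand()-derived nonce: anyone who knows the seed gets the same k."""
    return random.Random(seed).randrange(1, q)


def demo():
    params = dsa_params()
    x, y = keygen(params)
    # Failure 1: a generator that hands out the same k twice (e.g. re-seeded per process).
    k = weak_nonce(seed=1, q=params[1])
    sig1 = sign(params, x, b"first message", k)
    sig2 = sign(params, x, b"second message", k)
    leaked_a = recover_from_reuse(params, b"first message", sig1, b"second message", sig2)
    # Failure 2: an attacker who can guess the seed reproduces k outright.
    leaked_b = recover_from_known_k(params, b"first message", sig1, weak_nonce(1, params[1]))
    return {"valid": verify(params, y, b"first message", sig1),
            "x": x, "reuse_leak": leaked_a, "known_k_leak": leaked_b}


if __name__ == "__main__":
    print(demo())
```

A correct implementation draws k from a CSPRNG (or derives it deterministically per RFC 6979), and an update such as this one is exactly the kind of change to test under the confinement that triggers the fallback: run the signing code under the same SELinux policy as production and confirm that /dev/random (or the OS-level alternative the module now uses) is actually reachable.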

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #743567 - CVE-2011-3599 perl-Crypt-DSA: Cryptographically insecure method used for random numbers generation on systems without /dev/random
        https://bugzilla.redhat.com/show_bug.cgi?id=743567
--------------------------------------------------------------------------------


================================================================================
 rubygem-rest-client-1.6.7-1.el5 (FEDORA-EPEL-2013-11450)
 Simple REST client for Ruby
--------------------------------------------------------------------------------
Update Information:

Version 1.6.7
--------------------------------------------------------------------------------
ChangeLog:

* Wed Sep  4 2013 Michal Fojtik <mfojtik at redhat.com> - 1.6.7-1
- Update to 1.6.7
* Mon Mar 21 2011 Michal Fojtik <mfojtik at redhat.com> - 1.4.0-7
- Reverted to old version
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #672213 - request to upgrade package version
        https://bugzilla.redhat.com/show_bug.cgi?id=672213
--------------------------------------------------------------------------------



More information about the epel-devel mailing list