EPEL Fedora 6 updates-testing report

updates at fedoraproject.org updates at fedoraproject.org
Fri Aug 1 16:43:00 UTC 2014


The following Fedora EPEL 6 Security updates need testing:
 Age  URL
 831  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-5620/bugzilla-3.4.14-2.el6
 178  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-0440/fwsnort-1.6.4-1.el6
 163  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-0590/oath-toolkit-2.0.2-4.el6
  72  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1471/chicken-4.8.0.6-2.el6
  68  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1477/drupal7-views-3.8-1.el6
  50  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1616/puppet-2.7.26-1.el6
  40  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1693/perl-Email-Address-1.905-1.el6
  35  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1745/mediawiki119-1.19.17-1.el6
  11  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1961/cobbler-2.6.3-1.el6
  11  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1923/sdcc-3.2.0-1.el6
  11  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1947/drupal6-6.32-1.el6
   9  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1980/moodle-2.4.11-1.el6
   8  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1940/phpMyAdmin-4.0.10.1-1.el6
   8  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1999/exim-4.72-6.el6
   4  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-2045/ansible-1.6.10-1.el6
   3  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-2050/drupal7-7.30-1.el6
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-2084/drupal7-date-2.8-1.el6
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-2088/tor-0.2.4.23-1.el6
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-2099/v8-3.14.5.10-11.el6


The following builds have been pushed to Fedora EPEL 6 updates-testing

    golang-github-gorilla-context-0-0.27.git14f550f.el6
    libuv-0.10.28-1.el6
    nodejs-0.10.30-1.el6
    openconnect-5.03-1.el6
    pgpdump-0.29-1.el6
    php-symfony-icu-1.1.2-1.el6
    seren-0.0.19-1.el6
    v8-3.14.5.10-11.el6
    x2goserver-4.0.1.15-2.el6

Details about builds:


================================================================================
 golang-github-gorilla-context-0-0.27.git14f550f.el6 (FEDORA-EPEL-2014-2094)
 A golang registry for global request variables
--------------------------------------------------------------------------------
Update Information:

remove conditionals for arch specification (handle el6 separately)
update to commit b06ed15e1c (required for docker 1.0
golang exclusivearch for el6+
revert golang >= 1.2 requirement
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jul 31 2014 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 0-0.27.git
- remove conditionals for arch specification (handle el6 separately)
- defattr only for el6
* Thu Jul 24 2014 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 0-0.26.git
- disable debuginfo
* Mon Jul 21 2014 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 0-0.25.git
- update to commit 14f550f51a for docker 1.1.0 (and 1.1.1)
- use golang packaging macros wherever applicable
- do not own directories owned by 'golang' package
* Sat Jun  7 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0-0.24.gitb06ed15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Sat May 31 2014 Lokesh Mandvekar <lsm5 at redhat.com> 0-0.23.git
- update to commit b06ed15e1c (required for docker 1.0
https://github.com/dotcloud/docker/issues/5908 )
* Wed Jan 15 2014 Lokesh Mandvekar <lsm5 at redhat.com> 0-0.22.git708054d
- golang exclusivearch for el6+
- add check
* Wed Jan 15 2014 Lokesh Mandvekar <lsm5 at redhat.com> 0-0.21.git708054d
- revert golang 1.2 requirement
* Wed Jan 15 2014 Lokesh Mandvekar <lsm5 at redhat.com> 0-0.20.git708054d
- require golang 1.2 and up
--------------------------------------------------------------------------------


================================================================================
 libuv-0.10.28-1.el6 (FEDORA-EPEL-2014-2096)
 Platform layer for node.js
--------------------------------------------------------------------------------
Update Information:

### 2014.07.31, node.js Version 0.10.30 (Stable)

* Revert "stream: start old-mode read in a next tick" (Fedor Indutny)

* buffer: fix sign overflow in `readUIn32BE` (Fedor Indutny)

* buffer: improve {read,write}{U}Int* methods (Nick Apperson)

* child_process: handle writeUtf8String error (Fedor Indutny)

* lib: remove and restructure calls to isNaN() (cjihrig)

* module: eliminate double `getenv()` (Maciej Małecki)

* stream2: flush extant data on read of ended stream (Chris Dickinson)

* streams: remove unused require('assert') (Rod Vagg)

* timers: backport f8193ab (Julien Gilli)

### 2014.07.32, Version 0.10.28 (Stable)

* unix: return system error on EAI_SYSTEM (Saúl Ibarra Corretgé)

* unix: fix bogus structure field name (Saúl Ibarra Corretgé)

Please note that the v8 security fix shipped in the bundled copy of v8 in this upstream release is not included in this update.  Instead, this fix is applied in the [v8-3.14.5.10-11 update](https://admin.fedoraproject.org/updates/v8-3.14.5.10-11.fc18).
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug  1 2014 T.C. Hollingsworth <tchollingsworth at gmail.com> - 1:0.10.28-1
- new upstream release 0.10.28
  https://github.com/joyent/libuv/blob/v0.10.28/ChangeLog
* Thu Jul  3 2014 T.C. Hollingsworth <tchollingsworth at gmail.com> - 1:0.10.27-3
- build static library for rust (RHBZ#1115975)
* Sat Jun  7 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1:0.10.27-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1115975 - Add libuv-static package to prepare rust
        https://bugzilla.redhat.com/show_bug.cgi?id=1115975
--------------------------------------------------------------------------------


================================================================================
 nodejs-0.10.30-1.el6 (FEDORA-EPEL-2014-2096)
 JavaScript runtime
--------------------------------------------------------------------------------
Update Information:

### 2014.07.31, node.js Version 0.10.30 (Stable)

* Revert "stream: start old-mode read in a next tick" (Fedor Indutny)

* buffer: fix sign overflow in `readUIn32BE` (Fedor Indutny)

* buffer: improve {read,write}{U}Int* methods (Nick Apperson)

* child_process: handle writeUtf8String error (Fedor Indutny)

* lib: remove and restructure calls to isNaN() (cjihrig)

* module: eliminate double `getenv()` (Maciej Małecki)

* stream2: flush extant data on read of ended stream (Chris Dickinson)

* streams: remove unused require('assert') (Rod Vagg)

* timers: backport f8193ab (Julien Gilli)

### 2014.07.32, Version 0.10.28 (Stable)

* unix: return system error on EAI_SYSTEM (Saúl Ibarra Corretgé)

* unix: fix bogus structure field name (Saúl Ibarra Corretgé)

Please note that the v8 security fix shipped in the bundled copy of v8 in this upstream release is not included in this update.  Instead, this fix is applied in the [v8-3.14.5.10-11 update](https://admin.fedoraproject.org/updates/v8-3.14.5.10-11.fc18).
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug  1 2014 T.C. Hollingsworth <tchollingsworth at gmail.com> - 0.10.30-1
- new upstream release 0.10.30
  http://blog.nodejs.org/2014/07/31/node-v0-10-30-stable/
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1115975 - Add libuv-static package to prepare rust
        https://bugzilla.redhat.com/show_bug.cgi?id=1115975
--------------------------------------------------------------------------------


================================================================================
 openconnect-5.03-1.el6 (FEDORA-EPEL-2014-2093)
 Open client for Cisco AnyConnect VPN
--------------------------------------------------------------------------------
Update Information:

Update to 5.03 release
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug  1 2014 Nikos Mavrogiannopoulos <nmav at redhat.com> - 5.03-1
- Update to 5.03 release
* Sat Jun  1 2013 David Woodhouse <David.Woodhouse at intel.com> - 5.01-1
- Update to 5.01 release (#955710, #964329, #964650)
--------------------------------------------------------------------------------


================================================================================
 pgpdump-0.29-1.el6 (FEDORA-EPEL-2014-2095)
 PGP packet visualizer
--------------------------------------------------------------------------------
Update Information:

* GnuPG extensions in private/experimental S2K specifiers (type 101), and parsing of gnu-dummy (1001) (indicating absent secret key material), and gnu-divert-to-card (2002) (indicating key material tored on a smartcard).
* Ignore whitespace in Radix-64 input, per RFC 4880 section 6.4
* Makefile change
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug  1 2014 Christopher Meng <rpm at cicku.me> - 0.29-1
- Update to 0.29
--------------------------------------------------------------------------------


================================================================================
 php-symfony-icu-1.1.2-1.el6 (FEDORA-EPEL-2014-2092)
 Symfony Icu Component
--------------------------------------------------------------------------------
Update Information:

Updated to 1.1.2
* Fixed IcuTestCase to set a common locale for all tests
* Updated data files with improved transformation classes

Git diffs:
* v1.1.0 to v1.1.1: https://github.com/symfony/Icu/compare/v1.1.0...v1.1.1
* v1.1.1 to v1.1.2: https://github.com/symfony/Icu/compare/v1.1.1...v1.1.2
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jul 31 2014 Shawn Iwinski <shawn.iwinski at gmail.com> - 1.1.2-1
- Updated to 1.1.2 (BZ #1124230)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1124230 - php-symfony-icu-1.1.2/1.2.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1124230
--------------------------------------------------------------------------------


================================================================================
 seren-0.0.19-1.el6 (FEDORA-EPEL-2014-2097)
 Simple VoIP program to create conferences from the terminal
--------------------------------------------------------------------------------
Update Information:

Version bump
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug  1 2014 Francesco Frassinelli <fraph24 at gmail.com> - 0.0.19-1
- Version bump
* Sun Jun  8 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.0.18-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
--------------------------------------------------------------------------------


================================================================================
 v8-3.14.5.10-11.el6 (FEDORA-EPEL-2014-2099)
 JavaScript Engine
--------------------------------------------------------------------------------
Update Information:

TJ Fontaine of the Node.js project reports:

A memory corruption vulnerability, which results in a
denial-of-service, was identified in the versions of V8 that ship with
Node.js 0.8 and 0.10. In certain circumstances, a particularly deep
recursive workload that may trigger a GC and receive an interrupt may
overflow the stack and result in a segmentation fault. For instance,
if your work load involves successive `JSON.parse` calls and the
parsed objects are significantly deep, you may experience the process
aborting while parsing.

This issue was identified by Tom Steele of [^Lift
Security](https://liftsecurity.io/) and Fedor Indunty, Node.js Core
Team member worked closely with the V8 team to find our resolution.

The V8 issue is described here https://codereview.chromium.org/339883002

It has landed in the Node repository here:
https://github.com/joyent/node/commit/530af9cb8e700e7596b3ec812bad123c9fa06356

And has been released in the following versions:

 * [v0.10.30](http://nodejs.org/dist/v0.10.30)
http://blog.nodejs.org/2014/07/31/node-v0-10-30-stable/
 * [v0.8.28](http://nodejs.org/dist/v0.8.28)
http://blog.nodejs.org/2014/07/31/node-v0-8-28-maintenance/

### The Fix

[Applied in this update.]

### Remediation

The best course of action is to patch or upgrade Node.js.

### Mitigation

To mitigate against deep JSON parsing you can limit the size of the
string you parse against, or ban clients who trigger a `RangeError`
for parsing JSON.

There is no specific maximum size of a JSON string, though keeping the
max to the size of your known message bodies is suggested. If your
message bodies cannot be over 20K, there's no reason to accept 1MB
bodies.

For web frameworks that do automatic JSON parsing, you may need to
configure the routes that accept JSON payloads to have a maximum body
size.

 * [expressjs](http://expressjs.com) and
[krakenjs](http://krakenjs.com) used with the
[body-parser](https://github.com/expressjs/body-parser#bodyparserjsonoptions)
plugin accepts a `limit` parameter in your JSON config
 * [Hapi.js](http://hapijs.com) has `payload.maxBytes`
https://github.com/spumko/hapi/blob/master/docs/Reference.md
 * [restify](http://mcavage.me/node-restify/#Bundled-Plugins) bundled
`bodyParser` accepts a `maxBodySize`

Source: https://groups.google.com/d/msg/nodejs/-siJEObdp10/2xcqqmTHiEMJ
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jul 31 2014 T.C. Hollingsworth <tchollingsworth at gmail.com> - 1:3.14.5.10-11
- backport security fix for memory corruption and stack overflow (RHBZ#1125464)
  https://groups.google.com/d/msg/nodejs/-siJEObdp10/2xcqqmTHiEMJ
- backport bug fix for x64 MathMinMax for negative untagged int32 arguments.
  https://github.com/joyent/node/commit/3530fa9cd09f8db8101c4649cab03bcdf760c434
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1125464 - V8 Memory Corruption and Stack Overflow
        https://bugzilla.redhat.com/show_bug.cgi?id=1125464
--------------------------------------------------------------------------------


================================================================================
 x2goserver-4.0.1.15-2.el6 (FEDORA-EPEL-2014-2098)
 X2Go Server
--------------------------------------------------------------------------------
Update Information:

- Add Requires xorg-x11-xauth
- Update to 4.0.1.15:
- Fix hanging of x2goserver init script.
- Log SSHFS output and errors to ~/.x2go/C-<session>/sshfs-mounts.log. (Fixes: #415).
- If x2golistmounts is used without cmd option <session_id>, then the env var $X2GO_SESSION (current session) will be attempted to use.
- If x2goumount-session is used without cmd option <session_id>, then the env var $X2GO_SESSION (current session) will be attempted to use.
- Fix x2gostartagent. Make sure the -nolisten tcp option is configurable via x2goagent.options. (Fixes: #424).
- Safely remove desktop files for client-side shared folders. Remove the correct desktop file, even if the shared folder has already been (forcefully) umounted. Such situations occur in cases where the connection gets interrupted. SSHFS will then get removed by the Linux kernel and we have to "guess" what desktop icons is actually to be removed.
- Fix broken file descriptor closures in x2gocleansessions. (Fixes: #441).
- x2gofm.desktop: Drop obsolete Encoding key from .desktop file.
- Fix typos / hyphen-as-minus signs issues in x2goversion.8 and x2gomountdirs.8.
--------------------------------------------------------------------------------
ChangeLog:

* Fri May  2 2014 Orion Poplawski <orion at cora.nwra.com> - 4.0.1.15-2
- Add Requires xorg-x11-xauth
* Thu Apr  3 2014 Orion Poplawski <orion at cora.nwra.com> - 4.0.1.15-1
- Update to 4.0.1.15
* Wed Apr  2 2014 Orion Poplawski <orion at cora.nwra.com> - 4.0.1.14-1
- Update to 4.0.1.14
--------------------------------------------------------------------------------



More information about the epel-devel mailing list