[SECURITY] Fedora 19 Update: zeroinstall-injector-2.3-1.fc19

updates at fedoraproject.org
Mon Jul 15 01:01:19 UTC 2013

Fedora Update Notification
2013-07-05 23:16:15

Name        : zeroinstall-injector
Product     : Fedora 19
Version     : 2.3
Release     : 1.fc19
URL         : http://0install.net
Summary     : The Zero Install Injector (0launch)
Description :
The Zero Install Injector makes it easy for users to install software
without needing root privileges. It takes the URL of a program and
runs it (downloading it first if necessary). Any dependencies of the
program are fetched in the same way. The user controls which version
of the program and its dependencies to use.

Zero Install is a decentralized installation system (there is no
central repository; all packages are identified by URLs),
loosely-coupled (if different programs require different versions of a
library then both versions are installed in parallel, without
conflicts), and has an emphasis on security (all package descriptions
are GPG-signed, and contain cryptographic hashes of the contents of
each version). Each version of each program is stored in its own
sub-directory within the Zero Install cache (nothing is installed to
directories outside of the cache, such as /usr/bin) and no code from
the package is run during install or uninstall. The system can
automatically check for updates when software is run.

Update Information:

- Upstream now ships an experimental OCaml front-end; this is not yet enabled.
- Add fish-shell command completion
- Allow relative files in <archive> and <file> for local feeds. This makes it easy to test feeds before passing them to 0repo.

Bug fixes:
- Better handling of default="" in <environment> bindings. This now specifies that the default should be "", overriding any system default.
- Fixed --refresh with "download" and "run" for apps.
- Updated ssl_match_hostname based on latest bug-fixes. This fix is intended to fix a denial-of-service attack, which doesn't really matter to 0install, but we might as well have the latest version. CVE-2013-2099
- Better error when the <rename> source does not exist.
- Allow selecting local archives even in offline mode.
- Support the use of the system store with recipes. This is especially important now that we treat all downloads as recipes!
- Removed old zeroinstall-add.desktop file.
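
The wildcard limit behind the ssl_match_hostname fix above (CVE-2013-2099), as an added example that is not part of this notification or of 0install's own code: a dNSName matcher that refuses a certificate name with more than one wildcard in its leftmost label before any regular expression is built from it. The function names, the `max_wildcards` default and the sample names are assumptions made for this example.

```python
import re


class CertificateError(ValueError):
    """Raised when a certificate name is malformed or does not match."""


def dnsname_match(dn, hostname, max_wildcards=1):
    """Match one certificate dNSName against a hostname.

    Only the leftmost label may contain a wildcard, and a name with more
    than max_wildcards of them is rejected before a regex is compiled,
    so the cost of matching does not grow with the number of '*'.
    """
    if not dn:
        return False
    leftmost, *remainder = dn.split('.')
    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        raise CertificateError(
            "too many wildcards in certificate DNS name: %r" % dn)
    if not wildcards:
        # No wildcard: plain case-insensitive comparison, no regex at all.
        return dn.lower() == hostname.lower()
    if leftmost == '*':
        # A lone '*' stands for exactly one non-empty label.
        pats = ['[^.]+']
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        # IDNA A-labels are matched literally, never as wildcards.
        pats = [re.escape(leftmost)]
    else:
        # Partial wildcard such as 'w*w': '*' may not cross a dot.
        pats = [re.escape(leftmost).replace(r'\*', '[^.]*')]
    pats.extend(re.escape(label) for label in remainder)
    pattern = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pattern.match(hostname) is not None


def any_name_matches(dns_names, hostname):
    """True if any dNSName from a certificate matches hostname."""
    return any(dnsname_match(dn, hostname) for dn in dns_names)


if __name__ == "__main__":
    # Constructed sample names, not taken from any real certificate.
    print(any_name_matches(["example.org", "*.example.org"], "www.example.org"))
    try:
        dnsname_match("*****.example.org", "www.example.org")
    except CertificateError as exc:
        print("rejected:", exc)
```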

Changes for APIs we depend on:
- Cope with more PyGObject API changes. Based on patch in
- Keep gobject and glib separate. Sometimes we need GLib, sometimes we need GObject.
- Updates to avoid PyGIDeprecationWarning.


* Fri Jul  5 2013 Michel Salim <salimma at fedoraproject.org> - 2.3-1
- Update to 2.3
* Mon May  6 2013 Michel Salim <salimma at fedoraproject.org> - 2.2-1
- Update to 2.2

  [ 1 ] Bug #958834 - zeroinstall-injector-2.3 is available
  [ 2 ] Bug #966273 - CVE-2013-2098 CVE-2013-2099 python: ssl.match_hostname() DoS via certificates with specially crafted hostname wildcard patterns [fedora-all]
  [ 3 ] Bug #966274 - CVE-2013-2098 CVE-2013-2099 python: ssl.match_hostname() DoS via certificates with specially crafted hostname wildcard patterns [epel-6]

This update can be installed with the "yum" update program.  Use 
su -c 'yum update zeroinstall-injector' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
