Fedora 13 updates-testing report
updates at fedoraproject.org
Tue Feb 22 18:54:22 UTC 2011
The following Fedora 13 Security updates need testing:
https://admin.fedoraproject.org/updates/abcm2ps-5.9.21-1.fc13
https://admin.fedoraproject.org/updates/dbus-1.2.24-2.fc13
https://admin.fedoraproject.org/updates/subversion-1.6.15-1.fc13
https://admin.fedoraproject.org/updates/kernel-2.6.34.8-67.fc13
https://admin.fedoraproject.org/updates/ruby-1.8.6.420-2.fc13
https://admin.fedoraproject.org/updates/telepathy-gabble-0.10.5-1.fc13,telepathy-glib-0.11.16-2.fc13
https://admin.fedoraproject.org/updates/dhcp-4.1.2-2.ESV.R1.fc13
https://admin.fedoraproject.org/updates/q-7.11-8.fc13
https://admin.fedoraproject.org/updates/feh-1.10.1-1.fc13
https://admin.fedoraproject.org/updates/openssl-1.0.0d-1.fc13
https://admin.fedoraproject.org/updates/patch-2.6.1-8.fc13
https://admin.fedoraproject.org/updates/asterisk-1.6.2.16.2-1.fc13
https://admin.fedoraproject.org/updates/phpMyAdmin-3.3.9.2-1.fc13
https://admin.fedoraproject.org/updates/tor-0.2.1.29-1300.fc13
The following Fedora 13 Critical Path updates have yet to be approved:
https://admin.fedoraproject.org/updates/lua-5.1.4-7.fc13
https://admin.fedoraproject.org/updates/librsvg2-2.26.3-3.fc13
https://admin.fedoraproject.org/updates/mobile-broadband-provider-info-1.20110218-1.fc13
https://admin.fedoraproject.org/updates/less-436-9.fc13
https://admin.fedoraproject.org/updates/dosfstools-3.0.9-4.fc13
https://admin.fedoraproject.org/updates/openssl-1.0.0d-1.fc13
https://admin.fedoraproject.org/updates/patch-2.6.1-8.fc13
https://admin.fedoraproject.org/updates/file-5.04-7.fc13
https://admin.fedoraproject.org/updates/tzdata-2011b-1.fc13
https://admin.fedoraproject.org/updates/kernel-2.6.34.8-67.fc13
https://admin.fedoraproject.org/updates/system-config-users-1.2.107-1.fc13
https://admin.fedoraproject.org/updates/python-ethtool-0.6-1.fc13
https://admin.fedoraproject.org/updates/livecd-tools-13.1-1.fc13
https://admin.fedoraproject.org/updates/libical-0.46-2.fc13
https://admin.fedoraproject.org/updates/pm-utils-1.2.6.1-4.fc13
https://admin.fedoraproject.org/updates/mash-0.5.20-1.fc13
https://admin.fedoraproject.org/updates/nss-3.12.7-4.fc13,nss-util-3.12.7-2.fc13,nss-softokn-3.12.7-3.fc13,nspr-4.8.6-1.fc13
https://admin.fedoraproject.org/updates/xorg-x11-drv-openchrome-0.2.904-7.fc13
The following builds have been pushed to Fedora 13 updates-testing
asterisk-1.6.2.16.2-1.fc13
cinepaint-0.25.0-0.1.fc13
kde-plasma-networkmanagement-0.9-0.35.20110221.fc13
libst2205-1.4.3-2.fc13
pidgin-2.7.10-1.fc13
q-7.11-8.fc13
rear-1.10.0-1.fc13
serdisplib-1.97.9-1.fc13
system-config-printer-1.2.7-2.fc13
Details about builds:
================================================================================
asterisk-1.6.2.16.2-1.fc13 (FEDORA-2011-1977)
The Open Source PBX
--------------------------------------------------------------------------------
Update Information:
Asterisk Project Security Advisory - AST-2011-002
Product             Asterisk
Summary             Multiple array overflow and crash vulnerabilities in
                    UDPTL code
Nature of Advisory  Exploitable Stack and Heap Array Overflows
Susceptibility      Remote Unauthenticated Sessions
Severity            Critical
Exploits Known      No
Reported On         January 27, 2011
Reported By         Matthew Nicholson
Posted On           February 21, 2011
Last Updated On     February 21, 2011
Advisory Contact    Matthew Nicholson <mnicholson at digium.com>
CVE Name

Description  When decoding UDPTL packets, multiple stack and heap based
             arrays can be made to overflow by specially crafted packets.
             Systems doing T.38 pass through or termination are vulnerable.

Resolution   The UDPTL decoding routines have been modified to respect the
             limits of exploitable arrays.

             In asterisk versions not containing the fix for this issue,
             disabling T.38 support will prevent this vulnerability from
             being exploited. T.38 support can be disabled in chan_sip by
             setting the t38pt_udptl option to "no" (it is off by default).

                 t38pt_udptl = no

             The chan_ooh323 module should also be disabled by adding the
             following line in modules.conf.

                 noload => chan_ooh323

Affected Versions
Product                        Release Series
Asterisk Open Source           1.4.x           All versions
Asterisk Open Source           1.6.x           All versions
Asterisk Business Edition      C.x.x           All versions
AsteriskNOW                    1.5             All versions
s800i (Asterisk Appliance)     1.2.x           All versions

Corrected In
Product                        Release
Asterisk Open Source           1.4.39.2, 1.6.1.22, 1.6.2.16.2, 1.8.2.4
Asterisk Business Edition      C.3.6.3

Patches
URL                                                                    Branch
http://downloads.asterisk.org/pub/security/AST-2011-002-1.4.diff       1.4
http://downloads.asterisk.org/pub/security/AST-2011-002-1.6.1.diff     1.6.1
http://downloads.asterisk.org/pub/security/AST-2011-002-1.6.2.diff     1.6.2
http://downloads.asterisk.org/pub/security/AST-2011-002-1.8.diff       1.8

Links
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2011-002.pdf and
http://downloads.digium.com/pub/security/AST-2011-002.html
Revision History
Date Editor Revisions Made
02/21/11 Matthew Nicholson Initial Release
Asterisk Project Security Advisory - AST-2011-002
Copyright (c) 2011 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Feb 21 2011 <jeff at ocjtech.us> - 1.6.2.16.2-1
-
- Asterisk Project Security Advisory - AST-2011-002
-
- Product Asterisk
- Summary Multiple array overflow and crash vulnerabilities in
- UDPTL code
- Nature of Advisory Exploitable Stack and Heap Array Overflows
- Susceptibility Remote Unauthenticated Sessions
- Severity Critical
- Exploits Known No
- Reported On January 27, 2011
- Reported By Matthew Nicholson
- Posted On February 21, 2011
- Last Updated On February 21, 2011
- Advisory Contact Matthew Nicholson <mnicholson at digium.com>
- CVE Name
-
- Description When decoding UDPTL packets, multiple stack and heap based
- arrays can be made to overflow by specially crafted packets.
- Systems doing T.38 pass through or termination are vulnerable.
-
- Resolution The UDPTL decoding routines have been modified to respect the
- limits of exploitable arrays.
-
- In asterisk versions not containing the fix for this issue,
- disabling T.38 support will prevent this vulnerability from
- being exploited. T.38 support can be disabled in chan_sip by
- setting the t38pt_udptl option to "no" (it is off by default).
-
- t38pt_udptl = no
-
- The chan_ooh323 module should also be disabled by adding the
- following line in modules.conf.
-
- noload => chan_ooh323
-
- Affected Versions
- Product Release Series
- Asterisk Open Source 1.4.x All versions
- Asterisk Open Source 1.6.x All versions
- Asterisk Business Edition C.x.x All versions
- AsteriskNOW 1.5 All versions
- s800i (Asterisk Appliance) 1.2.x All versions
-
- Corrected In
- Product Release
- Asterisk Open Source 1.4.39.2, 1.6.1.22, 1.6.2.16.2, 1.8.2.4
- Asterisk Business Edition C.3.6.3
-
- Patches
- URL Branch
- http://downloads.asterisk.org/pub/security/AST-2011-002-1.4.diff 1.4
- http://downloads.asterisk.org/pub/security/AST-2011-002-1.6.1.diff 1.6.1
- http://downloads.asterisk.org/pub/security/AST-2011-002-1.6.2.diff 1.6.2
- http://downloads.asterisk.org/pub/security/AST-2011-002-1.8.diff 1.8
-
- Links
-
- Asterisk Project Security Advisories are posted at
- http://www.asterisk.org/security
-
- This document may be superseded by later versions; if so, the latest
- version will be posted at
- http://downloads.digium.com/pub/security/AST-2011-002.pdf and
- http://downloads.digium.com/pub/security/AST-2011-002.html
-
- Revision History
- Date Editor Revisions Made
- 02/21/11 Matthew Nicholson Initial Release
-
- Asterisk Project Security Advisory - AST-2011-002
- Copyright (c) 2011 Digium, Inc. All Rights Reserved.
- Permission is hereby granted to distribute and publish this advisory in its
- original, unaltered form.
--------------------------------------------------------------------------------
================================================================================
cinepaint-0.25.0-0.1.fc13 (FEDORA-2011-1961)
CinePaint is a tool for manipulating images
--------------------------------------------------------------------------------
Update Information:
Lots of bug-fixes and enhancements.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Feb 21 2011 Nicolas Chauvet <kwizart at gmail.com> - 0.25.0-0.1
- Update to pre 0.25
--------------------------------------------------------------------------------
================================================================================
kde-plasma-networkmanagement-0.9-0.35.20110221.fc13 (FEDORA-2011-1973)
NetworkManager KDE 4 integration
--------------------------------------------------------------------------------
Update Information:
New snapshot includes translation fixes as well as many other small bug fixes.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Feb 21 2011 Rex Dieter <rdieter at fedoraproject.org> 1:0.9-0.35.20110221
- 20110221 snapshot
* Thu Feb 17 2011 Rex Dieter <rdieter at fedoraproject.org> 1:0.9-0.34.20110217
- 20110217 snapshot (with translations)
* Mon Feb 7 2011 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1:0.9-0.33.20110106
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Thu Jan 6 2011 Rex Dieter <rdieter at fedoraproject.org> 1:0.9-0.32.20110106
- 20110106 snapshot (sans translations for now)
* Wed Nov 17 2010 Rex Dieter <rdieter at fedoraproject.org> 1:0.9-0.31.20101117
- 20101117 snapshot
- "Always ask for password" does not work (#582933,kde#244416)
* Tue Nov 9 2010 Rex Dieter <rdieter at fedoraproject.org> 1:0.9-0.30.20101105
- move shared bits to main pkg
- -libs: Requires: %name
* Tue Nov 9 2010 Rex Dieter <rdieter at fedoraproject.org> 1:0.9-0.29.20101105
- 20101105 snapshot
- use kde-plasma-networkmangement-* subpkg names
- drop monolithic/knm bits
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #582933 - knetworkmanager: "Always ask for password" does not work
https://bugzilla.redhat.com/show_bug.cgi?id=582933
[ 2 ] Bug #677339 - knetworkmanager lists garbage in the Connections-list (after suspend/resume)
https://bugzilla.redhat.com/show_bug.cgi?id=677339
--------------------------------------------------------------------------------
================================================================================
libst2205-1.4.3-2.fc13 (FEDORA-2011-1964)
Library for accessing the display of hacked st2205 photo frames
--------------------------------------------------------------------------------
Update Information:
libst2205 is a new Fedora package.
Description:
It is possible to flash digital photo frames with the st2205 chip-sets with a modified firmware, which allows one to display real time images on the display of the frame from a PC. This package contains a library for accessing the display from the PC, for st2205 frames with the hacked firmware.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #678887 - Review Request: libst2205 - Library for accessing the display of hacked st2205 photo frames
https://bugzilla.redhat.com/show_bug.cgi?id=678887
--------------------------------------------------------------------------------
================================================================================
pidgin-2.7.10-1.fc13 (FEDORA-2011-1972)
A Gtk+ based multiprotocol instant messaging client
--------------------------------------------------------------------------------
Update Information:
New release 2.7.10
Upstream ChangeLog:
http://developer.pidgin.im/wiki/ChangeLog
--------------------------------------------------------------------------------
ChangeLog:
* Tue Feb 22 2011 Stu Tomlinson <stu at nosnilmot.com> 2.7.10-1
- 2.7.10
* Wed Feb 9 2011 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.7.9-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Tue Feb 1 2011 Milan Crha <mcrha at redhat.com> 2.7.9-3
- Rebuild against newer evolution-data-server
* Wed Jan 12 2011 Milan Crha <mcrha at redhat.com> 2.7.9-2
- Rebuild against newer evolution-data-server
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #676569 - pidgin-2.7.10 is available
https://bugzilla.redhat.com/show_bug.cgi?id=676569
--------------------------------------------------------------------------------
================================================================================
q-7.11-8.fc13 (FEDORA-2011-1958)
Equational programming language
--------------------------------------------------------------------------------
Update Information:
Rebuilt against system libltdl.
--------------------------------------------------------------------------------
ChangeLog:
* Tue Feb 22 2011 Gérard Milmeister <gemi at bluewin.ch> - 7.11-8
- Rebuild against system libltdl
* Fri Sep 17 2010 Rex Dieter <rdieter at fedoraproject.org> - 7.11-7.1
- rebuild (ImageMagick)
* Mon May 24 2010 Tom "spot" Callaway <tcallawa at redhat.com> - 7.11-7
- disable rpath
- rebuild for non-static libxslt
* Wed Mar 24 2010 Mike McGrath <mmcgrath at redhat.com> - 7.11-6.1
- Rebuilt for broken dep
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #537941 - CVE-2009-3736 libtool: libltdl may load and execute code from a library in the current directory
https://bugzilla.redhat.com/show_bug.cgi?id=537941
--------------------------------------------------------------------------------
================================================================================
rear-1.10.0-1.fc13 (FEDORA-2011-1971)
Relax and Recover (ReaR) is a Linux Disaster Recovery framework
--------------------------------------------------------------------------------
Update Information:
Release 1.10.0 fixes the upgrade problems from 1.7.26.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Feb 21 2011 Gratien D'haese <gdha at sourceforge.net> - 1.10.0
- new release
--------------------------------------------------------------------------------
================================================================================
serdisplib-1.97.9-1.fc13 (FEDORA-2011-1968)
Library to drive serial displays with built-in controllers
--------------------------------------------------------------------------------
Update Information:
serdisplib is a new Fedora package.
Description:
serdisplib started as a library to drive serial displays with built-in controllers. Beginning with version 1.95, support was added for parallel-driven displays. However, the name 'serdisplib' will not change.
The "serial" in "serial display" characterizes how the data is transferred to the display controller: data is sent bit by bit using a single input line. Several (few) other lines control things like timing (clock), data or command, ...
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #678889 - Review Request: serdisplib - Library to drive serial displays with built-in controllers
https://bugzilla.redhat.com/show_bug.cgi?id=678889
--------------------------------------------------------------------------------
================================================================================
system-config-printer-1.2.7-2.fc13 (FEDORA-2010-19111)
A printer administration tool
--------------------------------------------------------------------------------
Update Information:
New upstream release that fixes several bugs.
--------------------------------------------------------------------------------
ChangeLog:
* Tue Feb 22 2011 Tim Waugh <twaugh at redhat.com> - 1.2.7-2
- Applied upstream fix for dnssdresolve traceback (bug #678961).
* Wed Feb 9 2011 Jiri Popelka <jpopelka at redhat.com> 1.2.7-1
- 1.2.7:
- Handle failure to connect in PrinterURIIndex (bug #668568).
- Fixed bugs in gtk_label_autowrap.py (bug #637829).
- Improvements for DNS-SD support from Till Kamppeter
* Fri Jan 21 2011 Jiri Popelka <jpopelka at redhat.com> 1.2.6-3
- Fixed driver selection when there are duplicate PPDs available. (#667571)
- Grabbing focus for editing breaks it (bug #650995).
* Tue Jan 18 2011 Jiri Popelka <jpopelka at redhat.com> 1.2.6-2
- Allow %, ( and ) characters in dnssd URI (bug #669820).
* Mon Jan 17 2011 Jiri Popelka <jpopelka at redhat.com> 1.2.6-1
- 1.2.6:
- Remove reference to current printer on exit (bug #556548).
- Handle cups.Connection() failure in PrinterURIIndexr (bug #648014).
- Block unwanted characters when editing queue name (bug #658550).
- Initialise D-Bus threading in timedops module (bug #662047).
- many other fixes
* Mon Dec 20 2010 Jiri Popelka <jpopelka at redhat.com> 1.2.5-8
- Updated pycups to 1.9.53 (bug #662805).
* Thu Dec 2 2010 Tim Waugh <twaugh at redhat.com> - 1.2.5-7
- Grab focus on the IconView after setting it editable (bug #650995).
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #637829 - Display artifacts in PPD change confirmation dialog
https://bugzilla.redhat.com/show_bug.cgi?id=637829
[ 2 ] Bug #650995 - [Compiz] Unable to rename printer
https://bugzilla.redhat.com/show_bug.cgi?id=650995
[ 3 ] Bug #648014 - [abrt] system-config-printer-1.2.4-1.fc13: jobviewer.py:125:_map_printer:RuntimeError: failed to connect to server
https://bugzilla.redhat.com/show_bug.cgi?id=648014
[ 4 ] Bug #658550 - Spaces in printer name get removed
https://bugzilla.redhat.com/show_bug.cgi?id=658550
[ 5 ] Bug #662047 - troubleshooter uses D-Bus from two threads
https://bugzilla.redhat.com/show_bug.cgi?id=662047
[ 6 ] Bug #662805 - [abrt] system-config-printer-1.2.5-6.fc14: PyObject_Call: Process /usr/bin/python was killed by signal 11 (SIGSEGV)
https://bugzilla.redhat.com/show_bug.cgi?id=662805
[ 7 ] Bug #667571 - Did something change my CUPS driver from Postscript to pxlmono?
https://bugzilla.redhat.com/show_bug.cgi?id=667571
[ 8 ] Bug #668127 - [abrt] system-config-printer-1.2.5-8.fc14: system-config-printer.py:5634:entry_changed:UnicodeDecodeError: 'utf8' codec can't decode byte 0xaa in position 52: invalid start byte
https://bugzilla.redhat.com/show_bug.cgi?id=668127
[ 9 ] Bug #668568 - [abrt] system-config-printer-1.2.95-4.fc15: jobviewer.py:71:__init__:RuntimeError: failed to connect to server
https://bugzilla.redhat.com/show_bug.cgi?id=668568
[ 10 ] Bug #669820 - dnssd unable to resolve URI for HP network printer
https://bugzilla.redhat.com/show_bug.cgi?id=669820
[ 11 ] Bug #678961 - [abrt] system-config-printer-1.2.7-1.fc14: dnssdresolve.py:99:_reply:KeyError: (dbus.String(u'Canon iP90 @ Chris Hanes\u2019s iMac (625)'), dbus.String(u'_ipp._tcp'), dbus.String(u'local'))
https://bugzilla.redhat.com/show_bug.cgi?id=678961
--------------------------------------------------------------------------------