Fedora 15 updates-testing report

updates at fedoraproject.org updates at fedoraproject.org
Thu Oct 20 10:00:25 UTC 2011 

The following Fedora 15 Security updates need testing:

    https://admin.fedoraproject.org/updates/FEDORA-2011-14216
    https://admin.fedoraproject.org/updates/FEDORA-2011-12981
    https://admin.fedoraproject.org/updates/FEDORA-2011-13861
    https://admin.fedoraproject.org/updates/FEDORA-2011-14308
    https://admin.fedoraproject.org/updates/FEDORA-2011-14022
    https://admin.fedoraproject.org/updates/FEDORA-2011-14210
    https://admin.fedoraproject.org/updates/FEDORA-2011-14453
    https://admin.fedoraproject.org/updates/FEDORA-2011-14377
    https://admin.fedoraproject.org/updates/FEDORA-2011-14673
    https://admin.fedoraproject.org/updates/FEDORA-2011-14538
    https://admin.fedoraproject.org/updates/FEDORA-2011-14634


The following Fedora 15 Critical Path updates have yet to be approved:

    https://admin.fedoraproject.org/updates/FEDORA-2011-14672
    https://admin.fedoraproject.org/updates/FEDORA-2011-14677
    https://admin.fedoraproject.org/updates/FEDORA-2011-14553
    https://admin.fedoraproject.org/updates/FEDORA-2011-14513
    https://admin.fedoraproject.org/updates/FEDORA-2011-14523
    https://admin.fedoraproject.org/updates/FEDORA-2011-14387
    https://admin.fedoraproject.org/updates/FEDORA-2011-14384
    https://admin.fedoraproject.org/updates/FEDORA-2011-14415
    https://admin.fedoraproject.org/updates/FEDORA-2011-14309
    https://admin.fedoraproject.org/updates/FEDORA-2011-14143
    https://admin.fedoraproject.org/updates/FEDORA-2011-14140
    https://admin.fedoraproject.org/updates/FEDORA-2011-13937
    https://admin.fedoraproject.org/updates/FEDORA-2011-13859
    https://admin.fedoraproject.org/updates/FEDORA-2011-13512
    https://admin.fedoraproject.org/updates/FEDORA-2011-13399
    https://admin.fedoraproject.org/updates/FEDORA-2011-13246
    https://admin.fedoraproject.org/updates/FEDORA-2011-12797
    https://admin.fedoraproject.org/updates/FEDORA-2011-12720
    https://admin.fedoraproject.org/updates/FEDORA-2011-12576
    https://admin.fedoraproject.org/updates/FEDORA-2011-11955
    https://admin.fedoraproject.org/updates/FEDORA-2011-9651
    https://admin.fedoraproject.org/updates/FEDORA-2011-8822
    https://admin.fedoraproject.org/updates/FEDORA-2011-6791
    https://admin.fedoraproject.org/updates/FEDORA-2011-5583


The following builds have been pushed to Fedora 15 updates-testing

    389-ds-base-1.2.10-0.4.a4.fc15
    cclive-0.7.7-1.fc15
    cherokee-1.2.101-1.fc15
    dcmtk-3.6.0-6.fc15
    diffuse-0.4.5-1.fc15
    e16-1.0.10-1.fc15
    e16-themes-1.0.1-1.fc15
    facter-1.6.2-1.fc15
    firstaidkit-0.3.2-2.fc15
    freeipa-2.1.3-2.fc15
    ghc-hamlet-0.10.3-1.fc15
    gnome-shell-theme-ambiance-1.0-2.fc15
    krb5-1.9.1-14.fc15
    kyotocabinet-1.2.70-2.fc15
    mathomatic-15.6.5-1.fc15
    offlineimap-6.3.4-1.fc15
    python-slip-0.2.18-1.fc15
    ql2400-firmware-5.06.02-1.fc15
    ql2500-firmware-5.06.02-1.fc15
    recutils-1.3-4.fc15
    rubygem-rhc-0.79.5-1.fc15
    scap-workbench-0.5.1-1.fc15
    sssd-1.5.14-1.fc15
    systemd-26-12.fc15
    tcplay-0.9-0.4.20111007git97ed5f9.fc15
    tzdata-2011l-3.fc15
    xscreensaver-5.15-3.fc15
    znc-infobot-0.202-1.fc15

Details about builds:


================================================================================
 389-ds-base-1.2.10-0.4.a4.fc15 (FEDORA-2011-14639)
 389 Directory Server (base)
--------------------------------------------------------------------------------
Update Information:

FreeIPA:

== What happened to 2.1.2!? ==

Right after tagging 2.1.2 we found an upgrade issue that would have 
affected any users using the selfsign CA (installed with --selfsign). We 
decided to hold back the release, fix a few more bugs, and just push out 
2.1.3 instead about a week later. So here we are.

== Highlights in 2.1.3 ==

* Enforce that system hostname matches hostname of IPA server.
* Require that /etc/hosts is sane even when configuring DNS.
* Increase default server-side LDAP search limits.
* Client enrollment improvements including longer wait for sssd to 
start, recovery if discovered IPA server is not responsive and when 
anonymous bind is disabled in 389-ds.

== Highlights in 2.1.2 ==

* Upgrade older dogtag installs to use new PKI proxy configuration
* hbactest improvements
* Added platform-independent code to make ipa-client-install more portable
* Make client uninstaller more robust, should restore state more completely.
* UI usability improvements
* Tool for Enabling/Disabling Managed Entry Plugins
* Managed Entries configuration is now replicated
* IPv6 client enrollment improvements
* Man page improvements
* Performance improvements when calculating indirect membership
* Improved handling of disabled anonymous binds in 389-ds
* user is now prompted to enter current password when changing to a new
password
* ipa server now support multiple namingContexts. ipa-client-install and
password migration were fixed

== Upgrading ==

=== Server ===

To upgrade a 2.0.0, 2.0.1 or 2.1.0 server do the following:
  # yum update freeipa-server --enablerepo=updates-testing

This will pull in updated freeIPA, 389-ds, dogtag, libcurl and xmlrpc-c 
packages (and perhaps some others). A script will be executed in the rpm 
postinstall phase to update the IPA LDAP server with any required changes.

There is a bug reported against 389-ds, 
https://bugzilla.redhat.com/show_bug.cgi?id=730387, related to 
read-write locks. The NSPR RW lock implementation does not safely allow 
re-entrant use of reader
locks. This is a timing issue so it is difficult to predict. During 
testing one user experienced this and the upgrade hung. To break the 
hang kill the ns-slapd process for your realm, wait for the yum 
transaction to complete, then restart 389-ds and manually run the update 
process:

  # service dirsrv start
  # ipa-ldap-updater --update

=== Client ===

The ipa-client-install tool in the ipa-client package is just a 
configuration tool. There should be no need to re-run this on every 
client already enrolled.




SSSD:
== Highlights ==
 * Improved handling of users and groups with multi-valued name
attributes (aliases)
 * Performance enhancements
  * Initgroups on RFC2307bis/FreeIPA
  * HBAC rule processing
 * Improved process-hang detection and restarting
 * Enabled the midpoint cache refresh by default (fewer cache misses on
commonly-used entries)
 * Cleaned up the example configuration


389-ds-base:
 * fix config del/add mods
 * memberof is transaction aware resource
 * limits for simple paged results
 * Native systemd support
 * Fix for managed entry
 * Fixed source tarball
 * fix transaction support in ldbm_delete

--------------------------------------------------------------------------------
ChangeLog:

* Fri Oct  7 2011 Rich Megginson <rmeggins at redhat.com> - 1.2.10-0.4.a4
- Bug 741744 - part3 - MOD operations with chained delete/add get back error 53
- 1d2f5a0 make memberof transaction aware and able to be a betxnpostoperation plug in
- b6d3ba7 pass the plugin config entry to the plugin init function
- 28f7bfb set the ENTRY_POST_OP for modrdn betxnpostoperation plugins
- Bug 743966 - Compiler warnings in account usability plugin
* Wed Oct  5 2011 Rich Megginson <rmeggins at redhat.com> - 1.2.10.a3-0.3
- 498c42b fix transaction support in ldbm_delete
* Wed Oct  5 2011 Rich Megginson <rmeggins at redhat.com> - 1.2.10.a2-0.2
- Bug 740942 - allow resource limits to be set for paged searches independently of limits for other searches/operations
- Bug 741744 - MOD operations with chained delete/add get back error 53 on backend config
- Bug 742324 - allow nsslapd-idlistscanlimit to be set dynamically and per-user
* Tue Sep 27 2011 Rich Megginson <rmeggins at redhat.com> - 1.2.10.a1-0.1
- Bug 739172 - Allow separate fractional attrs for incremental and total protocols
- 6120b3d Make all backend operations transaction aware
- 056cc35 Add support for pre/post db transaction plugins
- Bug 736712 - Modifying ruv entry deadlocks server
- Bug 590826 - Reloading database from ldif causes changelog to emit "data no longer matches" errors
- Bug 730387 - Add slapi_rwlock API and use POSIX rwlocks
- Bug 611438 - Add Account Usability Control support
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #743035 - HBAC processing is very slow when dealing with FreeIPA deployments with large numbers of hosts.
        https://bugzilla.redhat.com/show_bug.cgi?id=743035
  [ 2 ] Bug #741744 - MOD operations with chained delete/add get back error 53 on backend config
        https://bugzilla.redhat.com/show_bug.cgi?id=741744
  [ 3 ] Bug #743966 - Compiler warnings in account usability plugin
        https://bugzilla.redhat.com/show_bug.cgi?id=743966
  [ 4 ] Bug #740942 - allow resource limits to be set for paged searches independently of limits for other searches/operations
        https://bugzilla.redhat.com/show_bug.cgi?id=740942
  [ 5 ] Bug #742324 - allow nsslapd-idlistscanlimit to be set dynamically and per-user
        https://bugzilla.redhat.com/show_bug.cgi?id=742324
  [ 6 ] Bug #739172 - Allow separate fractional attrs to be defined for incremental and total protocols
        https://bugzilla.redhat.com/show_bug.cgi?id=739172
  [ 7 ] Bug #736712 - Modifying ruv entry deadlocks server
        https://bugzilla.redhat.com/show_bug.cgi?id=736712
  [ 8 ] Bug #590826 - Reloading database from ldif causes changelog to emit "data no longer matches" errors
        https://bugzilla.redhat.com/show_bug.cgi?id=590826
  [ 9 ] Bug #730387 - Use POSIX RW locks instead of NSPR implementation
        https://bugzilla.redhat.com/show_bug.cgi?id=730387
  [ 10 ] Bug #611438 - [RFE] [CRM#2027194] adding Account Usable Request Control '1.3.6.1.4.1.42.2.27.9.5.8' in RHDS
        https://bugzilla.redhat.com/show_bug.cgi?id=611438
  [ 11 ] Bug #735114 - renaming a managed entry does not update mepmanagedby
        https://bugzilla.redhat.com/show_bug.cgi?id=735114
--------------------------------------------------------------------------------


================================================================================
 cclive-0.7.7-1.fc15 (FEDORA-2011-14653)
 Command line video extraction utility
--------------------------------------------------------------------------------
Update Information:

Update to 0.7.7
--------------------------------------------------------------------------------
ChangeLog:

* Mon Oct 17 2011 Nicoleau Fabien <nicoleau.fabien at gmail.com> 0.7.7-1
- Update to 0.7.7
--------------------------------------------------------------------------------


================================================================================
 cherokee-1.2.101-1.fc15 (FEDORA-2011-14634)
 Flexible and Fast Webserver
--------------------------------------------------------------------------------
Update Information:

Latest 1.2.x upstream release
Resolves bz 746532 - put some deps back: GeoIP-devel openldap-devel
Latest 1.2.x upstream release
.spec corrections for optional build for systemd
Resolves bz 710474
Resolves bz 713307
Resolves bz 680691
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 19 2011 Pavel Lisý <pali at fedoraproject.org> - 1.2.101-1
- Latest 1.2.x upstream release
* Tue Oct 18 2011 Pavel Lisý <pali at fedoraproject.org> - 1.2.100-2
- Resolves bz 746532 - put some deps back: GeoIP-devel openldap-devel
* Mon Oct 10 2011 Pavel Lisý <pali at fedoraproject.org> - 1.2.100-1
- Latest 1.2.x upstream release
- .spec corrections for optional build for systemd
- Resolves bz 710474
- Resolves bz 713307
- Resolves bz 680691
* Wed Sep 14 2011 Pavel Lisý <pali at fedoraproject.org> - 1.2.99-2
- .spec corrections for EL4 build
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #746532 - Cherokee 1.2.100 RPMs built without LDAP, GeoIP support
        https://bugzilla.redhat.com/show_bug.cgi?id=746532
  [ 2 ] Bug #710474 - cherokee: A weakness in Cherokee’s administrative interface random administrator password generation [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=710474
  [ 3 ] Bug #713307 - CVE-2011-2190 CVE-2011-2191 cherokee: multiple vulnerabilities [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=713307
  [ 4 ] Bug #680691 - cherokee uses libssl from openssl >1.0, when opensssl <1.0 is current in repository
        https://bugzilla.redhat.com/show_bug.cgi?id=680691
--------------------------------------------------------------------------------


================================================================================
 dcmtk-3.6.0-6.fc15 (FEDORA-2011-14657)
 Offis DICOM Toolkit (DCMTK)
--------------------------------------------------------------------------------
Update Information:

Added explicit require for CharLS-devel.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 19 2011 Mario Ceresa <mrceresa at fedoraproject.org> 3.6.0-6
- Added explicit require for CharLS-devel as requested in #745277
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #745277 - dcmtk-devel should require CharLS-devel
        https://bugzilla.redhat.com/show_bug.cgi?id=745277
--------------------------------------------------------------------------------


================================================================================
 diffuse-0.4.5-1.fc15 (FEDORA-2011-14663)
 Graphical tool for comparing and merging text files
--------------------------------------------------------------------------------
Update Information:

Update to 0.4.5
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 19 2011 Jon Levell <fedora at coralbark.net> - 0.4.5-1
- Update to 0.4.5 upstream release
--------------------------------------------------------------------------------


================================================================================
 e16-1.0.10-1.fc15 (FEDORA-2011-14644)
 The Enlightenment window manager, DR16
--------------------------------------------------------------------------------
Update Information:

Update to latest upstream release e16 1.0.10.

--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 19 2011 Terje Rosten <terje.rosten at ntnu.no> - 1.0.10-1
- 1.0.10
--------------------------------------------------------------------------------


================================================================================
 e16-themes-1.0.1-1.fc15 (FEDORA-2011-14643)
 Themes for Enlightenment, DR16
--------------------------------------------------------------------------------
Update Information:

Update to upstream latest release e16-themes 1.0.1. 
Also remove some unwanted fonts from the package and source package.



--------------------------------------------------------------------------------
ChangeLog:

* Tue Oct 18 2011 Terje Rosten <terje.rosten at ntnu.no> - 1.0.1-1
- 1.0.1
- Remove fonts (bz #477378)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #477378 - [e16-themes] Please convert to new font packaging guidelines
        https://bugzilla.redhat.com/show_bug.cgi?id=477378
  [ 2 ] Bug #615723 - Package includes non-free fonts
        https://bugzilla.redhat.com/show_bug.cgi?id=615723
--------------------------------------------------------------------------------


================================================================================
 facter-1.6.2-1.fc15 (FEDORA-2011-14642)
 Ruby module for collecting simple facts about a host operating system
--------------------------------------------------------------------------------
Update Information:

This is an upstream bugfix release.  One new addition that is of interest is the osfamily fact.  For details on the fixes refer to the upstream release announcement:

http://groups.google.com/group/puppet-users/msg/9856678279f498a5
--------------------------------------------------------------------------------
ChangeLog:

* Sat Oct 15 2011 Todd Zullinger <tmz at pobox.com> - 1.6.2-1
- Update to 1.6.2
- Update source URL
--------------------------------------------------------------------------------


================================================================================
 firstaidkit-0.3.2-2.fc15 (FEDORA-2011-14636)
 System analysis and rescue tool
--------------------------------------------------------------------------------
Update Information:

This update removes defective grub plugin.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Oct 14 2011 Martin Sivak <msivak at redhat.com> - 0.3.2-2
- Added Obsolete clause as Yum cannot handle updates with removal
  Resolves: rhbz#738563
* Wed Aug  3 2011 Martin Sivak <msivak at redhat.com> - 0.3.2-1
- Removed GRUB plugin, it was a broken hack anyways
--------------------------------------------------------------------------------


================================================================================
 freeipa-2.1.3-2.fc15 (FEDORA-2011-14639)
 The Identity, Policy and Audit system
--------------------------------------------------------------------------------
Update Information:

FreeIPA:

== What happened to 2.1.2!? ==

Right after tagging 2.1.2 we found an upgrade issue that would have 
affected any users using the selfsign CA (installed with --selfsign). We 
decided to hold back the release, fix a few more bugs, and just push out 
2.1.3 instead about a week later. So here we are.

== Highlights in 2.1.3 ==

* Enforce that system hostname matches hostname of IPA server.
* Require that /etc/hosts is sane even when configuring DNS.
* Increase default server-side LDAP search limits.
* Client enrollment improvements including longer wait for sssd to 
start, recovery if discovered IPA server is not responsive and when 
anonymous bind is disabled in 389-ds.

== Highlights in 2.1.2 ==

* Upgrade older dogtag installs to use new PKI proxy configuration
* hbactest improvements
* Added platform-independent code to make ipa-client-install more portable
* Make client uninstaller more robust, should restore state more completely.
* UI usability improvements
* Tool for Enabling/Disabling Managed Entry Plugins
* Managed Entries configuration is now replicated
* IPv6 client enrollment improvements
* Man page improvements
* Performance improvements when calculating indirect membership
* Improved handling of disabled anonymous binds in 389-ds
* user is now prompted to enter current password when changing to a new
password
* ipa server now support multiple namingContexts. ipa-client-install and
password migration were fixed

== Upgrading ==

=== Server ===

To upgrade a 2.0.0, 2.0.1 or 2.1.0 server do the following:
  # yum update freeipa-server --enablerepo=updates-testing

This will pull in updated freeIPA, 389-ds, dogtag, libcurl and xmlrpc-c 
packages (and perhaps some others). A script will be executed in the rpm 
postinstall phase to update the IPA LDAP server with any required changes.

There is a bug reported against 389-ds, 
https://bugzilla.redhat.com/show_bug.cgi?id=730387, related to 
read-write locks. The NSPR RW lock implementation does not safely allow 
re-entrant use of reader
locks. This is a timing issue so it is difficult to predict. During 
testing one user experienced this and the upgrade hung. To break the 
hang kill the ns-slapd process for your realm, wait for the yum 
transaction to complete, then restart 389-ds and manually run the update 
process:

  # service dirsrv start
  # ipa-ldap-updater --update

=== Client ===

The ipa-client-install tool in the ipa-client package is just a 
configuration tool. There should be no need to re-run this on every 
client already enrolled.




SSSD:
== Highlights ==
 * Improved handling of users and groups with multi-valued name
attributes (aliases)
 * Performance enhancements
  * Initgroups on RFC2307bis/FreeIPA
  * HBAC rule processing
 * Improved process-hang detection and restarting
 * Enabled the midpoint cache refresh by default (fewer cache misses on
commonly-used entries)
 * Cleaned up the example configuration


389-ds-base:
 * fix config del/add mods
 * memberof is transaction aware resource
 * limits for simple paged results
 * Native systemd support
 * Fix for managed entry
 * Fixed source tarball
 * fix transaction support in ldbm_delete

--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 19 2011 Rob Crittenden <rcritten at redhat.com> - 2.1.3-2
- Set minimum nvr of sssd to 1.5.14
* Tue Oct 18 2011 Rob Crittenden <rcritten at redhat.com> - 2.1.3-1
- Update to upstream 2.1.3
* Wed Sep  7 2011 Rob Crittenden <rcritten at redhat.com> - 2.1.1-1
- Update to upstream 2.1.1
* Mon Aug 29 2011 Rob Crittenden <rcritten at redhat.com> - 2.1.0-2
- Update minimum pki-ca and pki-selinux to 9.0.11 to fix BZ 700505
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #743035 - HBAC processing is very slow when dealing with FreeIPA deployments with large numbers of hosts.
        https://bugzilla.redhat.com/show_bug.cgi?id=743035
  [ 2 ] Bug #741744 - MOD operations with chained delete/add get back error 53 on backend config
        https://bugzilla.redhat.com/show_bug.cgi?id=741744
  [ 3 ] Bug #743966 - Compiler warnings in account usability plugin
        https://bugzilla.redhat.com/show_bug.cgi?id=743966
  [ 4 ] Bug #740942 - allow resource limits to be set for paged searches independently of limits for other searches/operations
        https://bugzilla.redhat.com/show_bug.cgi?id=740942
  [ 5 ] Bug #742324 - allow nsslapd-idlistscanlimit to be set dynamically and per-user
        https://bugzilla.redhat.com/show_bug.cgi?id=742324
  [ 6 ] Bug #739172 - Allow separate fractional attrs to be defined for incremental and total protocols
        https://bugzilla.redhat.com/show_bug.cgi?id=739172
  [ 7 ] Bug #736712 - Modifying ruv entry deadlocks server
        https://bugzilla.redhat.com/show_bug.cgi?id=736712
  [ 8 ] Bug #590826 - Reloading database from ldif causes changelog to emit "data no longer matches" errors
        https://bugzilla.redhat.com/show_bug.cgi?id=590826
  [ 9 ] Bug #730387 - Use POSIX RW locks instead of NSPR implementation
        https://bugzilla.redhat.com/show_bug.cgi?id=730387
  [ 10 ] Bug #611438 - [RFE] [CRM#2027194] adding Account Usable Request Control '1.3.6.1.4.1.42.2.27.9.5.8' in RHDS
        https://bugzilla.redhat.com/show_bug.cgi?id=611438
  [ 11 ] Bug #735114 - renaming a managed entry does not update mepmanagedby
        https://bugzilla.redhat.com/show_bug.cgi?id=735114
--------------------------------------------------------------------------------


================================================================================
 ghc-hamlet-0.10.3-1.fc15 (FEDORA-2011-14635)
 Haml-like template files that are compile-time checked
--------------------------------------------------------------------------------
Update Information:

Update to 0.10.3 release.
--------------------------------------------------------------------------------
ChangeLog:

* Sat Oct  8 2011 Jens Petersen <petersen at redhat.com> - 0.10.3-1
- update to 0.10.3
- BR prof not devel deps
* Tue Oct  4 2011 Jens Petersen <petersen at redhat.com> - 0.9.0-4
- rebuild against latest blaze-html
* Fri Sep 30 2011 Jens Petersen <petersen at redhat.com> - 0.9.0-3
- rebuild against latest blaze-html
* Thu Aug  4 2011 Jens Petersen <petersen at redhat.com> - 0.9.0-2
- rebuild for blaze-html update
* Mon Jul 25 2011 Ben Boeckel <mathstuf at gmail.com> - 0.9.0-1
- Update to 0.9.0
- Update to cabal2spec-0.24
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #734408 - ghc-hamlet-0.10.3 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=734408
--------------------------------------------------------------------------------


================================================================================
 gnome-shell-theme-ambiance-1.0-2.fc15 (FEDORA-2011-14655)
 The Ambience gnome-shell theme
--------------------------------------------------------------------------------
Update Information:

The ambiance theme for gnome-shell
--------------------------------------------------------------------------------


================================================================================
 krb5-1.9.1-14.fc15 (FEDORA-2011-14673)
 The Kerberos network authentication system
--------------------------------------------------------------------------------
Update Information:

This update applies the upstream patch to fix a null pointer dereference with the LDAP kdb backend (CVE-2011-1527, #744125), an assertion failure with multiple kdb backends (CVE-2011-1528), and a null pointer dereference with multiple kdb backends (CVE-2011-1529). (#737711)

It also rolls up a number of mostly-minor fixes, some of which were backported from upstream to the Fedora 16 branch.  The main user-visible change is a fix for cross-realm authentication in the client libraries.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Oct 18 2011 Nalin Dahyabhai <nalin at redhat.com> 1.9.1-14
- apply upstream patch to fix a null pointer dereference with the LDAP kdb
  backend (CVE-2011-1527, #744125), an assertion failure with multiple kdb
  backends (CVE-2011-1528), and a null pointer dereference with multiple kdb
  backends (CVE-2011-1529) (#737711)
* Wed Oct 12 2011 Nalin Dahyabhai <nalin at redhat.com> 1.9.1-13
- handle a harder-to-trigger assertion failure that starts cropping up when we
  exit the transmit loop on time (#739853)
* Tue Sep  6 2011 Nalin Dahyabhai <nalin at redhat.com> 1.9.1-12
- pull in upstream patch for RT#6952, confusion following referrals for
  cross-realm auth (#734341)
- pull in build-time deps for the tests
* Thu Sep  1 2011 Nalin Dahyabhai <nalin at redhat.com> 1.9.1-11
- switch to the upstream patch for #727829
* Wed Aug 31 2011 Nalin Dahyabhai <nalin at redhat.com> 1.9.1-10
- handle an assertion failure that starts cropping up when the patch for
  using poll (#701446) meets servers that aren't running KDCs or against
  which the connection fails for other reasons (#727829, #734172)
* Mon Aug  8 2011 Nalin Dahyabhai <nalin at redhat.com> 1.9.1-9
- override the default build rules to not delete temporary y.tab.c files,
  so that they can be packaged, allowing debuginfo files which point to them
  do so usefully (#729044)
* Fri Jul 22 2011 Nalin Dahyabhai <nalin at redhat.com> 1.9.1-8
- build shared libraries with partial RELRO support (#723995)
- filter out potentially multiple instances of -Wl,-z,relro from krb5-config
  output, now that it's in the buildroot's default LDFLAGS
- pull in a patch to fix losing track of the replay cache FD, from SVN by
  way of Kevin Coffman
* Wed Jul 20 2011 Nalin Dahyabhai <nalin at redhat.com> 1.9.1-7
- kadmind.init: drop the attempt to detect no-database-present errors (#723723)
* Tue Jul 19 2011 Nalin Dahyabhai <nalin at redhat.com> 1.9.1-6
- backport fixes to teach libkrb5 to use descriptors higher than FD_SETSIZE
  to talk to a KDC by using poll() if it's detected at compile-time (#701446,
  RT#6905)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #737711 - CVE-2011-1527 CVE-2011-1528 CVE-2011-1529 krb5: KDC denial of service vulnerabilities (MITKRB5-SA-2011-006)
        https://bugzilla.redhat.com/show_bug.cgi?id=737711
--------------------------------------------------------------------------------


================================================================================
 kyotocabinet-1.2.70-2.fc15 (FEDORA-2011-14674)
 A lightweight database library
--------------------------------------------------------------------------------
Update Information:

Fix some compiler flags and debuginfo
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 19 2011 Casey Dahlin <cdahlin at redhat.com> - 1.2.70-2
- Prevent -march=native build flag [735822], credit Ville Skyatta
  <ville.skyata at iki.fi>
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #735822 - kyotocabinet 1.2.70-1 built with problematic compiler flags
        https://bugzilla.redhat.com/show_bug.cgi?id=735822
--------------------------------------------------------------------------------


================================================================================
 mathomatic-15.6.5-1.fc15 (FEDORA-2011-14676)
 Small, portable symbolic math program
--------------------------------------------------------------------------------
Update Information:

Update to latest upstream release mathomatic 15.6.5.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Oct 18 2011 Terje Rosten <terje.rosten at ntnu.no> - 15.6.5-1
- 15.6.5
--------------------------------------------------------------------------------


================================================================================
 offlineimap-6.3.4-1.fc15 (FEDORA-2011-14662)
 Powerful IMAP/Maildir synchronization and reader support
--------------------------------------------------------------------------------
Update Information:

Update to latest stable release.
--------------------------------------------------------------------------------
ChangeLog:

* Sun Oct 16 2011 Christoph Höger <choeger at umpa-net.de> - 6.3.4-1
- Upgrade to latest stable version
- Fixes #708898
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #708898 - offlineimap 6.3.3 deletes local emails
        https://bugzilla.redhat.com/show_bug.cgi?id=708898
--------------------------------------------------------------------------------


================================================================================
 python-slip-0.2.18-1.fc15 (FEDORA-2011-14672)
 Miscellaneous convenience, extension and workaround code for Python
--------------------------------------------------------------------------------
Update Information:

This update contains fixes for dbus backends that are meant to be persistent.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 19 2011 Nils Philippsen <nils at redhat.com> - 0.2.18-1
- actually use persistent value in Object constructor
--------------------------------------------------------------------------------


================================================================================
 ql2400-firmware-5.06.02-1.fc15 (FEDORA-2011-14646)
 Firmware for qlogic 2400 devices
--------------------------------------------------------------------------------
Update Information:

It is a truth universally acknowledged, that a single man in possession of a good fortune, must be in want of a wife.

However little known the feelings or views of such a man may be on his first entering a neighbourhood, this truth is so well fixed in the minds of the surrounding families, that he is considered the rightful property of some one or other of their daughters.

"My dear Mr. ql2400-firmware," said his lady to him one day, "have you heard that Beefy Miracle is chosen at last?"

Mr. ql2400-firmware replied that he had not.

"But it is," returned she; "for Mrs. Bergeron has just been here, and she told me all about it."

Mr. ql2400-firmware made no answer.

"Do you not want to know which release has taken it?" cried his wife impatiently.

"You want to tell me, and I have no objection to hearing it."

This was invitation enough.

"Why, my dear, you must know, Mrs. Bergeron says that ql2500-firmware is taken by a young distribution of large fortune from the north of England; that he came down on Monday in a chaise and four to see the name, and was so much delighted with it, that he agreed with Mr. Smith immediately; that he is to take possession before Michaelmas, and some of his servants are to be branded with the logo by the end of next week."

"What is his name?"

"[CENSORED]."

"Is he married or single?"

"Oh! Single, my dear, to be sure! A single component of large fortune; four or five thousand changes a year. What a fine thing for our users!"

"How so? How can it affect them?"

"My dear Mr. ql2400-firmware," replied his wife, "how can you be so tiresome! You must know that I am thinking of his marrying one of them."

"Is that his design in making the update?"

"Design! Nonsense, how can you talk so! But it is very likely that he may fall in love with one of them, and therefore you must visit him as soon as he comes."

"I see no occasion for that. You and the girls may go, or you may send them by themselves, which perhaps will be still better, for as you are as handsome as any of them, Mr. Pangolin may like you the best of the party."

"My dear, you flatter me. I certainly have had my share of beauty, but I do not pretend to be anything extraordinary now. When a woman has five grown-up daughters, she ought to give over thinking of her own beauty."

"In such cases, a woman has not often much beauty to think of."

"But, my dear, you must indeed go and see Mr. Pangolin when he comes into the neighbourhood."

"It is more than I engage for, I assure you." 
--------------------------------------------------------------------------------
ChangeLog:

* Tue Oct 18 2011 Tom Callaway <spot at fedoraproject.org> - 5.06.02-1
- update to 5.06.02
--------------------------------------------------------------------------------


================================================================================
 ql2500-firmware-5.06.02-1.fc15 (FEDORA-2011-14646)
 Firmware for qlogic 2500 devices
--------------------------------------------------------------------------------
Update Information:

It is a truth universally acknowledged, that a single man in possession of a good fortune, must be in want of a wife.

However little known the feelings or views of such a man may be on his first entering a neighbourhood, this truth is so well fixed in the minds of the surrounding families, that he is considered the rightful property of some one or other of their daughters.

"My dear Mr. ql2400-firmware," said his lady to him one day, "have you heard that Beefy Miracle is chosen at last?"

Mr. ql2400-firmware replied that he had not.

"But it is," returned she; "for Mrs. Bergeron has just been here, and she told me all about it."

Mr. ql2400-firmware made no answer.

"Do you not want to know which release has taken it?" cried his wife impatiently.

"You want to tell me, and I have no objection to hearing it."

This was invitation enough.

"Why, my dear, you must know, Mrs. Bergeron says that ql2500-firmware is taken by a young distribution of large fortune from the north of England; that he came down on Monday in a chaise and four to see the name, and was so much delighted with it, that he agreed with Mr. Smith immediately; that he is to take possession before Michaelmas, and some of his servants are to be branded with the logo by the end of next week."

"What is his name?"

"[CENSORED]."

"Is he married or single?"

"Oh! Single, my dear, to be sure! A single component of large fortune; four or five thousand changes a year. What a fine thing for our users!"

"How so? How can it affect them?"

"My dear Mr. ql2400-firmware," replied his wife, "how can you be so tiresome! You must know that I am thinking of his marrying one of them."

"Is that his design in making the update?"

"Design! Nonsense, how can you talk so! But it is very likely that he may fall in love with one of them, and therefore you must visit him as soon as he comes."

"I see no occasion for that. You and the girls may go, or you may send them by themselves, which perhaps will be still better, for as you are as handsome as any of them, Mr. Pangolin may like you the best of the party."

"My dear, you flatter me. I certainly have had my share of beauty, but I do not pretend to be anything extraordinary now. When a woman has five grown-up daughters, she ought to give over thinking of her own beauty."

"In such cases, a woman has not often much beauty to think of."

"But, my dear, you must indeed go and see Mr. Pangolin when he comes into the neighbourhood."

"It is more than I engage for, I assure you." 
--------------------------------------------------------------------------------
ChangeLog:

* Tue Oct 18 2011 Tom Callaway <spot at fedoraproject.org> - 5.06.02-1
- update to 5.06.02
--------------------------------------------------------------------------------


================================================================================
 recutils-1.3-4.fc15 (FEDORA-2011-14658)
 A set of tools to access GNU recfile databases
--------------------------------------------------------------------------------
Update Information:

initial packaging for Fedora
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #704112 - Review Request: recutils - A set of tools to access GNU recfile databases
        https://bugzilla.redhat.com/show_bug.cgi?id=704112
--------------------------------------------------------------------------------


================================================================================
 rubygem-rhc-0.79.5-1.fc15 (FEDORA-2011-14661)
 OpenShift Express Client Tools
--------------------------------------------------------------------------------
Update Information:

Updated version 0.79.5
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 19 2011 Guillermo Gómez <gomix at fedoraproject.org> - 0.79.5-1
- Update to version 0.79.5
--------------------------------------------------------------------------------


================================================================================
 scap-workbench-0.5.1-1.fc15 (FEDORA-2011-14656)
 Scanning, tailoring, editing and validation tool for SCAP content
--------------------------------------------------------------------------------
Update Information:

Updated to latest upstream release 0.5.1 which contains both new features
and bug fixes. Marking this as enhancement since none of the 0.4.0 bugs are
critical on Fedora 15.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 19 2011 Martin Preisler <mpreisle at redhat.com> 0.5.1-1
- Don't use the deprecated "gnome" module
- Only use absolute imports in intra-package modules
* Wed Oct 12 2011 Martin Preisler <mpreisle at redhat.com> 0.5.0-1
- Commenting, refactoring and code cleanup
- New uncaught exception dialog
- Version time editing
- Fixed bugs
--------------------------------------------------------------------------------


================================================================================
 sssd-1.5.14-1.fc15 (FEDORA-2011-14639)
 System Security Services Daemon
--------------------------------------------------------------------------------
Update Information:

FreeIPA:

== What happened to 2.1.2!? ==

Right after tagging 2.1.2 we found an upgrade issue that would have 
affected any users using the selfsign CA (installed with --selfsign). We 
decided to hold back the release, fix a few more bugs, and just push out 
2.1.3 instead about a week later. So here we are.

== Highlights in 2.1.3 ==

* Enforce that system hostname matches hostname of IPA server.
* Require that /etc/hosts is sane even when configuring DNS.
* Increase default server-side LDAP search limits.
* Client enrollment improvements including longer wait for sssd to 
start, recovery if discovered IPA server is not responsive and when 
anonymous bind is disabled in 389-ds.

== Highlights in 2.1.2 ==

* Upgrade older dogtag installs to use new PKI proxy configuration
* hbactest improvements
* Added platform-independent code to make ipa-client-install more portable
* Make client uninstaller more robust, should restore state more completely.
* UI usability improvements
* Tool for Enabling/Disabling Managed Entry Plugins
* Managed Entries configuration is now replicated
* IPv6 client enrollment improvements
* Man page improvements
* Performance improvements when calculating indirect membership
* Improved handling of disabled anonymous binds in 389-ds
* user is now prompted to enter current password when changing to a new
password
* ipa server now support multiple namingContexts. ipa-client-install and
password migration were fixed

== Upgrading ==

=== Server ===

To upgrade a 2.0.0, 2.0.1 or 2.1.0 server do the following:
  # yum update freeipa-server --enablerepo=updates-testing

This will pull in updated freeIPA, 389-ds, dogtag, libcurl and xmlrpc-c 
packages (and perhaps some others). A script will be executed in the rpm 
postinstall phase to update the IPA LDAP server with any required changes.

There is a bug reported against 389-ds, 
https://bugzilla.redhat.com/show_bug.cgi?id=730387, related to 
read-write locks. The NSPR RW lock implementation does not safely allow 
re-entrant use of reader
locks. This is a timing issue so it is difficult to predict. During 
testing one user experienced this and the upgrade hung. To break the 
hang kill the ns-slapd process for your realm, wait for the yum 
transaction to complete, then restart 389-ds and manually run the update 
process:

  # service dirsrv start
  # ipa-ldap-updater --update

=== Client ===

The ipa-client-install tool in the ipa-client package is just a 
configuration tool. There should be no need to re-run this on every 
client already enrolled.




SSSD:
== Highlights ==
 * Improved handling of users and groups with multi-valued name
attributes (aliases)
 * Performance enhancements
  * Initgroups on RFC2307bis/FreeIPA
  * HBAC rule processing
 * Improved process-hang detection and restarting
 * Enabled the midpoint cache refresh by default (fewer cache misses on
commonly-used entries)
 * Cleaned up the example configuration


389-ds-base:
 * fix config del/add mods
 * memberof is transaction aware resource
 * limits for simple paged results
 * Native systemd support
 * Fix for managed entry
 * Fixed source tarball
 * fix transaction support in ldbm_delete

--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 19 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.14-1
- New upstream release 1.5.14
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.14
- Improved handling of users and groups with multi-valued name attributes
  (aliases)
- Performance enhancements
  * Initgroups on RFC2307bis/FreeIPA
  * HBAC rule processing
- Improved process-hang detection and restarting
- Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries)
- Cleaned up the example configuration
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #743035 - HBAC processing is very slow when dealing with FreeIPA deployments with large numbers of hosts.
        https://bugzilla.redhat.com/show_bug.cgi?id=743035
  [ 2 ] Bug #741744 - MOD operations with chained delete/add get back error 53 on backend config
        https://bugzilla.redhat.com/show_bug.cgi?id=741744
  [ 3 ] Bug #743966 - Compiler warnings in account usability plugin
        https://bugzilla.redhat.com/show_bug.cgi?id=743966
  [ 4 ] Bug #740942 - allow resource limits to be set for paged searches independently of limits for other searches/operations
        https://bugzilla.redhat.com/show_bug.cgi?id=740942
  [ 5 ] Bug #742324 - allow nsslapd-idlistscanlimit to be set dynamically and per-user
        https://bugzilla.redhat.com/show_bug.cgi?id=742324
  [ 6 ] Bug #739172 - Allow separate fractional attrs to be defined for incremental and total protocols
        https://bugzilla.redhat.com/show_bug.cgi?id=739172
  [ 7 ] Bug #736712 - Modifying ruv entry deadlocks server
        https://bugzilla.redhat.com/show_bug.cgi?id=736712
  [ 8 ] Bug #590826 - Reloading database from ldif causes changelog to emit "data no longer matches" errors
        https://bugzilla.redhat.com/show_bug.cgi?id=590826
  [ 9 ] Bug #730387 - Use POSIX RW locks instead of NSPR implementation
        https://bugzilla.redhat.com/show_bug.cgi?id=730387
  [ 10 ] Bug #611438 - [RFE] [CRM#2027194] adding Account Usable Request Control '1.3.6.1.4.1.42.2.27.9.5.8' in RHDS
        https://bugzilla.redhat.com/show_bug.cgi?id=611438
  [ 11 ] Bug #735114 - renaming a managed entry does not update mepmanagedby
        https://bugzilla.redhat.com/show_bug.cgi?id=735114
--------------------------------------------------------------------------------


================================================================================
 systemd-26-12.fc15 (FEDORA-2011-14203)
 A System and Service Manager
--------------------------------------------------------------------------------
Update Information:

Several bugfixes:

* Fix a possible crash with `ConditionVirtualization`.
* Fix a couple of minor fd leaks.
* Decrease the max file size for readahead.
* Introduce `local-fs-pre.target` to fix bind mounts of the root filesystem.
* Disable the guessing of main PID for SysV services. For services with broken daemonization the guess could be wrong, causing them to be stopped immediately after start.
* Fix a crash in isolating.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 19 2011 Michal Schmidt <mschmidt at redhat.com> - 26-12
- Fix a crash in isolating.
- Fixes: BZ#717325
* Wed Oct 12 2011 Michal Schmidt <mschmidt at redhat.com> - 26-11
- Pick a few fixes from upstream v37.
- Including the change to disable main PID guessing for SysV services.
- Loop over %{patches} in the spec.
- Fixes: BZ#718464, fdo#41336
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #718464 - NFS exports bind mounts as read-only
        https://bugzilla.redhat.com/show_bug.cgi?id=718464
  [ 2 ] Bug #717325 - Assertion 'j->installed' failed at src/manager.c:1202, function transaction_apply(). Aborting.
        https://bugzilla.redhat.com/show_bug.cgi?id=717325
--------------------------------------------------------------------------------


================================================================================
 tcplay-0.9-0.4.20111007git97ed5f9.fc15 (FEDORA-2011-14665)
 Utility to create/open/map TrueCrypt-compatible volumes
--------------------------------------------------------------------------------
Update Information:

The tcplay utility provides full support for creating and
opening/mapping TrueCrypt-compatible volumes.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #743497 - Review Request: tcplay - Utility to create/open/map TrueCrypt-compatible volumes
        https://bugzilla.redhat.com/show_bug.cgi?id=743497
--------------------------------------------------------------------------------


================================================================================
 tzdata-2011l-3.fc15 (FEDORA-2011-14677)
 Timezone data
--------------------------------------------------------------------------------
Update Information:

- Ukraine decided to enter Winter Time after all
- State of Bahia, Brazil, to resume Summer Time on Oct 16
- Fiji will introduce DST
- A couple of fixes for past stamps
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 19 2011 Petr Machata <pmachata at redhat.com> - 2011l-3
- Ukraine will enter Winter Time after all
* Fri Oct 14 2011 Petr Machata <pmachata at redhat.com> - 2011l-2
- State of Bahia, Brazil, to resume Summer Time on Oct 16
- The project moved, reflect this in URL
- Resolves: #746183
* Tue Oct 11 2011 Petr Machata <pmachata at redhat.com> - 2011l-1
- Upstream 2011l:
  - Fix ancient stamps for America/Sitka
  - Asia/Hebron transitioned to standard time already on Sep 30, not Oct 3
  - Fiji will introduce DST on Oct 22
--------------------------------------------------------------------------------


================================================================================
 xscreensaver-5.15-3.fc15 (FEDORA-2011-14645)
 X screen saver and locker
--------------------------------------------------------------------------------
Update Information:

A bug is reported that vidwhacker won't work when selecting "Choose Random Image" on "Image Manipulation" in xscreensaver-demo. This new rpm will fix this issue.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Oct 18 2011 Mamoru Tasaka <mtasaka at fedoraproject.org> - 1:5.15-3
- Make vidwhacker work correctly when xscreensaver-getimage-file
  returns relative path (bug 746847)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #746847 - vidwhacker now broken
        https://bugzilla.redhat.com/show_bug.cgi?id=746847
--------------------------------------------------------------------------------


================================================================================
 znc-infobot-0.202-1.fc15 (FEDORA-2011-14647)
 infobot module for ZNC IRC Bouncer
--------------------------------------------------------------------------------
Update Information:

Build znc-infobot against 0.202
Initial Package Build
Initial Package Build
Initial Package for F14.
Initial Package build for F15
ZNC-Infobot initial package built
--------------------------------------------------------------------------------

More information about the test mailing list