Fedora 16 updates-testing report

updates at fedoraproject.org
Wed Jan 9 09:04:34 UTC 2013


The following Fedora 16 Security updates need testing:
 Age  URL
   6  https://admin.fedoraproject.org/updates/FEDORA-2013-0110/tcl-snack-2.2.10-17.fc16
  28  https://admin.fedoraproject.org/updates/FEDORA-2012-20157/libproxy-0.4.11-1.fc16
  28  https://admin.fedoraproject.org/updates/FEDORA-2012-20156/389-ds-base-1.2.10.24-1.fc16
 109  https://admin.fedoraproject.org/updates/FEDORA-2012-14452/bacula-5.0.3-33.fc16
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-0468/proftpd-1.3.4b-4.fc16
  28  https://admin.fedoraproject.org/updates/FEDORA-2012-20236/rssh-2.3.4-1.fc16
 187  https://admin.fedoraproject.org/updates/FEDORA-2012-10314/revelation-0.4.14-1.fc16
 107  https://admin.fedoraproject.org/updates/FEDORA-2012-14654/tor-0.2.2.39-1600.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-0225/pl-5.10.2-9.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-0244/rubygem-activerecord-3.0.10-4.fc16
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-0477/gnupg-1.4.13-2.fc16
   0  https://admin.fedoraproject.org/updates/FEDORA-2012-19347/cups-1.5.4-12.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-0222/gnupg2-2.0.19-7.fc16
  70  https://admin.fedoraproject.org/updates/FEDORA-2012-17291/thunderbird-16.0.2-1.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-0261/nss-3.14.1-3.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-0269/drupal7-context-3.0-0.3.beta6.fc16
   7  https://admin.fedoraproject.org/updates/FEDORA-2013-0061/php-ZendFramework-1.12.1-1.fc16
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-0270/qt-4.8.4-6.fc16


The following Fedora 16 Critical Path updates have yet to be approved:
 Age URL
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-0477/gnupg-1.4.13-2.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-0230/selinux-policy-3.10.0-98.fc16
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-0270/qt-4.8.4-6.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-0263/qtwebkit-2.2.2-5.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-0261/nss-3.14.1-3.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-0222/gnupg2-2.0.19-7.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-0238/mysql-5.5.29-1.fc16
  12  https://admin.fedoraproject.org/updates/FEDORA-2012-20795/nss-3.14.1-2.fc16,nss-softokn-3.14.1-3.fc16,nss-util-3.14.1-1.fc16,nspr-4.9.4-1.fc16

The following builds have been pushed to Fedora 16 updates-testing

    WindowMaker-0.95.4-2.fc16
    Xnee-3.14-1.fc16
    cups-1.5.4-12.fc16
    darktable-1.1.1-2.fc16
    gnupg-1.4.13-2.fc16
    googlecl-0.9.14-1.fc16
    mkproject-0.4.6-3.fc16
    proftpd-1.3.4b-4.fc16
    qt-4.8.4-6.fc16
    rednotebook-1.6.5-1.fc16
    slrn-0.9.9p1-5.fc16
    yap-6.2.0-7.fc16

Details about builds:


================================================================================
 WindowMaker-0.95.4-2.fc16 (FEDORA-2013-0480)
 A fast, feature rich Window Manager
--------------------------------------------------------------------------------
Update Information:

New upstream version.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan  7 2013 Andreas Bierfert <andreas.bierfert[AT]lowlatency.de>
- 0.95.4-2
- fix incorrect fsf address
- submit extra package for review so this is not updated each time we update
  windowmaker
* Mon Jan  7 2013 Andreas Bierfert <andreas.bierfert[AT]lowlatency.de>
- 0.95.4-1
- version upgrade
- readd windowmaker extra stuff
* Mon Jan  7 2013 Adam Tkac <atkac redhat com> - 0.95.3-4
- rebuild against new libjpeg
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.95.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
--------------------------------------------------------------------------------


================================================================================
 Xnee-3.14-1.fc16 (FEDORA-2013-0469)
 X11 environment recorder
--------------------------------------------------------------------------------
Update Information:

Update to 3.14
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan  8 2013 Matthieu Saulnier <fantom at fedoraproject.org> - 3.14-1
- Update to 3.14
--------------------------------------------------------------------------------


================================================================================
 cups-1.5.4-12.fc16 (FEDORA-2012-19347)
 Common Unix Printing System
--------------------------------------------------------------------------------
Update Information:

This update addresses two security issues:

* CVE-2012-5519 (privilege escalation for users of the CUPS SystemGroup group or via polkit) is fixed by moving certain configuration keywords into a separate file, cups-files.conf, which cannot be modified by cupsd.

* CVE-2012-6094 (configuration issue with IPv4 vs IPv6) has been fixed by dropping support for systemd socket activation via IP sockets.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jan  4 2013 Tim Waugh <twaugh at redhat.com> 1:1.5.4-12
- Avoid misleading error message when configuration cannot be read.
- Don't enable IP-based systemd socket activation by default
  (bug #842365, bug #891945, CVE-2012-6094).
* Thu Dec  6 2012 Tim Waugh <twaugh at redhat.com> 1:1.5.4-11
- Additional fix relating to CVE-2012-5519 to avoid misleading error
  message about actions to take to enable file device URIs.
* Tue Dec  4 2012 Tim Waugh <twaugh at redhat.com> 1:1.5.4-10
- Small error handling improvements in the configuration migration
  script.
* Mon Dec  3 2012 Tim Waugh <twaugh at redhat.com> 1:1.5.4-9
- Applied additional upstream patch for CVE-2012-5519 so that the
  RemoteRoot keyword is recognised in the correct configuration file.
* Mon Dec  3 2012 Tim Waugh <twaugh at redhat.com> 1:1.5.4-8
- Fixed patch for CVE-2012-5519 so that LogFilePerm and LPDConfigFile
  are recognised keywords for cups-files.conf (bug #882379).
* Wed Nov 28 2012 Tim Waugh <twaugh at redhat.com> 1:1.5.4-7
- Fixed paths in config migration %post script.
- Set default cups-files.conf filename.
* Mon Nov 26 2012 Tim Waugh <twaugh at redhat.com> 1:1.5.4-6
- Apply upstream fix for CVE-2012-5519 (STR #4223, bug #875898).
  Migrate configuration keywords as needed.
* Mon Oct 22 2012 Jiri Popelka <jpopelka at redhat.com> 1:1.5.4-5
- Add quirk rule for Xerox Phaser 3124 (#867392)
* Mon Oct  1 2012 Jiri Popelka <jpopelka at redhat.com> 1:1.5.4-4
- improved usblp-quirks.patch (bug #847923, STR #4191)
* Thu Sep 20 2012 Tim Waugh <twaugh at redhat.com> 1:1.5.4-3
- The cups-libs subpackage contains code distributed under the zlib
  license (md5.c).
* Thu Aug 23 2012 Jiri Popelka <jpopelka at redhat.com> 1:1.5.4-2
- quirk handler for port reset done by new USB backend (bug #847923, STR #4155)
* Thu Jul 26 2012 Jiri Popelka <jpopelka at redhat.com> 1:1.5.4-1
- 1.5.4
* Mon May 28 2012 Jiri Popelka <jpopelka at redhat.com> 1:1.5.3-2
- Buildrequire libusb1 (STR #3477)
* Tue May 15 2012 Jiri Popelka <jpopelka at redhat.com> 1:1.5.3-1
- 1.5.3
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #875898 - CVE-2012-5519 cups: privilege escalation for users of the CUPS SystemGroup group
        https://bugzilla.redhat.com/show_bug.cgi?id=875898
  [ 2 ] Bug #891942 - CVE-2012-6094 cups: 'Listen localhost:631' option not honoured correctly on IPv6-enabled systems when systemd used for CUPS socket activation
        https://bugzilla.redhat.com/show_bug.cgi?id=891942
--------------------------------------------------------------------------------


================================================================================
 darktable-1.1.1-2.fc16 (FEDORA-2013-0454)
 Utility to organize and develop raw images
--------------------------------------------------------------------------------
Update Information:

adding map mode
--------------------------------------------------------------------------------
ChangeLog:

* Sun Jan  6 2013 Edouard Bourguignon <madko at linuxed.net> - 1.1.1-2
- Add map mode
--------------------------------------------------------------------------------


================================================================================
 gnupg-1.4.13-2.fc16 (FEDORA-2013-0477)
 A GNU utility for secure communication and data storage
--------------------------------------------------------------------------------
Update Information:

fix build on big endian arches, IDEA was buggy
New upstream with CVE fix.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan  7 2013 Dan Horák <dan[at]danny.cz> 1.4.13-2
- fix build on big-endian arches (gnupg bug #1461)
* Wed Jan  2 2013 Brian C. Lane <bcl at redhat.com> 1.4.13-1
- New upstream v1.4.13
  fixes for CVE-2012-6085 (#891142)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #891142 - CVE-2012-6085 GnuPG: read_block() corrupt key input validation
        https://bugzilla.redhat.com/show_bug.cgi?id=891142
--------------------------------------------------------------------------------


================================================================================
 googlecl-0.9.14-1.fc16 (FEDORA-2013-0475)
 Command line tools for the Google Data APIs
--------------------------------------------------------------------------------
Update Information:

* new upstream bugfix release 0.9.14
--------------------------------------------------------------------------------
ChangeLog:

* Sun Jan  6 2013 Christian Krause <chkr at fedoraproject.org> - 0.9.14-1
- New upstream release, see http://code.google.com/p/googlecl/source/browse/trunk/changelog (BZ 890972)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #890972 - googlecl-0.9.14 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=890972
--------------------------------------------------------------------------------


================================================================================
 mkproject-0.4.6-3.fc16 (FEDORA-2013-0463)
 Make project skeletons
--------------------------------------------------------------------------------
Update Information:

New package for mkproject, which is a command that makes project skeletons.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #890733 - Review Request: mkproject - make project skeletons
        https://bugzilla.redhat.com/show_bug.cgi?id=890733
--------------------------------------------------------------------------------


================================================================================
 proftpd-1.3.4b-4.fc16 (FEDORA-2013-0468)
 Flexible, stable and highly-configurable FTP server
--------------------------------------------------------------------------------
Update Information:

Jann Horn reported that there is a possible race condition in the handling of the MKD/XMKD FTP commands, when the UserOwner directive is involved, and the attacker is on the same physical machine as a running proftpd. This race applies to mod_sftp and the handling of the MKDIR SFTP request as well.

Note that using the DefaultRoot directive to restrict sessions mitigates this attack, since the symlinks created by the local attacker will point outside of the chroot(2) area within the FTP session, and thus the ownership change will fail. The default configuration in Fedora applies the DefaultRoot directive to all users except "adm".

The upstream reference for this issue is:
http://bugs.proftpd.org/show_bug.cgi?id=3841

This update includes upstream's backport to proftpd 1.3.4 of the fix for this issue.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan  7 2013 Paul Howarth <paul at city-fan.org> 1.3.4b-4
- Fix possible symlink race when applying UserOwner to newly created directory
  (CVE-2012-6095, #892715, http://bugs.proftpd.org/show_bug.cgi?id=3841)
* Sat Sep 22 2012 Remi Collet <remi at fedoraproject.org> 1.3.4b-3
- Rebuild against libmemcached.so.11 without SASL
* Thu Aug 30 2012 Paul Howarth <paul at city-fan.org> 1.3.4b-2
- Add support for systemd presets in Fedora 18+ (#850281)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #892715 - CVE-2012-6095 proftpd: Symlink race condition when applying UserOwner to a newly (ProFTPD) created directory
        https://bugzilla.redhat.com/show_bug.cgi?id=892715
--------------------------------------------------------------------------------


================================================================================
 qt-4.8.4-6.fc16 (FEDORA-2013-0270)
 Qt toolkit
--------------------------------------------------------------------------------
Update Information:

This build fixes security issues:

* QSslSocket may report incorrect errors when certificate verification fails.  For more information: http://lists.qt-project.org/pipermail/announce/2013-January/000020.html

* blacklists unauthorized SSL certificates by Türktrust.  For more information: http://lists.qt-project.org/pipermail/announce/2013-January/000021.html

This build also produces a new qt-designer-plugin-webkit subpackage containing QtWebKit designer plugin.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan  7 2013 Rex Dieter <rdieter at fedoraproject.org> 4.8.4-6
- blacklist unauthorized SSL certificates by Türktrust
* Fri Jan  4 2013 Rex Dieter <rdieter at fedoraproject.org> 1:4.8.4-5
- QGtkStyle was unable to detect the current GTK+ theme (#702493, QTBUG-5545)
* Fri Jan  4 2013 Rex Dieter <rdieter at fedoraproject.org> 1:4.8.4-4
- QSslSocket may report incorrect errors when certificate verification fails
* Thu Jan  3 2013 Rex Dieter <rdieter at fedoraproject.org> 1:4.8.4-3
- -x11: %exclude %{_qt4_plugindir}/designer/libqwebview.so
* Sun Dec 16 2012 Rex Dieter <rdieter at fedoraproject.org> 1:4.8.4-2
- -designer-plugin-webkit subpkg (#887501)
- fix/prune/changelog
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #891955 - CVE-2012-6093 qt: QSslSocket might report inappropriate errors when certificate verification fails
        https://bugzilla.redhat.com/show_bug.cgi?id=891955
--------------------------------------------------------------------------------


================================================================================
 rednotebook-1.6.5-1.fc16 (FEDORA-2013-0494)
 A desktop diary
--------------------------------------------------------------------------------
Update Information:

* Sun Jan 06 2013 Fabian Affolter <mail at fabian-affolter.ch> - 1.6.5-1
- Updated to new upstream version 1.6.5
--------------------------------------------------------------------------------
ChangeLog:

* Sun Jan  6 2013 Fabian Affolter <mail at fabian-affolter.ch> - 1.6.5-1
- Updated to new upstream version 1.6.5
* Tue Dec 25 2012 Fabian Affolter <mail at fabian-affolter.ch> - 1.6.4-1
- Updated to new upstream version 1.6.4
* Sat Dec  8 2012 Fabian Affolter <mail at fabian-affolter.ch> - 1.6.3-1
- Updated to new upstream version 1.6.3
--------------------------------------------------------------------------------


================================================================================
 slrn-0.9.9p1-5.fc16 (FEDORA-2013-0461)
 A threaded Internet news reader
--------------------------------------------------------------------------------
Update Information:

Fix crash when editing line.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan  8 2013 Petr Pisar <ppisar at redhat.com> - 0.9.9p1-5
- Fix NULL pointer dereference in rline_update call-backs (bug #847706)
* Wed Feb  9 2011 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.9.9p1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #847706 - [abrt] slrn-0.9.9p1-5.fc17: __wmemcmp_ssse3: Process /usr/bin/slrn was killed by signal 11 (SIGSEGV)
        https://bugzilla.redhat.com/show_bug.cgi?id=847706
--------------------------------------------------------------------------------


================================================================================
 yap-6.2.0-7.fc16 (FEDORA-2013-0450)
 High-performance Prolog Compiler
--------------------------------------------------------------------------------
Update Information:

Fix off-by-one error when initializing yap_flags.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan  7 2013 Petr Pisar <ppisar at redhat.com> - 6.2.0-7
- Fix off-by-one error when initializing yap_flags
--------------------------------------------------------------------------------


