Fedora 20 updates-testing report

updates at fedoraproject.org
Sat Apr 11 09:11:21 UTC 2015


The following Fedora 20 Security updates need testing:
 Age  URL
 130  https://admin.fedoraproject.org/updates/FEDORA-2014-15988/fail2ban-0.9.1-1.fc20
 118  https://admin.fedoraproject.org/updates/FEDORA-2014-16845/resteasy-3.0.6-3.fc20
 110  https://admin.fedoraproject.org/updates/FEDORA-2014-17089/aeskulap-0.2.2-0.20beta1.fc20,orthanc-0.8.5-2.fc20,dcmtk-3.6.1-1.fc20
  66  https://admin.fedoraproject.org/updates/FEDORA-2015-1648/lcms-1.19-13.fc20
  65  https://admin.fedoraproject.org/updates/FEDORA-2015-1718/389-admin-1.1.38-1.fc20
  63  https://admin.fedoraproject.org/updates/FEDORA-2015-1790/fcgi-2.4.0-26.fc20
  48  https://admin.fedoraproject.org/updates/FEDORA-2015-0951/xdg-utils-1.1.0-0.38.rc3.fc20
  33  https://admin.fedoraproject.org/updates/FEDORA-2015-3417/389-ds-base-1.3.2.27-1.fc20
  28  https://admin.fedoraproject.org/updates/FEDORA-2015-3738/ImageMagick-6.8.6.3-6.fc20
  15  https://admin.fedoraproject.org/updates/FEDORA-2015-4486/ca-certificates-2015.2.3-1.0.fc20
  15  https://admin.fedoraproject.org/updates/FEDORA-2015-4587/qt5-qtwebkit-5.4.1-4.fc20
  15  https://admin.fedoraproject.org/updates/FEDORA-2015-4551/qtwebkit-2.3.4-6.fc20
  15  https://admin.fedoraproject.org/updates/FEDORA-2015-4672/quassel-0.11.0-2.fc20
  15  https://admin.fedoraproject.org/updates/FEDORA-2015-4554/rest-0.7.93-1.fc20
  15  https://admin.fedoraproject.org/updates/FEDORA-2015-4556/libzip-0.11.2-5.fc20
  15  https://admin.fedoraproject.org/updates/FEDORA-2015-4693/owncloud-7.0.5-2.fc20
  13  https://admin.fedoraproject.org/updates/FEDORA-2015-4953/tcpdump-4.5.1-4.fc20
  10  https://admin.fedoraproject.org/updates/FEDORA-2015-5182/libtasn1-3.8-3.fc20
   8  https://admin.fedoraproject.org/updates/FEDORA-2015-5398/thunderbird-31.6.0-1.fc20
   8  https://admin.fedoraproject.org/updates/FEDORA-2015-5390/mingw-libtasn1-3.8-2.fc20
   7  https://admin.fedoraproject.org/updates/FEDORA-2015-5464/php-symfony-2.5.11-1.fc20
   5  https://admin.fedoraproject.org/updates/FEDORA-2015-5546/arj-3.10.22-22.fc20
   5  https://admin.fedoraproject.org/updates/FEDORA-2015-5569/mediawiki-1.23.9-1.fc20
   5  https://admin.fedoraproject.org/updates/FEDORA-2015-5601/perl-DBD-Firebird-1.19-1.fc20
   3  https://admin.fedoraproject.org/updates/FEDORA-2015-5723/firefox-37.0.1-1.fc20
   3  https://admin.fedoraproject.org/updates/FEDORA-2015-5732/tor-0.2.5.12-1.fc20
   2  https://admin.fedoraproject.org/updates/FEDORA-2015-5809/chrony-1.31.1-1.fc20
   2  https://admin.fedoraproject.org/updates/FEDORA-2015-5812/knot-1.6.3-1.fc20
   1  https://admin.fedoraproject.org/updates/FEDORA-2015-5840/perl-Test-Signature-1.11-1.fc20,perl-Module-Signature-0.78-1.fc20
   1  https://admin.fedoraproject.org/updates/FEDORA-2015-5864/zarafa-7.1.12-1.fc20
   1  https://admin.fedoraproject.org/updates/FEDORA-2015-5874/ntp-4.2.6p5-21.fc20
   1  https://admin.fedoraproject.org/updates/FEDORA-2015-5910/netcf-0.2.8-1.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-6006/python-virtualenv-12.0.7-1.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5997/openstack-neutron-2013.2.4-8.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5972/yourls-1.7-3.20150410gitabc7d6c.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5969/gnupg2-2.0.27-1.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5970/asterisk-11.17.1-1.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5978/krb5-1.11.5-20.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-6010/python-2.7.5-16.fc20


The following Fedora 20 Critical Path updates have yet to be approved:
 Age URL
  48  https://admin.fedoraproject.org/updates/FEDORA-2015-0951/xdg-utils-1.1.0-0.38.rc3.fc20
  13  https://admin.fedoraproject.org/updates/FEDORA-2015-4892/btrfs-progs-3.19.1-1.fc20
  10  https://admin.fedoraproject.org/updates/FEDORA-2015-5182/libtasn1-3.8-3.fc20
   8  https://admin.fedoraproject.org/updates/FEDORA-2015-5398/thunderbird-31.6.0-1.fc20
   8  https://admin.fedoraproject.org/updates/FEDORA-2015-5361/libidn-1.28-3.fc20
   7  https://admin.fedoraproject.org/updates/FEDORA-2015-5488/perl-5.18.4-293.fc20
   7  https://admin.fedoraproject.org/updates/FEDORA-2015-5448/ibus-1.5.10-2.fc20
   2  https://admin.fedoraproject.org/updates/FEDORA-2015-5824/emacs-24.3-26.fc20
   2  https://admin.fedoraproject.org/updates/FEDORA-2015-5809/chrony-1.31.1-1.fc20
   1  https://admin.fedoraproject.org/updates/FEDORA-2015-5859/testdisk-6.14-4.fc20,ntfs-3g-2015.3.14-1.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-6008/linux-firmware-20150410-46.gitec89525b.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5969/gnupg2-2.0.27-1.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-6007/pcre-8.33-9.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-6010/python-2.7.5-16.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5978/krb5-1.11.5-20.fc20


The following builds have been pushed to Fedora 20 updates-testing

    arduino-1.0.6-1.fc20
    asterisk-11.17.1-1.fc20
    cross-gcc-4.9.2-5.fc20
    dovecot-2.2.16-1.fc20
    globus-gass-copy-9.15-1.fc20
    gnupg2-2.0.27-1.fc20
    krb5-1.11.5-20.fc20
    libzen-0.4.31-1.fc20
    linux-firmware-20150410-46.gitec89525b.fc20
    openstack-neutron-2013.2.4-8.fc20
    pcre-8.33-9.fc20
    perl-MCE-1.608-1.fc20
    phpMyAdmin-4.4.1.1-1.fc20
    pyotherside-1.4.0-4.fc20
    python-2.7.5-16.fc20
    python-virtualenv-12.0.7-1.fc20
    qterminal-0.6.0-2.fc20
    qtermwidget-0.6.0-2.fc20
    yourls-1.7-3.20150410gitabc7d6c.fc20

Details about builds:


================================================================================
 arduino-1.0.6-1.fc20 (FEDORA-2015-5999)
 An IDE for Arduino-compatible electronics prototyping platforms
--------------------------------------------------------------------------------
Update Information:

Update to 1.0.6.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr  6 2015 Peter Oliver <rpm at mavit.org.uk> - 1:1.0.6-1
- Update to 1.0.6.
--------------------------------------------------------------------------------


================================================================================
 asterisk-11.17.1-1.fc20 (FEDORA-2015-5970)
 The Open Source PBX
--------------------------------------------------------------------------------
Update Information:

The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.28, 11.6, and 13.1 and Asterisk 1.8, 11, 12, and 13. The available
security releases are released as versions 1.8.28.cert-5, 1.8.32.3, 11.6-cert11,
11.17.1, 12.8.2, 13.1-cert2, and 13.3.2.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following security vulnerability:

* AST-2015-003: TLS Certificate Common name NULL byte exploit

  When Asterisk registers to a SIP TLS device and verifies the server,
  Asterisk will accept signed certificates that match a common name other than
  the one Asterisk is expecting if the signed certificate has a common name
  containing a null byte after the portion of the common name that Asterisk
  expected. This potentially allows for a man in the middle attack.

For more information about the details of this vulnerability, please read
security advisory AST-2015-003, which was released at the same time as this
announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert5
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.3
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert11
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.17.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.8.2
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-13.1-cert2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.3.2

The security advisory is available at:

 * http://downloads.asterisk.org/pub/security/AST-2015-003.pdf

The Asterisk Development Team has announced the release of Asterisk 11.17.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 11.17.0 resolves several issues reported by the
community and would not have been possible without your participation.
Thank you!

The following are the issues resolved in this release:

New Features made in this release:
-----------------------------------
 * ASTERISK-17899 - Handle crypto lifetime in SDES-SRTP negotiation
      (Reported by Dwayne Hubbard)

Bugs fixed in this release:
-----------------------------------
 * ASTERISK-24742 - [patch] Fix ast_odbc_find_table function in
      res_odbc (Reported by ibercom)
 * ASTERISK-22436 - [patch] No BYE to masqueraded channel on INVITE
      with replaces (Reported by Eelco Brolman)
 * ASTERISK-24479 - Enable REF_DEBUG for module references
      (Reported by Corey Farrell)
 * ASTERISK-24701 - Stasis: Write timeout on WebSocket fails to
      fully disconnect underlying socket, leading to events being
      dropped with no additional information (Reported by Matt Jordan)
 * ASTERISK-24772 - ODBC error in realtime sippeers when device
      unregisters under MariaDB (Reported by Richard Miller)
 * ASTERISK-24451 - chan_iax2: reference leak in sched_delay_remove
      (Reported by Corey Farrell)
 * ASTERISK-24799 - [patch] make fails with undefined reference to
      SSLv3_client_method (Reported by Alexander Traud)
 * ASTERISK-24787 - [patch] - Microsoft exchange incompatibility
      for playing back messages stored in IMAP - play_message: No
      origtime (Reported by Graham Barnett)
 * ASTERISK-24814 - asterisk/lock.h: Fix syntax errors for non-gcc
      OSX with 64 bit integers (Reported by Corey Farrell)
 * ASTERISK-24796 - Codecs and bucket schema's prevent module
      unload (Reported by Corey Farrell)
 * ASTERISK-24724 - 'httpstatus' Web Page Produces Incomplete HTML
      (Reported by Ashley Sanders)
 * ASTERISK-24797 - bridge_softmix: G.729 codec license held
      (Reported by Kevin Harwell)
 * ASTERISK-24800 - Crash in __sip_reliable_xmit due to invalid
      thread ID being passed to pthread_kill (Reported by JoshE)
 * ASTERISK-17721 - Incoming SRTP calls that specify a key lifetime
      fail (Reported by Terry Wilson)
 * ASTERISK-23214 - chan_sip WARNING message 'We are requesting
      SRTP for audio, but they responded without it' is ambiguous and
      wrong in some cases (Reported by Rusty Newton)
 * ASTERISK-15434 - [patch] When ast_pbx_start failed, both an
      error response and BYE are sent to the caller (Reported by
      Makoto Dei)
 * ASTERISK-18105 - most of asterisk modules are unbuildable in
      cygwin environment (Reported by feyfre)
 * ASTERISK-24828 - Fix Frame Leaks (Reported by Kevin Harwell)
 * ASTERISK-24838 - chan_sip: Locking inversion occurs when
      building a peer causes a peer poke during request handling
      (Reported by Richard Mudgett)
 * ASTERISK-24825 - Caller ID not recognized using
      Centrex/Distinctive dialing (Reported by Richard Mudgett)
 * ASTERISK-24739 - [patch] - Out of files -- call fails --
      numerous files with inodes from under /usr/share/zoneinfo,
      mostly posixrules (Reported by Ed Hynan)
 * ASTERISK-23390 - NewExten Event with application AGI shows up
      before and after AGI runs (Reported by Benjamin Keith Ford)
 * ASTERISK-24786 - [patch] - Asterisk terminates when playing a
      voicemail stored in LDAP (Reported by Graham Barnett)
 * ASTERISK-24808 - res_config_odbc: Improper escaping of
      backslashes occurs with MySQL (Reported by Javier Acosta)
 * ASTERISK-20850 - [patch]Nested functions aren't portable.
      Adapting RAII_VAR to use clang/llvm blocks to get the
      same/similar functionality. (Reported by Diederik de Groot)
 * ASTERISK-19470 - Documentation on app_amd is incorrect (Reported
      by Frank DiGennaro)
 * ASTERISK-21038 - Bad command completion of "core set debug
      channel" (Reported by Richard Kenner)
 * ASTERISK-18708 - func_curl hangs channel under load (Reported by
      Dave Cabot)
 * ASTERISK-16779 - Cannot disallow unknown format '' (Reported by
      Atis Lezdins)
 * ASTERISK-24876 - Investigate reference leaks from
      tests/channels/local/local_optimize_away (Reported by Corey
      Farrell)
 * ASTERISK-24817 - init_logger_chain: unreachable code block
      (Reported by Corey Farrell)
 * ASTERISK-24880 - [patch]Compilation under OpenBSD  (Reported by
      snuffy)
 * ASTERISK-24879 - [patch]Compilation fails due to 64bit time
      under OpenBSD (Reported by snuffy)

Improvements made in this release:
-----------------------------------
 * ASTERISK-24790 - Reduce spurious noise in logs from voicemail -
      Couldn't find mailbox %s in context (Reported by Graham Barnett)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.17.0

The Asterisk Development Team has announced security releases for Certified
Asterisk 11.6 and Asterisk 11, 12, and 13. The available security releases are
released as versions 11.6-cert9, 11.14.2, 12.7.2, and 13.0.2.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following security vulnerability:

* AST-2014-019: Remote Crash Vulnerability in WebSocket Server

  When handling a WebSocket frame the res_http_websocket module dynamically
  changes the size of the memory used to allow the provided payload to fit. If a
  payload length of zero was received the code would incorrectly attempt to
  resize to zero. This operation would succeed and end up freeing the memory but
  be treated as a failure. When the session was subsequently torn down this
  memory would get freed yet again causing a crash.

For more information about the details of this vulnerability, please read
security advisory AST-2014-019, which was released at the same time as this
announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert9
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.7.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.2

The security advisory is available at:

 * http://downloads.asterisk.org/pub/security/AST-2014-019.pdf
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr  9 2015 Jeffrey C. Ollie <jeff at ocjtech.us> - 11.17.1-1
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 1.8.28, 11.6, and 13.1 and Asterisk 1.8, 11, 12, and 13. The available
- security releases are released as versions 1.8.28.cert-5, 1.8.32.3, 11.6-cert11,
- 11.17.1, 12.8.2, 13.1-cert2, and 13.3.2.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of these versions resolves the following security vulnerability:
-
- * AST-2015-003: TLS Certificate Common name NULL byte exploit
-
-   When Asterisk registers to a SIP TLS device and verifies the server,
-   Asterisk will accept signed certificates that match a common name other than
-   the one Asterisk is expecting if the signed certificate has a common name
-   containing a null byte after the portion of the common name that Asterisk
-   expected. This potentially allows for a man in the middle attack.
-
- For more information about the details of this vulnerability, please read
- security advisory AST-2015-003, which was released at the same time as this
- announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert5
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.3
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert11
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.17.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.8.2
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-13.1-cert2
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.3.2
-
- The security advisory is available at:
-
- * http://downloads.asterisk.org/pub/security/AST-2015-003.pdf
* Wed Apr  1 2015 Jeffrey C. Ollie <jeff at ocjtech.us> - 11.17.0-1
- The Asterisk Development Team has announced the release of Asterisk 11.17.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.17.0 resolves several issues reported by the
- community and would not have been possible without your participation.
- Thank you!
-
- The following are the issues resolved in this release:
-
- New Features made in this release:
- -----------------------------------
-  * ASTERISK-17899 - Handle crypto lifetime in SDES-SRTP negotiation
-       (Reported by Dwayne Hubbard)
-
- Bugs fixed in this release:
- -----------------------------------
-  * ASTERISK-24742 - [patch] Fix ast_odbc_find_table function in
-       res_odbc (Reported by ibercom)
-  * ASTERISK-22436 - [patch] No BYE to masqueraded channel on INVITE
-       with replaces (Reported by Eelco Brolman)
-  * ASTERISK-24479 - Enable REF_DEBUG for module references
-       (Reported by Corey Farrell)
-  * ASTERISK-24701 - Stasis: Write timeout on WebSocket fails to
-       fully disconnect underlying socket, leading to events being
-       dropped with no additional information (Reported by Matt Jordan)
-  * ASTERISK-24772 - ODBC error in realtime sippeers when device
-       unregisters under MariaDB (Reported by Richard Miller)
-  * ASTERISK-24451 - chan_iax2: reference leak in sched_delay_remove
-       (Reported by Corey Farrell)
-  * ASTERISK-24799 - [patch] make fails with undefined reference to
-       SSLv3_client_method (Reported by Alexander Traud)
-  * ASTERISK-24787 - [patch] - Microsoft exchange incompatibility
-       for playing back messages stored in IMAP - play_message: No
-       origtime (Reported by Graham Barnett)
-  * ASTERISK-24814 - asterisk/lock.h: Fix syntax errors for non-gcc
-       OSX with 64 bit integers (Reported by Corey Farrell)
-  * ASTERISK-24796 - Codecs and bucket schema's prevent module
-       unload (Reported by Corey Farrell)
-  * ASTERISK-24724 - 'httpstatus' Web Page Produces Incomplete HTML
-       (Reported by Ashley Sanders)
-  * ASTERISK-24797 - bridge_softmix: G.729 codec license held
-       (Reported by Kevin Harwell)
-  * ASTERISK-24800 - Crash in __sip_reliable_xmit due to invalid
-       thread ID being passed to pthread_kill (Reported by JoshE)
-  * ASTERISK-17721 - Incoming SRTP calls that specify a key lifetime
-       fail (Reported by Terry Wilson)
-  * ASTERISK-23214 - chan_sip WARNING message 'We are requesting
-       SRTP for audio, but they responded without it' is ambiguous and
-       wrong in some cases (Reported by Rusty Newton)
-  * ASTERISK-15434 - [patch] When ast_pbx_start failed, both an
-       error response and BYE are sent to the caller (Reported by
-       Makoto Dei)
-  * ASTERISK-18105 - most of asterisk modules are unbuildable in
-       cygwin environment (Reported by feyfre)
-  * ASTERISK-24828 - Fix Frame Leaks (Reported by Kevin Harwell)
-  * ASTERISK-24838 - chan_sip: Locking inversion occurs when
-       building a peer causes a peer poke during request handling
-       (Reported by Richard Mudgett)
-  * ASTERISK-24825 - Caller ID not recognized using
-       Centrex/Distinctive dialing (Reported by Richard Mudgett)
-  * ASTERISK-24739 - [patch] - Out of files -- call fails --
-       numerous files with inodes from under /usr/share/zoneinfo,
-       mostly posixrules (Reported by Ed Hynan)
-  * ASTERISK-23390 - NewExten Event with application AGI shows up
-       before and after AGI runs (Reported by Benjamin Keith Ford)
-  * ASTERISK-24786 - [patch] - Asterisk terminates when playing a
-       voicemail stored in LDAP (Reported by Graham Barnett)
-  * ASTERISK-24808 - res_config_odbc: Improper escaping of
-       backslashes occurs with MySQL (Reported by Javier Acosta)
-  * ASTERISK-20850 - [patch]Nested functions aren't portable.
-       Adapting RAII_VAR to use clang/llvm blocks to get the
-       same/similar functionality. (Reported by Diederik de Groot)
-  * ASTERISK-19470 - Documentation on app_amd is incorrect (Reported
-       by Frank DiGennaro)
-  * ASTERISK-21038 - Bad command completion of "core set debug
-       channel" (Reported by Richard Kenner)
-  * ASTERISK-18708 - func_curl hangs channel under load (Reported by
-       Dave Cabot)
-  * ASTERISK-16779 - Cannot disallow unknown format '' (Reported by
-       Atis Lezdins)
-  * ASTERISK-24876 - Investigate reference leaks from
-       tests/channels/local/local_optimize_away (Reported by Corey
-       Farrell)
-  * ASTERISK-24817 - init_logger_chain: unreachable code block
-       (Reported by Corey Farrell)
-  * ASTERISK-24880 - [patch]Compilation under OpenBSD  (Reported by
-       snuffy)
-  * ASTERISK-24879 - [patch]Compilation fails due to 64bit time
-       under OpenBSD (Reported by snuffy)
-
- Improvements made in this release:
- -----------------------------------
-  * ASTERISK-24790 - Reduce spurious noise in logs from voicemail -
-       Couldn't find mailbox %s in context (Reported by Graham Barnett)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.17.0
* Wed Apr  1 2015 Jeffrey C. Ollie <jeff at ocjtech.us> - 11.16.0-1
- The Asterisk Development Team has announced the release of Asterisk 11.16.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.16.0 resolves several issues reported by the
- community and would not have been possible without your participation.
- Thank you!
-
- The following are the issues resolved in this release:
-
- Bugs fixed in this release:
- -----------------------------------
-  * ASTERISK-24472 - Asterisk Crash in OpenSSL when calling over WSS
-       from JSSIP (Reported by Badalian Vyacheslav)
-  * ASTERISK-24614 - Deadlock when DEBUG_THREADS compiler flag
-       enabled (Reported by Richard Mudgett)
-  * ASTERISK-24449 - Reinvite for T.38 UDPTL fails if SRTP is
-       enabled (Reported by Andreas Steinmetz)
-  * ASTERISK-24619 - [patch]Gcc 4.10 fixes in r413589 (1.8) wrongly
-       casts char to unsigned int (Reported by Walter Doekes)
-  * ASTERISK-24337 - Spammy DEBUG message needs to be at a higher
-       level - 'Remote address is null, most likely RTP has been
-       stopped' (Reported by Rusty Newton)
-  * ASTERISK-23733 - 'reload acl' fails if acl.conf is not present
-       on startup (Reported by Richard Kenner)
-  * ASTERISK-24628 - [patch] chan_sip - CANCEL is sent to wrong
-       destination when 'sendrpid=yes' (in proxy environment) (Reported
-       by Karsten Wemheuer)
-  * ASTERISK-24672 - [PATCH] Memory leak in func_curl CURLOPT
-       (Reported by Kristian Høgh)
-  * ASTERISK-20744 - [patch] Security event logging does not work
-       over syslog (Reported by Michael Keuter)
-  * ASTERISK-23850 - Park Application does not respect Return
-       Context Priority (Reported by Andrew Nagy)
-  * ASTERISK-23991 - [patch]asterisk.pc file contains a small error
-       in the CFlags returned (Reported by Diederik de Groot)
-  * ASTERISK-24288 - [patch] - ODBC usage with app_voicemail -
-       voicemail is not deleted after review, hangup (Reported by LEI
-       FU)
-  * ASTERISK-24048 - [patch] contrib/scripts/install_prereq selects
-       32-bit packages on 64-bit hosts (Reported by Ben Klang)
-  * ASTERISK-24709 - [patch] msg_create_from_file used by MixMonitor
-       m() option does not queue an MWI event (Reported by Gareth
-       Palmer)
-  * ASTERISK-24355 - [patch] chan_sip realtime uses case sensitive
-       column comparison for 'defaultuser' (Reported by
-       HZMI8gkCvPpom0tM)
-  * ASTERISK-24719 - ConfBridge recording channels get stuck when
-       recording started/stopped more than once (Reported by Richard
-       Mudgett)
-  * ASTERISK-24715 - chan_sip: stale nonce causes failure (Reported
-       by Kevin Harwell)
-  * ASTERISK-24728 - tcptls: Bad file descriptor error when
-       reloading chan_sip (Reported by Kevin Harwell)
-  * ASTERISK-24676 - Security Vulnerability: URL request injection
-       in libCURL (CVE-2014-8150) (Reported by Matt Jordan)
-  * ASTERISK-24711 - DTLS handshake broken with latest OpenSSL
-       versions (Reported by Jared Biel)
-  * ASTERISK-24646 - PJSIP changeset 4899 breaks TLS (Reported by
-       Stephan Eisvogel)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.16.0
* Wed Apr  1 2015 Jeffrey C. Ollie <jeff at ocjtech.us> - 11.15.1-1
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
- security releases are released as versions 1.8.28.cert-4, 1.8.32.2, 11.6-cert10,
- 11.15.1, 12.8.1, and 13.1.1.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of these versions resolves the following security vulnerabilities:
-
- * AST-2015-001: File descriptor leak when incompatible codecs are offered
-
-                 Asterisk may be configured to only allow specific audio or
-                 video codecs to be used when communicating with a
-                 particular endpoint. When an endpoint sends an SDP offer
-                 that only lists codecs not allowed by Asterisk, the offer
-                 is rejected. However, in this case, RTP ports that are
-                 allocated in the process are not reclaimed.
-
-                 This issue only affects the PJSIP channel driver in
-                 Asterisk. Users of the chan_sip channel driver are not
-                 affected.
-
- * AST-2015-002: Mitigation for libcURL HTTP request injection vulnerability
-
-                 CVE-2014-8150 reported an HTTP request injection
-                 vulnerability in libcURL. Asterisk uses libcURL in its
-                 func_curl.so module (the CURL() dialplan function), as well
-                 as its res_config_curl.so (cURL realtime backend) modules.
-
-                 Since Asterisk may be configured to allow for user-supplied
-                 URLs to be passed to libcURL, it is possible that an
-                 attacker could use Asterisk as an attack vector to inject
-                 unauthorized HTTP requests if the version of libcURL
-                 installed on the Asterisk server is affected by
-                 CVE-2014-8150.
-
- For more information about the details of these vulnerabilities, please read
- security advisory AST-2015-001 and AST-2015-002, which were released at the same
- time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert4
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.2
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert10
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.15.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.8.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.1.1
-
- The security advisories are available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2015-001.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2015-002.pdf
* Wed Apr  1 2015 Jeffrey C. Ollie <jeff at ocjtech.us> - 11.15.0-1
- The Asterisk Development Team has announced the release of Asterisk 11.15.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.15.0 resolves several issues reported by the
- community and would not have been possible without your participation.
- Thank you!
-
- The following are the issues resolved in this release:
-
- Bugs fixed in this release:
- -----------------------------------
-  * ASTERISK-20127 - [Regression] Config.c config_text_file_load()
-       unescapes semicolons ("\;" -> ";") turning them into comments
-       (corruption) on rewrite of a config file (Reported by George
-       Joseph)
-  * ASTERISK-24307 - Unintentional memory retention in stringfields
-       (Reported by Etienne Lessard)
-  * ASTERISK-24492 - main/file.c: ast_filestream sometimes causes
-       extra calls to ast_module_unref (Reported by Corey Farrell)
-  * ASTERISK-24504 - chan_console: Fix reference leaks to pvt
-       (Reported by Corey Farrell)
-  * ASTERISK-24468 - Incoming UCS2 encoded SMS truncated if SMS
-       length exceeds 50 (roughly) national symbols (Reported by
-       Dmitriy Bubnov)
-  * ASTERISK-24500 - Regression introduced in chan_mgcp by SVN
-       revision r227276 (Reported by Xavier Hienne)
-  * ASTERISK-20402 - Unable to cancel (features.conf) attended
-       transfer (Reported by Matt Riddell)
-  * ASTERISK-24505 - manager: http connections leak references
-       (Reported by Corey Farrell)
-  * ASTERISK-24502 - Build fails when dev-mode, dont optimize and
-       coverage are enabled (Reported by Corey Farrell)
-  * ASTERISK-24444 - PBX: Crash when generating extension for
-       pattern matching hint (Reported by Leandro Dardini)
-  * ASTERISK-24522 - ConfBridge: delay occurs between kicking all
-       endmarked users when last marked user leaves (Reported by Matt
-       Jordan)
-  * ASTERISK-15242 - transmit_refer leaks sip_refer structures
-       (Reported by David Woolley)
-  * ASTERISK-24440 - Call leak in Confbridge (Reported by Ben Klang)
-  * ASTERISK-24469 - Security Vulnerability: Mixed IPv4/IPv6 ACLs
-       allow blocked addresses through (Reported by Matt Jordan)
-  * ASTERISK-24516 - [patch]Asterisk segfaults when playing back
-       voicemail under high concurrency with an IMAP backend (Reported
-       by David Duncan Ross Palmer)
-  * ASTERISK-24572 - [patch]App_meetme is loaded without its
-       defaults when the configuration file is missing (Reported by
-       Nuno Borges)
-  * ASTERISK-24573 - [patch]Out of sync conversation recording when
-       divided in multiple recordings (Reported by Nuno Borges)
-
- Improvements made in this release:
- -----------------------------------
-  * ASTERISK-24283 - [patch]Microseconds precision in the eventtime
-       column in the cel_odbc module (Reported by Etienne Lessard)
-  * ASTERISK-24530 - [patch] app_record stripping 1/4 second from
-       recordings (Reported by Ben Smithurst)
-  * ASTERISK-24577 - Speed up loopback switches by avoiding unneeded
-       lookups (Reported by Birger "WIMPy" Harzenetter)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.15.0
* Wed Dec 10 2014 Jeffrey C. Ollie <jeff at ocjtech.us> - 11.14.2-1
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 11.6 and Asterisk 11, 12, and 13. The available security releases are
- released as versions 11.6-cert9, 11.14.2, 12.7.2, and 13.0.2.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of these versions resolves the following security vulnerability:
-
- * AST-2014-019: Remote Crash Vulnerability in WebSocket Server
-
-   When handling a WebSocket frame the res_http_websocket module dynamically
-   changes the size of the memory used to allow the provided payload to fit. If a
-   payload length of zero was received the code would incorrectly attempt to
-   resize to zero. This operation would succeed and end up freeing the memory but
-   be treated as a failure. When the session was subsequently torn down this
-   memory would get freed yet again causing a crash.
-
- For more information about the details of this vulnerability, please read
- security advisory AST-2014-019, which was released at the same time as this
- announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert9
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.2
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.7.2
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.2
-
- The security advisory is available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2014-019.pdf
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1210225 - CVE-2015-3008 asterisk: TLS Certificate Common name NULL byte exploit
        https://bugzilla.redhat.com/show_bug.cgi?id=1210225
  [ 2 ] Bug #1173002 - CVE-2014-9374 asterisk: Remote Crash Vulnerability in WebSocket Server (AST-2014-019)
        https://bugzilla.redhat.com/show_bug.cgi?id=1173002
--------------------------------------------------------------------------------


================================================================================
 cross-gcc-4.9.2-5.fc20 (FEDORA-2015-5993)
 Cross C compiler
--------------------------------------------------------------------------------
Update Information:

Rebase on gcc-4.9.2-6
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr  8 2015 David Howells <dhowells at redhat.com> - 4.9.2-4
- Rebase on gcc-4.9.2-6 [BZ 1183401].
* Mon Feb  9 2015 David Howells <dhowells at redhat.com> - 4.9.2-3
- Need to build-depend on isl-devel and cloog-devel.
* Tue Jan 13 2015 David Howells <dhowells at redhat.com> - 4.9.2-2
- Rebase on gcc-4.9.2-5.
- Use binutils-2.25.
* Fri Dec 12 2014 David Howells <dhowells at redhat.com> - 4.9.2-1
- Rebase on gcc-4.9.2-2.
* Fri Dec 12 2014 David Howells <dhowells at redhat.com> - 4.9.1-3
- Enable libgcc building on sh64 [gcc BZ 61844].
* Sat Aug 16 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 4.9.1-2.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Tue Aug 12 2014 Kyle McMartin <kyle at fedoraproject.org> - 4.9.1-2
- Add --with-ld to ensure the cross-compiler can find the appropriate
  linker without having to search high and low. [BZ 1122003]
--------------------------------------------------------------------------------


================================================================================
 dovecot-2.2.16-1.fc20 (FEDORA-2015-5976)
 Secure imap and pop3 server
--------------------------------------------------------------------------------
Update Information:

- dovecot updated to 2.2.16
- auth: Don't crash if master user login is attempted without
  any configured master=yes passdbs
- Parsing UTF-8 text for mails could have caused broken results
  sometimes if buffering was split in the middle of a UTF-8 character.
  This affected at least searching messages.
- String sanitization for some logged output wasn't done properly:
  UTF-8 text could have been truncated wrongly or the truncation may
  not have happened at all.
- fts-lucene: Lookups from virtual mailbox consisting of over 32
  physical mailboxes could have caused crashes.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Mar 16 2015 Michal Hlavinka <mhlavink at redhat.com> - 1:2.2.16-1
- dovecot updated to 2.2.16
- auth: Don't crash if master user login is attempted without
  any configured master=yes passdbs
- Parsing UTF-8 text for mails could have caused broken results
  sometimes if buffering was split in the middle of a UTF-8 character.
  This affected at least searching messages.
- String sanitization for some logged output wasn't done properly:
  UTF-8 text could have been truncated wrongly or the truncation may
  not have happened at all.
- fts-lucene: Lookups from virtual mailbox consisting of over 32
  physical mailboxes could have caused crashes.
--------------------------------------------------------------------------------


================================================================================
 globus-gass-copy-9.15-1.fc20 (FEDORA-2015-5984)
 Globus Toolkit - Globus Gass Copy
--------------------------------------------------------------------------------
Update Information:

Globus Toolkit update:

* globus-gass-copy (9.15)

--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 10 2015 Mattias Ellert <mattias.ellert at fysast.uu.se> - 9.15-1
- GT6 update (user-specified data channel stack handling, documentation)
--------------------------------------------------------------------------------


================================================================================
 gnupg2-2.0.27-1.fc20 (FEDORA-2015-5969)
 Utility for secure communication and data storage
--------------------------------------------------------------------------------
Update Information:

Updated package from upstream fixing minor security issues.

--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 10 2015 Tomáš Mráz <tmraz at redhat.com> - 2.0.27-1
- new upstream release fixing minor security issues
* Sat Aug 16 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.0.25-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1178759 - gnupg2: double free in cmd_readkey()
        https://bugzilla.redhat.com/show_bug.cgi?id=1178759
--------------------------------------------------------------------------------


================================================================================
 krb5-1.11.5-20.fc20 (FEDORA-2015-5978)
 The Kerberos network authentication system
--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2014-5353
(this was fixed in an older build but the announcement was lost)
--------------------------------------------------------------------------------
ChangeLog:

* Thu Mar 19 2015 Roland Mainz <rmainz at redhat.com> - 1.11.5-20
- fix for CVE-2014-5355 (#1193939) "krb5: unauthenticated
  denial of service in recvauth_common() and others"
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1174543 - CVE-2014-5353 krb5: NULL pointer dereference when using a ticket policy name as a password policy name
        https://bugzilla.redhat.com/show_bug.cgi?id=1174543
--------------------------------------------------------------------------------


================================================================================
 libzen-0.4.31-1.fc20 (FEDORA-2015-5977)
 Shared library for libmediainfo and mediainfo*
--------------------------------------------------------------------------------
Update Information:

update to 0.4.31
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr  9 2015 Vasiliy N. Glazov <vascom2 at gmail.com> - 0.4.31-1
- update to 0.4.31
* Thu Jan 15 2015 Ivan Romanov <drizt at land.ru> - 0.4.30-4
- added patch to fix building MediaInfo
--------------------------------------------------------------------------------


================================================================================
 linux-firmware-20150410-46.gitec89525b.fc20 (FEDORA-2015-6008)
 Firmware files used by the Linux kernel
--------------------------------------------------------------------------------
Update Information:

Update to the latest upstream git snapshot.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 10 2015 Josh Boyer <jwboyer at fedoraproject.org> 20150415-46.gitec89525b
- Update to the latest upstream git snapshot
* Thu Mar 19 2015 Josh Boyer <jwboyer at fedoraproject.org>
- Ship the cx18x firmware files (rhbz 1203385)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1203385 - Please include cx18 firmware in the linux-firmware package
        https://bugzilla.redhat.com/show_bug.cgi?id=1203385
--------------------------------------------------------------------------------


================================================================================
 openstack-neutron-2013.2.4-8.fc20 (FEDORA-2015-5997)
 OpenStack Networking Service
--------------------------------------------------------------------------------
Update Information:

2013.2.4 rebase; CVE-2014-7821 fixed.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr  9 2015 Ihar Hrachyshka <ihrachys at redhat.com> 2013.2.4-8
- CVE-2014-7821: Fix hostname validation for nameservers, rhbz#1165887
- CVE-2014-7821: Fix hostname regex pattern, rhbz#1165887
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1165887 - CVE-2014-7821 openstack-neutron: DoS via maliciously crafted dns_nameservers [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1165887
--------------------------------------------------------------------------------


================================================================================
 pcre-8.33-9.fc20 (FEDORA-2015-6007)
 Perl-compatible regular expression library
--------------------------------------------------------------------------------
Update Information:

This release fixes various bugs in compiling or matching regular expressions which could lead to a process crash. An infinite loop in the pcretest(1) and pcregrep(1) tools when using \K in a lookbehind assertion was also fixed.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 10 2015 Petr Pisar <ppisar at redhat.com> - 8.33-9
- Fix computing size for pattern with a negated special class in on-UCP mode
  (bug #1210383)
- Fix compilation of a parenthesized comment (bug #1210410)
- Fix compilation of mutual recursion inside a lookbehind assertion
  (bug #1210417)
- Fix pcregrep loop when \K is used in a lookbehind assertion (bug #1210423)
- Fix pcretest loop when \K is used in a lookbehind assertion (bug #1210423)
- Fix backtracking for \C\X* in UTF-8 mode (bug #1210576)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1210383 - Crash when compiling /[\\S\\V\\H]/8
        https://bugzilla.redhat.com/show_bug.cgi?id=1210383
  [ 2 ] Bug #1210410 - Internal error when compiling /(?1)(?#?'){8}(a)/
        https://bugzilla.redhat.com/show_bug.cgi?id=1210410
  [ 3 ] Bug #1210417 - Crash when compiling /(?<=((?2))((?1)))/
        https://bugzilla.redhat.com/show_bug.cgi?id=1210417
  [ 4 ] Bug #1210423 - pcregrep -o '(?<=\\Ka)' does not halt
        https://bugzilla.redhat.com/show_bug.cgi?id=1210423
  [ 5 ] Bug #1210576 - Crash when matching /\\C\\X*/ in UTF-8 mode
        https://bugzilla.redhat.com/show_bug.cgi?id=1210576
--------------------------------------------------------------------------------


================================================================================
 perl-MCE-1.608-1.fc20 (FEDORA-2015-6009)
 Many-core Engine for Perl providing parallel processing capabilities
--------------------------------------------------------------------------------
Update Information:

A new version of MCE is available. See http://cpansearch.perl.org/src/MARIOROY/MCE-1.608/CHANGES for details on changes in this release.
A new version of MCE is available. See http://search.cpan.org/src/MARIOROY/MCE-1.606/CHANGES for details on changes in this release.
A new version of MCE is available. See http://cpansearch.perl.org/src/MARIOROY/MCE-1.605/CHANGES for details on changes in this release.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 10 2015 Petr Šabata <contyk at redhat.com> - 1.608-1
- 1.608 bump
* Thu Apr  9 2015 Petr Šabata <contyk at redhat.com> - 1.606-1
- 1.606 bump
* Wed Apr  8 2015 Petr Šabata <contyk at redhat.com> - 1.605-1
- 1.605 bump
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1210734 - perl-MCE-1.608 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1210734
  [ 2 ] Bug #1210119 - perl-MCE-1.606 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1210119
  [ 3 ] Bug #1209148 - perl-MCE-1.605 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1209148
--------------------------------------------------------------------------------


================================================================================
 phpMyAdmin-4.4.1.1-1.fc20 (FEDORA-2015-5994)
 Handle the administration of MySQL over the World Wide Web
--------------------------------------------------------------------------------
Update Information:

phpMyAdmin 4.4.1.1 (2015-04-08)
===============================

Some debugging code slipped into the 4.4.1 codebase, producing messages in the web server's error log.


phpMyAdmin 4.4.1.0 (2015-04-07)
===============================

  - MySQL 5.7.6 and the Users menu tab
  - MySQL 5.7.6 and changing the password for another user
  - Request URI too large
  - MySQL 5.7.6 and Databases
  - Use 'server' parameter in console to work in multi server environments
  - Missing tooltip in monitor
  - Missing sort icons in monitor
  - Inline edit broken when using functions in query
  - Timed-out import fails to restart when file represented
  - pMA DB not detected properly
  - Datepicker missing when changing number of rows on Insert page
  - INNODB STATUS page is empty
  - JavaScript is loaded in wrong order
  - TEXT formatting doesn't work after inline editing
  - Compress when php.ini output_buffering is active
  - Sorting distinct values result loses links
  - Do not attach token to css requests to improve caching


phpMyAdmin 4.4.0 (2015-04-01)
=============================

Welcome to phpMyAdmin 4.4.0, an incremental feature release including many bug fixes.

A complete list of new features and bugs fixed is available in the ChangeLog file or changelog.php included with this release.

A few highlights:

  * Rename configuration directive from $cfg['NavigationTreeDisableDatabaseExpansion'] to $cfg['NavigationTreeEnableExpansion'] -- if used, please update your config.inc.php
  * Move the SQL scripts to create phpMyAdmin configuration storage from 'examples' to 'sql' directory
  * Upgrade Recaptcha to version 2 of the API
  * Added support for the SSL GRANT option
  * Improvements to the table structure and tracking pages
  * Improvements to the console feature
  * Improvements to the ZeroConf feature

There are many more; please refer to the ChangeLog for full details.

As always, downloads are available at http://www.phpmyadmin.net

The phpMyAdmin Team
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 10 2015 Robert Scheck <robert at fedoraproject.org> 4.4.1.1-1
- Upgrade to 4.4.1.1 (#1208320)
* Mon Apr 06 2015 Robert Scheck <robert at fedoraproject.org> 4.4.0-1
- Upgrade to 4.4.0 (thanks to Remi Collet)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1208320 - phpMyAdmin-4.4.1.1 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1208320
--------------------------------------------------------------------------------


================================================================================
 pyotherside-1.4.0-4.fc20 (FEDORA-2015-5983)
 Asynchronous Python 3 Bindings for Qt 5
--------------------------------------------------------------------------------
Update Information:

Initial PyOtherSide package
--------------------------------------------------------------------------------


================================================================================
 python-2.7.5-16.fc20 (FEDORA-2015-6010)
 An interpreted, interactive, object-oriented programming language
--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2013-1752


                                                                                                  
multiple unbound readline() DoS flaws in python stdlib

The following fixes (which all relate to this CVE) are in this patch:
* ftplib: Limit amount of data read by limiting the call to readline(). #16038
* imaplib: limit line length in imaplib readline calls. #16039
* nntplib: Limit maximum line lengths to 2048 to prevent readline() calls from consuming too much memory. #16040
* poplib: limit maximum line length that we read from the network #16041
* smtplib: limit amount read from the network #16042
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 10 2015 Robert Kuska <rkuska at redhat.com> - 2.7.5-16
- Fix CVE-2013-1752 multiple unbound readline() DoS flaws in python stdlib
Resolves: rhbz#1159200
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1046174 - CVE-2013-1752 python: multiple unbound readline() DoS flaws in python stdlib
        https://bugzilla.redhat.com/show_bug.cgi?id=1046174
--------------------------------------------------------------------------------


================================================================================
 python-virtualenv-12.0.7-1.fc20 (FEDORA-2015-6006)
 Tool to create isolated Python environments
--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2013-5123
--------------------------------------------------------------------------------
ChangeLog:

* Mon Mar 16 2015 Matej Stuchlik <mstuchli at redhat.com> - 12.0.7-1
- Update to 12.0.7
* Thu Jan 15 2015 Matthias Runge <mrunge at redhat.com> - 1.11.6-2
- add a python3-package, thanks to Matej Stuchlik (rhbz#1179150)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1066692 - CVE-2013-5123 python-pip: insecure software download with mirroring support
        https://bugzilla.redhat.com/show_bug.cgi?id=1066692
--------------------------------------------------------------------------------


================================================================================
 qterminal-0.6.0-2.fc20 (FEDORA-2015-5998)
 Advanced terminal emulator
--------------------------------------------------------------------------------
Update Information:

Rebuild with new qtermwidget
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 10 2015 TI_Eugene <ti.eugene at gmail.com> - 0.6.0-2
- Rebuild with new qtermwidget
--------------------------------------------------------------------------------


================================================================================
 qtermwidget-0.6.0-2.fc20 (FEDORA-2015-5982)
 Qt4 terminal widget
--------------------------------------------------------------------------------
Update Information:

qt-virt-manager compatible patch added
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 10 2015 TI_Eugene <ti.eugene at gmail.com> - 0.6.0-2
- qt-virt-manager compatible patch added
--------------------------------------------------------------------------------


================================================================================
 yourls-1.7-3.20150410gitabc7d6c.fc20 (FEDORA-2015-5972)
 Your Own URL Shortener
--------------------------------------------------------------------------------
Update Information:

Update to the latest master from git
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 10 2015 Martin Krizek <mkrizek at redhat.com> - 1.7-3.20150410gitabc7d6c
- Update to the latest master from git
- Fix bz #1157335
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1157335 - CVE-2014-8488 yourls: cross-site scripting (XSS) flaw
        https://bugzilla.redhat.com/show_bug.cgi?id=1157335
--------------------------------------------------------------------------------


