The following Fedora EPEL 5 Security updates need testing:
Age URL
840 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2014-1626
puppet-2.7.26-1.el5
689 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2014-3849
sblim-sfcb-1.3.8-2.el5
332 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-edbea40516
mcollective-2.8.4-1.el5
304 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-582c8075e6
thttpd-2.25b-24.el5
1 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-f724258766
irssi-0.8.20-2.el5
0 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-803d3bfa1a
openssl101e-1.0.1e-9.el5
The following builds have been pushed to Fedora EPEL 5 updates-testing
nmh-1.6-7.el5
openssl101e-1.0.1e-9.el5
pcp-3.11.5-1.el5
Details about builds:
================================================================================
nmh-1.6-7.el5 (FEDORA-EPEL-2016-3b64e5f103)
A capable mail handling system with a command line interface
--------------------------------------------------------------------------------
Update Information:
- New package on EL5.
--------------------------------------------------------------------------------
================================================================================
openssl101e-1.0.1e-9.el5 (FEDORA-EPEL-2016-803d3bfa1a)
A general purpose cryptography library with TLS implementation
--------------------------------------------------------------------------------
Update Information:
OpenSSL ======= Security Fixes -------------- * A memory leak flaw was found
in the way OpenSSL handled TLS status request extension data during session
renegotiation. A remote attacker could cause a TLS server using OpenSSL to
consume an excessive amount of memory and, possibly, exit unexpectedly after
exhausting all available memory, if it enabled OCSP stapling support.
(CVE-2016-6304) * It was discovered that OpenSSL did not always use constant
time operations when computing Digital Signature Algorithm (DSA) signatures. A
local attacker could possibly use this flaw to obtain a private DSA key
belonging to another user or service running on the same system. (CVE-2016-2178)
* It was discovered that the Datagram TLS (DTLS) implementation could fail to
release memory in certain cases. A malicious DTLS client could cause a DTLS
server using OpenSSL to consume an excessive amount of memory and, possibly,
exit unexpectedly after exhausting all available memory. (CVE-2016-2179) * A
flaw was found in the Datagram TLS (DTLS) replay protection implementation in
OpenSSL. A remote attacker could possibly use this flaw to make a DTLS server
using OpenSSL to reject further packets sent from a DTLS client over an
established DTLS connection. (CVE-2016-2181) * An out of bounds write flaw was
discovered in the OpenSSL BN_bn2dec() function. An attacker able to make an
application using OpenSSL to process a large BIGNUM could cause the application
to crash or, possibly, execute arbitrary code. (CVE-2016-2182) * A flaw was
found in the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-
the-middle attacker could use this flaw to recover some plaintext data by
capturing large amounts of encrypted traffic between TLS/SSL server and client
if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) * This
update mitigates the CVE-2016-2183 issue by lowering priority of DES cipher
suites so they are not preferred over cipher suites using AES. For compatibility
reasons, DES cipher suites remain enabled by default and included in the set of
cipher suites identified by the HIGH cipher string. Future updates may move them
to MEDIUM or not enable them by default. * An integer underflow flaw leading
to a buffer over-read was found in the way OpenSSL parsed TLS session tickets. A
remote attacker could use this flaw to crash a TLS server using OpenSSL if it
used SHA-512 as HMAC for session tickets. (CVE-2016-6302) * Multiple integer
overflow flaws were found in the way OpenSSL performed pointer arithmetic. A
remote attacker could possibly use these flaws to cause a TLS/SSL server or
client using OpenSSL to crash. (CVE-2016-2177) * An out of bounds read flaw
was found in the way OpenSSL formatted Public Key Infrastructure Time-Stamp
Protocol data for printing. An attacker could possibly cause an application
using OpenSSL to crash if it printed time stamp data from the attacker.
(CVE-2016-2180) * Multiple out of bounds read flaws were found in the way
OpenSSL handled certain TLS/SSL protocol handshake messages. A remote attacker
could possibly use these flaws to crash a TLS/SSL server or client using
OpenSSL. (CVE-2016-6306)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1369383 - CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit
block ciphers (SWEET32)
https://bugzilla.redhat.com/show_bug.cgi?id=1369383
[ 2 ] Bug #1377594 - CVE-2016-6306 openssl: certificate message OOB reads
https://bugzilla.redhat.com/show_bug.cgi?id=1377594
[ 3 ] Bug #1377600 - CVE-2016-6304 openssl: OCSP Status Request extension
unbounded memory growth
https://bugzilla.redhat.com/show_bug.cgi?id=1377600
[ 4 ] Bug #1369855 - CVE-2016-6302 openssl: Insufficient TLS session ticket
HMAC length checks
https://bugzilla.redhat.com/show_bug.cgi?id=1369855
[ 5 ] Bug #1367340 - CVE-2016-2182 openssl: Out-of-bounds write caused by
unchecked errors in BN_bn2dec()
https://bugzilla.redhat.com/show_bug.cgi?id=1367340
[ 6 ] Bug #1369113 - CVE-2016-2181 openssl: DTLS replay protection bypass
allows DoS against DTLS connection
https://bugzilla.redhat.com/show_bug.cgi?id=1369113
[ 7 ] Bug #1359615 - CVE-2016-2180 OpenSSL: OOB read in TS_OBJ_print_bio()
https://bugzilla.redhat.com/show_bug.cgi?id=1359615
[ 8 ] Bug #1369504 - CVE-2016-2179 openssl: DTLS memory exhaustion DoS when
messages are not removed from fragment buffer
https://bugzilla.redhat.com/show_bug.cgi?id=1369504
[ 9 ] Bug #1343400 - CVE-2016-2178 openssl: Non-constant time codepath
followed for certain operations in DSA implementation
https://bugzilla.redhat.com/show_bug.cgi?id=1343400
[ 10 ] Bug #1341705 - CVE-2016-2177 openssl: Possible integer overflow
vulnerabilities in codebase
https://bugzilla.redhat.com/show_bug.cgi?id=1341705
--------------------------------------------------------------------------------
================================================================================
pcp-3.11.5-1.el5 (FEDORA-EPEL-2016-63742f1d5b)
System-level performance monitoring and performance management
--------------------------------------------------------------------------------
Update Information:
Update to latest PCP sources, enhancements and bugfixes. See CHANGELOG for
details.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1365658 - None
https://bugzilla.redhat.com/show_bug.cgi?id=1365658
[ 2 ] Bug #1249123 - None
https://bugzilla.redhat.com/show_bug.cgi?id=1249123
[ 3 ] Bug #1375415 - None
https://bugzilla.redhat.com/show_bug.cgi?id=1375415
--------------------------------------------------------------------------------
_______________________________________________
epel-devel mailing list -- epel-devel@lists.fedoraproject.org
To unsubscribe send an email to epel-devel-le...@lists.fedoraproject.org
