The following Fedora EPEL 7 Security updates need testing:
Age URL
53 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-f005e1b879
debmirror-2.35-1.el7
The following builds have been pushed to Fedora EPEL 7 updates-testing
openssl11-1.1.1k-1.el7
rpki-client-7.5-1.el7
Details about builds:
================================================================================
openssl11-1.1.1k-1.el7 (FEDORA-EPEL-2021-39d32447db)
Utilities from the general purpose cryptography library with TLS implementation
--------------------------------------------------------------------------------
Update Information:
- backport from 1.1.1k-4: Fixes bugs in s390x AES code
- backport from 1.1.1k-4: Uses the first detected address family if IPv6 is not available
- backport from 1.1.1k-4: Reverts the changes in https://github.com/openssl/openssl/pull/13305, as it introduces a regression: if the server has a DSA key pair, the handshake fails when the protocol is not explicitly set to TLS 1.2. However, if the patch is reverted, it has an effect on the "ssl_reject_handshake" feature in nginx. Although this feature will continue to work, the TLS 1.3 protocol becomes unavailable/disabled. This is already known (https://trac.nginx.org/nginx/ticket/2071#comment:1), and as per https://github.com/openssl/openssl/issues/16075#issuecomment-879939938, nginx could use the early callback instead of the servername callback. Resolves: rhbz#197821, related: rhbz#1934534
- backport from 1.1.1k-3: Cleans up the peer point formats on renegotiation. Resolves: rhbz#1965362
- backport from 1.1.1k-2: Fixes FIPS_selftest to work in FIPS mode. Resolves: rhbz#1940085
- backport from 1.1.1k-2: Uses safe primes for the FIPS DH self-test
- backport from 1.1.1k-1: Update to version 1.1.1k
- backport from 1.1.1g-16: Use AI_ADDRCONFIG only when an explicit host name is given
- backport from 1.1.1g-16: Allow only curves defined in RFC 8446 in TLS 1.3
--------------------------------------------------------------------------------
ChangeLog:
* Tue Nov 9 2021 Robert Scheck <[email protected]> 1.1.1k-1
- backport from 1.1.1k-4: Fixes bugs in s390x AES code
- backport from 1.1.1k-4: Uses the first detected address family if IPv6 is not available
- backport from 1.1.1k-4: Reverts the changes in https://github.com/openssl/openssl/pull/13305, as it introduces a regression: if the server has a DSA key pair, the handshake fails when the protocol is not explicitly set to TLS 1.2. However, if the patch is reverted, it has an effect on the "ssl_reject_handshake" feature in nginx. Although this feature will continue to work, the TLS 1.3 protocol becomes unavailable/disabled. This is already known: https://trac.nginx.org/nginx/ticket/2071#comment:1. As per https://github.com/openssl/openssl/issues/16075#issuecomment-879939938, nginx could use the early callback instead of the servername callback. Resolves: rhbz#197821, related: rhbz#1934534
- backport from 1.1.1k-3: Cleans up the peer point formats on renegotiation. Resolves: rhbz#1965362
- backport from 1.1.1k-2: Fixes FIPS_selftest to work in FIPS mode. Resolves: rhbz#1940085
- backport from 1.1.1k-2: Uses safe primes for the FIPS DH self-test
- backport from 1.1.1k-1: Update to version 1.1.1k
- backport from 1.1.1g-16: Use AI_ADDRCONFIG only when an explicit host name is given
- backport from 1.1.1g-16: Allow only curves defined in RFC 8446 in TLS 1.3
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1930310 - CVE-2021-23841 openssl: NULL pointer dereference in X509_issuer_and_serial_hash()
https://bugzilla.redhat.com/show_bug.cgi?id=1930310
[ 2 ] Bug #1930324 - CVE-2021-23840 openssl: integer overflow in CipherUpdate
https://bugzilla.redhat.com/show_bug.cgi?id=1930324
--------------------------------------------------------------------------------
================================================================================
rpki-client-7.5-1.el7 (FEDORA-EPEL-2021-05dd12001e)
RPKI validator to support BGP Origin Validation
--------------------------------------------------------------------------------
Update Information:
rpki-client 7.5
===============
* Make rpki-client more resilient regarding untrusted input:
  - Fail repository synchronisation after 15min runtime.
  - Limit the number of repositories per TAL.
  - Don't allow `DOCTYPE` definitions in RRDP XML files.
  - Fix detection of HTTP redirect loops.
* Limit the number of concurrent `rsync` processes.
* Fix `CRLF` in TAL files.
--------------------------------------------------------------------------------
ChangeLog:
* Tue Nov 9 2021 Robert Scheck <[email protected]> 7.5-1
- Upgrade to 7.5 (#2021523)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2021523 - rpki-client-7.5 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2021523
--------------------------------------------------------------------------------
_______________________________________________
epel-devel mailing list -- [email protected]