The following Fedora EPEL 8 Security updates need testing:
Age URL
51 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-1e00c3d01e
cutter-re-2.2.0-1.el8 rizin-0.5.1-1.el8
11 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-44ff2475c4
apptainer-1.1.8-1.el8
4 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-ae97901b58
vtk-9.0.1-10.el8
1 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-f44d817bc9
chromium-113.0.5672.63-1.el8
The following builds have been pushed to Fedora EPEL 8 updates-testing
kiwi-9.24.59-1.el8
mate-power-manager-1.26.1-1.el8
tcpreplay-4.4.3-3.el8
unrealircd-6.1.0-1.el8
Details about builds:
================================================================================
kiwi-9.24.59-1.el8 (FEDORA-EPEL-2023-1c65f50148)
Flexible operating system image builder
--------------------------------------------------------------------------------
Update Information:
Update to 9.24.59
--------------------------------------------------------------------------------
ChangeLog:
* Sat May 6 2023 Igor Raits <[email protected]> - 9.24.59-1
- Update to 9.24.59
* Thu Jan 19 2023 Fedora Release Engineering <[email protected]> - 9.24.52-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2152424 - kiwi-9.24.59 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2152424
--------------------------------------------------------------------------------
================================================================================
mate-power-manager-1.26.1-1.el8 (FEDORA-EPEL-2023-0d5dbb854d)
MATE power management service
--------------------------------------------------------------------------------
Update Information:
- update to 1.26.1
--------------------------------------------------------------------------------
ChangeLog:
* Sat May 6 2023 Wolfgang Ulbrich <[email protected]> - 1.26.1-1
- update to 1.26.1
--------------------------------------------------------------------------------
================================================================================
tcpreplay-4.4.3-3.el8 (FEDORA-EPEL-2023-6463a51c68)
Replay captured network traffic
--------------------------------------------------------------------------------
Update Information:
Patch CVE-2023-27783 - CVE-2023-27789
- CVE-2023-27783
- CVE-2023-27784
- CVE-2023-27785
- CVE-2023-27786
- CVE-2023-27787
- CVE-2023-27788
- CVE-2023-27789
--------------------------------------------------------------------------------
ChangeLog:
* Sat May 6 2023 Bojan Smojver <bojan@rexursive com> - 4.4.3-2
- CVE-2023-27783 CVE-2023-27784 CVE-2023-27785 CVE-2023-27786
CVE-2023-27787 CVE-2023-27788 CVE-2023-27789
* Sat Jan 21 2023 Fedora Release Engineering <[email protected]> - 4.4.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2193431 - CVE-2023-27783 tcpreplay: net-analyzer/tcpreplay:
multiple vulnerabilities [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2193431
[ 2 ] Bug #2193432 - CVE-2023-27783 tcpreplay: net-analyzer/tcpreplay:
multiple vulnerabilities [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2193432
[ 3 ] Bug #2193433 - CVE-2023-27784 tcpreplay: net-analyzer/tcpreplay:
multiple vulnerabilities [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2193433
[ 4 ] Bug #2193434 - CVE-2023-27784 tcpreplay: net-analyzer/tcpreplay:
multiple vulnerabilities [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2193434
[ 5 ] Bug #2193436 - CVE-2023-27785 tcpreplay: net-analyzer/tcpreplay:
multiple vulnerabilities [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2193436
[ 6 ] Bug #2193437 - CVE-2023-27785 tcpreplay: net-analyzer/tcpreplay:
multiple vulnerabilities [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2193437
[ 7 ] Bug #2193439 - CVE-2023-27786 tcpreplay: net-analyzer/tcpreplay:
multiple vulnerabilities [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2193439
[ 8 ] Bug #2193440 - CVE-2023-27786 tcpreplay: net-analyzer/tcpreplay:
multiple vulnerabilities [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2193440
[ 9 ] Bug #2193442 - CVE-2023-27787 tcpreplay: net-analyzer/tcpreplay:
multiple vulnerabilities [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2193442
[ 10 ] Bug #2193443 - CVE-2023-27787 tcpreplay: net-analyzer/tcpreplay:
multiple vulnerabilities [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2193443
[ 11 ] Bug #2193445 - CVE-2023-27788 tcpreplay: net-analyzer/tcpreplay:
multiple vulnerabilities [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2193445
[ 12 ] Bug #2193446 - CVE-2023-27788 tcpreplay: net-analyzer/tcpreplay:
multiple vulnerabilities [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2193446
[ 13 ] Bug #2193448 - CVE-2023-27789 tcpreplay: net-analyzer/tcpreplay:
multiple vulnerabilities [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2193448
[ 14 ] Bug #2193449 - CVE-2023-27789 tcpreplay: net-analyzer/tcpreplay:
multiple vulnerabilities [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2193449
--------------------------------------------------------------------------------
================================================================================
unrealircd-6.1.0-1.el8 (FEDORA-EPEL-2023-da44f7c7d3)
Open Source IRC server
--------------------------------------------------------------------------------
Update Information:
# UnrealIRCd 6.1.0

This is UnrealIRCd 6.1.0 stable. It is the direct successor to 6.0.7, there will be no 6.0.8.

This release contains several channel mode `+f` enhancements and introduces a new channel mode `+F` which works with flood profiles like `+F normal` and `+F strict`. It is much easier for users than the scary looking mode `+f`.

UnrealIRCd 6.1.0 also contains lots of JSON-RPC improvements, which is used by the [UnrealIRCd admin panel](https://www.unrealircd.org/docs/UnrealIRCd_webpanel). Live streaming of logs has been added and the webpanel now communicates to UnrealIRCd which web user issued a command (e.g.: who issued a kill, who changed a channel mode, ..).

Other improvements are whowasdb (persistent `WHOWAS` history) and a new guide on running a Tor Onion service. The release also fixes a crash bug related to remote includes and fixes multiple memory leaks.

## Enhancements

* Channel flood protection improvements:
  * New [channel mode `+F`](https://www.unrealircd.org/docs/Channel_anti-flood_settings) (uppercase F). This allows the user to choose a "flood profile", which (behind the scenes) translates to something similar to an `+f` mode. This is so end-users can simply choose an `+F` profile without having to learn the complex channel mode `+f`.
    * For example `+F normal` effectively results in `[7c#C15,30j#R10,10k#K15,40m#M10,8n#N15]:15`
    * Multiple profiles are available and changing them is possible, see [the documentation](https://www.unrealircd.org/docs/Channel_anti-flood_settings).
    * Any settings in mode `+f` will override the ones of the `+F` profile. To see the effective flood settings, use `MODE #channel F`.
  * You can optionally set a default profile via [`set::anti-flood::channel::default-profile`](https://www.unrealircd.org/docs/Channel_anti-flood_settings#Default_profile). This profile is used if the channel is `-F`. If the user does not want channel flood protection then they have to use an explicit `+F off`.
  * When channel mode `+f` or `+F` detect that a flood is caused by >75% of ["unknown-users"](https://www.unrealircd.org/docs/Security-group_block), the server will now set a temporary ban on `~security-group:unknown-users`. It will still set `+i` and other modes if the flood keeps on going (e.g. is caused by known-users).
  * Forced nick changes (e.g. by NickServ) are no longer counted in nick flood for channel mode `+f`/`+F`.
  * When a server splits on the network, UnrealIRCd now temporarily disables `+f`/`+F` join-flood protection for 75 seconds ([`set::anti-flood::channel::split-delay`](https://www.unrealircd.org/docs/Channel_anti-flood_settings#config)). This is because a server splitting could mean that server has network problems or has died (or restarted), in which case the clients would typically reconnect to the remaining other servers, triggering an `+f`/`+F` join-flood and channels ending up being `+i` and such. That is not good because UnrealIRCd wants `+f`/`+F` to be as effortless as possible, with as few false positives as possible.
    * If your network has 5+ servers and the user load is spread evenly among them, then you could disable this feature by setting the amount of seconds to `0`. This is because in such a scenario only 1/5th (20%) of the users would reconnect and hopefully don't trigger `+f`/`+F` join floods.
  * All these features only work properly if all servers are on 6.1.0-rc1 or later.
* New module `whowasdb` (persistent `WHOWAS` history): this saves the `WHOWAS` history on disk periodically and when UnrealIRCd terminates, so next server boot still has the `WHOWAS` history. This module is currently not loaded by default.
* New option [`listen::spoof-ip`](https://www.unrealircd.org/docs/Listen_block#spoof-ip), only valid when using UNIX domain sockets (so `listen::file`). This way you can override the IP address that users come online with when they use the socket (default was and still is `127.0.0.1`).
* Add a new guide [Running Tor Onion service with UnrealIRCd](https://www.unrealircd.org/docs/Running_Tor_Onion_service_with_UnrealIRCd) which uses the new `listen::spoof-ip` and optionally requires a services account.
* [JSON-RPC](https://www.unrealircd.org/docs/JSON-RPC):
  * Logging of JSON-RPC requests (e.g. via snomask `+R`) has been improved, it now shows:
    * The issuer, such as the user logged in to the admin panel (if known)
    * The parameters of the request
  * The JSON-RPC calls [`channel.list`](https://www.unrealircd.org/docs/JSON-RPC:Channel#channel.list), [`channel.get`](https://www.unrealircd.org/docs/JSON-RPC:Channel#channel.get), [`user.list`](https://www.unrealircd.org/docs/JSON-RPC:User#user.list) and [`user.get`](https://www.unrealircd.org/docs/JSON-RPC:User#user.get) now support an optional argument `object_detail_level` which specifies how detailed the [Channel](https://www.unrealircd.org/docs/JSON-RPC:Channel#Structure_of_a_channel) and [User](https://www.unrealircd.org/docs/JSON-RPC:User#Structure_of_a_client_object) response object will be. Especially useful if you don't need all the details in the list calls.
  * New JSON-RPC methods [`log.subscribe`](https://www.unrealircd.org/docs/JSON-RPC:Log#log.subscribe) and [`log.unsubscribe`](https://www.unrealircd.org/docs/JSON-RPC:Log#log.unsubscribe) to allow real-time streaming of [JSON log events](https://www.unrealircd.org/docs/JSON_logging).
  * New JSON-RPC method [`rpc.set_issuer`](https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.set_issuer) to indicate who is actually issuing the requests. The admin panel uses this to communicate who is logged in to the panel so this info can be used in logging.
  * New JSON-RPC methods [`rpc.add_timer`](https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.add_timer) and [`rpc.del_timer`](https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.del_timer) so you can schedule JSON-RPC calls, like stats.get, to be executed every xyz msec.
  * New JSON-RPC method [`whowas.get`](https://www.unrealircd.org/docs/JSON-RPC:Whowas#whowas.get) to fetch `WHOWAS` history.
  * Low ASCII is no longer filtered out in strings in JSON-RPC, only in JSON logging.
* A new message tag `unrealircd.org/issued-by` which is IRCOp-only (and used intra-server) to communicate who actually issued a command. See [docs](https://www.unrealircd.org/issued-by).

## Changes

* The RPC modules are enabled by default now. This is so remote RPC works from other IRC servers for calls like `modules.list`. The default configuration does NOT enable the webserver nor does it cause listening on any socket for RPC, for that you need to follow the [JSON-RPC](https://www.unrealircd.org/docs/JSON-RPC) instructions.
* The [blacklist-module](https://www.unrealircd.org/docs/Blacklist-module_directive) directive now accepts wildcards, e.g. `blacklist-module rpc/*;`
* The setting set::modef-boot-delay has been moved to [`set::anti-flood::channel::boot-delay`](https://www.unrealircd.org/docs/Channel_anti-flood_settings#config).
* UnrealIRCd now only exempts `127.0.0.1` and `::1` from banning by default (hardcoded in the source). Previously UnrealIRCd exempted whole `127.*` but that gets in the way if you want to allow Tor with a [require authentication](https://www.unrealircd.org/docs/Require_authentication_block) block or soft-ban. Now you can just tell Tor to bind to `127.0.0.2` so it's not affected by the default exemption.

## Fixes

* Crash if there is a parse error in an included file and there are other remote included files still being downloaded.
* Memory leak in `WHOWAS`
* Memory leak when connecting to a TLS server fails
* Workaround a bug in some websocket implementations where the `WSOP_PONG` frame is unmasked (now permitted).

## Developers and protocol

* The `cmode.free_param` definition changed. It now has an extra argument `int soft` and for return value you will normally `return 0` here. You can `return 1` if you resist freeing, which is rare and only used by `+F` with set::anti-flood::channel::default-profile.
* New `cmode.flood_type_action` which can be used to indicate a channel mode can be used from +f/+F as an action. You need to specify for which flood type your mode is, e.g. `cmode.flood_type_action = 'j';` for joinflood.
* JSON-RPC supports [UNIX domain sockets](https://www.unrealircd.org/docs/JSON-RPC:Technical_documentation#UNIX_domain_socket) for making RPC calls. If this is used, UnrealIRCd now splits on `\n` (newline) so multiple parallel requests can be handled properly.
* Message tag `unrealircd.org/issued-by`, sent to IRCOps only. See [docs](https://www.unrealircd.org/issued-by).
--------------------------------------------------------------------------------
ChangeLog:
* Sat May 6 2023 Robert Scheck <[email protected]> 6.1.0-1
- Upgrade to 6.1.0 (#2185257)
--------------------------------------------------------------------------------