[EPEL-devel] peel HTTPS urls don't work in older CentOS

2014-11-12 Thread Przemysław Hejman
Hi guys,

I’ve recently tried to deploy some apps with saltstack on CentOS 6.4. I’m using
the saltstack bootstrap script, which installs EPEL. The problem is that yum
fails with update because it cannot reach the HTTPS repositories.
When changing to HTTP, it starts working. You can see a detailed discussion
about it here:
https://github.com/saltstack/salt-bootstrap/issues/474#issuecomment-62449575

What can I do about that?

Regards,

Przemysław Hejman



___
epel-devel mailing list
epel-devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/epel-devel


Re: [EPEL-devel] peel HTTPS urls don't work in older CentOS

2014-11-12 Thread Kevin Fenzi
On Wed, 12 Nov 2014 10:02:37 +0100
Przemysław Hejman przemyslaw.hej...@gmail.com wrote:

> Hi guys,
>
> I’ve recently tried to deploy some apps with saltstack on CentOS 6.4.
> I’m using the saltstack bootstrap script, which installs EPEL. The
> problem is that yum fails with update because it cannot reach the
> HTTPS repositories. When changing to HTTP, it starts working. You can
> see a detailed discussion about it here:
> https://github.com/saltstack/salt-bootstrap/issues/474#issuecomment-62449575
>
> What can I do about that?

The problem is that the fedora project has disabled SSLv3 (after it was
found to be insecure). As part of that, mirrors.fedoraproject.org also
no longer works for clients that can't negotiate better than SSLv3. 

CentOS/RHEL 6.6 works fine. 

I think 6.5 works fine with all nss* package updates applied. 

I don't have any idea about 6.4. Are there pending nss* updates for you?

Would it be possible for you to update to 6.6 or 6.5?

kevin




[EPEL-devel] Fedora EPEL 5 updates-testing report

2014-11-12 Thread updates
The following Fedora EPEL 5 Security updates need testing:
 Age  URL
 935  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-5630/bugzilla-3.2.10-5.el5
 389  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11893/libguestfs-1.20.12-1.el5
 153  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1626/puppet-2.7.26-1.el5
  49  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-2669/check-mk-1.2.4p5-1.el5
  48  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-2853/mediawiki119-1.19.18-1.el5
  21  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3549/rubygem-actionpack-2.3.18-1.el5,rubygem-activerecord-2.3.18-1.el5,rubygem-activesupport-2.3.18-1.el5
  20  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3554/rubygem-rails-2.3.18-1.el5,rubygem-actionmailer-2.3.18-1.el5,rubygem-activeresource-2.3.18-1.el5
  15  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3675/Pound-2.6-2.el5.2
   7  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3784/mantis-1.2.17-3.el5
   3  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3849/sblim-sfcb-1.3.8-2.el5
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3972/nginx-0.8.55-6.el5
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3983/polarssl-1.3.2-3.el5


The following builds have been pushed to Fedora EPEL 5 updates-testing

nginx-0.8.55-6.el5
polarssl-1.3.2-3.el5

Details about builds:



 nginx-0.8.55-6.el5 (FEDORA-EPEL-2014-3972)
 Robust, small and high performance HTTP and reverse proxy server

Update Information:

fix CVE-2013-4547 security bypass due to whitespace parsing

ChangeLog:

* Tue Nov 11 2014 Jamie Nguyen jamieli...@fedoraproject.org - 0.8.55-6
- fix CVE-2013-4547 security bypass due to whitespace parsing
  (#1032266, #1032269)

References:

  [ 1 ] Bug #1032266 - CVE-2013-4547 nginx: security restriction bypass flaw due to whitespace parsing
        https://bugzilla.redhat.com/show_bug.cgi?id=1032266




 polarssl-1.3.2-3.el5 (FEDORA-EPEL-2014-3983)
 Light-weight cryptographic and SSL/TLS library

Update Information:

- Fix for CVE-2014-8628 (#1159845)

ChangeLog:

* Wed Nov 12 2014 Morten Stevens mstev...@imt-systems.com - 1.3.2-3
- CVE-2014-8628 (#1159845)

References:

  [ 1 ] Bug #1159845 - CVE-2014-8627 CVE-2014-8628 polarssl: various issues fixed in 1.3.9
        https://bugzilla.redhat.com/show_bug.cgi?id=1159845




[EPEL-devel] Fedora EPEL 7 updates-testing report

2014-11-12 Thread updates
The following Fedora EPEL 7 Security updates need testing:
 Age  URL
  15  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3621/php-Smarty-3.1.21-1.el7
  15  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3642/Pound-2.7-0.4.d.el7.1
  11  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3745/tnftp-20141031-1.el7
   7  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3664/konversation-1.5.1-1.el7
   3  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3886/python-requests-kerberos-0.6-1.el7
   2  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3794/polarssl-1.3.9-2.el7
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3989/cross-binutils-2.23.88.0.1-2.el7.1
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3995/oath-toolkit-2.4.1-8.el7


The following builds have been pushed to Fedora EPEL 7 updates-testing

FoXlibf-4.1.2-1.el7
createrepo_c-0.7.4-1.el7
cross-binutils-2.23.88.0.1-2.el7.1
drupal7-7.33-1.el7
elk-2.3.22-10.el7
erlang-R16B-03.8.el7
gpaw-0.10.0.11364-7.el7
gr-iqbal-0.37.2-3.el7
makeself-2.2.0-3.el7
nodejs-nsp-audit-shrinkwrap-1.0.0-1.el7
oath-toolkit-2.4.1-8.el7
owncloud-7.0.3-2.el7
perl-MCE-1.520-1.el7
php-channel-dropbox-php-1.3-5.el7
php-channel-phpseclib-1.3-1.el7
php-dropbox-php-Dropbox-1.0.0-6.el7
php-horde-Horde-Alarm-2.2.3-1.el7
php-horde-Horde-Db-2.2.0-1.el7
php-horde-Horde-Imap-Client-2.25.3-1.el7
php-pear-Crypt-Blowfish-1.1.0-0.10.rc2.el7
php-pecl-mongo-1.5.8-1.el7
php-phpseclib-crypt-aes-0.3.9-1.el7
php-phpseclib-crypt-base-0.3.9-1.el7
php-phpseclib-crypt-blowfish-0.3.9-2.el7
php-phpseclib-crypt-des-0.3.9-2.el7
php-phpseclib-crypt-hash-0.3.9-1.el7
php-phpseclib-crypt-random-0.3.9-1.el7
php-phpseclib-crypt-rc4-0.3.9-2.el7
php-phpseclib-crypt-rijndael-0.3.9-2.el7
php-phpseclib-crypt-rsa-0.3.9-1.el7
php-phpseclib-crypt-tripledes-0.3.9-2.el7
php-phpseclib-crypt-twofish-0.3.9-2.el7
php-phpseclib-math-biginteger-0.3.9-1.el7
php-phpseclib-net-sftp-0.3.9-1.el7
php-phpseclib-net-ssh2-0.3.9-1.el7
php-phpunit-PHPUnit-4.3.5-1.el7
php-theseer-autoload-1.16.0-2.el7
python-django-1.6.8-1.el7
python-pyngus-1.2.0-1.el7
rubygem-addressable-2.3.6-6.el7
rubygem-configuration-1.3.2-3.el7
rubygem-coveralls-0.7.0-4.el7
rubygem-crack-0.3.2-1.el7
rubygem-require_all-1.3.2-5.el7
rubygem-rest-client-1.6.7-4.el7
rubygem-term-ansicolor-1.3.0-4.el7
rubygem-tins-1.0.0-2.el7
tcalc-1.3-1.el7
tor-0.2.5.10-1.el7
torsocks-2.0.0-2.el7
wxGTK3-3.0.2-2.el7

Details about builds:



 FoXlibf-4.1.2-1.el7 (FEDORA-EPEL-2014-4004)
 A Fortran XML Library

Update Information:

FoXlibf-4.1.2

References:

  [ 1 ] Bug #1104289 - Review Request: FoXlibf - A Fortran XML Library
https://bugzilla.redhat.com/show_bug.cgi?id=1104289




 createrepo_c-0.7.4-1.el7 (FEDORA-EPEL-2014-4000)
 Creates a common metadata repository

Update Information:

createrepo_c, mergerepo_c: Follow redirs by default while downloading remote repos
Update to 0.7.1
Update to 0.7.0

ChangeLog:

* Tue Nov 11 2014 Tomas Mlcoch tmlcoch at redhat.com - 0.7.4-1
- createrepo_c, mergerepo_c: Follow redirs by default while downloading remote repos
- mergerepo_c: Fix segfault when a package without sourcerpm is part of metadata and --koji option is used
* Mon Nov 10 2014 Tomas Mlcoch tmlcoch at redhat.com - 0.7.3-1
- xml_parser: Add file path into error messages
- Refactor: Replace g_error() with g_critical() (RhBug: 1162102)
* Thu Nov  6 2014 Tomas Mlcoch tmlcoch at redhat.com - 0.7.2-1
- createrepo_c: New option --local-sqlite
* Fri Oct 31 2014 Tomas Mlcoch tmlcoch at redhat.com - 0.7.1-1
- Mergerepo: Fix mergerepo
- Mergerepo: Add some debugging of metadata read.
* Mon Oct 20 2014 Tomas Mlcoch tmlcoch at redhat.com - 0.7.0-1
- deltarpms: Update module to work with current version of drpm
- mergerepo_c: Add --omit-baseurl option
- craterepo_c: Gen empty repo if empty pkglist is used
- Docs: Output python docs to separate directory
- Several small fixes
* Tue Aug 12 2014 Tomas Mlcoch tmlcoch at redhat.com - 0.6.1-1
- updateinfo: Use Python datetime objects in python bindings
* Tue Aug  5 2014 Tomas Mlcoch tmlcoch at redhat.com - 0.6.0-1
- Support for updateinfo.xml manipulation (including Python bindings)
* Fri Jul 18 2014 

Re: [EPEL-devel] peel HTTPS urls don't work in older CentOS

2014-11-12 Thread Anssi Johansson

13.11.2014, 0.37, Kevin Fenzi wrote:

> The problem is that the fedora project has disabled SSLv3 (after it was
> found to be insecure). As part of that, mirrors.fedoraproject.org also
> no longer works for clients that can't negotiate better than SSLv3.
>
> CentOS/RHEL 6.6 works fine.
>
> I think 6.5 works fine with all nss* package updates applied.
>
> I don't have any idea about 6.4. Are there pending nss* updates for you?


I believe the problem is not really SSLv3, but that the Fedora Project 
uses 4096 bit keys, which the old nss can't handle. I was unable to 
locate any other web server that used 4096 bit keys when I was 
diagnosing the issue back then, so I was unable to confirm my theory.


CentOS 6.4 without any updates does not work, but works with C6.4's nss 
and nspr update. nss-3.14.3-4.el6_4 is the oldest version that works. 
CentOS 6.5 and later will of course work as well.


To fix the problem: yum update --disablerepo=epel\*

If your nss is too old to handle Fedora's certificates, it means you 
haven't run yum update for more than a year and you are missing a 
large bunch of important CentOS updates.




Re: [EPEL-devel] peel HTTPS urls don't work in older CentOS

2014-11-12 Thread Kevin Fenzi
On Thu, 13 Nov 2014 01:37:13 +0200
Anssi Johansson e...@miuku.net wrote:

> I believe the problem is not really SSLv3, but that the Fedora
> Project uses 4096 bit keys, which the old nss can't handle. I was
> unable to locate any other web server that used 4096 bit keys when I
> was diagnosing the issue back then, so I was unable to confirm my
> theory.

Well, we changed certs in April after heartbleed. I would expect if
that broke things we would have seen it before now. 

> CentOS 6.4 without any updates does not work, but works with C6.4's
> nss and nspr update. nss-3.14.3-4.el6_4 is the oldest version that
> works. CentOS 6.5 and later will of course work as well.
>
> To fix the problem: yum update --disablerepo=epel\*
>
> If your nss is too old to handle Fedora's certificates, it means you
> haven't run yum update for more than a year and you are missing a
> large bunch of important CentOS updates.

Yeah. 

kevin
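
An added example, not part of the original thread: a Python audit that takes collected `rpm -q nss` output and flags hosts older than nss-3.14.3-4.el6_4, the oldest version the thread reports as working. The comparison is a simplified rpmvercmp (no epoch, `~` or `^` handling); the hostnames, the sample package lines and the short architecture list are constructed assumptions.

```python
import re

# Oldest nss build the thread reports as working against the EPEL HTTPS mirrors.
MIN_NSS = "3.14.3-4.el6_4"

def _segments(s):
    # rpmvercmp splits on non-alphanumerics and on digit/letter boundaries.
    return re.findall(r"\d+|[A-Za-z]+", s)

def vercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1 (no '~' or '^' handling)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)              # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric segment beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return vercmp(va, vb) or vercmp(ra, rb)

def nss_too_old(rpm_q_line):
    """rpm_q_line is one line of `rpm -q nss` output (name-version-release.arch)."""
    m = re.fullmatch(r"nss-(.+-.+?)\.(x86_64|i686|noarch)", rpm_q_line.strip())
    if not m:
        raise ValueError("unrecognised rpm -q output: %r" % rpm_q_line)
    return evr_cmp(m.group(1), MIN_NSS) < 0

def audit(inventory):
    """Return the sorted hosts that must update base packages before using EPEL."""
    return sorted(h for h, line in inventory.items() if nss_too_old(line))

# Constructed inventory: hostnames and non-threshold versions are made up.
SAMPLE = {
    "web01": "nss-3.14.0.0-12.el6.x86_64",
    "web02": "nss-3.14.3-4.el6_4.x86_64",
    "db01": "nss-3.16.1-14.el6.x86_64",
    "old01": "nss-3.13.6-3.el6_4.i686",
}

if __name__ == "__main__":
    for host in audit(SAMPLE):
        print(host, "-> run: yum update --disablerepo=epel\\*")
```
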

