[EPEL-devel] Fedora EPEL 8 updates-testing report
The following Fedora EPEL 8 Security updates need testing:

 Age  URL
   6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-d47bce8e4e  chromium-119.0.6045.199-1.el8

The following builds have been pushed to Fedora EPEL 8 updates-testing

java-latest-openjdk-portable-21.0.1.0.12-2.rolling.el8
root-6.30.02-1.el8
wsdd-0.7.1-1.el8

Details about builds:

java-latest-openjdk-portable-21.0.1.0.12-2.rolling.el8 (FEDORA-EPEL-2023-8ce17c621c)
OpenJDK 21 Runtime Environment portable edition

Update Information:
updated to october CPU

ChangeLog:
* Wed Nov 22 2023 Jiri Vanek - 1:21.0.1.0.12-2.rolling
- updated to OpenJDK 21.0.1 (2023-10-17)
- adjusted generate_source_tarball
- removed icedtea_sync
- dropped standalone licenses
- added unstripped subpkg
- added docs subpkg
- adjusted versions of bundled libraries
- build refactored to several solid methods following gnu_andrew
- removed no longer needed jdk8296108-tzdata2022f.patch, jdk8296715-cldr2022f.patch, rh1648644-java_access_bridge_privileged_security.patch
- added jdk8311630-s390_ffmapi.patch to support virtual threads on s390x
- aligned fips-21u-75ffdc48eda.patch (gnu_andrew)
- fixed '--without release' build-ability by moving docs and misc to if-release only
* Wed Sep 20 2023 Jiri Vanek - 1:21.0.0.0.35-4.rolling
- removed %{1} from miscportablename
* Fri Sep 15 2023 Andrew Hughes - 1:21.0.0.0.35-3.rolling
- Update documentation (README.md, add missing JEP to release notes)
- Replace alt-java patch with a binary separate from the JDK
- Drop stale patches that are of little use any more:
- * nss.cfg has been disabled since early PKCS11 work and long superseded by FIPS work
- * No accessibility subpackage to warrant RH1648242 patch any more
- * No use of system libjpeg turbo to warrant RH649512 patch any more
- Replace RH1684077 pcsc-lite-libs patch with better JDK-8009550 fix being upstreamed
- Update generate_tarball.sh to sync with upstream vanilla script
- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball
- Use upstream release URL for OpenJDK source
- Port misc tarball from RHEL to house alt-java outside the JDK tree
- Port improved tarball creation and checking from RHEL so tarballs are verified
* Thu Sep 14 2023 Andrew Hughes - 1:21.0.0.0.35-2.rolling
- Bump buildjdkver now that java-21-openjdk is available in the buildroot
* Tue Aug 8 2023 Petra Alice Mikova 1:21.0.0.0.35-1.rolling
- updated to jdk-21+35, which is no longer EA
* Tue Aug 8 2023 Petra Alice Mikova 1:21.0.0.0.34-0.1.ea.rolling
- initial update to jdk21
- commented out fips patches
- updated to jdk21 ea
- updated patch 1001 - rh1648249-add_commented_out_nss_cfg_provider_to_java_security
- replace smoketests in staticlibs test, as the previous files used were removed by a patch in JDK
- require tzdata 2023c
- Update FIPS support to bring in latest changes
- * RH2048582: Support PKCS#12 keystores
- * RH2020290: Support TLS 1.3 in FIPS mode
- * Add nss.fips.cfg support to OpenJDK tree
- * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
- * Remove forgotten dead code from RH2020290 and RH2104724
- * OJ1357: Fix issue on FIPS with a SecurityManager in place
- * RH2134669: Add missing attributes when registering services in FIPS mode.
- * test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
- * RH1940064: Enable XML Signature provider in FIPS mode
- * Remove GCC minor versioning (JDK-8284772) to unbreak testing
- Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build

root-6.30.02-1.el8 (FEDORA-EPEL-2023-5cf6b377b2)
Numerical data analysis framework

Update Information:
ROOT 6.30.02

ChangeLog:
* Sat Dec 2 2023 Mattias Ellert - 6.30.02-1
- Update to 6.30.02

wsdd-0.7.1-1.el8 (FEDORA-EPEL-2023-e43ee1ef96)
Web Services Dynamic Discovery host daemon

Update Information:
Latest upstream release. Includes https://src.fedoraproject.org/rpms/wsdd/pull-request/1 .

ChangeLog:
* Fri Oct 6 2023 Ondrej Holy - 0.7.1-1
- Update to 0.7.1.
* Sat Jul 22 2023 Fe
[EPEL-devel] Fedora EPEL 7 updates-testing report
The following Fedora EPEL 7 Security updates need testing:

 Age  URL
   6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-46696cc30b  chromium-119.0.6045.199-1.el7

The following builds have been pushed to Fedora EPEL 7 updates-testing

wsdd-0.7.1-1.el7

Details about builds:

wsdd-0.7.1-1.el7 (FEDORA-EPEL-2023-4e7c9d636e)
Web Services Dynamic Discovery host daemon

Update Information:
Latest upstream release. Includes https://src.fedoraproject.org/rpms/wsdd/pull-request/1 .

ChangeLog:
* Fri Oct 6 2023 Ondrej Holy - 0.7.1-1
- Update to 0.7.1.
* Sat Jul 22 2023 Fedora Release Engineering - 0.7.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Sat Jan 21 2023 Fedora Release Engineering - 0.7.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Sat Jul 23 2022 Fedora Release Engineering - 0.7.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Sat Jan 22 2022 Fedora Release Engineering - 0.7.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild

--
___
epel-devel mailing list -- epel-devel@lists.fedoraproject.org
To unsubscribe send an email to epel-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[EPEL-devel] Fedora EPEL 9 updates-testing report
The following Fedora EPEL 9 Security updates need testing:

 Age  URL
   6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-2537ccf8b5  chromium-119.0.6045.199-1.el9
   5  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-3d9a822df5  rust-pore-0.1.8-5.el9

The following builds have been pushed to Fedora EPEL 9 updates-testing

bluechi-0.6.0-1.el9
java-latest-openjdk-portable-21.0.1.0.12-2.rolling.el9
nickle-2.96-1.el9
python-google-auth-2.25.1-1.el9
root-6.30.02-1.el9
snakeyaml-1.33-1.el9
wsdd-0.7.1-1.el9

Details about builds:

bluechi-0.6.0-1.el9 (FEDORA-EPEL-2023-73c4c9c7aa)
A systemd service controller for multi-nodes environments

Update Information:
Version 0.6.0 includes the following changes and updates:
- Renamed bluechi to bluechi-controller for binary, rpm and documentation
- Moved bluechi binaries to /usr/libexec for auto-completion
- Added properties and signals for connection status and disconnected timestamp to Agent's public API
- Removed duplicate NodeConnectionStateChanged signal from bluechi-controller
- CLI option for the version (-v) prints version and git commit hash for non-release builds
- Extended BlueChi's public D-Bus API specification by inline-comments
- Added EmitsChangedSignal annotation to properties in BlueChi's public D-Bus API specification
- Enhanced typed python bindings generator to use inline-comments from specification
- Enhanced typed python bindings generator to provide listener functions for property changed signals
- Fixes in the D-Bus API description
- Improved error messages returned by D-Bus API
- Added static code analysis from gcc and fixed detected issues
- Added a graceful node shutdown in bluechi-controller
- Fixed a few smaller memory leaks
- Fixed bug where configured manager address was overridden on connection failure
- Fixed bug where removing a subscription was not prevented
- Fixed race condition leading bluechi-proxy and bluechi-dep service to transition into failed state
- Aligned and added API examples for Python, Go and Rust
- Changed the license for python bindings to MIT-0

ChangeLog:
* Wed Nov 29 2023 Michael Engel - 0.6.0-1
- Update to 0.6.0
- Rename bluechi package to controller

java-latest-openjdk-portable-21.0.1.0.12-2.rolling.el9 (FEDORA-EPEL-2023-a52c6ecf48)
OpenJDK 21 Runtime Environment portable edition

Update Information:
updated to october CPU

ChangeLog:
* Wed Nov 22 2023 Jiri Vanek - 1:21.0.1.0.12-2.rolling
- updated to OpenJDK 21.0.1 (2023-10-17)
- adjusted generate_source_tarball
- removed icedtea_sync
- dropped standalone licenses
- added unstripped subpkg
- added docs subpkg
- adjusted versions of bundled libraries
- build refactored to several solid methods following gnu_andrew
- removed no longer needed jdk8296108-tzdata2022f.patch, jdk8296715-cldr2022f.patch, rh1648644-java_access_bridge_privileged_security.patch
- added jdk8311630-s390_ffmapi.patch to support virtual threads on s390x
- aligned fips-21u-75ffdc48eda.patch (gnu_andrew)
- fixed '--without release' build-ability by moving docs and misc to if-release only
* Wed Sep 20 2023 Jiri Vanek - 1:21.0.0.0.35-4.rolling
- removed %{1} from miscportablename
* Fri Sep 15 2023 Andrew Hughes - 1:21.0.0.0.35-3.rolling
- Update documentation (README.md, add missing JEP to release notes)
- Replace alt-java patch with a binary separate from the JDK
- Drop stale patches that are of little use any more:
- * nss.cfg has been disabled since early PKCS11 work and long superseded by FIPS work
- * No accessibility subpackage to warrant RH1648242 patch any more
- * No use of system libjpeg turbo to warrant RH649512 patch any more
- Replace RH1684077 pcsc-lite-libs patch with better JDK-8009550 fix being upstreamed
- Update generate_tarball.sh to sync with upstream vanilla script
- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball
- Use upstream release URL for OpenJDK source
- Port misc tarball from RHEL to house alt-java outside the JDK tree
- Port improved tarball creation and checking from RHEL so tarballs are verified
* Thu Sep 14 2023 Andrew Hughes - 1:21.0.0.0.35-2.rolling
- Bump buildjdkver now that java-21-openjdk is available in the buildroot
* Tue Aug 8 2023 Petra Alice Mikova 1:21.0.0.0.35-1.rolling
- updated to jdk-21+35, which is no longer EA
* Tue Aug 8 2023 Petra Alice Mikova 1:21.0.0
[EPEL-devel] Re: Proposed incompatible security update (again) for llhttp in EPEL9
On Tue, Nov 28, 2023 at 8:37 AM Ben Beasley wrote:
> This email proposes upgrading the llhttp package in EPEL9 from 8.1.1 to
> 9.1.3, which would break the ABI and bump the SONAME version, under the
> EPEL Incompatible Upgrades Policy[1].
>
> The llhttp package is a C library (transpiled from TypeScript) that
> provides the low-level HTTP support for NodeJS and for python-aiohttp.
> Currently, only python-aiohttp depends on the llhttp package in EPEL9.
>
> Versions of python-aiohttp prior to 3.8.6[2] are affected by
> CVE-2023-47627[3][4], an HTTP request/response smuggling vulnerability
> rated 5.3 in CVSS v3 and rated Moderate by Red Hat. This was reported as
> RHBZ#2249825[5]. Since the flaw is only in the pure-Python parser, and
> we compile the llhttp-based parser, this affects only code using the
> AIOHTTP_NO_EXTENSIONS environment variable. Updating aiohttp from 3.8.5
> to 3.8.6 to fix that still requires updating llhttp from 8.x to 9.x.
> Additionally, according to the release notes this includes an
> llhttp-related security fix[6] with no assigned CVE, which provides
> added motivation to update.
>
> The ABI break in llhttp would only affect python-aiohttp. The
> python-aiohttp update itself is compatible (by upstream intent, and as
> already demonstrated in Rawhide and F39/F38); and a large list of
> packages that depend on python-aiohttp would benefit from the fix. The
> necessary rebuild would be conducted in a side tag.
>
> The same incompatible update was approved by FESCo for Fedora 38 and
> 39[7]. Furthermore, it appears that FESCo will approve a permanent
> exception for llhttp[8].
>
> The purpose of this email is to document and explain the proposed
> update, to begin the minimum one-week discussion period mandated by the
> EPEL Incompatible Upgrades Policy, and to request that the update be
> added to the agenda for an upcoming EPEL meeting.
>
> [1] https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/#process_for_incompatible_upgrades
> [2] https://github.com/aio-libs/aiohttp/releases/tag/v3.8.6
> [3] https://access.redhat.com/security/cve/CVE-2023-47627
> [4] https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg
> [5] https://bugzilla.redhat.com/show_bug.cgi?id=2249825
> [6] https://github.com/aio-libs/aiohttp/releases/tag/v3.8.6
> [7] https://pagure.io/fesco/issue/3106
> [8] https://pagure.io/fesco/issue/3115

This exception, as well as a permanent exception, was approved this week in the EPEL Steering Committee meeting.

Troy