[EPEL-devel] Fedora EPEL 8 updates-testing report

2023-12-06 Thread updates
The following Fedora EPEL 8 Security updates need testing:
 Age  URL
   6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-d47bce8e4e   chromium-119.0.6045.199-1.el8


The following builds have been pushed to Fedora EPEL 8 updates-testing

java-latest-openjdk-portable-21.0.1.0.12-2.rolling.el8
root-6.30.02-1.el8
wsdd-0.7.1-1.el8

Details about builds:



 java-latest-openjdk-portable-21.0.1.0.12-2.rolling.el8 (FEDORA-EPEL-2023-8ce17c621c)
 OpenJDK 21 Runtime Environment portable edition

Update Information:

updated to October CPU

ChangeLog:

* Wed Nov 22 2023 Jiri Vanek - 1:21.0.1.0.12-2.rolling
- updated to OpenJDK 21.0.1 (2023-10-17)
- adjusted generate_source_tarball
- removed icedtea_sync
- dropped standalone licenses
- added unstripped subpkg
- added docs subpkg
- adjusted versions of bundled libraries
- build refactored to several solid methods following gnu_andrew
- removed no longer needed jdk8296108-tzdata2022f.patch, jdk8296715-cldr2022f.patch, rh1648644-java_access_bridge_privileged_security.patch
- added jdk8311630-s390_ffmapi.patch to support virtual threads on s390x
- aligned fips-21u-75ffdc48eda.patch (gnu_andrew)
- fixed '--without release' build-ability by moving docs and misc to if-release only
* Wed Sep 20 2023 Jiri Vanek  - 1:21.0.0.0.35-4.rolling
- removed %{1} from miscportablename
* Fri Sep 15 2023 Andrew Hughes - 1:21.0.0.0.35-3.rolling
- Update documentation (README.md, add missing JEP to release notes)
- Replace alt-java patch with a binary separate from the JDK
- Drop stale patches that are of little use any more:
- * nss.cfg has been disabled since early PKCS11 work and long superseded by FIPS work
- * No accessibility subpackage to warrant RH1648242 patch any more
- * No use of system libjpeg turbo to warrant RH649512 patch any more
- Replace RH1684077 pcsc-lite-libs patch with better JDK-8009550 fix being upstreamed
- Update generate_tarball.sh to sync with upstream vanilla script
- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball
- Use upstream release URL for OpenJDK source
- Port misc tarball from RHEL to house alt-java outside the JDK tree
- Port improved tarball creation and checking from RHEL so tarballs are verified
* Thu Sep 14 2023 Andrew Hughes - 1:21.0.0.0.35-2.rolling
- Bump buildjdkver now that java-21-openjdk is available in the buildroot
* Tue Aug  8 2023 Petra Alice Mikova 1:21.0.0.0.35-1.rolling
- updated to jdk-21+35, which is no longer EA
* Tue Aug  8 2023 Petra Alice Mikova 1:21.0.0.0.34-0.1.ea.rolling
- initial update to jdk21
- commented out fips patches
- updated to jdk21 ea
- updated patch 1001 - rh1648249-add_commented_out_nss_cfg_provider_to_java_security
- replace smoketests in staticlibs test, as the previous files used were removed by a patch in JDK
- require tzdata 2023c
- Update FIPS support to bring in latest changes
- * RH2048582: Support PKCS#12 keystores
- * RH2020290: Support TLS 1.3 in FIPS mode
- * Add nss.fips.cfg support to OpenJDK tree
- * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
- * Remove forgotten dead code from RH2020290 and RH2104724
- * OJ1357: Fix issue on FIPS with a SecurityManager in place
- * RH2134669: Add missing attributes when registering services in FIPS mode.
- * test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
- * RH1940064: Enable XML Signature provider in FIPS mode
- * Remove GCC minor versioning (JDK-8284772) to unbreak testing
- Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build




 root-6.30.02-1.el8 (FEDORA-EPEL-2023-5cf6b377b2)
 Numerical data analysis framework

Update Information:

ROOT 6.30.02

ChangeLog:

* Sat Dec  2 2023 Mattias Ellert  - 6.30.02-1
- Update to 6.30.02




 wsdd-0.7.1-1.el8 (FEDORA-EPEL-2023-e43ee1ef96)
 Web Services Dynamic Discovery host daemon

Update Information:

Latest upstream release. Includes https://src.fedoraproject.org/rpms/wsdd/pull-request/1 .

ChangeLog:

* Fri Oct  6 2023 Ondrej Holy  - 0.7.1-1
- Update to 0.7.1.
* Sat Jul 22 2023 Fe

[EPEL-devel] Fedora EPEL 7 updates-testing report

2023-12-06 Thread updates
The following Fedora EPEL 7 Security updates need testing:
 Age  URL
   6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-46696cc30b   chromium-119.0.6045.199-1.el7


The following builds have been pushed to Fedora EPEL 7 updates-testing

wsdd-0.7.1-1.el7

Details about builds:



 wsdd-0.7.1-1.el7 (FEDORA-EPEL-2023-4e7c9d636e)
 Web Services Dynamic Discovery host daemon

Update Information:

Latest upstream release. Includes https://src.fedoraproject.org/rpms/wsdd/pull-request/1 .

ChangeLog:

* Fri Oct  6 2023 Ondrej Holy  - 0.7.1-1
- Update to 0.7.1.
* Sat Jul 22 2023 Fedora Release Engineering - 0.7.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Sat Jan 21 2023 Fedora Release Engineering - 0.7.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Sat Jul 23 2022 Fedora Release Engineering - 0.7.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Sat Jan 22 2022 Fedora Release Engineering - 0.7.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild


--
___
epel-devel mailing list -- epel-devel@lists.fedoraproject.org
To unsubscribe send an email to epel-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue


[EPEL-devel] Fedora EPEL 9 updates-testing report

2023-12-06 Thread updates
The following Fedora EPEL 9 Security updates need testing:
 Age  URL
   6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-2537ccf8b5   chromium-119.0.6045.199-1.el9
   5  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-3d9a822df5   rust-pore-0.1.8-5.el9


The following builds have been pushed to Fedora EPEL 9 updates-testing

bluechi-0.6.0-1.el9
java-latest-openjdk-portable-21.0.1.0.12-2.rolling.el9
nickle-2.96-1.el9
python-google-auth-2.25.1-1.el9
root-6.30.02-1.el9
snakeyaml-1.33-1.el9
wsdd-0.7.1-1.el9

Details about builds:



 bluechi-0.6.0-1.el9 (FEDORA-EPEL-2023-73c4c9c7aa)
 A systemd service controller for multi-nodes environments

Update Information:

Version 0.6.0 includes the following changes and updates:
- Renamed bluechi to bluechi-controller for binary, rpm and documentation
- Moved bluechi binaries to /usr/libexec for auto-completion
- Added properties and signals for connection status and disconnected timestamp to Agent's public API
- Removed duplicate NodeConnectionStateChanged signal from bluechi-controller
- CLI option for the version (-v) prints version and git commit hash for non-release builds
- Extended BlueChi's public D-Bus API specification by inline-comments
- Added EmitsChangedSignal annotation to properties in BlueChi's public D-Bus API specification
- Enhanced typed python bindings generator to use inline-comments from specification
- Enhanced typed python bindings generator to provide listener functions for property changed signals
- Fixes in the D-Bus API description
- Improved error messages returned by D-Bus API
- Added static code analysis from gcc and fixed detected issues
- Added a graceful node shutdown in bluechi-controller
- Fixed a few smaller memory leaks
- Fixed bug where configured manager address was overridden on connection failure
- Fixed bug where removing a subscription was not prevented
- Fixed race condition leading bluechi-proxy and bluechi-dep service to transition into failed state
- Aligned and added API examples for Python, Go and Rust
- Changed the license for python bindings to MIT-0

ChangeLog:

* Wed Nov 29 2023 Michael Engel  - 0.6.0-1
- Update to 0.6.0
- Rename bluechi package to controller




 java-latest-openjdk-portable-21.0.1.0.12-2.rolling.el9 (FEDORA-EPEL-2023-a52c6ecf48)
 OpenJDK 21 Runtime Environment portable edition

Update Information:

updated to October CPU

ChangeLog:

* Wed Nov 22 2023 Jiri Vanek - 1:21.0.1.0.12-2.rolling
- updated to OpenJDK 21.0.1 (2023-10-17)
- adjusted generate_source_tarball
- removed icedtea_sync
- dropped standalone licenses
- added unstripped subpkg
- added docs subpkg
- adjusted versions of bundled libraries
- build refactored to several solid methods following gnu_andrew
- removed no longer needed jdk8296108-tzdata2022f.patch, jdk8296715-cldr2022f.patch, rh1648644-java_access_bridge_privileged_security.patch
- added jdk8311630-s390_ffmapi.patch to support virtual threads on s390x
- aligned fips-21u-75ffdc48eda.patch (gnu_andrew)
- fixed '--without release' build-ability by moving docs and misc to if-release only
* Wed Sep 20 2023 Jiri Vanek  - 1:21.0.0.0.35-4.rolling
- removed %{1} from miscportablename
* Fri Sep 15 2023 Andrew Hughes - 1:21.0.0.0.35-3.rolling
- Update documentation (README.md, add missing JEP to release notes)
- Replace alt-java patch with a binary separate from the JDK
- Drop stale patches that are of little use any more:
- * nss.cfg has been disabled since early PKCS11 work and long superseded by FIPS work
- * No accessibility subpackage to warrant RH1648242 patch any more
- * No use of system libjpeg turbo to warrant RH649512 patch any more
- Replace RH1684077 pcsc-lite-libs patch with better JDK-8009550 fix being upstreamed
- Update generate_tarball.sh to sync with upstream vanilla script
- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball
- Use upstream release URL for OpenJDK source
- Port misc tarball from RHEL to house alt-java outside the JDK tree
- Port improved tarball creation and checking from RHEL so tarballs are verified
* Thu Sep 14 2023 Andrew Hughes - 1:21.0.0.0.35-2.rolling
- Bump buildjdkver now that java-21-openjdk is available in the buildroot
* Tue Aug  8 2023 Petra Alice Mikova 1:21.0.0.0.35-1.rolling
- updated to jdk-21+35, which is no longer EA
* Tue Aug  8 2023 Petra Alice Mikova  
1:21.0.0

[EPEL-devel] Re: Proposed incompatible security update (again) for llhttp in EPEL9

2023-12-06 Thread Troy Dawson
On Tue, Nov 28, 2023 at 8:37 AM Ben Beasley wrote:

> This email proposes upgrading the llhttp package in EPEL9 from 8.1.1 to
> 9.1.3, which would break the ABI and bump the SONAME version, under the
> EPEL Incompatible Upgrades Policy[1].
>
> The llhttp package is a C library (transpiled from TypeScript) that
> provides the low-level HTTP support for NodeJS and for python-aiohttp.
> Currently, only python-aiohttp depends on the llhttp package in EPEL9.
>
> Versions of python-aiohttp prior to 3.8.6[2] are affected by
> CVE-2023-47627[3][4], an HTTP request/response smuggling vulnerability
> rated 5.3 in CVSS v3 and rated Moderate by Red Hat. This was reported as
> RHBZ#2249825[5]. Since the flaw is only in the pure-Python parser, and
> we compile the llhttp-based parser, this affects only code using the
> AIOHTTP_NO_EXTENSIONS environment variable. Updating aiohttp from 3.8.5
> to 3.8.6 to fix that still requires updating llhttp from 8.x to 9.x.
> Additionally, according to the release notes this includes an
> llhttp-related security fix[6] with no assigned CVE, which provides
> added motivation to update.
>
> The ABI break in llhttp would only affect python-aiohttp. The
> python-aiohttp update itself is compatible (by upstream intent, and as
> already demonstrated in Rawhide and F39/F38); and a large list of
> packages that depend on python-aiohttp would benefit from the fix. The
> necessary rebuild would be conducted in a side tag.
>
> The same incompatible update was approved by FESCo for Fedora 38 and
> 39[7]. Furthermore, it appears that FESCo will approve a permanent
> exception for llhttp[8].
>
> The purpose of this email is to document and explain the proposed
> update, to begin the minimum one-week discussion period mandated by the
> EPEL Incompatible Upgrades Policy, and to request that the update be
> added to the agenda for an upcoming EPEL meeting.
>
> [1] https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/#process_for_incompatible_upgrades
>
> [2] https://github.com/aio-libs/aiohttp/releases/tag/v3.8.6
>
> [3] https://access.redhat.com/security/cve/CVE-2023-47627
>
> [4] https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg
>
> [5] https://bugzilla.redhat.com/show_bug.cgi?id=2249825
>
> [6] https://github.com/aio-libs/aiohttp/releases/tag/v3.8.6
>
> [7] https://pagure.io/fesco/issue/3106
>
> [8] https://pagure.io/fesco/issue/3115
>
>
This exception, as well as a permanent exception, was approved this week in
the EPEL Steering Committee meeting.

Troy