The following Fedora 22 Security updates need testing: Age URL 13 https://admin.fedoraproject.org/updates/FEDORA-2015-4531/quassel-0.11.0-2.fc22 7 https://admin.fedoraproject.org/updates/FEDORA-2015-5279/strongswan-5.3.0-1.fc22 7 https://admin.fedoraproject.org/updates/FEDORA-2015-5308/mingw-gnutls-3.3.14-1.fc22,mingw-libtasn1-4.4-1.fc22 6 https://admin.fedoraproject.org/updates/FEDORA-2015-5430/jffi-1.2.7-5.fc22,jenkins-1.606-1.fc22,jenkins-executable-war-1.29-4.fc22 5 https://admin.fedoraproject.org/updates/FEDORA-2015-5504/php-symfony-2.5.11-1.fc22 5 https://admin.fedoraproject.org/updates/FEDORA-2015-5541/qemu-2.3.0-0.3.rc2.fc22 5 https://admin.fedoraproject.org/updates/FEDORA-2015-5510/postgis-2.1.7-1.fc22 5 https://admin.fedoraproject.org/updates/FEDORA-2015-5511/mediawiki-1.24.2-1.fc22 2 https://admin.fedoraproject.org/updates/FEDORA-2015-5643/groovy-sandbox-1.8-1.fc22,jenkins-script-security-plugin-1.13-2.fc22,jenkins-matrix-project-plugin-1.4.1-1.fc22 0 https://admin.fedoraproject.org/updates/FEDORA-2015-5904/perl-Test-Signature-1.11-1.fc22,perl-Module-Signature-0.78-1.fc22 0 https://admin.fedoraproject.org/updates/FEDORA-2015-5878/echoping-6.1-0.beta.r434svn.1.fc22 0 https://admin.fedoraproject.org/updates/FEDORA-2015-5761/ntp-4.2.6p5-29.fc22 0 https://admin.fedoraproject.org/updates/FEDORA-2015-5748/chrony-2.0-0.3.pre2.fc22 0 https://admin.fedoraproject.org/updates/FEDORA-2015-5786/knot-1.6.3-1.fc22 0 https://admin.fedoraproject.org/updates/FEDORA-2015-5885/netcf-0.2.8-1.fc22 0 https://admin.fedoraproject.org/updates/FEDORA-2015-5766/python-django-1.8-1.fc22 0 https://admin.fedoraproject.org/updates/FEDORA-2015-5890/tor-0.2.5.12-1.fc22
The following Fedora 22 Critical Path updates have yet to be approved: Age URL 8 https://admin.fedoraproject.org/updates/FEDORA-2015-5077/ModemManager-1.4.6-1.fc22 7 https://admin.fedoraproject.org/updates/FEDORA-2015-5310/bluez-5.29-2.fc22 7 https://admin.fedoraproject.org/updates/FEDORA-2015-5259/ca-certificates-2015.2.3-1.1.fc22 7 https://admin.fedoraproject.org/updates/FEDORA-2015-5323/libidn-1.29-3.fc22 6 https://admin.fedoraproject.org/updates/FEDORA-2015-5418/gmp-6.0.0-9.fc22 3 https://admin.fedoraproject.org/updates/FEDORA-2015-5620/cryptsetup-1.6.7-1.fc22 0 https://admin.fedoraproject.org/updates/FEDORA-2015-5880/python-bugzilla-1.2.0-1.fc22 0 https://admin.fedoraproject.org/updates/FEDORA-2015-5882/libhif-0.2.0-1.fc22,PackageKit-1.0.6-1.fc22 0 https://admin.fedoraproject.org/updates/FEDORA-2015-5902/colord-1.2.10-1.fc22 0 https://admin.fedoraproject.org/updates/FEDORA-2015-5763/testdisk-6.14-6.fc22,ntfs-3g-2015.3.14-1.fc22 The following builds have been pushed to Fedora 22 updates-testing PackageKit-1.0.6-1.fc22 asciinema-1.0.0-2.fc22 aspell-pt_BR-20090702-8.fc22 bpython-0.14.1-1.fc22 clufter-0.10.4-1.fc22 collectl-4.0.0-1.fc22 colord-1.2.10-1.fc22 darcs-2.8.5-2.fc22 dnssec-trigger-0.12-20.fc22 echoping-6.1-0.beta.r434svn.1.fc22 hwloc-1.10.1-2.fc22 libgovirt-0.3.3-1.fc22 libhif-0.2.0-1.fc22 libinput-0.13.0-4.fc22 liblouis-2.6.2-1.fc22 netcf-0.2.8-1.fc22 perl-MCE-1.606-1.fc22 perl-MetaCPAN-Client-1.012000-1.fc22 perl-Mixin-Linewise-0.108-1.fc22 perl-Module-Signature-0.78-1.fc22 perl-Test-Signature-1.11-1.fc22 python-bugzilla-1.2.0-1.fc22 python-colour-runner-0.0.4-1.fc22 python-keystoneclient-kerberos-0.1.4-1.fc22 python-modernize-0.4-1.fc22 python-netaddr-0.7.14-1.fc22 python-pelican-3.5.0-2.fc22 qpid-proton-0.9-3.fc22 roxterm-2.9.7-1.fc22 rpm-ostree-2015.3-7.fc22 samba-4.2.0-3.fc22 setroubleshoot-3.2.23-1.fc22 tor-0.2.5.12-1.fc22 vertica-python-0.3.5-1.fc22 Details about builds: ================================================================================ PackageKit-1.0.6-1.fc22 (FEDORA-2015-5882) Package management service -------------------------------------------------------------------------------- Update Information: - Update to new upstream versions -------------------------------------------------------------------------------- ChangeLog: * Tue Apr 7 2015 Richard Hughes <rhug...@redhat.com> - 1.0.6-1 - New upstream release - Add dbus method for returning prepared packages - Don't recursive lock the debug mutex when using --verbose without a tty - Make "reboot" the default action for no action file -------------------------------------------------------------------------------- ================================================================================ asciinema-1.0.0-2.fc22 (FEDORA-2015-5896) Command line client (terminal recorder) for asciinema.org service -------------------------------------------------------------------------------- Update Information: Update to version 1.0.0 -------------------------------------------------------------------------------- ChangeLog: * Mon Mar 23 2015 Jakub Jedelsky <jakub.jedel...@gmail.com> - 1.0.0-2 - Patch: support locale which ends with utf8 - Patch: edit some details in man page * Tue Mar 17 2015 Jakub Jedelsky <jakub.jedel...@gmail.com> - 1.0.0-1 - Update to new version - Add Godeps to docs * Fri Mar 6 2015 Jakub Jedelsky <jakub.jedel...@gmail.com> - 0.9.9-1 - Update to new version - Rewritten to Go - License changed to GPLv3 -------------------------------------------------------------------------------- References: [ 1 ] Bug #1176859 - asciinema-1.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=1176859 -------------------------------------------------------------------------------- ================================================================================ aspell-pt_BR-20090702-8.fc22 (FEDORA-2015-5903) Brazilian Portuguese dictionaries for Aspell -------------------------------------------------------------------------------- Update Information: Don't provide aspell-pt -------------------------------------------------------------------------------- ChangeLog: * Wed Apr 8 2015 jchaloup <jchal...@redhat.com> - 50:20090702-8 - Don't provide aspell-pt resolves: #1206898 -------------------------------------------------------------------------------- References: [ 1 ] Bug #1206898 - Drop the virtual provides aspell-pt https://bugzilla.redhat.com/show_bug.cgi?id=1206898 -------------------------------------------------------------------------------- ================================================================================ bpython-0.14.1-1.fc22 (FEDORA-2015-5894) Fancy curses interface to the Python interactive interpreter -------------------------------------------------------------------------------- Update Information: Update to latest upstream release bpython 0.14.1. With this release gtk frontend is gone, while curtsies frontend is new default version. Old default is now known as bpython-cures. -------------------------------------------------------------------------------- ChangeLog: * Thu Mar 26 2015 Terje Rosten <terje.ros...@ntnu.no> - 0.14.1-1 - 0.14.1 - gtk gone upstream, remove sub package and add obsolete - appdata, desktop file and png upstream - new deps - curtsies now default * Thu Mar 26 2015 Richard Hughes <rhug...@redhat.com> - 0.13.2-2 - Add an AppData file for the software center -------------------------------------------------------------------------------- ================================================================================ clufter-0.10.4-1.fc22 (FEDORA-2015-5895) Tool/library for transforming/analyzing cluster configuration formats -------------------------------------------------------------------------------- Update Information: bump upstream package (incl. several bugfixes, e.g., rhbz#1207345) -------------------------------------------------------------------------------- ChangeLog: * Wed Apr 8 2015 Jan Pokorný <jpokorny+rpm-cluf...@fedoraproject.org> - 0.10.4-1 - bump upstream package -------------------------------------------------------------------------------- ================================================================================ collectl-4.0.0-1.fc22 (FEDORA-2015-5891) A utility to collect various Linux performance data -------------------------------------------------------------------------------- Update Information: - update to upstream version 4.0.0 - upstream changelog at http://collectl.sourceforge.net/Releases.html -------------------------------------------------------------------------------- ChangeLog: * Thu Apr 9 2015 Dan Horák <dan[at]danny.cz> - 4.0.0-1 - upgrade to upstream version 4.0.0 (#1201069) -------------------------------------------------------------------------------- References: [ 1 ] Bug #1201069 - collectl-4.0.0.src is available https://bugzilla.redhat.com/show_bug.cgi?id=1201069 -------------------------------------------------------------------------------- ================================================================================ colord-1.2.10-1.fc22 (FEDORA-2015-5902) Color daemon -------------------------------------------------------------------------------- Update Information: New upstream version - Add a vendor quirk for Google -------------------------------------------------------------------------------- ChangeLog: * Wed Apr 8 2015 Richard Hughes <rich...@hughsie.com> 1.2.10-1 - New upstream version - Add a vendor quirk for Google -------------------------------------------------------------------------------- ================================================================================ darcs-2.8.5-2.fc22 (FEDORA-2015-5877) Distributed Advanced Revision Control System -------------------------------------------------------------------------------- Update Information: do not own /etc/bash_completion.d -------------------------------------------------------------------------------- ChangeLog: * Mon Apr 6 2015 Jens Petersen <peter...@redhat.com> - 2.8.5-2 - do not own bash_completion.d/ (#1192805) -------------------------------------------------------------------------------- References: [ 1 ] Bug #1192805 - darcs shouldn't own /etc/bash_completion.d https://bugzilla.redhat.com/show_bug.cgi?id=1192805 -------------------------------------------------------------------------------- ================================================================================ dnssec-trigger-0.12-20.fc22 (FEDORA-2015-3864) NetworkManager plugin to update/reconfigure DNSSEC resolving -------------------------------------------------------------------------------- Update Information: several bugs fixed -------------------------------------------------------------------------------- ChangeLog: * Wed Apr 8 2015 Tomas Hozza <tho...@redhat.com> - 0.12-20 - Fix issue when installing private address range zone without global forwarders (#1205864) - Fix configuration of private address range zones (#1128310#c20) * Fri Mar 13 2015 Tomas Hozza <tho...@redhat.com> - 0.12-19 - Fix typo in the dnssec-trigger-script (#1187371) - Use Python3 by default -------------------------------------------------------------------------------- References: [ 1 ] Bug #1187371 - [abrt] dnssec-trigger: dnssec-trigger-script:60:Config:NameError: name 'TRUE' is not defined https://bugzilla.redhat.com/show_bug.cgi?id=1187371 [ 2 ] Bug #1185796 - fix switching between secure and insecure forward zones https://bugzilla.redhat.com/show_bug.cgi?id=1185796 [ 3 ] Bug #1130502 - search domains are not tried out for name resolution with dnssec-trigger https://bugzilla.redhat.com/show_bug.cgi?id=1130502 [ 4 ] Bug #1105685 - privacy: add an option to /etc/dnssec.conf to avoid flushing positive answers https://bugzilla.redhat.com/show_bug.cgi?id=1105685 [ 5 ] Bug #1128310 - in-addr.arpa queries for private IP ranges doesn't work if fallback servers are used https://bugzilla.redhat.com/show_bug.cgi?id=1128310 [ 6 ] Bug #1183975 - [abrt] dnssec-trigger: subprocess.py:1327:_execute_child:OSError: [Errno 2] No such file or directory https://bugzilla.redhat.com/show_bug.cgi?id=1183975 [ 7 ] Bug #1165126 - dnssec-trigger: publish the list of nameservers trusted for DNSSEC validation https://bugzilla.redhat.com/show_bug.cgi?id=1165126 [ 8 ] Bug #1125267 - turn /etc/resolv.conf into a symlink to dnssec-trigger's temporary file https://bugzilla.redhat.com/show_bug.cgi?id=1125267 [ 9 ] Bug #1089766 - option to prefer VPN DNS servers over default connection ones https://bugzilla.redhat.com/show_bug.cgi?id=1089766 [ 10 ] Bug #1112248 - dnssec-trigger-script fails to configure unbound on dnssec-triggerd restart https://bugzilla.redhat.com/show_bug.cgi?id=1112248 [ 11 ] Bug #824219 - dnssec: unbound fails to validate wildcard records when dnssec-trigger uses a broken bind as forwarder https://bugzilla.redhat.com/show_bug.cgi?id=824219 [ 12 ] Bug #1205864 - [abrt] dnssec-trigger: dnssec-trigger-script:278:_commit:KeyError: 'c.f.ip6.arpa' https://bugzilla.redhat.com/show_bug.cgi?id=1205864 -------------------------------------------------------------------------------- ================================================================================ echoping-6.1-0.beta.r434svn.1.fc22 (FEDORA-2015-5878) TCP performance test to measure response time of network hosts -------------------------------------------------------------------------------- Update Information: Updated to latest SVN, fixing various bugs. -------------------------------------------------------------------------------- ChangeLog: * Wed Feb 25 2015 Andreas Thienemann <andr...@bawue.net> - 6.1-0.beta.r434svn.1 - Updated to latest SVN, fixing #705174 and #1007031 - Removed so versioning and fixed module loading, fixing #460557 and #1032547 -------------------------------------------------------------------------------- References: [ 1 ] Bug #705174 - echoping: boundary error in SSL-related functions can lead to buffer overflow [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=705174 [ 2 ] Bug #1007031 - echoping segfaults all the time https://bugzilla.redhat.com/show_bug.cgi?id=1007031 [ 3 ] Bug #460557 - echoping : Package and software are in a desolate state https://bugzilla.redhat.com/show_bug.cgi?id=460557 [ 4 ] Bug #1032547 - echoping doesn't seem to work (cannot open shared object file) https://bugzilla.redhat.com/show_bug.cgi?id=1032547 -------------------------------------------------------------------------------- ================================================================================ hwloc-1.10.1-2.fc22 (FEDORA-2015-5897) Portable Hardware Locality - portable abstraction of hierarchical architectures -------------------------------------------------------------------------------- Update Information: Update to 1.10.1 Fix hwloc issue on arm -------------------------------------------------------------------------------- ChangeLog: * Sat Apr 4 2015 Orion Poplwski <or...@cora.nwra.com> - 1.10.1-2 - Fix hwloc issue on arm * Wed Apr 1 2015 Orion Poplwski <or...@cora.nwra.com> - 1.10.1-1 - Update to version 1.10.1 -------------------------------------------------------------------------------- ================================================================================ libgovirt-0.3.3-1.fc22 (FEDORA-2015-5899) A GObject library for interacting with oVirt REST API -------------------------------------------------------------------------------- Update Information: Update to upstream release 0.3.3 -------------------------------------------------------------------------------- ChangeLog: * Wed Apr 8 2015 Christophe Fergeau <cferg...@redhat.com> 0.3.3-1 - Update to upstream release 0.3.3 -------------------------------------------------------------------------------- ================================================================================ libhif-0.2.0-1.fc22 (FEDORA-2015-5882) Simple package library built on top of hawkey and librepo -------------------------------------------------------------------------------- Update Information: - Update to new upstream versions -------------------------------------------------------------------------------- ChangeLog: * Wed Apr 8 2015 Richard Hughes <rich...@hughsie.com> 0.2.0-1 - Update to new upstream version - Add new API required for ostree * Sat Mar 28 2015 Kalev Lember <kalevlem...@gmail.com> - 0.1.8-7 - Fix broken -devel package requires * Mon Mar 16 2015 Than Ngo <t...@redhat.com> - 0.1.8-6 - bump release and rebuild so that koji-shadow can rebuild it against new gcc on secondary arch -------------------------------------------------------------------------------- ================================================================================ libinput-0.13.0-4.fc22 (FEDORA-2015-5900) Input device library -------------------------------------------------------------------------------- Update Information: Fix finger miscounts on single-touch touchpads (#1209151) Fix mouse slowdown (#1208992) Fix crasher triggered by fake MT devices without ABS_X/Y (#1207574) libinput 0.13.0 -------------------------------------------------------------------------------- ChangeLog: * Thu Apr 9 2015 Peter Hutterer <peter.hutte...@redhat.com> 0.13.0-4 - Fix finger miscounts on single-touch touchpads (#1209151) * Wed Apr 8 2015 Peter Hutterer <peter.hutte...@redhat.com> 0.13.0-3 - Fix mouse slowdown (#1208992) * Wed Apr 8 2015 Peter Hutterer <peter.hutte...@redhat.com> 0.13.0-2 - Fix crasher triggered by fake MT devices without ABS_X/Y (#1207574) * Tue Mar 24 2015 Peter Hutterer <peter.hutte...@redhat.com> 0.13.0-1 - libinput 0.13.0 -------------------------------------------------------------------------------- References: [ 1 ] Bug #1209151 - one finger tap registers as two or three finger tap https://bugzilla.redhat.com/show_bug.cgi?id=1209151 [ 2 ] Bug #1207574 - libinput makes X crash when connecting Logitech G600 mouse https://bugzilla.redhat.com/show_bug.cgi?id=1207574 [ 3 ] Bug #1206564 - libinput-0.13.0-1.fc22 slows down the mousepointer extremely https://bugzilla.redhat.com/show_bug.cgi?id=1206564 [ 4 ] Bug #1208992 - Mouse cursor doesn't move when moving the physical mouse slowly. https://bugzilla.redhat.com/show_bug.cgi?id=1208992 -------------------------------------------------------------------------------- ================================================================================ liblouis-2.6.2-1.fc22 (FEDORA-2015-5883) Braille translation and back-translation library -------------------------------------------------------------------------------- Update Information: This release fixes a long standing emphasis bug, adds more functionality to the harness test suite and improves, as usual, on Braille tables. Notably there is a brand new finish table backed by Celia. Braille table improvements: * Correction to comments in Norwegian generic tables * Corrections to dot patterns in no-no-g0.utb * Corrections and additional test cases for Hungarian grade 1 * New 6-dot table for Finnish. The existing tables for Finnish were 8-dot, but there is an official specification only for 6-dot braille in Finnish. -------------------------------------------------------------------------------- ChangeLog: * Wed Apr 8 2015 Martin Gieseking <martin.giesek...@uos.de> 2.6.2-1 - Updated to new upstream release. -------------------------------------------------------------------------------- ================================================================================ netcf-0.2.8-1.fc22 (FEDORA-2015-5885) Cross-platform network configuration library -------------------------------------------------------------------------------- Update Information: Security fix for CVE 2014-8119, as well as adding a few other minor bugfixes and enhancements (support for multiple IPv4 addresses, simultaneous static & dhcp for IPv4) -------------------------------------------------------------------------------- ChangeLog: * Wed Apr 8 2015 Laine Stump <la...@redhat.com> - 0.2.8-1 - rebase to netcf-0.2.8 - resolve CVE-2014-8119 - Fix build on systems with newer libnl3 that doesn't - support multiple IPv4 addresses in interface config (redhat driver) - allow static IPv4 config simultaneous with DHCPv4 (redhat driver) - recognize IPADDR0/NETMASK0/PREFIX0 - remove extra quotes from IPV6ADDR_SECONDARIES (redhat+suse drivers) - miscellaneous systemd service fixes - use git to apply patches in rpm specfile - revert the 0.2.6-2 specfile patch mentioned below (now fixed properly) -------------------------------------------------------------------------------- References: [ 1 ] Bug #1172176 - CVE-2014-8119 netcf: augeas path expression injection via interface name https://bugzilla.redhat.com/show_bug.cgi?id=1172176 -------------------------------------------------------------------------------- ================================================================================ perl-MCE-1.606-1.fc22 (FEDORA-2015-5889) Many-core Engine for Perl providing parallel processing capabilities -------------------------------------------------------------------------------- Update Information: A new version of MCE is available. See http://search.cpan.org/src/MARIOROY/MCE-1.606/CHANGES for details on changes in this release. A new version of MCE is available. See http://cpansearch.perl.org/src/MARIOROY/MCE-1.605/CHANGES for details on changes in this release. -------------------------------------------------------------------------------- ChangeLog: * Thu Apr 9 2015 Petr Šabata <con...@redhat.com> - 1.606-1 - 1.606 bump * Wed Apr 8 2015 Petr Šabata <con...@redhat.com> - 1.605-1 - 1.605 bump -------------------------------------------------------------------------------- References: [ 1 ] Bug #1210119 - perl-MCE-1.606 is available https://bugzilla.redhat.com/show_bug.cgi?id=1210119 [ 2 ] Bug #1209148 - perl-MCE-1.605 is available https://bugzilla.redhat.com/show_bug.cgi?id=1209148 -------------------------------------------------------------------------------- ================================================================================ perl-MetaCPAN-Client-1.012000-1.fc22 (FEDORA-2015-5886) A comprehensive, DWIM-featured client to the MetaCPAN API -------------------------------------------------------------------------------- Update Information: Current upstream maintenance release. -------------------------------------------------------------------------------- ChangeLog: * Thu Apr 9 2015 Paul Howarth <p...@city-fan.org> - 1.012000-1 - Update to 1.012000 - Added Mirror type and support for mirrors search in 'all' queries (GH#33) - Support 'ratings' search in 'all' queries (GH#33) - More example scripts: facets, top favorites, all authors blogs - Clean-up and documentation updates -------------------------------------------------------------------------------- ================================================================================ perl-Mixin-Linewise-0.108-1.fc22 (FEDORA-2015-5879) Write your linewise code for handles; this does the rest -------------------------------------------------------------------------------- Update Information: Current upstream maintenance release. -------------------------------------------------------------------------------- ChangeLog: * Thu Apr 9 2015 Paul Howarth <p...@city-fan.org> - 0.108-1 - Update to 0.108 - First argument can be options only if there are two arguments * Wed Apr 8 2015 Paul Howarth <p...@city-fan.org> - 0.107-1 - Update to 0.107 - Add leading hashref arg for passing binmode to read_string, write_string - Do not modify references of args passed to read_file, write_file - Remove redundant %{?perl_default_filter} - Use %license - Make %files list more explicit -------------------------------------------------------------------------------- ================================================================================ perl-Module-Signature-0.78-1.fc22 (FEDORA-2015-5904) CPAN signature management utilities and modules -------------------------------------------------------------------------------- Update Information: This update addresses various security issues in perl-Module-Signature as described below. The default behavior is also changed so as to ignore any MANIFEST.SKIP files unless a "skip" parameter is specified. An updated version of perl-Test-Signature that accounts for the changed default behaviour is included in this update. Security issues: * Module::Signature before version 0.75 could be tricked into interpreting the unsigned portion of a SIGNATURE file as the signed portion due to faulty parsing of the PGP signature boundaries. * When verifying the contents of a CPAN module, Module::Signature before version 0.75 ignored some files in the extracted tarball that were not listed in the signature file. This included some files in the t/ directory that would execute automatically during "make test". * Module::Signature before version 0.75 used two argument open() calls to read the files when generating checksums from the signed manifest. This allowed embedding arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process. * Module::Signature before version 0.75 has been loading several modules at runtime inside the extracted module directory. Modules like Text::Diff are not guaranteed to be available on all platforms and could be added to a malicious module so that they would load from the '.' path in @INC. -------------------------------------------------------------------------------- ChangeLog: * Thu Apr 9 2015 Paul Howarth <p...@city-fan.org> - 0.78-1 - Update to 0.78 - Fix verify() use from cpanm and CPAN.pm * Wed Apr 8 2015 Paul Howarth <p...@city-fan.org> - 0.77-1 - Update to 0.77 - Include the latest public keys of PAUSE, ANDK and AUDREYT - Clarify scripts/cpansign copyright to CC0 (#965126, CPAN RT#85466) * Wed Apr 8 2015 Paul Howarth <p...@city-fan.org> - 0.76-1 - Update to 0.76 - Fix signature tests by defaulting to verify(skip=>1) when $ENV{TEST_SIGNATURE} is true * Tue Apr 7 2015 Paul Howarth <p...@city-fan.org> - 0.75-1 - Update to 0.75 - Fix GPG signature parsing logic - MANIFEST.SKIP is no longer consulted unless --skip is given - Properly use open() modes to avoid injection attacks - More protection of @INC from relative paths - Don't try to run the signature test, which needs the network -------------------------------------------------------------------------------- References: [ 1 ] Bug #1209911 - perl-Module-Signature: unsigned files interpreted as signed in some circumstances https://bugzilla.redhat.com/show_bug.cgi?id=1209911 [ 2 ] Bug #1209915 - perl-Module-Signature: arbitrary code execution during test phase https://bugzilla.redhat.com/show_bug.cgi?id=1209915 [ 3 ] Bug #1209917 - perl-Module-Signature: arbitrary code execution when verifying module signatures https://bugzilla.redhat.com/show_bug.cgi?id=1209917 [ 4 ] Bug #1209918 - perl-Module-Signature: arbitrary modules loading in some circumstances https://bugzilla.redhat.com/show_bug.cgi?id=1209918 -------------------------------------------------------------------------------- ================================================================================ perl-Test-Signature-1.11-1.fc22 (FEDORA-2015-5904) Automated SIGNATURE testing -------------------------------------------------------------------------------- Update Information: This update addresses various security issues in perl-Module-Signature as described below. The default behavior is also changed so as to ignore any MANIFEST.SKIP files unless a "skip" parameter is specified. An updated version of perl-Test-Signature that accounts for the changed default behaviour is included in this update. Security issues: * Module::Signature before version 0.75 could be tricked into interpreting the unsigned portion of a SIGNATURE file as the signed portion due to faulty parsing of the PGP signature boundaries. * When verifying the contents of a CPAN module, Module::Signature before version 0.75 ignored some files in the extracted tarball that were not listed in the signature file. This included some files in the t/ directory that would execute automatically during "make test". * Module::Signature before version 0.75 used two argument open() calls to read the files when generating checksums from the signed manifest. This allowed embedding arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process. * Module::Signature before version 0.75 has been loading several modules at runtime inside the extracted module directory. Modules like Text::Diff are not guaranteed to be available on all platforms and could be added to a malicious module so that they would load from the '.' path in @INC. -------------------------------------------------------------------------------- ChangeLog: * Wed Apr 8 2015 Paul Howarth <p...@city-fan.org> - 1.11-1 - Update to 1.11 - Compatibility with Module::Signature 0.75+ - Classify buildreqs by usage - Don't use macros for commands - Avoid clobbering ~/.gnupg for local builds - Make %files list more explicit - Drop %defattr, redundant since rpm 4.4 - Import upstream's GPG key in %prep so we don't need to fetch it from a keyserver when running the signature test -------------------------------------------------------------------------------- References: [ 1 ] Bug #1209911 - perl-Module-Signature: unsigned files interpreted as signed in some circumstances https://bugzilla.redhat.com/show_bug.cgi?id=1209911 [ 2 ] Bug #1209915 - perl-Module-Signature: arbitrary code execution during test phase https://bugzilla.redhat.com/show_bug.cgi?id=1209915 [ 3 ] Bug #1209917 - perl-Module-Signature: arbitrary code execution when verifying module signatures https://bugzilla.redhat.com/show_bug.cgi?id=1209917 [ 4 ] Bug #1209918 - perl-Module-Signature: arbitrary modules loading in some circumstances https://bugzilla.redhat.com/show_bug.cgi?id=1209918 -------------------------------------------------------------------------------- ================================================================================ python-bugzilla-1.2.0-1.fc22 (FEDORA-2015-5880) A python library and tool for interacting with Bugzilla -------------------------------------------------------------------------------- Update Information: * Rebased to version 1.2.0 * Add bugzilla new/query/modify --field flag (Arun Babu Neelicattu) * API support for ExternalBugs (Arun Babu Neelicattu, Brian Bouterse) * Add new/modify --alias support (Adam Williamson) * Bugzilla.logged_in now returns live state (Arun Babu Neelicattu) * Fix getbugs API with latest Bugzilla releases -------------------------------------------------------------------------------- ChangeLog: * Wed Apr 8 2015 Cole Robinson <crobi...@redhat.com> - 1.2.0-1 - Rebased to version 1.2.0 - Add bugzilla new/query/modify --field flag (Arun Babu Neelicattu) - API support for ExternalBugs (Arun Babu Neelicattu, Brian Bouterse) - Add new/modify --alias support (Adam Williamson) - Bugzilla.logged_in now returns live state (Arun Babu Neelicattu) - Fix getbugs API with latest Bugzilla releases -------------------------------------------------------------------------------- ================================================================================ python-colour-runner-0.0.4-1.fc22 (FEDORA-2015-5901) Colour formatting for unittest tests -------------------------------------------------------------------------------- Update Information: Initial import of package -------------------------------------------------------------------------------- References: [ 1 ] Bug #1202303 - Review Request: python-colour-runner - Colour formatting for unittest test output https://bugzilla.redhat.com/show_bug.cgi?id=1202303 -------------------------------------------------------------------------------- ================================================================================ python-keystoneclient-kerberos-0.1.4-1.fc22 (FEDORA-2015-5881) Kerberos authentication for the OpenStack clients -------------------------------------------------------------------------------- Update Information: Update with new upstream package. Initial release -------------------------------------------------------------------------------- References: [ 1 ] Bug #1200672 - Review Request: python-keystoneclient-kerberos - Kerberos authentication for the OpenStack clients https://bugzilla.redhat.com/show_bug.cgi?id=1200672 -------------------------------------------------------------------------------- ================================================================================ python-modernize-0.4-1.fc22 (FEDORA-2015-5875) Modernizes Python code for eventual Python 3 migration -------------------------------------------------------------------------------- Update Information: Latest upstream. -------------------------------------------------------------------------------- ChangeLog: * Wed Apr 8 2015 Ralph Bean <rb...@redhat.com> - 0.4-1 - new version -------------------------------------------------------------------------------- ================================================================================ python-netaddr-0.7.14-1.fc22 (FEDORA-2015-5888) A pure Python network address representation and manipulation library -------------------------------------------------------------------------------- Update Information: New upstream release 0.7.14 -------------------------------------------------------------------------------- ChangeLog: * Wed Apr 1 2015 John Eckersberg <e...@redhat.com> - 0.7.14-1 - New upstream release 0.7.14 -------------------------------------------------------------------------------- ================================================================================ python-pelican-3.5.0-2.fc22 (FEDORA-2015-5876) A tool to generate a static blog from reStructuredText or Markdown input files -------------------------------------------------------------------------------- Update Information: add runtime requirement python-dateutil(rhbz#1204791) -------------------------------------------------------------------------------- ChangeLog: * Mon Mar 23 2015 Matthias Runge <mru...@redhat.com> - 3.5.0-2 - add runtime requirement python-dateutil(rhbz#1204791) -------------------------------------------------------------------------------- References: [ 1 ] Bug #1204791 - python-pelican should depend on python-dateutil https://bugzilla.redhat.com/show_bug.cgi?id=1204791 -------------------------------------------------------------------------------- ================================================================================ qpid-proton-0.9-3.fc22 (FEDORA-2015-5893) A high performance, lightweight messaging library -------------------------------------------------------------------------------- Update Information: Added a global excludes macro to fix EL6 issues with example Perl modules. Marked the examples in -c-devel as doc. Rebased on Proton 0.9. -------------------------------------------------------------------------------- ChangeLog: * Wed Apr 8 2015 Darryl L. Pierce <dpie...@redhat.com> - 0.9-3 - Added a global excludes macro to fix EL6 issues with example Perl modules. * Wed Apr 8 2015 Darryl L. Pierce <dpie...@redhat.com> - 0.9-2 - Marked the examples in -c-devel as doc. - Turned off the executable flag on all files under examples. * Mon Apr 6 2015 Darryl L. Pierce <dpie...@redhat.com> - 0.9-1 - Rebased on Proton 0.9. - Removed the proton binary from qpid-proton-c. - Added the perl-qpid-proton subpackage. -------------------------------------------------------------------------------- ================================================================================ roxterm-2.9.7-1.fc22 (FEDORA-2015-5892) A fast terminal emulator -------------------------------------------------------------------------------- Update Information: * Fixed scheme CLI switches (ticket #110) * --tab tries to use most recently focused win * Fix maximise and full screen buttons in profile * Fade text in unselected tabs * Recognise _NET_WM_DESKTOP value 0xffffffff * Check for unset $EDITOR when editing shortcuts -------------------------------------------------------------------------------- ChangeLog: * Sun Apr 5 2015 Christopher Meng <r...@cicku.me> - 2.9.7-1 - Update to 2.9.7 -------------------------------------------------------------------------------- References: [ 1 ] Bug #1207456 - roxterm-2.9.7 is available https://bugzilla.redhat.com/show_bug.cgi?id=1207456 -------------------------------------------------------------------------------- ================================================================================ rpm-ostree-2015.3-7.fc22 (FEDORA-2015-5905) Client side upgrade program and server side compose tool -------------------------------------------------------------------------------- Update Information: Add patch to use yum-deprecated -------------------------------------------------------------------------------- ChangeLog: * Wed Apr 8 2015 Colin Walters <walt...@redhat.com> - 2015.3-7 - Add patch to use yum-deprecated Resolves: #1209695 -------------------------------------------------------------------------------- References: [ 1 ] Bug #1209695 - yum/dnf changes break composoing ostree trees https://bugzilla.redhat.com/show_bug.cgi?id=1209695 -------------------------------------------------------------------------------- ================================================================================ samba-4.2.0-3.fc22 (FEDORA-2015-5898) Server and Client software to interoperate with Windows machines -------------------------------------------------------------------------------- Update Information: Fix libsystemd detection. -------------------------------------------------------------------------------- ChangeLog: * Wed Apr 8 2015 Andreas Schneider <a...@redhat.com> - 4.2.0-3 - resolves: #1207381 - Fix libsystemd detection. -------------------------------------------------------------------------------- References: [ 1 ] Bug #1207381 - regression: smbd startup fails after update to 4.2.0-2.fc22 https://bugzilla.redhat.com/show_bug.cgi?id=1207381 -------------------------------------------------------------------------------- ================================================================================ setroubleshoot-3.2.23-1.fc22 (FEDORA-2015-5884) Helps troubleshoot SELinux problems -------------------------------------------------------------------------------- Update Information: setroubleshootd is set to be run as setroubleshoot user instead of root user, plugin fix commands are not execeted using shell anymore, bugfixes/ -------------------------------------------------------------------------------- ChangeLog: * Thu Apr 9 2015 Petr Lautrbach <plaut...@redhat.com> 3.2.23-1 - setroubleshootd is set to be run as setroubleshoot user instead of root user - several bugfixes -------------------------------------------------------------------------------- References: [ 1 ] Bug #1144580 - sealert prints error to stdout https://bugzilla.redhat.com/show_bug.cgi?id=1144580 [ 2 ] Bug #1144555 - `sealert -a` False behaves as `sealert -a -` https://bugzilla.redhat.com/show_bug.cgi?id=1144555 [ 3 ] Bug #1174230 - [abrt] setroubleshoot-server: ConfigParser.py:743:set:TypeError: option values must be strings https://bugzilla.redhat.com/show_bug.cgi?id=1174230 -------------------------------------------------------------------------------- ================================================================================ tor-0.2.5.12-1.fc22 (FEDORA-2015-5890) Anonymizing overlay network for TCP (The onion router) -------------------------------------------------------------------------------- Update Information: Update to upstream release 0.2.5.12. Update to upstream release 0.2.5.11. -------------------------------------------------------------------------------- ChangeLog: * Tue Apr 7 2015 Jamie Nguyen <jamieli...@fedoraproject.org> - 0.2.5.12-1 - update to upstream release 0.2.5.12 * Mon Mar 23 2015 Jamie Nguyen <jamieli...@fedoraproject.org> - 0.2.5.11-1 - update to upstream release 0.2.5.11 -------------------------------------------------------------------------------- References: [ 1 ] Bug #1209804 - CVE-2015-2928 CVE-2015-2929 tor: multiple issues fixed in the new upstream releases https://bugzilla.redhat.com/show_bug.cgi?id=1209804 [ 2 ] Bug #1204773 - CVE-2015-2688 CVE-2015-2689 tor: security fixes in 0.2.4.26 and 0.2.5.11 https://bugzilla.redhat.com/show_bug.cgi?id=1204773 -------------------------------------------------------------------------------- ================================================================================ vertica-python-0.3.5-1.fc22 (FEDORA-2015-5887) A native Python adapter for the Vertica database -------------------------------------------------------------------------------- Update Information: update to version 0.3.5 -------------------------------------------------------------------------------- ChangeLog: * Wed Apr 8 2015 Jakub Jedelsky <jakub.jedel...@gmail.com> - 0.3.5-1 - update to version 0.3.5 -------------------------------------------------------------------------------- References: [ 1 ] Bug #1209692 - vertica-python-v0.3.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=1209692 -------------------------------------------------------------------------------- -- test mailing list test@lists.fedoraproject.org To unsubscribe: https://admin.fedoraproject.org/mailman/listinfo/test
