The following Fedora EPEL 6 Security updates need testing: Age URL 617 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2011-4701/supybot-gribble-0.83.4.1-10.el6 429 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-5620/bugzilla-3.4.14-2.el6 24 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-6034/heat-jeos-9-1.el6 18 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-6090/ssmtp-2.61-20.el6 13 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-10418/python-feedparser-5.1.2-2.el6 10 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-10445/fail2ban-0.8.10-1.el6 4 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-10532/python-bugzilla-0.9.0-1.el6 3 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-10581/glpi-0.83.9-1.el6 0 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-10586/rubygem-passenger-3.0.21-3.el6 0 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-10617/wordpress-3.5.2-1.el6 0 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-10621/openstack-keystone-2012.2.4-5.el6 0 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-10623/ReviewBoard-1.7.10-1.el6
The following builds have been pushed to Fedora EPEL 6 updates-testing ReviewBoard-1.7.10-1.el6 openstack-keystone-2012.2.4-5.el6 python-tahrir-api-0.2.2-1.el6 rubygem-gssapi-1.1.2-1.el6 sx-2.15-1.el6 tcpcopy-0.8.0-3.el6 wordpress-3.5.2-1.el6 Details about builds: ================================================================================ ReviewBoard-1.7.10-1.el6 (FEDORA-EPEL-2013-10623) Web-based code review tool -------------------------------------------------------------------------------- Update Information: New upstream release 1.7.10 - http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.10/ - Security Updates: * Fixed an XSS vulnerability where users could trigger script errors under certain conditions in auto-complete widgets - Web API Changes: * Added n ?order-by=<fieldname> query parameter for comment resources, allowing ordering by fields such as line numbers (for diff comments) * Added a filename field to screenshot resources, which provides the base filename (without path) of the screenshot * Added a review_url field to screenshot resources, which provides the URL to the screenshot review page * Added a thumbnail_url field to screenshot comment resources, which provides the URL to the snippet of the screenshot being commented on * Added a link_text field to file attachment comment resources, which shows the text for any link pointing to the file. This may differ depending on the comment * Added a review_url field to file attachment comment resources, which provides the URL to the review page for the file * Added a thumbnail_html field to file attachment comment resources, which provides HTML for rendering the thumbnail of the portion of the file being rendered, if any - UI Changes: * Improved the look and feel of the issue summary table. It’s cleaner and no longer looks odd with long comment text - Bug Fixes: * Fixed periodic but harmless JavaScript errors when removing elements with relative timestamps * Editing or reordering dashboard columns no longer breaks after the dashboard reloads * Relative timestamps in the dashboard no longer break after the dashboard reloads * The maximum size of the timezone has increased, allowing for longer timezone strings -------------------------------------------------------------------------------- ChangeLog: * Mon Jun 24 2013 Stephen Gallagher <sgall...@redhat.com> - 1.7.10-1 - New upstream release 1.7.10 - http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.10/ - Security Updates: * Fixed an XSS vulnerability where users could trigger script errors under certain conditions in auto-complete widgets - Web API Changes: * Added n ?order-by=<fieldname> query parameter for comment resources, allowing ordering by fields such as line numbers (for diff comments) * Added a filename field to screenshot resources, which provides the base filename (without path) of the screenshot * Added a review_url field to screenshot resources, which provides the URL to the screenshot review page * Added a thumbnail_url field to screenshot comment resources, which provides the URL to the snippet of the screenshot being commented on * Added a link_text field to file attachment comment resources, which shows the text for any link pointing to the file. This may differ depending on the comment * Added a review_url field to file attachment comment resources, which provides the URL to the review page for the file * Added a thumbnail_html field to file attachment comment resources, which provides HTML for rendering the thumbnail of the portion of the file being rendered, if any - UI Changes: * Improved the look and feel of the issue summary table. It’s cleaner and no longer looks odd with long comment text - Bug Fixes: * Fixed periodic but harmless JavaScript errors when removing elements with relative timestamps * Editing or reordering dashboard columns no longer breaks after the dashboard reloads * Relative timestamps in the dashboard no longer break after the dashboard reloads * The maximum size of the timezone has increased, allowing for longer timezone strings * Mon Jun 3 2013 Stephen Gallagher <sgall...@redhat.com> - 1.7.9-1 - New upstream release 1.7.9 - http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.9/ - API Changes: * Added new blocks and depends_on fields to the Review Request resource - Bug Fixes: * Fixed the max_length of the new HostingServiceAccount.hosting_url field * Fixed the documentation for the cgit configuration for Git * Fixed the cgit URL for Fedora Hosted * Mon Jun 3 2013 Stephen Gallagher <sgall...@redhat.com> - 1.7.8.1-1 - New upstream release 1.7.8.1 - http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.8.1/ - Bug Fixes: * Fixed a regression with saving repositories that don't use hosting services - Misc. Changes: * Compatibility changes for the upcoming PDF review plugin - New upstream release 1.7.8 - http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.8/ - New Features: * Added Depends On and Blocks fields to review requests * Added an improved support page * Added the ability to set where Get Support takes users * Added improved logging for many operations - Performance Improvements: * Reduced the upload time for many new diffs * The templates used for rendering the various pages are now cached after the first render, speeding up the rendering for any future renders. We've seen speedups of ~100-120ms for review request pages - Usability Improvements: * The review request actions are now larger, making them more visible and easier to hit, particularly on touch screens * Clicking Fixed, Drop or Re-open now keeps the page in the same scroll position * The dashboard now reloads dynamically, without reloading the entire page * The comment dialog now tells you when you can't make a comment (due to being logged out or reviewing something that's part of a draft - API Changes * Fixed deleting pending replies to comments * Fixed some issues returning certain lists of data - Extensibility Improvements: * Extensions can now customize their metadata directly in the Extension class * TemplateHooks can now render their own content by overriding render_to_string() * NavigationBarHook can now take a url_name parameter specifying the URL name to link to * Review UIs can now specify the link and link text for any comments on a review by overriding get_comment_link_url() and get_comment_link_text() * Custom hosting services can now be registered/unregistered by extensions by using register_hosting_service() and unregister_hosting_service() (from reviewboard.hostingsvcs.service) * Added the ability to more easily write hosting services support that works for self-installable services - Bug Fixes: * Added missing repository validation for Mercurial repositories * Fixed replying to comments on file attachments that have since been removed * Fixed the display of the upload dialogs when viewing a file attachment * Comments on file attachments in e-mails now link to the correct review UI handling the file * Worked around rare issues where a reset of the Open An Issue default for a user would cause pages to break - Misc Changes: * E-mails now show the user’s full name instead of just their first name * The New Review Request page now mentions RBTools instead of just post-review -------------------------------------------------------------------------------- References: [ 1 ] Bug #977423 - CVE-2013-2209 ReviewBoard: Stored XSS due improper sanitization of user's full name in the reviews dropdown https://bugzilla.redhat.com/show_bug.cgi?id=977423 -------------------------------------------------------------------------------- ================================================================================ openstack-keystone-2012.2.4-5.el6 (FEDORA-EPEL-2013-10621) OpenStack Identity Service -------------------------------------------------------------------------------- Update Information: Updated to stable folsom release 2012.2.4 Force simple Bind for authentication CVE-2013-2157 authtoken: Check token expiry CVE-2013-2104 Revoke tokens on user delete CVE-2013-2059 authtoken: Securely create signing_dir CVE-2013-2030 Avoid potential disclosure in log files CVE-2013-2006 Fix online revocation check for PKI tokens CVE-2013-1865 -------------------------------------------------------------------------------- ChangeLog: * Sat Jun 22 2013 ape...@redhat.com 2012.2.4-5 - Force simple Bind for authentication CVE-2013-2157 * Wed Jun 12 2013 Alan Pevec <ape...@redhat.com> 2012.2.4-4 - authtoken: Check token expiry CVE-2013-2104 * Mon May 13 2013 Alan Pevec <ape...@redhat.com> 2012.2.4-3 - authtoken: Securely create signing_dir CVE-2013-2030 - Revoke tokens on user delete CVE-2013-2059 * Thu Apr 25 2013 Alan Pevec <ape...@redhat.com> 2012.2.4-2 - avoid potential disclosure in log files CVE-2013-2006 - restrict /var/log/keystone/ rhbz#956814 * Thu Apr 11 2013 Alan Pevec <ape...@redhat.com> 2012.2.4-1 - updated to stable folsom release 2012.2.4 * Fri Mar 29 2013 Alan Pevec <ape...@redhat.com> 2012.2.3-5 - Fix online revocation check for PKI tokens CVE-2013-1865 -------------------------------------------------------------------------------- References: [ 1 ] Bug #971884 - CVE-2013-2157 openstack-keystone: Authentication bypass when using LDAP backend https://bugzilla.redhat.com/show_bug.cgi?id=971884 [ 2 ] Bug #956474 - OpenStack keystone: /var/log/keystone/ is world readable https://bugzilla.redhat.com/show_bug.cgi?id=956474 [ 3 ] Bug #965852 - CVE-2013-2104 OpenStack Keystone: Missing expiration check in Keystone PKI token validation https://bugzilla.redhat.com/show_bug.cgi?id=965852 [ 4 ] Bug #956007 - CVE-2013-2006 OpenStack keystone: DEBUG level LDAP password disclosure in log files https://bugzilla.redhat.com/show_bug.cgi?id=956007 [ 5 ] Bug #922230 - CVE-2013-1865 OpenStack keystone: online validation of Keystone PKI tokens bypasses revocation check https://bugzilla.redhat.com/show_bug.cgi?id=922230 -------------------------------------------------------------------------------- ================================================================================ python-tahrir-api-0.2.2-1.el6 (FEDORA-EPEL-2013-10616) An API for interacting with the Tahrir database -------------------------------------------------------------------------------- Update Information: Add alembic scripts. -------------------------------------------------------------------------------- ChangeLog: * Sun Jun 23 2013 Ralph Bean <rb...@redhat.com> - 0.2.2-1 - Add alembic upgrade scripts. - Add check section with tests. * Sun Jun 23 2013 Ralph Bean <rb...@redhat.com> - 0.2.1-1 - Bugfix - stop leaking sqlalchemy sessions. - API enhancement - can query for user by username, id, or email now. * Thu Jun 20 2013 Ralph Bean <rb...@redhat.com> - 0.2.0-1 - API enhancements. * Thu Jun 13 2013 Ralph Bean <rb...@redhat.com> - 0.1.8-6 - Use paste-deploy1.5 forward compat package. - Use zope-interface4 forward compat package. * Thu Jun 13 2013 Ralph Bean <rb...@redhat.com> - 0.1.8-5 - Added dep on zope.interface. * Thu Jun 13 2013 Ralph Bean <rb...@redhat.com> - 0.1.8-4 - Conditional mako0.4 requirement for epel6. * Thu Jun 13 2013 Ralph Bean <rb...@redhat.com> - 0.1.8-3 - More epel6 fixes. * Thu Jun 13 2013 Ralph Bean <rb...@redhat.com> - 0.1.8-2 - Conditionalize sqlalchemy forward compat package for epel6. * Fri Jun 7 2013 Ralph Bean <rb...@redhat.com> - 0.1.8-1 - New Invitations API. - Bugfixes to other API functions. - Relicense to GPLv3+ -------------------------------------------------------------------------------- ================================================================================ rubygem-gssapi-1.1.2-1.el6 (FEDORA-EPEL-2013-10620) A FFI wrapper around the system GSSAPI library -------------------------------------------------------------------------------- Update Information: Newly packaged gssapi ruby gem. -------------------------------------------------------------------------------- References: [ 1 ] Bug #975339 - Review Request: rubygem-gssapi - A FFI wrapper around the system GSSAPI library https://bugzilla.redhat.com/show_bug.cgi?id=975339 -------------------------------------------------------------------------------- ================================================================================ sx-2.15-1.el6 (FEDORA-EPEL-2013-10622) Tool to extract reports and run plug-ins against those extracted reports -------------------------------------------------------------------------------- Update Information: New upstream release to resolve bugs and add new features enhancements. No backward compatibility issues known. -------------------------------------------------------------------------------- ChangeLog: * Thu Jun 20 2013 Shane Bradley <sbrad...@redhat.com>- 2.15-0.0 - bz955343: There was incorrect labeling on cluster.py when there was no rpms found, instead of being split by HA and RS, they are split by packages and module-packages. - Changed the chkconfig cluster service summary output to display enabled and disabled services. - Modified bonding mode check for clusterevaluator since there is some new supported modes. - A devicemapper parser error when libudev entries were in the files for dmsetup_info and lvs. - Fix all the urls since kcs changed. - Added a catch all exception that will write a debug file if uncaught exception is raised. - Added a check and summary output for transport mode which includes: broadcast, multicast, and updu. - Added code to check all valid values for attributes that can be enabled and disabled for /etc/cluster/cluster.conf. - Fixed parsing of sos_commands/startup/chkconfig_--list for spanish words. -------------------------------------------------------------------------------- References: [ 1 ] Bug #977243 - Update to sx-2.15 https://bugzilla.redhat.com/show_bug.cgi?id=977243 -------------------------------------------------------------------------------- ================================================================================ tcpcopy-0.8.0-3.el6 (FEDORA-EPEL-2013-10624) An online request replication tool -------------------------------------------------------------------------------- Update Information: New RPM. -------------------------------------------------------------------------------- References: [ 1 ] Bug #967482 - Review Request: tcpcopy - An online request replication tool https://bugzilla.redhat.com/show_bug.cgi?id=967482 -------------------------------------------------------------------------------- ================================================================================ wordpress-3.5.2-1.el6 (FEDORA-EPEL-2013-10617) Blog tool and publishing platform -------------------------------------------------------------------------------- Update Information: WordPress 3.5.2 is now available. This is the second maintenance release of 3.5, fixing 12 bugs. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. The WordPress security team resolved seven security issues, and this release also contains some additional security hardening. The security fixes included: - Blocking server-side request forgery attacks, which could potentially enable an attacker to gain access to a site. - Disallow contributors from improperly publishing posts, reported by Konstantin Kovshenin, or reassigning the post’s authorship, reported by Luke Bryan. - An update to the SWFUpload external library to fix cross-site scripting vulnerabilities. Reported by mala and Szymon Gruszecki. (Developers: More on SWFUpload here.) - Prevention of a denial of service attack, affecting sites using password-protected posts. - An update to an external TinyMCE library to fix a cross-site scripting vulnerability. Reported by Wan Ikram. - Multiple fixes for cross-site scripting. Reported by Andrea Santese and Rodrigo. - Avoid disclosing a full file path when a upload fails. Reported by Jakub Galczyk. -------------------------------------------------------------------------------- ChangeLog: * Mon Jun 24 2013 Remi Collet <rcol...@redhat.com> - 3.5.2-1 - version 3.5.2, various bug and security fixes: CVE-2013-2173 CVE-2013-2199 CVE-2013-2200 CVE-2013-2201 CVE-2013-2202 CVE-2013-2203 CVE-2013-2204 -------------------------------------------------------------------------------- References: [ 1 ] Bug #976784 - CVE-2013-2199 CVE-2013-2200 CVE-2013-2201 CVE-2013-2202 CVE-2013-2203 CVE-2013-2204 CVE-2013-2205 wordpress: Multiple security flaws to be corrected within upstream 3.5.2 version https://bugzilla.redhat.com/show_bug.cgi?id=976784 [ 2 ] Bug #973254 - CVE-2013-2173 wordpress: DoS when computing user-input hash for certain password protected blogs https://bugzilla.redhat.com/show_bug.cgi?id=973254 -------------------------------------------------------------------------------- _______________________________________________ epel-devel mailing list epel-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/epel-devel