The following Fedora EPEL 5 Security updates need testing:
 Age  URL
 500  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-5630/bugzilla-3.2.10-5.el5
 395  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-6608/Django-1.1.4-2.el5
  15  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11276/ssmtp-2.61-21.el5
  13  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11300/drupal7-theme-zen-5.4-1.el5
   9  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11336/lighttpd-1.4.32-1.el5
   3  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11396/cacti-0.8.8b-2.el5
   1  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11418/graphite-web-0.9.12-1.el5
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11448/perl-Crypt-DSA-0.14-8.el5


The following builds have been pushed to Fedora EPEL 5 updates-testing

    perl-Crypt-DSA-0.14-8.el5
    rubygem-rest-client-1.6.7-1.el5

Details about builds:


================================================================================
 perl-Crypt-DSA-0.14-8.el5 (FEDORA-EPEL-2013-11448)
 Perl module for DSA signatures and key generation
--------------------------------------------------------------------------------
Update Information:

As the 2009 Debian PGP disaster relating to DSA taught, the randomness source
is extremely important. On systems without /dev/random, Crypt::DSA falls back
to using Data::Random. Data::Random uses rand(), about which the perldoc says
"rand() is not cryptographically secure. You should not rely on it in
security-sensitive situations." In the case of DSA this is even worse: using
an insecure randomness source can compromise the signing key as soon as a
single message is signed.

See: http://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/

It might seem that this would not affect Linux, since /dev/random is always
available and so the fallback to Data::Random would never happen. However, if
an application is confined by a MAC system such as SELinux, policy can deny
access to /dev/random, and the fallback would then be triggered.
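As an added illustration (not part of this update or of Crypt::DSA itself), a toy
DSA implementation in Python: signing several messages with a nonce drawn from a
predictable PRNG, as the Data::Random fallback would, repeats k and therefore r,
which a reviewer of collected signatures can flag as a sign that the signing key
is exposed, while nonces from the OS CSPRNG do not repeat. The group parameters,
messages and the weak PRNG model are constructed for this example.

```python
import hashlib, random, secrets
from collections import Counter

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def dsa_params():
    # Toy DSA group (constructed, not real-world sizes): q = first prime above 10^6, p = k*q + 1, g of order q
    q, k = next(n for n in range(10**6, 10**7) if is_prime(n)), 2
    while not is_prime(k * q + 1):
        k += 2
    p = k * q + 1
    g = next(v for v in (pow(h, (p - 1) // q, p) for h in range(2, 100)) if v != 1)
    return p, q, g

def hash_mod_q(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def sign(p, q, g, x, msg, k):
    # Standard DSA: r = (g^k mod p) mod q, s = k^-1 (H(m) + x r) mod q
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (hash_mod_q(msg, q) + x * r) % q
    return r, s

def verify(p, q, g, y, msg, r, s):
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    v = pow(g, hash_mod_q(msg, q) * w % q, p) * pow(y, r * w % q, p) % p
    return v % q == r

def weak_nonce(q, seed=42):
    # Constructed model of the insecure fallback: a non-cryptographic PRNG seeded from predictable state, so k repeats
    return random.Random(seed).randrange(1, q)

def strong_nonce(q):
    return secrets.randbelow(q - 1) + 1   # OS CSPRNG, uniform in [1, q-1]

def repeated_r(sigs):
    # The same r under one key means the same k was used twice; flag it
    return {r for r, n in Counter(r for r, _ in sigs).items() if n > 1}

def run(nonce_fn, n=10):
    p, q, g = dsa_params()
    x = strong_nonce(q)                  # private key
    y = pow(g, x, p)                     # public key
    msgs = [b"message %d" % i for i in range(n)]
    sigs = [sign(p, q, g, x, m, nonce_fn(q)) for m in msgs]
    valid = all(verify(p, q, g, y, m, *s) for m, s in zip(msgs, sigs))
    return valid, repeated_r(sigs)
```

`run(weak_nonce)` returns valid signatures together with one repeated r value; `run(strong_nonce)` returns valid signatures and no repeats.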

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #743567 - CVE-2011-3599 perl-Crypt-DSA: Cryptographically insecure method used for random numbers generation on systems without /dev/random
        https://bugzilla.redhat.com/show_bug.cgi?id=743567
--------------------------------------------------------------------------------


================================================================================
 rubygem-rest-client-1.6.7-1.el5 (FEDORA-EPEL-2013-11450)
 Simple REST client for Ruby
--------------------------------------------------------------------------------
Update Information:

Version 1.6.7
--------------------------------------------------------------------------------
ChangeLog:

* Wed Sep  4 2013 Michal Fojtik <mfoj...@redhat.com> - 1.6.7-1
- Update to 1.6.7
* Mon Mar 21 2011 Michal Fojtik <mfoj...@redhat.com> - 1.4.0-7
- Reverted to old version
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #672213 - request to upgrade package version
        https://bugzilla.redhat.com/show_bug.cgi?id=672213
--------------------------------------------------------------------------------

_______________________________________________
epel-devel mailing list
epel-devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/epel-devel