The following Fedora EPEL 6 Security updates need testing:

 Age URL
 774 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-5620/bugzilla-3.4.14-2.el6
 121 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-0440/fwsnort-1.6.4-1.el6
 106 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-0590/oath-toolkit-2.0.2-4.el6
  65 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1011/php-ZendFramework-1.12.5-1.el6
  19 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1414/gajim-0.14.4-4.el6
  15 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1471/chicken-4.8.0.6-2.el6
  11 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1477/drupal7-views-3.8-1.el6
  11 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1475/moodle-2.4.10-1.el6
   7 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1522/check-mk-1.2.4p2-2.el6
   5 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1536/xmlsec1-1.2.19-3.el6
   1 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1563/mono-2.10.8-2.el6,libgdiplus-2.10-1.el6
   0 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1572/chkrootkit-0.49-9.el6
The following builds have been pushed to Fedora EPEL 6 updates-testing

    chkrootkit-0.49-9.el6
    davix-0.3.1-1.el6
    perl-Net-Statsd-0.08-1.el6
    python-moksha-hub-1.3.3-1.el6
    python-pyramid-chameleon-0.1-1.el6
    python-rxjson-0.2-1.el6
    tomcat-native-1.1.30-1.el6
    zabbix20-2.0.12-1.el6

Details about builds:

================================================================================
 chkrootkit-0.49-9.el6 (FEDORA-EPEL-2014-1572)
 Tool to locally check for signs of a rootkit
--------------------------------------------------------------------------------
Update Information:

A quoting issue was found in chkrootkit which would lead to a file in /tmp/ being executed, if /tmp/ was mounted without the noexec option. chkrootkit is typically run as the root user. A local attacker could use this flaw to escalate their privileges.

The problematic part was:

file_port=$file_port $i

Which is changed to

file_port="$file_port $i"

to fix the issue.

From the Debian diff:

--- chkrootkit-0.49.orig/debian/patches/CVE-2014-0476.patch
+++ chkrootkit-0.49/debian/patches/CVE-2014-0476.patch
@@ -0,0 +1,13 @@ +Index: chkrootkit/chkrootkit +=================================================================== +--- chkrootkit.orig/chkrootkit ++++ chkrootkit/chkrootkit +@@ -117,7 +117,7 @@ slapper (){ + fi + for i in ${SLAPPER_FILES}; do + if [ -f ${i} ]; then +- file_port=$file_port $i ++ file_port="$file_port $i" + STATUS=1 + fi + done Acknowledgements: Red Hat would like to thank Thomas Stangner for reporting this issue. -------------------------------------------------------------------------------- ChangeLog: * Wed Jun 4 2014 Jon Ciesla <limburg...@gmail.com> - 0.49-9 - Patch for CVE-2014-0476, BZ 1104456, 11044567. -------------------------------------------------------------------------------- References: [ 1 ] Bug #1104456 - CVE-2014-0476 chkrootkit: local privilege escalation [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1104456 [ 2 ] Bug #1104457 - CVE-2014-0476 chkrootkit: local privilege escalation [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=1104457 -------------------------------------------------------------------------------- ================================================================================ davix-0.3.1-1.el6 (FEDORA-EPEL-2014-1577) Toolkit for Http-based file management -------------------------------------------------------------------------------- Update Information: davix 0.3.1 release, see RELEASE-NOTES for changes -------------------------------------------------------------------------------- ChangeLog: * Wed Jun 4 2014 Adrien Devresse <adevress at cern.ch> - 0.3.1-1 - davix 0.3.1 release, see RELEASE-NOTES for changes * Tue Jun 3 2014 Adrien Devresse <adevress at cern.ch> - 0.3.0-1 - davix 0.3.0 release, see RELEASE-NOTES for changes * Tue Jan 28 2014 Adrien Devresse <adevress at cern.ch> - 0.2.10-1 - davix 0.2.10 release, see RELEASE-NOTES for details -------------------------------------------------------------------------------- 
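Review bot: the one-line change is the correct and minimal fix. In POSIX shell, `file_port=$file_port $i` is parsed as a temporary variable assignment prefixed to the command `$i`, so every `${SLAPPER_FILES}` entry that passes the `-f` test is executed rather than appended to the list; the quoted form `file_port="$file_port $i"` turns the whole right-hand side into a single assignment word and nothing is run. The unchanged context line `if [ -f ${i} ]; then` still expands `${i}` unquoted; `[ -f "${i}" ]` would be the defensive spelling should any entry ever contain whitespace or glob characters. Separately, the ChangeLog entry cites BZ 11044567 while the References list gives Bug #1104457; one of the two looks mistyped.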
================================================================================
 perl-Net-Statsd-0.08-1.el6 (FEDORA-EPEL-2014-1570)
 Sends statistics to the stats daemon over UDP
--------------------------------------------------------------------------------
Update Information:

Initial release
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1103466 - Review Request: perl-Net-Statsd - Sends statistics to the stats daemon over UDP
        https://bugzilla.redhat.com/show_bug.cgi?id=1103466
--------------------------------------------------------------------------------

================================================================================
 python-moksha-hub-1.3.3-1.el6 (FEDORA-EPEL-2014-1571)
 Hub components for Moksha
--------------------------------------------------------------------------------
Update Information:

Threaded polling producer API.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 3 2014 Ralph Bean <rb...@redhat.com> - 1.3.3-1
- Added threading model to the polling producer API.
--------------------------------------------------------------------------------

================================================================================
 python-pyramid-chameleon-0.1-1.el6 (FEDORA-EPEL-2014-1553)
 Bindings for the Chameleon templating system in the Pyramid web framework
--------------------------------------------------------------------------------
Update Information:

New packages for Fedora. These are needed for Bodhi 2.
--------------------------------------------------------------------------------

================================================================================
 python-rxjson-0.2-1.el6 (FEDORA-EPEL-2014-1553)
 JSON RX Schema validation tool
--------------------------------------------------------------------------------
Update Information:

New packages for Fedora. These are needed for Bodhi 2.
--------------------------------------------------------------------------------

================================================================================
 tomcat-native-1.1.30-1.el6 (FEDORA-EPEL-2014-1573)
 Tomcat native library
--------------------------------------------------------------------------------
Update Information:

Update to version 1.1.30 for Tomcat 7.0.54 compatibility.
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 15 2014 Ville Skyttä <ville.sky...@iki.fi> - 1.1.30-1
- Update to 1.1.30
--------------------------------------------------------------------------------

================================================================================
 zabbix20-2.0.12-1.el6 (FEDORA-EPEL-2014-1576)
 Open-source monitoring solution for your IT infrastructure
--------------------------------------------------------------------------------
Update Information:

Release notes: http://www.zabbix.com/rn2.0.12.php

This build contains a patch for ZBX-8238: https://support.zabbix.com/browse/ZBXNEXT-3238
"logrt may continue reading an old file repeatedly."
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 3 2014 Volker Fröhlich <volke...@gmx.at> - 2.0.12-1
- New upstream release
- Patch for ZBX-8238 (logrt may continue reading an old file repeatedly)
* Tue Jun 3 2014 Volker Fröhlich <volke...@gmx.at> - 2.0.11-2
- Handle su directive in logrotate configuration properly (BZ1074318)
--------------------------------------------------------------------------------

_______________________________________________
epel-devel mailing list
epel-devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/epel-devel