The following Fedora EPEL 6 Security updates need testing:
 Age  URL
 774  
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-5620/bugzilla-3.4.14-2.el6
 121  
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-0440/fwsnort-1.6.4-1.el6
 106  
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-0590/oath-toolkit-2.0.2-4.el6
  65  
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1011/php-ZendFramework-1.12.5-1.el6
  19  
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1414/gajim-0.14.4-4.el6
  15  
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1471/chicken-4.8.0.6-2.el6
  11  
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1477/drupal7-views-3.8-1.el6
  11  
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1475/moodle-2.4.10-1.el6
   7  
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1522/check-mk-1.2.4p2-2.el6
   5  
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1536/xmlsec1-1.2.19-3.el6
   1  
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1563/mono-2.10.8-2.el6,libgdiplus-2.10-1.el6
   0  
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1572/chkrootkit-0.49-9.el6


The following builds have been pushed to Fedora EPEL 6 updates-testing

    chkrootkit-0.49-9.el6
    davix-0.3.1-1.el6
    perl-Net-Statsd-0.08-1.el6
    python-moksha-hub-1.3.3-1.el6
    python-pyramid-chameleon-0.1-1.el6
    python-rxjson-0.2-1.el6
    tomcat-native-1.1.30-1.el6
    zabbix20-2.0.12-1.el6

Details about builds:


================================================================================
 chkrootkit-0.49-9.el6 (FEDORA-EPEL-2014-1572)
 Tool to locally check for signs of a rootkit
--------------------------------------------------------------------------------
Update Information:

A quoting issue was found in chkrootkit which would lead to a file in /tmp/ 
being executed, if /tmp/ was mounted without the noexec option. chkrootkit is 
typically run as the root user. A local attacker could use this flaw to 
escalate their privileges.

The problematic part was:

file_port=$file_port $i

Which is changed to file_port="$file_port $i" to fix the issue. From the Debian 
diff:

--- chkrootkit-0.49.orig/debian/patches/CVE-2014-0476.patch
+++ chkrootkit-0.49/debian/patches/CVE-2014-0476.patch
@@ -0,0 +1,13 @@
+Index: chkrootkit/chkrootkit
+===================================================================
+--- chkrootkit.orig/chkrootkit
++++ chkrootkit/chkrootkit
+@@ -117,7 +117,7 @@ slapper (){
+    fi
+    for i in ${SLAPPER_FILES}; do
+       if [ -f ${i} ]; then
+-       file_port=$file_port $i
++       file_port="$file_port $i"
+          STATUS=1
+       fi
+    done

Acknowledgements:

Red Hat would like to thank Thomas Stangner for reporting this issue.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jun  4 2014 Jon Ciesla <limburg...@gmail.com> - 0.49-9
- Patch for CVE-2014-0476, BZ 1104456, 11044567.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1104456 - CVE-2014-0476 chkrootkit: local privilege escalation 
[fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1104456
  [ 2 ] Bug #1104457 - CVE-2014-0476 chkrootkit: local privilege escalation 
[epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1104457
--------------------------------------------------------------------------------


================================================================================
 davix-0.3.1-1.el6 (FEDORA-EPEL-2014-1577)
 Toolkit for Http-based file management
--------------------------------------------------------------------------------
Update Information:

davix 0.3.1 release, see RELEASE-NOTES for changes
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jun  4 2014 Adrien Devresse <adevress at cern.ch> - 0.3.1-1
- davix 0.3.1 release, see RELEASE-NOTES for changes
* Tue Jun  3 2014 Adrien Devresse <adevress at cern.ch> - 0.3.0-1
- davix 0.3.0 release, see RELEASE-NOTES for changes
* Tue Jan 28 2014 Adrien Devresse <adevress at cern.ch> - 0.2.10-1
- davix 0.2.10 release, see RELEASE-NOTES for details
--------------------------------------------------------------------------------


================================================================================
 perl-Net-Statsd-0.08-1.el6 (FEDORA-EPEL-2014-1570)
 Sends statistics to the stats daemon over UDP
--------------------------------------------------------------------------------
Update Information:

Initial release
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1103466 - Review Request: perl-Net-Statsd - Sends statistics to 
the stats daemon over UDP
        https://bugzilla.redhat.com/show_bug.cgi?id=1103466
--------------------------------------------------------------------------------


================================================================================
 python-moksha-hub-1.3.3-1.el6 (FEDORA-EPEL-2014-1571)
 Hub components for Moksha
--------------------------------------------------------------------------------
Update Information:

Threaded polling producer API.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun  3 2014 Ralph Bean <rb...@redhat.com> - 1.3.3-1
- Added threading model to the polling producer API.
--------------------------------------------------------------------------------


================================================================================
 python-pyramid-chameleon-0.1-1.el6 (FEDORA-EPEL-2014-1553)
 Bindings for the Chameleon templating system in the Pyramid web framework
--------------------------------------------------------------------------------
Update Information:

New packages for Fedora.

These are needed for Bodhi 2.
--------------------------------------------------------------------------------


================================================================================
 python-rxjson-0.2-1.el6 (FEDORA-EPEL-2014-1553)
 JSON RX Schema validation tool
--------------------------------------------------------------------------------
Update Information:

New packages for Fedora.

These are needed for Bodhi 2.
--------------------------------------------------------------------------------


================================================================================
 tomcat-native-1.1.30-1.el6 (FEDORA-EPEL-2014-1573)
 Tomcat native library
--------------------------------------------------------------------------------
Update Information:

Update to version 1.1.30 for Tomcat 7.0.54 compatibility.

http://tomcat.apache.org/native-doc/miscellaneous/changelog.html
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 15 2014 Ville Skyttä <ville.sky...@iki.fi> - 1.1.30-1
- Update to 1.1.30
--------------------------------------------------------------------------------


================================================================================
 zabbix20-2.0.12-1.el6 (FEDORA-EPEL-2014-1576)
 Open-source monitoring solution for your IT infrastructure
--------------------------------------------------------------------------------
Update Information:

Release notes: http://www.zabbix.com/rn2.0.12.php

This build contains a patch for ZBX-8238:
https://support.zabbix.com/browse/ZBXNEXT-3238

"logrt may continue reading an old file repeatedly."
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun  3 2014 Volker Fröhlich <volke...@gmx.at> - 2.0.12-1
- New upstream release
- Patch for ZBX-8238 (logrt may continue reading an old file repeatedly)
* Tue Jun  3 2014 Volker Fröhlich <volke...@gmx.at> - 2.0.11-2
- Handle su directive in logrotate configuration properly (BZ1074318)
--------------------------------------------------------------------------------

_______________________________________________
epel-devel mailing list
epel-devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/epel-devel

Reply via email to