[EPEL-devel] Fedora EPEL 8 updates-testing report
The following Fedora EPEL 8 Security updates need testing:

 Age  URL
  25  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-1e00c3d01e   cutter-re-2.2.0-1.el8 rizin-0.5.1-1.el8
   6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-d4a7c0e04e   pdns-recursor-4.8.4-1.el8
   6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-9215c40764   zchunk-1.3.1-1.el8
   4  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-b06600ebc7   bzip3-1.3.0-1.el8

The following builds have been pushed to Fedora EPEL 8 updates-testing

icewm-3.3.3-2.el8
remmina-1.4.30-1.el8

Details about builds:

icewm-3.3.3-2.el8 (FEDORA-EPEL-2023-f838d970bd)
Window manager designed for speed, usability, and consistency

Update Information:

Update to latest version

ChangeLog:

* Mon Apr 10 2023 Artem Polishchuk - 3.3.3-1
- chore: Update to 3.3.3

remmina-1.4.30-1.el8 (FEDORA-EPEL-2023-deedf363e4)
Remote Desktop Client

Update Information:

* Mon Apr 10 2023 Phil Wyett - 1.4.30-1
- New upstream version 1.4.30.
- Use SPDX license identifiers.
- Remove no longer needed patches.

ChangeLog:

* Mon Apr 10 2023 Phil Wyett - 1.4.30-1
- New upstream version 1.4.30.
- Use SPDX license identifiers.
- Remove no longer needed patches.

___
epel-devel mailing list -- epel-devel@lists.fedoraproject.org
To unsubscribe send an email to epel-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[EPEL-devel] Fedora EPEL 9 updates-testing report
The following Fedora EPEL 9 Security updates need testing:

 Age  URL
   6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-911b83cb42   netatalk-3.1.14-3.el9
   5  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-bb6f0bba09   pdns-recursor-4.8.4-1.el9
   5  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-0ff8a4bc32   zchunk-1.3.1-1.el9
   4  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-1fcf6a407e   bzip3-1.3.0-1.el9

The following builds have been pushed to Fedora EPEL 9 updates-testing

chromium-112.0.5615.49-1.el9
icewm-3.3.3-1.el9
remmina-1.4.30-1.el9
rust-io-lifetimes-1.0.10-1.el9
rust-is-terminal-0.4.7-1.el9
rust-libc-0.2.141-1.el9
rust-linux-raw-sys-0.3.1-1.el9
rust-rustix-0.37.11-2.el9
rust-tempfile-3.5.0-1.el9
rust-terminal_size-0.2.6-1.el9
vorta-0.8.12-2.el9

Details about builds:

chromium-112.0.5615.49-1.el9 (FEDORA-EPEL-2023-7573786f98)
A WebKit (Blink) powered web browser that Google doesn't want you to use

Update Information:

update to 112.0.5615.49. Fixes the following security issues: CVE-2023-1528 CVE-2023-1529 CVE-2023-1530 CVE-2023-1531 CVE-2023-1532 CVE-2023-1533 CVE-2023-1534, CVE-2023-25193

ChangeLog:

* Wed Apr 5 2023 Than Ngo - 112.0.5615.49-1
- update to 112.0.5615.49
- fix #2184142, Small fonts in menus

References:

[ 1 ] Bug #2173489 - CVE-2023-25193 chromium: harfbuzz: allows attackers to trigger O(n^2) growth via consecutive marks [epel-8]
      https://bugzilla.redhat.com/show_bug.cgi?id=2173489
[ 2 ] Bug #2184142 - Small fonts in menus
      https://bugzilla.redhat.com/show_bug.cgi?id=2184142
[ 3 ] Bug #2184710 - CVE-2023-1810 CVE-2023-1811 CVE-2023-1812 CVE-2023-1813 CVE-2023-1814 CVE-2023-1815 CVE-2023-1816 CVE-2023-1817 CVE-2023-1818 CVE-2023-1819 CVE-2023-1820 CVE-2023-1821 CVE-2023-1822 CVE-2023-1823 chromium: various flaws [epel-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=2184710

icewm-3.3.3-1.el9 (FEDORA-EPEL-2023-baaea66110)
Window manager designed for speed, usability, and consistency

Update Information:

Update to latest version

ChangeLog:

* Mon Apr 10 2023 Artem Polishchuk - 3.3.3-1
- chore: Update to 3.3.3

remmina-1.4.30-1.el9 (FEDORA-EPEL-2023-cb05eaf8f2)
Remote Desktop Client

Update Information:

* Mon Apr 10 2023 Phil Wyett - 1.4.30-1
- New upstream version 1.4.30.
- Use SPDX license identifiers.
- Remove no longer needed patches.

ChangeLog:

* Mon Apr 10 2023 Phil Wyett - 1.4.30-1
- New upstream version 1.4.30.
- Use SPDX license identifiers.
- Remove no longer needed patches.

rust-io-lifetimes-1.0.10-1.el9 (FEDORA-EPEL-2023-cf9283e5fc)
Low-level I/O ownership and borrowing library

Update Information:

- Update the rustix crate to version 0.37.11.
- Update the io-lifetimes crate to version 1.0.10.
- Update the is-terminal crate to version 0.4.7.
- Update the libc crate to version 0.2.141.
- Update the linux-raw-sys crate to version 0.3.1.
- Update the tempfile crate to version 3.5.0.
- Update the terminal_size crate to version 0.2.6.

ChangeLog:

* Mon Apr 10 2023 Fabio Valentini - 1.0.10-1
- Update to version 1.0.10; Fixes RHBZ#2184547

rust-is-terminal-0.4.7-1.el9 (FEDORA-EPEL-2023-cf9283e5fc)
Test whether a given stream is a terminal

Update Information:

- Update the rustix crate to version 0.37.11.
- Update the io-lifetimes crate to version 1.0.10.
- Update the is-terminal crate to version 0.4.7.
- Update the
[EPEL-devel] Fedora EPEL 7 updates-testing report
The following Fedora EPEL 7 Security updates need testing:

 Age  URL
   6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-237e339dd2   netatalk-3.1.14-3.el7
   5  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-d9256ecd7c   zchunk-1.3.1-1.el7

The following builds have been pushed to Fedora EPEL 7 updates-testing

chromium-112.0.5615.49-1.el7

Details about builds:

chromium-112.0.5615.49-1.el7 (FEDORA-EPEL-2023-4821639cb4)
A WebKit (Blink) powered web browser that Google doesn't want you to use

Update Information:

update to 112.0.5615.49. Fixes the following security issues: CVE-2023-1528 CVE-2023-1529 CVE-2023-1530 CVE-2023-1531 CVE-2023-1532 CVE-2023-1533 CVE-2023-1534, CVE-2023-25193

ChangeLog:

* Wed Apr 5 2023 Than Ngo - 112.0.5615.49-1
- update to 112.0.5615.49
- fix #2184142, Small fonts in menus

References:

[ 1 ] Bug #2173489 - CVE-2023-25193 chromium: harfbuzz: allows attackers to trigger O(n^2) growth via consecutive marks [epel-8]
      https://bugzilla.redhat.com/show_bug.cgi?id=2173489
[ 2 ] Bug #2184142 - Small fonts in menus
      https://bugzilla.redhat.com/show_bug.cgi?id=2184142
[ 3 ] Bug #2184710 - CVE-2023-1810 CVE-2023-1811 CVE-2023-1812 CVE-2023-1813 CVE-2023-1814 CVE-2023-1815 CVE-2023-1816 CVE-2023-1817 CVE-2023-1818 CVE-2023-1819 CVE-2023-1820 CVE-2023-1821 CVE-2023-1822 CVE-2023-1823 chromium: various flaws [epel-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=2184710
[EPEL-devel] Re: Intent to retire flintqs in EPEL7, EPEL8, and EPEL9 for security reasons
On Mon, Apr 10, 2023 at 10:40 AM Ben Beasley wrote:

> When I took over maintenance of the flintqs package[1]—which contains
> William Hart’s quadratic sieve implementation, as modified for
> sagemath—I built it for EPEL7, EPEL8, and EPEL9. My thoughts were, “Why
> not? Someone might find it useful.”
>
> It was recently pointed out[2][3] that the flintqs command-line tool
> uses temporary files in unsafe ways[4], which could potentially
> represent an exploitable security vulnerability; this has been assigned
> CVE-2023-29465[5].
>
> There is no immediate patch available; while one could surely be
> constructed, the sagemath project plans to incorporate the factorization
> algorithm directly in sagemath and discontinue support of the vulnerable
> command-line tool rather than fixing it[6].
>
> Since sagemath is not packaged in any of the EPEL releases, and flintqs
> is therefore a leaf package, I plan to handle this security report by
> retiring flintqs in all three EPELs. This email is the beginning of that
> process as prescribed in the EPEL Retirement Policy: Process: Security
> Reasons[7]. I doubt there will be any objections, but the process
> requires a one-week discussion period, so I will follow up on the
> epel-announce list and do the retirements no earlier than 2023-03-17.
>
> [1] https://src.fedoraproject.org/rpms/flintqs
>
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=2185301
>
> [3] https://github.com/sagemath/FlintQS/issues/3
>
> [4] https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File
>
> [5] https://nvd.nist.gov/vuln/detail/CVE-2023-29465
>
> [6] https://github.com/sagemath/sage/pull/35419
>
> [7] https://docs.fedoraproject.org/en-US/epel/epel-policy-retirement/#process_security_reasons

Thank you for following the retirement policy.

I'm assuming that's a typo and you really meant "no earlier than 2023-04-17".

Troy
[EPEL-devel] Intent to retire flintqs in EPEL7, EPEL8, and EPEL9 for security reasons
When I took over maintenance of the flintqs package[1]—which contains William Hart’s quadratic sieve implementation, as modified for sagemath—I built it for EPEL7, EPEL8, and EPEL9. My thoughts were, “Why not? Someone might find it useful.”

It was recently pointed out[2][3] that the flintqs command-line tool uses temporary files in unsafe ways[4], which could potentially represent an exploitable security vulnerability; this has been assigned CVE-2023-29465[5].

There is no immediate patch available; while one could surely be constructed, the sagemath project plans to incorporate the factorization algorithm directly in sagemath and discontinue support of the vulnerable command-line tool rather than fixing it[6].

Since sagemath is not packaged in any of the EPEL releases, and flintqs is therefore a leaf package, I plan to handle this security report by retiring flintqs in all three EPELs. This email is the beginning of that process as prescribed in the EPEL Retirement Policy: Process: Security Reasons[7]. I doubt there will be any objections, but the process requires a one-week discussion period, so I will follow up on the epel-announce list and do the retirements no earlier than 2023-03-17.

[1] https://src.fedoraproject.org/rpms/flintqs

[2] https://bugzilla.redhat.com/show_bug.cgi?id=2185301

[3] https://github.com/sagemath/FlintQS/issues/3

[4] https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File

[5] https://nvd.nist.gov/vuln/detail/CVE-2023-29465

[6] https://github.com/sagemath/sage/pull/35419

[7] https://docs.fedoraproject.org/en-US/epel/epel-policy-retirement/#process_security_reasons
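The thread above names the weakness class (the OWASP "Insecure Temporary File" reference [4]) but not the code involved. The following is an added illustration of that class in general, written for this page; it is not flintqs code and makes no claim about how flintqs constructs its files. It places the textbook weak pattern, a predictable name under /tmp opened without exclusivity, beside the hardened pattern: mkstemp() with a random suffix and O_CREAT|O_EXCL, an fstat() sanity check on the descriptor, and immediate unlink so the name is never reused. The file-name prefix `sieve_`, the directory default and the payload are constructed for the example.

```c
/* Added example (not flintqs code): the "insecure temporary file" pattern
 * described by the OWASP reference, next to a hardened replacement.
 * All names and values here are constructed for illustration. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Weak pattern: a name built only from the PID is predictable, and such
 * code usually opens it with fopen()/O_CREAT but without O_EXCL, so a file
 * or symlink already present at that path is silently followed.
 * Returns 1 when the name derived from `pid` equals `expected`, which is
 * exactly the predictability that makes the pattern unsafe. */
int predictable_name_matches(pid_t pid, const char *expected) {
    char buf[64];
    int n = snprintf(buf, sizeof buf, "/tmp/sieve_%ld.tmp", (long)pid);
    return n > 0 && (size_t)n < sizeof buf && strcmp(buf, expected) == 0;
}

/* TMPDIR if set, otherwise /tmp. */
const char *default_tmpdir(void) {
    const char *d = getenv("TMPDIR");
    return (d && *d) ? d : "/tmp";
}

/* Hardened pattern. mkstemp() replaces XXXXXX with random characters and
 * opens with O_CREAT|O_EXCL and mode 0600, so anything already present at
 * the chosen name makes the open fail instead of being followed. The
 * descriptor is then checked and the name unlinked, leaving the data
 * reachable only through fd. Returns fd, or -1 with errno set. */
int secure_temp_file(const char *dir) {
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/sieve_XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;

    /* Verify what we actually opened: a regular file, one link, no
     * group/other permission bits. */
    struct stat st;
    int bad = fstat(fd, &st) != 0 ? errno : 0;
    if (!bad && (!S_ISREG(st.st_mode) || st.st_nlink != 1
                 || (st.st_mode & 077) != 0))
        bad = EPERM;
    if (bad) {
        close(fd);
        unlink(path);
        errno = bad;
        return -1;
    }
    if (unlink(path) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Write `payload` through the descriptor and read it back. Returns 1 on a
 * faithful round trip, 0 otherwise; doubles as a self-check. */
int temp_file_roundtrip(const char *dir, const char *payload) {
    int fd = secure_temp_file(dir);
    if (fd < 0)
        return 0;
    size_t len = strlen(payload);
    char buf[256] = {0};
    int ok = len < sizeof buf
          && write(fd, payload, len) == (ssize_t)len
          && lseek(fd, 0, SEEK_SET) == 0
          && read(fd, buf, sizeof buf - 1) == (ssize_t)len
          && memcmp(buf, payload, len) == 0;
    close(fd);
    return ok;
}

int main(void) {
    int fd = secure_temp_file(default_tmpdir());
    if (fd < 0) {
        perror("secure_temp_file");
        return 1;
    }
    printf("scratch file open on fd %d; its name is already unlinked\n", fd);
    close(fd);
    return 0;
}
```

The two halves differ in who controls the path: with the weak pattern the name is knowable in advance and the open follows whatever is there, while mkstemp() chooses the name and refuses to open a pre-existing one. Unlinking immediately after the fstat() check removes the window in which the name could be reused, and reading and writing through the descriptor only means no later operation ever goes back through the path.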