[EPEL-devel] Fedora EPEL 7 updates-testing report

2016-09-09 Thread updates
The following Fedora EPEL 7 Security updates need testing:
 Age  URL
 551  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-1087   dokuwiki-0-0.24.20140929c.el7
 313  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-dac7ed832f   mcollective-2.8.4-1.el7
  76  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-e0c08a1414   php-PHPMailer-5.2.16-2.el7
  32  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-23fa04bf1c   redis-3.2.3-1.el7
  30  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-4b8dd3488d   knot-1.6.8-1.el7
  15  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-e8f4ff76b3   chicken-4.11.0-3.el7
  11  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-62fd4a9900   phpMyAdmin-4.4.15.8-2.el7
   9  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-c1dbac22db   elog-3.1.1-7.el7
   3  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-2a2061ee5f   php-adodb-5.15-10.el7
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-7e2d0ee701   wordpress-4.6.1-1.el7
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-12c4b7b928   php-horde-Horde-Core-2.26.1-1.el7
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-c7c4c1e885   php-horde-Horde-Mime-Viewer-2.2.1-1.el7
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-175e2d3d7c   php-horde-Horde-Text-Filter-2.3.5-1.el7
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-f71c0650c3   php-horde-horde-5.2.12-1.el7
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-77f23b948f   GraphicsMagick-1.3.25-1.el7
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-0e40142bd3   pdns-3.4.10-1.el7
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-6d70ae9a57   chromium-53.0.2785.101-1.el7


The following builds have been pushed to Fedora EPEL 7 updates-testing

am-utils-6.2.0-20.el7
chromium-53.0.2785.101-1.el7
gitolite3-3.6.6-1.el7
kbibtex-0.6-4.el7
pdns-3.4.10-1.el7
perl-MCE-1.805-1.el7
php-ircmaxell-random-lib-1.2.0-1.el7
python-arrow-0.8.0-3.el7
python-fmn-rules-0.9.1-1.el7
python-pyvmomi-6.0.0.2016.6-1.el7
python3-dateutil-2.4.2-3.el7

Details about builds:



 am-utils-6.2.0-20.el7 (FEDORA-EPEL-2016-8bddd3a8a4)
 Automount utilities including an updated version of Amd

Update Information:

- sync with upstream git and add a couple of bug fixes.




 chromium-53.0.2785.101-1.el7 (FEDORA-EPEL-2016-6d70ae9a57)
 A WebKit (Blink) powered web browser

Update Information:

Stable update to 53.0.2785.101. Security fix for CVE-2016-5147, CVE-2016-5148,
CVE-2016-5149, CVE-2016-5150, CVE-2016-5151, CVE-2016-5152, CVE-2016-5153,
CVE-2016-5154, CVE-2016-5155, CVE-2016-5156, CVE-2016-5157, CVE-2016-5158,
CVE-2016-5159, CVE-2016-5161, CVE-2016-5162, CVE-2016-5163, CVE-2016-5164,
CVE-2016-5165, CVE-2016-5166, CVE-2016-5160, CVE-2016-5167. Also applies fix for
chrome-remote-desktop where HOME env variable was not properly set via systemd
service.

Remove fedora only Requires, use bundled harfbuzz because el7 system lib is too
old.

Disabled hidpi option in Chromium. Cleanup widevine handling so that third party
addon package can exist. Add Requires(post) for selinux deps. Fix
provides/requires to not include private libs.

References:

  [ 1 ] Bug #1372229 - CVE-2016-5167 chromium-browser: various fixes from internal audits
        https://bugzilla.redhat.com/show_bug.cgi?id=1372229
  [ 2 ] Bug #1372228 - CVE-2016-5160 chromium-browser: extensions web accessible resources bypass
        https://bugzilla.redhat.com/show_bug.cgi?id=1372228
  [ 3 ] Bug #1372227 - CVE-2016-5166 chromium-browser: smb relay attack via save page as
        https://bugzilla.redhat.com/show_bug.cgi?id=1372227
  [ 4 ] Bug #1372225 - CVE-2016-5165 chromium-browser: script injection in devtools
        https://bugzilla.redhat.com/show_bug.cgi?id=1372225
  [ 5 ] Bug #1372224 - CVE-2016-5164 chromium-browser: universal xss using devtools
        https://bugzilla.redhat.com/show_bug.cgi?id=1372224
  [ 6 ] Bug #1372223 - CVE-2016-5163 chromium-browser: address bar spoofing
        https://bugzilla.redhat.com/show_bug.cgi?id=1372223
  [ 7 ] Bug #137 - CVE-2016-5162 chromium-browser: extensions web accessible resources bypass
        https://bugzilla.redhat.com/show_bug.cgi?id=137
  [ 8 ] Bug #1372221 - CVE-2016-5161 chromium-browser: type confusion in blink
        https://bugzilla.redhat.com/show_bug.cgi?id=1372221

[EPEL-devel] Re: nodejs update

2016-09-09 Thread Joe Orton
On Thu, Sep 08, 2016 at 01:27:54PM -0400, Stephen Gallagher wrote:
> > * Node.js 4.x and 6.x both *strictly* require functionality from OpenSSL 1.0.2
> > and cannot run (or indeed build) against OpenSSL 1.0.1. Currently, both EPEL 6
> > and EPEL 7 have 1.0.1 in their buildroots. I am not aware of any solution (SCL
> > or otherwise) for linking EPEL to a newer version of OpenSSL.

Have you got details on what exactly is required from 1.0.2?  Is it ALPN 
support?

I strongly suspect it will be possible (with sufficient effort) to patch 
node to build against older OpenSSL, albeit at the cost of losing some 
features.  

There is a trade-off here between disabling 1.0.2 features & waiting for 
RHEL OpenSSL to catch up, versus having to maintain & patch a copy of 
OpenSSL 1.0.2 in addition to the RHEL OpenSSL.  i.e. someone is ready to 
deal with patching all future Critical security issues in a bundled 
OpenSSL.

Regards, Joe

-- 
Joe Orton // Red Hat Core Services
___
epel-devel mailing list
epel-devel@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/epel-devel@lists.fedoraproject.org