[EPEL-devel] Fedora EPEL 7 updates-testing report

2021-05-11 Thread updates
The following Fedora EPEL 7 Security updates need testing:
 Age  URL
  11  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-3f4ec3ba2a   sympa-6.2.62-1.el7
  11  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-23a46d718e   libopenmpt-0.5.8-1.el7
   7  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-314d2feba2   chromium-90.0.4430.93-1.el7
   7  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-80d45ac7ec   ansible-2.9.21-1.el7
   4  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-680600d10f   python-impacket-0.9.22-3.el7


The following builds have been pushed to Fedora EPEL 7 updates-testing

djvulibre-3.5.25.3-23.el7
remmina-1.4.16-1.el7
rust-1.52.1-1.el7

Details about builds:



 djvulibre-3.5.25.3-23.el7 (FEDORA-EPEL-2021-352a65d3bc)
 DjVu viewers, encoders, and utilities

Update Information:

Security fix for CVE-2021-3500, CVE-2021-32490, CVE-2021-32491, CVE-2021-32492
and CVE-2021-32493.

ChangeLog:

* Tue May 11 2021 Marek Kasik  - 3.5.25.3-23
- Avoid unsigned short overflow in GBitmap when allocating row buffer
- Resolves: #1958181
* Tue May 11 2021 Marek Kasik  - 3.5.25.3-22
- Avoid stack overflow in DjVuPort by remembering which file we are opening
- Resolves: #1958164
* Tue May 11 2021 Marek Kasik  - 3.5.25.3-21
- Check input pool for NULL
- Resolves: #1958179
* Tue May 11 2021 Marek Kasik  - 3.5.25.3-20
- Avoid integer overflow when allocating bitmap
- Resolves: #1958177
* Tue May 11 2021 Marek Kasik  - 3.5.25.3-19
- Check image size for 0
- Resolves: #1958171

References:

  [ 1 ] Bug #1943684 - CVE-2021-32491 djvulibre: Integer overflow in function render() in tools/ddjvu via crafted djvu file
        https://bugzilla.redhat.com/show_bug.cgi?id=1943684
  [ 2 ] Bug #1943685 - CVE-2021-3500 djvulibre: Stack overflow in function DJVU::DjVuDocument::get_djvu_file() via crafted djvu file
        https://bugzilla.redhat.com/show_bug.cgi?id=1943685
  [ 3 ] Bug #1943686 - CVE-2021-32492 djvulibre: Out of bounds read in function DJVU::DataPool::has_data() via crafted djvu file
        https://bugzilla.redhat.com/show_bug.cgi?id=1943686
  [ 4 ] Bug #1943690 - CVE-2021-32493 djvulibre: Heap buffer overflow in function DJVU::GBitmap::decode() via crafted djvu file
        https://bugzilla.redhat.com/show_bug.cgi?id=1943690
  [ 5 ] Bug #1943693 - CVE-2021-32490 djvulibre: Out of bounds write in function DJVU::filter_bv() via crafted djvu file
        https://bugzilla.redhat.com/show_bug.cgi?id=1943693




 remmina-1.4.16-1.el7 (FEDORA-EPEL-2021-59507e9515)
 Remote Desktop Client

Update Information:

Update to bugfix release 1.4.16.

ChangeLog:

* Tue May 11 2021 Simone Caronni  - 1.4.16-1
- Update to 1.4.16.
* Tue May 11 2021 Simone Caronni  - 1.4.15-1
- Update to 1.4.15.
* Mon May 10 2021 Simone Caronni  - 1.4.14-1
- Update to 1.4.14.
* Thu Apr 15 2021 Simone Caronni  - 1.4.13-2
- Rebuild for updated FreeRDP.

References:

  [ 1 ] Bug #1950762 - [abrt] remmina: gdk_x11_device_manager_xi2_translate_event(): remmina killed by SIGSEGV
        https://bugzilla.redhat.com/show_bug.cgi?id=1950762
  [ 2 ] Bug #1951423 - [abrt] remmina: interval_valid(): remmina killed by SIGSEGV
        https://bugzilla.redhat.com/show_bug.cgi?id=1951423
  [ 3 ] Bug #1952899 - [abrt] remmina: vasprintf(): remmina killed by SIGSEGV
        https://bugzilla.redhat.com/show_bug.cgi?id=1952899
  [ 4 ] Bug #1958923 - remmina-1.4.14 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1958923




 rust-1.52.1-1.el7 (FEDORA-EPEL-2021-130c9b8560)
 The Rust Programming Language

Update Information:

Rust 1.52.1 disables incremental compilation by default, due to existing bugs
that now surface as internal compiler errors when caught by 1.52's new
verification. See the [blog post](https://blog.rust-lang.org/2021/05/10/Rust-1.52.1.html)
for a deeper explanation.

Update to Rust 1.52.0:

- Separate output for `cargo clippy` and `cargo check`.
- Stabilized APIs

See the [blog post](https://blog.rust-lang.org/20

[EPEL-devel] Re: dpkg Requires po4a >= 0.59 on epel 8 but version available is po4a-0.52-4.el8

2021-05-11 Thread Carl George
PowerTools is the CentOS equivalent of the RHEL CRB repository.  EPEL
doesn't have any control over it.  You'll have to convince the RHEL
maintainer to rebase that package.

https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%208&component=po4a&version=CentOS%20Stream


On Tue, May 11, 2021 at 6:13 PM Sérgio Basto  wrote:
>
> Hi,
> Since this commit [1] I need po4a >= 0.59 to build dpkg , but [2],
> po4a is in powertools repo [3]  , can we do something to update it ?
>
> Thank you.
>
>
> [1]
> https://github.com/guillemj/dpkg/commit/a74a91310260efe55cc986506fe208ae2776a45a
>
> [2]
> https://git.centos.org/rpms/po4a/
> import po4a-0.52-4.el8  CentOS Sources committed 2 years ago
>
> [3]
> dnf repoquery po4a --qf "%{repoid} %{sourcerpm}" --quiet
> powertools po4a-0.52-4.el8.src.rpm
>
> --
> Sérgio M. B.
> ___
> epel-devel mailing list -- epel-devel@lists.fedoraproject.org
> To unsubscribe send an email to epel-devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraproject.org
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure



-- 
Carl George


[EPEL-devel] Re: Fwd: fmt soname bump in EPEL7

2021-05-11 Thread Leon Fauster

On 11.05.21 14:02, Christoph Karl wrote:
> Hi!
>
> On 11.05.21 at 12:30 Leon Fauster wrote:
> > While reading this I noticed that the recent fluidsynth-libs update
> > also introduced a soname bump. Affected EPEL packages
> > - audacious-plugins-amidi
> > - qsynth
>
> Yes, this was me. I am already trying to clean up this.

BTW: As also stated here:

https://lists.centos.org/pipermail/centos-devel/2021-May/076864.html

previous releases (multiple) are not kept but I was assuming that it's
possible to downgrade at least to ONE version before but it isn't.

- Was there ever a downgrade option in EPEL?

CentOS Stream suffered from that but covered yet:

https://lists.centos.org/pipermail/centos-devel/2021-May/076839.html

Would it not be beneficial? Especially for such cases like these ...

--
Leon


[EPEL-devel] dpkg Requires po4a >= 0.59 on epel 8 but version available is po4a-0.52-4.el8

2021-05-11 Thread Sérgio Basto
Hi,
Since this commit [1] I need po4a >= 0.59 to build dpkg , but [2], 
po4a is in powertools repo [3]  , can we do something to update it ?  

Thank you.


[1]
https://github.com/guillemj/dpkg/commit/a74a91310260efe55cc986506fe208ae2776a45a

[2]
https://git.centos.org/rpms/po4a/
import po4a-0.52-4.el8  CentOS Sources committed 2 years ago 

[3]
dnf repoquery po4a --qf "%{repoid} %{sourcerpm}" --quiet
powertools po4a-0.52-4.el8.src.rpm

-- 
Sérgio M. B.


[EPEL-devel] Re: Fwd: fmt soname bump in EPEL7

2021-05-11 Thread Troy Dawson
On Tue, May 11, 2021 at 2:02 PM Kevin Fenzi  wrote:

> On Tue, May 11, 2021 at 09:35:40PM +0200, Leon Fauster wrote:
> > On 11.05.21 14:02, Christoph Karl wrote:
> > > Hi!
> > >
> > > On 11.05.21 at 12:30 Leon Fauster wrote:
> > > > While reading this I noticed that the recent fluidsynth-libs update
> > > > also introduced a soname bump. Affected EPEL packages
> > > > - audacious-plugins-amidi
> > > > - qsynth
> > >
> > > Yes, this was me. I am already trying to clean up this.
> > >
> >
> >
> > BTW: As also stated here:
> >
> > https://lists.centos.org/pipermail/centos-devel/2021-May/076864.html
> >
> > previous releases (multiple) are not kept but I was assuming that it's
> > possible to downgrade at least to ONE version before but it isn't.
> >
> > - Was there ever a downgrade option in EPEL?
>
> no.
>
> > CentOS Stream suffered from that but covered yet:
> >
> > https://lists.centos.org/pipermail/centos-devel/2021-May/076839.html
> >
> > Would it not be beneficial? Especially for such cases like these ...
>
> There's a number of reasons we haven't implemented this over the years:
> tooling isn't setup for it easily, desire to not keep publishing
> insecure/broken/vulnerable packages, etc. We could revisit it again, but
> it's not something that would change quickly.
>

CentOS Stream 8 can have major changes, with little warning of those
changes.  An example is qt5 was recently updated to qt5-5.15, from 5.12.
If they hadn't implemented the backup stuff before that, all new KDE users
would be stuck.
So, CentOS Stream has very good motivation to make that change to their
repo.

EPEL is supposed to be stable.  With things like what happened on this
thread, being the exception, instead of the rule.
We do realize that at each RHEL minor release, things can change, and
because of that we archive/backup when this happens.  So, in one sense, we
do have a backup, just not an active backup.  It's more like a six month
snapshot.

Summary:  EPEL and CentOS Stream have different release cadence and
policies.

Troy


[EPEL-devel] Re: Fwd: fmt soname bump in EPEL7

2021-05-11 Thread Kevin Fenzi
On Tue, May 11, 2021 at 09:35:40PM +0200, Leon Fauster wrote:
> On 11.05.21 14:02, Christoph Karl wrote:
> > Hi!
> > 
> > On 11.05.21 at 12:30 Leon Fauster wrote:
> > > While reading this I noticed that the recent fluidsynth-libs update
> > > also introduced a soname bump. Affected EPEL packages
> > > - audacious-plugins-amidi
> > > - qsynth
> > 
> > Yes, this was me. I am already trying to clean up this.
> > 
> 
> 
> BTW: As also stated here:
> 
> https://lists.centos.org/pipermail/centos-devel/2021-May/076864.html
> 
> previous releases (multiple) are not kept but I was assuming that it's
> possible to downgrade at least to ONE version before but it isn't.
> 
> - Was there ever a downgrade option in EPEL?

no.

> CentOS Stream suffered from that but covered yet:
> 
> https://lists.centos.org/pipermail/centos-devel/2021-May/076839.html
> 
> Would it not be beneficial? Especially for such cases like these ...

There's a number of reasons we haven't implemented this over the years:
tooling isn't setup for it easily, desire to not keep publishing
insecure/broken/vulnerable packages, etc. We could revisit it again, but
it's not something that would change quickly.

kevin




[EPEL-devel] [Fedocal] Reminder meeting : EPEL Steering Committee

2021-05-11 Thread tdawson
Dear all,

You are kindly invited to the meeting:
   EPEL Steering Committee on 2021-05-12 from 16:00:00 to 17:00:00 US/Eastern
   At fedora-meet...@irc.freenode.net

The meeting will be about:
This is the weekly EPEL Steering Committee Meeting.

A general agenda is the following:

#meetingname EPEL
#topic Intros
#topic Old Business
#topic EPEL-7
#topic EPEL-8
#topic EPEL-9
#topic Openfloor
#endmeeting




Source: https://calendar.fedoraproject.org//meeting/9854/





[EPEL-devel] Re: Fwd: fmt soname bump in EPEL7

2021-05-11 Thread Leon Fauster

On 11.05.21 06:45, kefu chai wrote:
> Hi folks,
>
> I pushed the updated libfmt v6 to EPEL7 as a fix of [1]. It upgraded
> libfmt v3.01 to libfmt 6.2.1, and introduced a soname bump for
> libfmt.so. So packages depending on libfmt should be rebuilt to pick
> up the new library.



While reading this I noticed that the recent fluidsynth-libs update
also introduced a soname bump. Affected EPEL packages
- audacious-plugins-amidi
- qsynth

--
Leon


[EPEL-devel] unintended soname bump on fluidsynth-libs in epel8

2021-05-11 Thread Christoph Karl

Hi all!

Trying to fix two security issues
https://bugzilla.redhat.com/show_bug.cgi?id=194953
and
https://bugzilla.redhat.com/show_bug.cgi?id=1955611
I did an unintended soname bump on fluidsynth-libs.

For EPEL7 the package could be unpushed,
but for EPEL8 it is already in stable.

For EPEL7:
>sudo dnf repoquery --source --whatrequires '*libfluidsynth.so*'
Last metadata expiration check: 1:03:10 ago on Tue May 11 13:42:43 2021.
audacious-plugins-4.0.5-3.el7.src.rpm
fluidsynth-1.1.6-7.el7.src.rpm

For EPEL8:
>sudo dnf repoquery --source --whatrequires '*libfluidsynth.so*'
Last metadata expiration check: 1:06:14 ago on Tue May 11 13:42:49 2021.
audacious-plugins-4.0.5-3.el8.src.rpm
fluidsynth-2.1.8-3.el8.src.rpm
qsynth-0.6.3-2.el8.src.rpm

Sorry for the problems.

Best Regards
Christoph
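
A pre-push check for the situation reported in this message, as an added example that is not part of the original e-mail or of EPEL tooling: it compares the shared-library capabilities of the old and new build and lists the dependents that would break. The soname numbers, version strings, capability lines and the `example-unaffected` package are constructed sample values.

```python
import re
from collections import defaultdict

# Shared-library capabilities as printed by `rpm -q --provides` / `--requires`,
# e.g. "libfoo.so.1()(64bit)" or "libfoo.so.1(FOO_1.0)(64bit)".
_SONAME = re.compile(r"^(lib[^\s()]+\.so)\.([0-9][^\s()]*)((?:\([^)]*\))*)$")


def parse_sonames(capabilities):
    """Map (library base name, arch marker) -> set of soname versions."""
    found = defaultdict(set)
    for line in capabilities:
        fields = line.split()
        match = _SONAME.match(fields[0]) if fields else None
        if match is None:
            continue  # package-name or file capability, not a soname
        base, ver, rest = match.groups()
        arch = "64bit" if rest.endswith("(64bit)") else "32bit"
        found[(base, arch)].add(ver)
    return found


def soname_bumps(old_provides, new_provides):
    """List sonames the old build provided that the new build no longer does."""
    old, new = parse_sonames(old_provides), parse_sonames(new_provides)
    bumps = []
    for (base, arch), old_vers in sorted(old.items()):
        now = new.get((base, arch), set())
        if old_vers - now:
            bumps.append((base, arch, sorted(old_vers - now), sorted(now)))
    return bumps


def broken_dependents(bumps, requires_by_package):
    """Packages whose Requires name a soname that disappeared in the update."""
    gone = {(base, arch, ver) for base, arch, dropped, _ in bumps for ver in dropped}
    broken = {}
    for package, requires in requires_by_package.items():
        hits = sorted(
            f"{base}.{ver}"
            for (base, arch), vers in parse_sonames(requires).items()
            for ver in vers
            if (base, arch, ver) in gone
        )
        if hits:
            broken[package] = hits
    return broken


# Constructed sample data: soname numbers and versions are illustrative only.
OLD_PROVIDES = ["fluidsynth-libs = 1.0-1", "libfluidsynth.so.1()(64bit)"]
NEW_PROVIDES = ["fluidsynth-libs = 2.0-1", "libfluidsynth.so.2()(64bit)"]
REQUIRES = {
    "audacious-plugins-amidi": ["libfluidsynth.so.1()(64bit)", "libc.so.6()(64bit)"],
    "qsynth": ["libfluidsynth.so.1()(64bit)"],
    "example-unaffected": ["libc.so.6(GLIBC_2.14)(64bit)"],
}
```

An empty result from `soname_bumps` means the update keeps every soname the previous build provided; a non-empty one means the dependents returned by `broken_dependents` need a rebuild before the update reaches stable.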


[EPEL-devel] Re: Fwd: fmt soname bump in EPEL7

2021-05-11 Thread Christoph Karl

Hi!

On 11.05.21 at 12:30 Leon Fauster wrote:
> While reading this I noticed that the recent fluidsynth-libs update
> also introduced a soname bump. Affected EPEL packages
> - audacious-plugins-amidi
> - qsynth


Yes, this was me.
I am already trying to clean up this.

Best Regards
Christoph


[EPEL-devel] Re: Fwd: fmt soname bump in EPEL7

2021-05-11 Thread Felix Schwarz


On 11.05.21 at 06:45, kefu chai wrote:
> I pushed the updated libfmt v6 to EPEL7 as a fix of [1]. It upgraded
> libfmt v3.01 to libfmt 6.2.1, and introduced a soname bump for
> libfmt.so. So packages depending on libfmt should be rebuilt to pick
> up the new library.


It would be helpful if you could also list the affected packages (repoquery).

Felix