The following Fedora EPEL 6 Security updates need testing:

    https://admin.fedoraproject.org/updates/clamav-0.97-9.el6
    https://admin.fedoraproject.org/updates/cgit-0.9-1.el6
    https://admin.fedoraproject.org/updates/couchdb-1.0.2-1.el6
    https://admin.fedoraproject.org/updates/pywebdav-0.9.4.1-1.el6
    https://admin.fedoraproject.org/updates/asterisk-1.8.3-1.el6
    https://admin.fedoraproject.org/updates/perl-Mail-Box-2.097-1.el6
    https://admin.fedoraproject.org/updates/pure-ftpd-1.0.30-1.el6

The following builds have been pushed to Fedora EPEL 6 updates-testing

    clamav-0.97-9.el6
    flies-python-client-0.8.1-1.el6
    grib_api-1.9.8-2.el6
    nsd-3.2.7-5.el6
    perl-VOMS-Lite-0.11-1.el6
    pure-ftpd-1.0.30-1.el6
    znc-0.098-0.3.rc1.el6

Details about builds:

================================================================================
 clamav-0.97-9.el6 (FEDORA-EPEL-2011-2805)
 Anti-virus software
--------------------------------------------------------------------------------
Update Information:

https://www.redhat.com/archives/epel-devel-list/2011-March/msg00075.html
--------------------------------------------------------------------------------
ChangeLog:

* Tue Mar 15 2011 Jan-Frode Myklebust <janfrode@tanso.net> - 0.97-7
- rpm-provide all old package names that are now obsoleted
* Mon Mar 14 2011 Jan-Frode Myklebust <janfrode@tanso.net> - 0.97-6
- clam-db obsoletes old clamav-data-empty.
* Sun Mar 13 2011 Jan-Frode Myklebust <janfrode@tanso.net> - 0.97-4
- Add back clamd-wrapper to stay compatible with users of old packaging (amavisd-new).
* Wed Feb 23 2011 Nick Bebout <nb@fedoraproject.org> - 0.097-3
- Move db to /var/lib/clamav
- Ship empty directory /etc/clamd.d for amavisd-new
* Thu Feb 17 2011 Kevin Fenzi <kevin@tummy.com> - 0.97-2
- Disable llvm.
* Tue Feb 8 2011 Kevin Fenzi <kevin@tummy.com> - 0.97-1
- Update to 0.97
- Fix up for current guidelines.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #579370 - Update to newest version 0.96
        https://bugzilla.redhat.com/show_bug.cgi?id=579370
  [ 2 ] Bug #679793 - CVE-2011-1003 clamav: Double free error by reading VBA project strings [epel-4]
        https://bugzilla.redhat.com/show_bug.cgi?id=679793
  [ 3 ] Bug #538425 - Wrong milter.conf file template in clamav-milter
        https://bugzilla.redhat.com/show_bug.cgi?id=538425
  [ 4 ] Bug #580676 - CVE-2010-0098 CVE-2010-1311 Multiple clamav vulnerabilities [Fedora all]
        https://bugzilla.redhat.com/show_bug.cgi?id=580676
  [ 5 ] Bug #667203 - CVE-2010-1639 Clam AntiVirus: Heap-based overflow, when processing malicious PDF file(s) [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=667203
  [ 6 ] Bug #655636 - clamav-scanner, clamav-scanner-sysvinit in EPEL
        https://bugzilla.redhat.com/show_bug.cgi?id=655636
  [ 7 ] Bug #495502 - 0.95.1 is busted
        https://bugzilla.redhat.com/show_bug.cgi?id=495502
  [ 8 ] Bug #679794 - CVE-2011-1003 clamav: Double free error by reading VBA project strings [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=679794
--------------------------------------------------------------------------------

================================================================================
 flies-python-client-0.8.1-1.el6 (FEDORA-EPEL-2011-2799)
 Python Client for Flies Server
--------------------------------------------------------------------------------
ChangeLog:

* Thu Mar 10 2011 James Ni <jni@redhat.com> - 0.8.1
- Fix bugs(issue 272, issue 274) of retrieve the translation
* Mon Mar 7 2011 James Ni <jni@redhat.com> - 0.8.0
- Stable release
* Wed Feb 23 2011 James Ni <jni@redhat.com> - 0.7.6-1
- Rename the command line option, add a Logger class for better output, set copytrans default value to true, make the extensions to a list of gettext and comment.
* Tue Feb 22 2011 James Ni <jni@redhat.com> - 0.7.4-1
- Fix issue 245:stop processing when type 'n', Add version service, rename the command line option and help info, add InternalServerError
* Mon Feb 21 2011 James Ni <jni@redhat.com> - 0.7.3-1
- Fix issue 244, issue 245, issue 247 and issue 30, add command list for 'flies publican', rewrite the README
* Fri Feb 18 2011 James Ni <jni@redhat.com> - 0.7.2-1
- Rename the gettextutil to publicanutil, Remove the translator from textFlowTarget, Add more help info
* Tue Feb 8 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Mon Jan 24 2011 James Ni <jni@redhat.com> - 0.7.1-1
- Fix typo and make help more user-friendly
* Mon Jan 24 2011 James Ni <jni@redhat.com> - 0.7.0-1
- Add copyTrans option to client
* Tue Jan 4 2011 James Ni <jni@redhat.com> - 0.6.1-1
- Add exception handler for empty extensions
--------------------------------------------------------------------------------

================================================================================
 grib_api-1.9.8-2.el6 (FEDORA-EPEL-2011-2796)
 WMO FM-92 GRIB (v1,v2) interface accessible from C and FORTRAN programs
--------------------------------------------------------------------------------
Update Information:

--------------------------------------------------------------------------------

================================================================================
 nsd-3.2.7-5.el6 (FEDORA-EPEL-2011-2797)
 Fast and lean authoritative DNS Name Server
--------------------------------------------------------------------------------
Update Information:

Upgraded to 3.2.7. Fix use of NSD_AUTOREBUILD for cron. Add %ghost for /var/run/nsd, fix initscript to properly display ok/failed.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Mar 9 2011 Paul Wouters <paul@xelerance.com> - 3.2.7-5
- Updated to 3.2.7
- Fix for nsd.init to report OK/FAILED properly (bz#525107)
- Use ghost directive for /var/run/nsd (bz#656642)
- Removed obsolete --enable-nsid
- Remove bogus chowns for /var/*/nsdhm
- Fix misnamed variable NSD_AUTORELOAD which should be NSD_AUTOREBUILD
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #656642 - Please Update Spec File to use %ghost on files in /var/run and /var/lock
        https://bugzilla.redhat.com/show_bug.cgi?id=656642
  [ 2 ] Bug #535107 - need to use the new auto-group icon
        https://bugzilla.redhat.com/show_bug.cgi?id=535107
--------------------------------------------------------------------------------

================================================================================
 perl-VOMS-Lite-0.11-1.el6 (FEDORA-EPEL-2011-2803)
 Perl extension for VOMS Attribute certificate creation
--------------------------------------------------------------------------------
Update Information:

VOMS (virtual organisation membership service) is a system for managing grid level authorization data within multi-institutional collaborations via membership and roles within that membership.

VOMS::Lite provides a perl library and client tools for interacting with an existing voms service including the well known C implementation of voms.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #565949 - Review Request: perl-VOMS-Lite - Perl extension for VOMS Attribute certificate creation
        https://bugzilla.redhat.com/show_bug.cgi?id=565949
--------------------------------------------------------------------------------

================================================================================
 pure-ftpd-1.0.30-1.el6 (FEDORA-EPEL-2011-2804)
 Lightweight, fast and secure FTP server
--------------------------------------------------------------------------------
Update Information:

Wietse Venema and Victor Duchovni discovered and reported an issue that could lead to a potential information disclosure.

An unencrypted FTP command immediately following a STARTTLS request would get buffered and processed prior to SSL/TLS handshake, resulting in a potential authentication bypass in case client certificate authentication was configured to provide user identity.

A report of a similar issue that was originally discovered in Postfix MTA contains further technical details and discusses possible impact: http://www.postfix.org/CVE-2011-0411.html

Users of pure-ftpd are advised to install this updated package, which contains a fix for the issue.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Mar 14 2011 Michal Ingeli <mi@v3.sk> - 1.0.30-1
- version 1.0.30
- security bug fix #683221 by upstream
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #683221 - pure-ftpd: command injection during plaintext to TLS session switch
        https://bugzilla.redhat.com/show_bug.cgi?id=683221
--------------------------------------------------------------------------------

================================================================================
 znc-0.098-0.3.rc1.el6 (FEDORA-EPEL-2011-2808)
 An advanced IRC bouncer
--------------------------------------------------------------------------------
Update Information:

Upgrade to 0.098-rc1
--------------------------------------------------------------------------------
ChangeLog:

* Sat Mar 12 2011 Nick Bebout <nb@fedoraproject.org> - 0.098-0.3.rc1
- Update to znc-0.098-rc1
* Wed Mar 2 2011 Nick Bebout <nb@fedoraproject.org> - 0.098-0.2.beta
- Update to znc-0.098-beta
--------------------------------------------------------------------------------