The following Fedora 18 Security updates need testing:
 Age  URL
  37  https://admin.fedoraproject.org/updates/FEDORA-2013-21875/389-ds-base-1.3.0....
  23  https://admin.fedoraproject.org/updates/FEDORA-2013-22949/net-snmp-5.7.2-7.f...
  20  https://admin.fedoraproject.org/updates/FEDORA-2013-23140/python-setuptools-...
  17  https://admin.fedoraproject.org/updates/FEDORA-2013-23291/thunderbird-24.2.0...
  11  https://admin.fedoraproject.org/updates/FEDORA-2013-23662/rubygem-actionpack...
  11  https://admin.fedoraproject.org/updates/FEDORA-2013-23663/ibus-chewing-1.4.4...
   5  https://admin.fedoraproject.org/updates/FEDORA-2013-23951/gitolite3-3.5.3.1-...
   3  https://admin.fedoraproject.org/updates/FEDORA-2013-23988/varnish-3.0.5-1.fc...
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-24142/asterisk-11.7.0-1....
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-24155/libsrtp-1.4.4-9.20...

The following Fedora 18 Critical Path updates have yet to be approved:
 Age  URL
 324  https://admin.fedoraproject.org/updates/FEDORA-2013-2192/nautilus-3.6.3-5.fc...
   9  https://admin.fedoraproject.org/updates/FEDORA-2013-23716/selinux-policy-3.1...
   7  https://admin.fedoraproject.org/updates/FEDORA-2013-23882/libbluray-0.5.0-2....

The following builds have been pushed to Fedora 18 updates-testing
    asterisk-11.7.0-1.fc18
    gtk-gnutella-1.0.0-1.fc18
    libsrtp-1.4.4-9.20101004cvs.fc18
    php-Faker-1.3.0-1.fc18
    php-Monolog-1.7.0-1.fc18
    php-PhpCollection-0.3.1-1.fc18
    php-Raven-0.8.0-2.20131209gitdac9333.fc18
    php-scssphp-0.0.9-1.fc18
    vcsh-1.20131229-1.fc18
Details about builds:
================================================================================
 asterisk-11.7.0-1.fc18 (FEDORA-2013-24142)
 The Open Source PBX
--------------------------------------------------------------------------------
Update Information:
* Sat Dec 28 2013 Jeffrey Ollie jeff@ocjtech.us - 11.7.0-1:
- The Asterisk Development Team has announced the release of Asterisk 11.7.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.7.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- app_confbridge: Can now set the language used for announcements
-       to the conference.
-   (Closes issue ASTERISK-19983. Reported by Jonathan White)
-
- * --- app_queue: Fix CLI "queue remove member" queue_log entry.
-   (Closes issue ASTERISK-21826. Reported by Oscar Esteve)
-
- * --- chan_sip: Do not increment the SDP version between 183 and 200
-       responses.
-   (Closes issue ASTERISK-21204. Reported by NITESH BANSAL)
-
- * --- chan_sip: Allow a sip peer to accept both AVP and AVPF calls
-   (Closes issue ASTERISK-22005. Reported by Torrey Searle)
-
- * --- chan_sip: Fix Realtime Peer Update Problem When Un-registering
-       And Expires Header In 200ok
-   (Closes issue ASTERISK-22428. Reported by Ben Smithurst)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.7.0

* Sat Dec 28 2013 Jeffrey Ollie jeff@ocjtech.us - 11.6.1-1:
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 1.8.15, 11.2, and Asterisk 1.8, 10, and 11. The available security
- releases are released as versions 1.8.15-cert4, 11.2-cert3, 1.8.24.1, 10.12.4,
- 10.12.4-digiumphones, and 11.6.1.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of these versions resolve the following issues:
-
- * A buffer overflow when receiving odd length 16 bit messages in app_sms. An
-   infinite loop could occur which would overwrite memory when a message is
-   received into the unpacksms16() function and the length of the message is an
-   odd number of bytes.
-
- * Prevent permissions escalation in the Asterisk Manager Interface. Asterisk
-   now marks certain individual dialplan functions as 'dangerous', which will
-   inhibit their execution from external sources.
-
-   A 'dangerous' function is one which results in a privilege escalation. For
-   example, if one were to read the channel variable SHELL(rm -rf /) Bad
-   Things(TM) could happen; even if the external source has only read
-   permissions.
-
-   Execution from external sources may be enabled by setting 'live_dangerously'
-   to 'yes' in the [options] section of asterisk.conf. Although doing so is not
-   recommended.
-
- These issues and their resolutions are described in the security advisories.
-
- For more information about the details of these vulnerabilities, please read
- security advisories AST-2013-006 and AST-2013-007, which were
- released at the same time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/Chan...
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/Chan...
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8....
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.1...
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.1...
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.6...
-
- The security advisories are available at:
-
- * http://downloads.asterisk.org/pub/security/AST-2013-006.pdf
- * http://downloads.asterisk.org/pub/security/AST-2013-007.pdf

* Sat Dec 28 2013 Jeffrey Ollie jeff@ocjtech.us - 11.6.0-1:
- The Asterisk Development Team has announced the release of Asterisk 11.6.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.6.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Confbridge: empty conference not being torn down
-   (Closes issue ASTERISK-21859. Reported by Chris Gentle)
-
- * --- Let Queue wrap up time influence member availability
-   (Closes issue ASTERISK-22189. Reported by Tony Lewis)
-
- * --- Fix a longstanding issue with MFC-R2 configuration that
-       prevented users
-   (Closes issue ASTERISK-21117. Reported by Rafael Angulo)
-
- * --- chan_iax2: Fix saving the wrong expiry time in astdb.
-   (Closes issue ASTERISK-22504. Reported by Stefan Wachtler)
-
- * --- Fix segfault for certain invalid WebSocket input.
-   (Closes issue ASTERISK-21825. Reported by Alfred Farrugia)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.6.0
--------------------------------------------------------------------------------
ChangeLog:

* Sat Dec 28 2013 Jeffrey Ollie jeff@ocjtech.us - 11.7.0-1:
- The Asterisk Development Team has announced the release of Asterisk 11.7.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.7.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- app_confbridge: Can now set the language used for announcements
-       to the conference.
-   (Closes issue ASTERISK-19983. Reported by Jonathan White)
-
- * --- app_queue: Fix CLI "queue remove member" queue_log entry.
-   (Closes issue ASTERISK-21826. Reported by Oscar Esteve)
-
- * --- chan_sip: Do not increment the SDP version between 183 and 200
-       responses.
-   (Closes issue ASTERISK-21204. Reported by NITESH BANSAL)
-
- * --- chan_sip: Allow a sip peer to accept both AVP and AVPF calls
-   (Closes issue ASTERISK-22005. Reported by Torrey Searle)
-
- * --- chan_sip: Fix Realtime Peer Update Problem When Un-registering
-       And Expires Header In 200ok
-   (Closes issue ASTERISK-22428. Reported by Ben Smithurst)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.7.0
* Sat Dec 28 2013 Jeffrey Ollie jeff@ocjtech.us - 11.6.1-1:
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 1.8.15, 11.2, and Asterisk 1.8, 10, and 11. The available security
- releases are released as versions 1.8.15-cert4, 11.2-cert3, 1.8.24.1, 10.12.4,
- 10.12.4-digiumphones, and 11.6.1.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of these versions resolve the following issues:
-
- * A buffer overflow when receiving odd length 16 bit messages in app_sms. An
-   infinite loop could occur which would overwrite memory when a message is
-   received into the unpacksms16() function and the length of the message is an
-   odd number of bytes.
-
- * Prevent permissions escalation in the Asterisk Manager Interface. Asterisk
-   now marks certain individual dialplan functions as 'dangerous', which will
-   inhibit their execution from external sources.
-
-   A 'dangerous' function is one which results in a privilege escalation. For
-   example, if one were to read the channel variable SHELL(rm -rf /) Bad
-   Things(TM) could happen; even if the external source has only read
-   permissions.
-
-   Execution from external sources may be enabled by setting 'live_dangerously'
-   to 'yes' in the [options] section of asterisk.conf. Although doing so is not
-   recommended.
-
- These issues and their resolutions are described in the security advisories.
-
- For more information about the details of these vulnerabilities, please read
- security advisories AST-2013-006 and AST-2013-007, which were
- released at the same time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/Chan...
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/Chan...
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8....
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.1...
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.1...
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.6...
-
- The security advisories are available at:
-
- * http://downloads.asterisk.org/pub/security/AST-2013-006.pdf
- * http://downloads.asterisk.org/pub/security/AST-2013-007.pdf
* Sat Dec 28 2013 Jeffrey Ollie jeff@ocjtech.us - 11.6.0-1:
- The Asterisk Development Team has announced the release of Asterisk 11.6.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.6.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Confbridge: empty conference not being torn down
-   (Closes issue ASTERISK-21859. Reported by Chris Gentle)
-
- * --- Let Queue wrap up time influence member availability
-   (Closes issue ASTERISK-22189. Reported by Tony Lewis)
-
- * --- Fix a longstanding issue with MFC-R2 configuration that
-       prevented users
-   (Closes issue ASTERISK-21117. Reported by Rafael Angulo)
-
- * --- chan_iax2: Fix saving the wrong expiry time in astdb.
-   (Closes issue ASTERISK-22504. Reported by Stefan Wachtler)
-
- * --- Fix segfault for certain invalid WebSocket input.
-   (Closes issue ASTERISK-21825. Reported by Alfred Farrugia)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.6.0
* Mon Oct 21 2013 Jeffrey Ollie jeff@ocjtech.us - 11.5.1-3:
- Disable hardened build, as it's apparently causing problems loading modules.
--------------------------------------------------------------------------------
References:
  [ 1 ] Bug #1043917 - asterisk: asterisk manager user dialplan permission escalation
        https://bugzilla.redhat.com/show_bug.cgi?id=1043917
  [ 2 ] Bug #1043918 - CVE-2013-7100 asterisk: buffer overflow when receiving odd length 16 bit SMS message
        https://bugzilla.redhat.com/show_bug.cgi?id=1043918
--------------------------------------------------------------------------------

================================================================================
 gtk-gnutella-1.0.0-1.fc18 (FEDORA-2013-24126)
 GUI based Gnutella Client
--------------------------------------------------------------------------------
Update Information:

Update to 1.0.0
--------------------------------------------------------------------------------
ChangeLog:

* Mon Dec 30 2013 Dmitry Butskoy Dmitry@Butskoy.name - 1.0.0-1
- Upgrade to 1.0.0
* Sat Aug 3 2013 Fedora Release Engineering rel-eng@lists.fedoraproject.org - 0.98.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Tue Apr 23 2013 Jon Ciesla limburgher@gmail.com - 0.98.4-3
- Drop desktop vendor tag.
* Thu Feb 14 2013 Fedora Release Engineering rel-eng@lists.fedoraproject.org - 0.98.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
--------------------------------------------------------------------------------

================================================================================
 libsrtp-1.4.4-9.20101004cvs.fc18 (FEDORA-2013-24155)
 An implementation of the Secure Real-time Transport Protocol (SRTP)
--------------------------------------------------------------------------------
Update Information:

Fix CVE-2013-2139 - buffer overflow in application of crypto profiles
--------------------------------------------------------------------------------
ChangeLog:

* Mon Dec 30 2013 Tom Callaway spot@fedoraproject.org - 1.4.4-9.20101004cvs
- apply fix for CVE-2013-2139 from https://github.com/cisco/libsrtp/pull/27
* Sat Aug 3 2013 Fedora Release Engineering rel-eng@lists.fedoraproject.org - 1.4.4-8.20101004cvs
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Thu Feb 14 2013 Fedora Release Engineering rel-eng@lists.fedoraproject.org - 1.4.4-7.20101004cvs
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #970697 - CVE-2013-2139 libsrtp: buffer overflow in application of crypto profiles
        https://bugzilla.redhat.com/show_bug.cgi?id=970697
--------------------------------------------------------------------------------

================================================================================
 php-Faker-1.3.0-1.fc18 (FEDORA-2013-24111)
 A PHP library that generates fake data
--------------------------------------------------------------------------------
Update Information:

v1.3.0 (2013-12-16)

New Features
* Added unique() modifier
* Added optional() modifier (weotch)
* Added Image generation powered by LoremPixel (weotch)
* Added IDE insights to allow better intellisense/phpStorm autocompletion (thallisphp)
* Added IBAN generator for every currently known locale that uses it (nineinchnick)
* Added Payment providers (creditCardType, creditCardNumber, creditCardExpirationDate, creditCardExpirationDateString) (pomaxa)
* Added Color provider with hexColor, rgbColor, rgbColorAsArray, rgbCssColor, safeColorName, and colorName formatters (lsv)

New / Improved Locales
* Added English (South Africa) (en_ZA) person, address, Internet and phone number providers (dmfaux)
* Added Spanish (es_ES) Internet provider (eusonlito)
* Added English Philippines (en_PH) address provider (kamote)
* Added Brazilian (pt_BR) email provider data (KennedyTedesco)
* Added Peruvian (es_PE) person, address, phone number, and company providers (cslucano)
* Added Ukrainian (uk_UA) color provider (ruden)
* Fixed Ukrainian (uk_UA) namespace and email transliteration (ruden)
* Added Romanian (Moldova) (ro_MD) person, address, and phone number providers (AlexanderC)
* Added Romanian (ro_RO) address and person providers (calina-c)
* Added Polish (pl_PL) address provider, personal identity number and pesel number generator (nineinchnick)
* Added Turkish (tr_TR) address provider, and improved internet provider (hasandz)
* Added Greek (el_GR) person, address, and phone number providers (georgeharito)
* Added Australian (en_AU) address, Internet, and phone number providers (rcuddy)
* Added French (fr_FR) phone number formats (vchabot)
* Added Japanese (ja_JP) person, address, Internet, phone number, and company providers (kumamidori)
* Added Russian (ru_RU) color providers, driver license and passport number formats (pomaxa)
* Added Latvian (lv_LV) person, address, Internet, and phone number providers (pomaxa)
* Added Brazilian (pt_BR) Internet provider (vjnrv)
* Added more Czech (cs_CZ) lastnames (petrkle)
* Added Chinese Simplified (zh_CN) person, address, Internet, and phone number providers (tlikai)

Bug Fixes
* Fixed state generator in Australian (en_AU) provider (sebklaus)
* Fixed IDE insights for locale specific providers (ulrikjohansson)
* Fixed integer values overflowing on signed INTEGER columns on Doctrine populator (Thinkscape)
* Fixed spelling error in French (fr_FR) address provider (leihog)
* Fixed Italian (it_IT) email provider (garak)
* Fixed UK country code (pgscandeias)
* Fixed missing timezone with dateTimeBetween (baldurrensch)
* Fixed call to undefined method cardType in Payment (WMeldon)
* Fixed Doctrine populator to use ObjectManager instead of EntityManagerInterface (mgiustiniani)
* Fixed docblock for Provider\Base::unique() (pschultz)
* Fixed Propel column number guesser to use signed range of values (gunnarlium)
* Fixed phpDoc in Doctrine Entity populator (rogamoore)
* Fixed typo in the Person provider documentation (jtreminio)
* Fixed Russian (ru_RU) person format (alexshadow007)

Miscellaneous
* Added improvements based on SensioLabsInsights analysis
* Fixed Typos (pborelli)
* Added support for associative arrays in randomElement (aRn0D)
--------------------------------------------------------------------------------
ChangeLog:

* Sun Dec 29 2013 Shawn Iwinski shawn.iwinski@gmail.com 1.3.0-1
- Updated to 1.3.0 (BZ #1044436)
- Spec cleanup
* Sun Aug 4 2013 Fedora Release Engineering rel-eng@lists.fedoraproject.org - 1.2.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1044436 - php-Faker-1.3.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1044436
--------------------------------------------------------------------------------

================================================================================
 php-Monolog-1.7.0-1.fc18 (FEDORA-2013-24107)
 Sends your logs to files, sockets, inboxes, databases and various web services
--------------------------------------------------------------------------------
Update Information:

1.7.0 (2013-11-14)
* Added ElasticSearchHandler to send logs to an Elastic Search server
* Added DynamoDbHandler and ScalarFormatter to send logs to Amazon's Dynamo DB
* Added SyslogUdpHandler to send logs to a remote syslogd server
* Added LogglyHandler to send logs to a Loggly account
* Added $level to IntrospectionProcessor so it only adds backtraces when needed
* Added $version to LogstashFormatter to allow using the new v1 Logstash format
* Added $appName to NewRelicHandler
* Added configuration of Pushover notification retries/expiry
* Added $maxColumnWidth to NativeMailerHandler to change the 70 chars default
* Added chainability to most setters for all handlers
* Fixed RavenHandler batch processing so it takes the message from the record with highest priority
* Fixed HipChatHandler batch processing so it sends all messages at once
* Fixed issues with eAccelerator
* Fixed and improved many small things
--------------------------------------------------------------------------------
ChangeLog:

* Mon Dec 30 2013 Shawn Iwinski shawn.iwinski@gmail.com 1.7.0-1
- Updated to 1.7.0 (BZ #1030923)
- Added dynamo sub-package
- Spec cleanup
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1030923 - php-Monolog-1.7.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1030923
--------------------------------------------------------------------------------

================================================================================
 php-PhpCollection-0.3.1-1.fc18 (FEDORA-2013-24141)
 General purpose collection library for PHP
--------------------------------------------------------------------------------
Update Information:

Updated to 0.3.1
* Adds map() method
--------------------------------------------------------------------------------
ChangeLog:

* Mon Dec 30 2013 Shawn Iwinski shawn.iwinski@gmail.com 0.3.1-1
- Updated to 0.3.1 (BZ #1045915)
- Spec cleanup
* Sun Aug 4 2013 Fedora Release Engineering rel-eng@lists.fedoraproject.org - 0.3.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1045915 - php-PhpCollection-0.3.1 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1045915
--------------------------------------------------------------------------------

================================================================================
 php-Raven-0.8.0-2.20131209gitdac9333.fc18 (FEDORA-2013-24081)
 A PHP client for Sentry
--------------------------------------------------------------------------------
Update Information:

Updated to snapshot 2013-12-09 commit dac93338d1fe17d665dfdea5f529c89b3a0df7df (0.8.0 + additional commits)

Commits: https://github.com/getsentry/raven-php/commits/dac93338d1fe17d665dfdea5f529c...
--------------------------------------------------------------------------------
ChangeLog:

* Mon Dec 30 2013 Shawn Iwinski shawn.iwinski@gmail.com 0.8.0-2.20131209gitdac9333
- Updated to latest snapshot
* Sun Dec 29 2013 Shawn Iwinski shawn.iwinski@gmail.com 0.8.0-1
- Updated to 0.8.0 (BZ #1037543)
- Spec cleanup
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1037543 - php-Raven-0.8.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1037543
--------------------------------------------------------------------------------

================================================================================
 php-scssphp-0.0.9-1.fc18 (FEDORA-2013-24151)
 A compiler for SCSS written in PHP
--------------------------------------------------------------------------------
Update Information:

v0.0.9

Bug fixes:
* @for/@while inside @content block (@sergeylukin)
* functions in mixin_content (@timonbaetz)
* infinite loop when target extends itself (@oscherler)
* function arguments are lost inside of @content block

Enhancements:
* allow setting number precision (@kasperisager)
* public function helpers (toBool, get, findImport, assertList, assertColor, assertNumber, throwError) (@Burgov, @atdt)
* add optional cache buster prefix to serve() method (@iMoses)
--------------------------------------------------------------------------------
ChangeLog:

* Sun Dec 29 2013 Shawn Iwinski shawn.iwinski@gmail.com 0.0.9-1
- Updated to 0.0.9 (BZ #1046671)
- Spec cleanup
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1046671 - php-scssphp-0.0.9 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1046671
--------------------------------------------------------------------------------

================================================================================
 vcsh-1.20131229-1.fc18 (FEDORA-2013-24137)
 Version Control System for $HOME
--------------------------------------------------------------------------------
Update Information:

Bumped version to 1.20131229
--------------------------------------------------------------------------------
ChangeLog:

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1047227 - vcsh-1.20131229 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1047227
--------------------------------------------------------------------------------