The following Fedora 28 Security updates need testing:
 Age  URL
 171  https://bodhi.fedoraproject.org/updates/FEDORA-2018-d510cfd7eb   jgraphx-3.6.0.0-6.fc28
 120  https://bodhi.fedoraproject.org/updates/FEDORA-2018-d7aeaa74da   nodejs-brace-expansion-1.1.11-1.fc28
 119  https://bodhi.fedoraproject.org/updates/FEDORA-2018-bc073fdc1a   nodejs-atob-2.1.1-1.fc28
 112  https://bodhi.fedoraproject.org/updates/FEDORA-2018-9dd3f7c013   unrtf-0.21.9-8.fc28
  80  https://bodhi.fedoraproject.org/updates/FEDORA-2018-28e9841baf   docker-latest-1.13.1-37.git9cb56fd.fc28
  23  https://bodhi.fedoraproject.org/updates/FEDORA-2018-1735cbc422   CImg-2.3.6-1.fc28
   7  https://bodhi.fedoraproject.org/updates/FEDORA-2018-cc9adc4808   python-marshmallow-2.11.1-8.fc28
   7  https://bodhi.fedoraproject.org/updates/FEDORA-2018-381ab64b59   haproxy-1.8.14-1.fc28
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-f1ca41a1a6   php-tcpdf-6.2.25-1.fc28
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-4f9f4d26f0   libmad-0.15.1b-26.fc28
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-f22b937f52   bind-9.11.4-10.P2.fc28
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-d0dff2abaa   opensc-0.19.0-1.fc28
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-70fac49405   liblouis-2.6.2-16.fc28
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-f4558a5180   php-horde-Horde-Core-2.31.6-1.fc28
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-05d08fddf8   exempi-2.4.5-4.fc28
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-0071ad34f4   rust-1.29.1-2.fc28
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-520062dcb8   php-horde-horde-5.2.20-1.fc28
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-0edb45d9db   kernel-headers-4.18.10-200.fc28 kernel-tools-4.18.10-200.fc28 kernel-4.18.10-200.fc28
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-1c9f3f4d9e   php-horde-kronolith-4.2.25-1.fc28
The following Fedora 28 Critical Path updates have yet to be approved:
 Age  URL
   9  https://bodhi.fedoraproject.org/updates/FEDORA-2018-33c28dc24f   dash-0.5.10.2-1.fc28
   7  https://bodhi.fedoraproject.org/updates/FEDORA-2018-fab540a5d2   libguestfs-1.38.6-1.fc28
   7  https://bodhi.fedoraproject.org/updates/FEDORA-2018-a59b06df46   glusterfs-4.1.5-1.fc28
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-8ec5f8ed8b   pcre2-10.32-3.fc28
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-0edb45d9db   kernel-headers-4.18.10-200.fc28 kernel-tools-4.18.10-200.fc28 kernel-4.18.10-200.fc28
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-05d08fddf8   exempi-2.4.5-4.fc28
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-ceecb4b128   xen-4.10.2-1.fc28
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-ecf764c0dc   openssh-7.8p1-3.fc28
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-fab4056465   gnutls-3.6.4-1.fc28
The following builds have been pushed to Fedora 28 updates-testing
    ansible-2.6.5-1.fc28
    dgit-6.12-1.fc28
    dpdk-17.11.2-2.fc28
    elfutils-0.174-1.fc28
    gnome-shell-extension-media-player-indicator-0-0.21.20180918gitd3201ea.fc28
    gnome-shell-extension-netspeed-3.28-0.5.20180210gite3cea60.fc28
    golang-github-thejerf-suture-3.0.0-1.fc28
    golang-github-xtaci-smux-1.0.8-1.fc28
    hub-2.5.1-1.fc28
    jitterentropy-2.1.2-3.fc28
    libxcrypt-4.2.1-1.fc28
    lightdm-1.28.0-2.fc28
    mediawiki-1.29.3-1.fc28
    openas2-2.6.2-2.fc28
    python-arpy-1.1.1-1.fc28
    python-markdown2-2.3.6-1.fc28
    wsjtx-1.9.1-2.fc28
Details about builds:
================================================================================
 ansible-2.6.5-1.fc28 (FEDORA-2018-10484bb059)
 SSH-based configuration management, deployment, and task execution system
--------------------------------------------------------------------------------
Update Information:

Update to 2.6.5 bugfix release. See
https://github.com/ansible/ansible/blob/v2.6.5/changelogs/CHANGELOG-v2.6.rst
for a full list of fixed bugs.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep 28 2018 Kevin Fenzi kevin@scrye.com - 2.6.5-1
- Update to 2.6.5.
--------------------------------------------------------------------------------
================================================================================
 dgit-6.12-1.fc28 (FEDORA-2018-2d10449d46)
 Integration between git and Debian-style archives
--------------------------------------------------------------------------------
Update Information:

- Rebuilt for new upstream version 6.12, fixes rhbz #1634209
--------------------------------------------------------------------------------
ChangeLog:

* Sat Sep 29 2018 Filipe Rosset rosset.filipe@gmail.com - 6.12-1
- Rebuilt for new upstream version 6.12, fixes rhbz #1634209
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1634209 - dgit-6.12 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1634209
--------------------------------------------------------------------------------
================================================================================
 dpdk-17.11.2-2.fc28 (FEDORA-2018-3350c45b17)
 Set of libraries and drivers for fast packet processing
--------------------------------------------------------------------------------
Update Information:

Fix build flags (bz 1548404)
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep 28 2018 Neil Horman nhorman@redhat.com - 2:17.11.2-2
- Fix build flags (bz 1548404)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1548404 - dpdk: Partial build flags injection
        https://bugzilla.redhat.com/show_bug.cgi?id=1548404
--------------------------------------------------------------------------------
================================================================================
 elfutils-0.174-1.fc28 (FEDORA-2018-1eec1f0d17)
 A collection of utilities and DSOs to handle ELF files and DWARF data
--------------------------------------------------------------------------------
Update Information:

Fixes CVE-2018-16062, CVE-2018-16402 and CVE-2018-16403.
unstrip: Handle SHT_GROUP sections.
strip: Handle mixed (out of order) allocated/non-allocated sections.
elfcompress: Don't rewrite input file if no section data needs updating. Try
harder to keep same file mode bits (suid) on rewrite.
libelf, libdw and all tools now handle extended shnum and shstrndx correctly.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep 14 2018 Mark Wielaard mjw@fedoraproject.org - 0.174-1
- New upstream release
- libelf, libdw and all tools now handle extended shnum and shstrndx
  correctly (#1608390).
- elfcompress: Don't rewrite input file if no section data needs updating.
  Try harder to keep same file mode bits (suid) on rewrite.
- strip: Handle mixed (out of order) allocated/non-allocated sections.
- unstrip: Handle SHT_GROUP sections.
- backends: RISCV and M68K now have backend implementations to generate
  CFI based backtraces.
- Fixes CVE-2018-16062, CVE-2018-16402 and CVE-2018-16403
  (#1623753, #1625051, #1625056).
* Tue Jul 31 2018 Florian Weimer fweimer@redhat.com - 0.173-8
- Rebuild with fixed binutils
* Sun Jul 29 2018 Mark Wielaard mjw@fedoraproject.org - 0.173-7
- Add elfutils-0.173-strip-alloc-nonalloc.patch (#1609577)
* Tue Jul 24 2018 Mark Wielaard mjw@fedoraproject.org
- Drop libstdc++-devel BuildRequires. gcc-c++ will pull it in.
* Tue Jul 24 2018 Mark Wielaard mjw@fedoraproject.org - 0.173-6
- Update elfutils-0.173-annobingroup.patch.
* Sat Jul 21 2018 Mark Wielaard mjw@fedoraproject.org - 0.173-5
- Add BuildRequires gcc-c++ for demangle support.
- Add elfutils-0.173-annobingroup.patch.
* Sat Jul 21 2018 Mark Wielaard mjw@fedoraproject.org - 0.173-4
- Add elfutils-0.173-elfcompress.patch (#1607044)
* Thu Jul 12 2018 Fedora Release Engineering releng@fedoraproject.org - 0.173-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Mon Jul  9 2018 Mark Wielaard mjw@fedoraproject.org - 0.173-2
- Update elfutils-0.173-new-notes-hack.patch for new annobin note.
- Unbreak cyclic systemd dependency for buildroot container (#1599083)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1625050 - CVE-2018-16402 elfutils: Double-free due to double decompression of sections in crafted ELF causes crash
        https://bugzilla.redhat.com/show_bug.cgi?id=1625050
  [ 2 ] Bug #1625055 - CVE-2018-16403 elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash
        https://bugzilla.redhat.com/show_bug.cgi?id=1625055
  [ 3 ] Bug #1623752 - CVE-2018-16062 elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file
        https://bugzilla.redhat.com/show_bug.cgi?id=1623752
--------------------------------------------------------------------------------
================================================================================
 gnome-shell-extension-media-player-indicator-0-0.21.20180918gitd3201ea.fc28 (FEDORA-2018-eb0d35fa00)
 Control MPRIS2 capable media players: Rhythmbox, Banshee, Clementine and more
--------------------------------------------------------------------------------
Update Information:

- Update to 0-0.21.20180918gitd3201ea
- Remove scriptlet glib-compile-schemas: This scriptlet SHOULD NOT be used in
  Fedora 24 or later.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep 28 2018 Martin Gansser martinkg@fedoraproject.org - 0-0.21.20180918gitd3201ea
- Update to new git snapshot 0-0.21.20180918gitd3201ea
- Remove scriptlet glib-compile-schemas: This scriptlet SHOULD NOT be used in
  Fedora 24 or later.
--------------------------------------------------------------------------------
================================================================================
 gnome-shell-extension-netspeed-3.28-0.5.20180210gite3cea60.fc28 (FEDORA-2018-454182da18)
 A gnome-shell extension to show speed of the internet
--------------------------------------------------------------------------------
Update Information:

- Add support for gnome 3.30
--------------------------------------------------------------------------------
================================================================================
 golang-github-thejerf-suture-3.0.0-1.fc28 (FEDORA-2018-588de0f782)
 Supervisor trees for Go
--------------------------------------------------------------------------------
Update Information:

Update to version 3.0.0.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep 28 2018 Fabio Valentini decathorpe@gmail.com - 3.0.0-1
- Update to version 3.0.0.
--------------------------------------------------------------------------------
================================================================================
 golang-github-xtaci-smux-1.0.8-1.fc28 (FEDORA-2018-7fbe30bdf9)
 Simple Stream Multiplexing for golang
--------------------------------------------------------------------------------
Update Information:

Update to version 1.0.8.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep 28 2018 Fabio Valentini decathorpe@gmail.com - 1.0.8-1
- Update to version 1.0.8.
* Sun Sep  2 2018 Fabio Valentini decathorpe@gmail.com - 1.0.7-2
- Update to use spec 3.0.
--------------------------------------------------------------------------------
================================================================================
 hub-2.5.1-1.fc28 (FEDORA-2018-0f2cdce632)
 A command-line wrapper for git with github shortcuts
--------------------------------------------------------------------------------
Update Information:

Update to 2.5.1
- `hub issue create`: ignore the .github/ISSUE_TEMPLATE directory instead of
  crashing
- `hub pull-request`: avoid re-requesting reviewers in case of CODEOWNERS
- `hub ci-status`: handle cases when Checks API is unavailable, like older
  GitHub Enterprise
- Handle HTTP 422 message format from server response
- Ignore crash for malformed ~/.config/hub file
- Clarify `hub init -g` documentation that it doesn't imply hub create
- `hub clone`: add more documentation about git protocol used
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep 28 2018 Stephen Gallagher sgallagh@redhat.com - 2.5.1-1
- Update to 2.5.1
- hub issue create: ignore the .github/ISSUE_TEMPLATE directory instead of
  crashing
- hub pull-request: avoid re-requesting reviewers in case of CODEOWNERS
- hub ci-status: handle cases when Checks API is unavailable, like older
  GitHub Enterprise
- Handle HTTP 422 message format from server response
- Ignore crash for malformed ~/.config/hub file
- Clarify hub init -g documentation that it doesn't imply hub create
- hub clone: add more documentation about git protocol used
* Tue Jul 17 2018 Stephen Gallagher sgallagh@redhat.com - 2.5.0-2
- Fix generation of debuginfo for F29
--------------------------------------------------------------------------------
================================================================================
 jitterentropy-2.1.2-3.fc28 (FEDORA-2018-33d2804809)
 Library implementing the jitter entropy source
--------------------------------------------------------------------------------
Update Information:

New Package: jitterentropy
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1627510 - Review Request: jitterentropy - cpu based entropy extraction library
        https://bugzilla.redhat.com/show_bug.cgi?id=1627510
--------------------------------------------------------------------------------
================================================================================
 libxcrypt-4.2.1-1.fc28 (FEDORA-2018-375b9bbcab)
 Extended crypt library for DES, MD5, Blowfish and others
--------------------------------------------------------------------------------
Update Information:

- New upstream release
- Add new manpages
--------------------------------------------------------------------------------
ChangeLog:

* Sat Sep 29 2018 Björn Esser besser82@fedoraproject.org - 4.2.1-1
- New upstream release
- Add new manpages
* Sat Sep 29 2018 Björn Esser besser82@fedoraproject.org - 4.2.0-1
- New upstream release
--------------------------------------------------------------------------------
================================================================================
 lightdm-1.28.0-2.fc28 (FEDORA-2018-e0507831aa)
 A cross-desktop Display Manager
--------------------------------------------------------------------------------
Update Information:

Adjust ordering of pam modules to ensure gnome_keyring/kwallet loads after
system-auth
--------------------------------------------------------------------------------
ChangeLog:

* Wed Sep 26 2018 Rex Dieter rdieter@fedoraproject.org - 1.28.0-2
- revert over-aggressive use of %name macro
- lightdm.pam: move 'session...system-auth' before gnome_keyring/kwallet
  (#1581495,#1631220)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1631220 - Gnome keyring not unlocked on login
        https://bugzilla.redhat.com/show_bug.cgi?id=1631220
  [ 2 ] Bug #1581495 - lightdm + pam-kwallet causes polkit issues
        https://bugzilla.redhat.com/show_bug.cgi?id=1581495
--------------------------------------------------------------------------------
================================================================================
 mediawiki-1.29.3-1.fc28 (FEDORA-2018-e022ecbc52)
 A wiki engine
--------------------------------------------------------------------------------
Update Information:

https://www.mediawiki.org/wiki/Release_notes/1.29#MediaWiki_1.29.3
- (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
  'newbie'.
- (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
  account lock.
- (T180551) Fix LanguageSrTest for language converter
- (T180552) Fix language converter parser test with self-close tags
- (T180537) Remove $wgAuth usage from wrapOldPasswords.php
- (T180485) InputBox: Have inputbox langconvert certain attributes
- (T161732, T181547) Upgraded Moment.js from v2.15.0 to v2.19.3.
- (T172927) Drop vendor from MW release branch
- (T87572) Make FormatMetadata::flattenArrayReal() work for an associative
  array
- Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
- (T189567) the CLI installer (maintenance/install.php) learned to detect and
  include extensions. Pass --with-extensions to enable that feature.
- (T182381) Mask deprecated call in WatchedItemUnitTest
- (T190503) Let built-in web server (maintenance/dev) handle .php requests.
- The karma qunit tests would fail on some configuration due to headers
  already sent. Check headers_sent() before sending cpPosTime headers
- (T167507) selenium: Run Chrome headlessly.
- selenium: Pass -no-sandbox to Chrome under Docker
- (T191247) Use MediaWiki\SuppressWarnings around trigger_error() instead @
- (T75174, T161041) Unit test ChangesListSpecialPageTest::testFilterUserExpLevel
  fails under SQLite.
- (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
- (T179190) selenium: Move test running logic from package.json to selenium.sh.
- (T117839, T193200) PDFHandler: Fix for pdfinfo changes in poppler-utils 0.48.
- Add default edit rate limit of 90 edits/minute for all users.
- (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
- (T196672) The mtime of extension.json files is now able to be zero
- (T180403) Validate $length in padleft/padright parser functions.
- (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
- (T194237) Special:BotPasswords now requires reauthentication.
- (T191608, T187638) Add 'logid' parameter to Special:Log.
- (T176097) resourceloader: Disable a flaky MessageBlobStoreTest case
- (T193829) Indicate when a Bot Password needs reset.
- (T151415) Log email changes.
- (T118420) Unbreak Oracle installer.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep 28 2018 Michael Cronenworth mike@cchtml.com - 1.29.3-1
- Update to 1.29.3
- https://www.mediawiki.org/wiki/Release_notes/1.29#MediaWiki_1.29.3
* Fri Jul 13 2018 Fedora Release Engineering releng@fedoraproject.org - 1.29.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Feb  8 2018 Fedora Release Engineering releng@fedoraproject.org - 1.29.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1634170 - CVE-2018-0504 mediawiki: Information exposure when a log event is (partially) hidden [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1634170
  [ 2 ] Bug #1634167 - CVE-2018-0505 mediawiki: BotPassword can bypass CentralAuth's account lock [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1634167
  [ 3 ] Bug #1634162 - CVE-2018-0503 mediawiki: $wgRateLimits (rate limit / ping limiter) entry for 'user' overrides that for 'newbie' [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1634162
--------------------------------------------------------------------------------
================================================================================
 openas2-2.6.2-2.fc28 (FEDORA-2018-2807a71a57)
 Java-based implementation of the EDIINT AS2 standard
--------------------------------------------------------------------------------
Update Information:

New upstream release with some workarounds for MDN related partner braindamage.
Plus, we disable tcp_server by default and set factory passwords to ChangeMe.

----

This is an open Java implementation of the AS2 EDI transport standard. To test,
you need to install multiple instances, or use actual EDI partners. For
instance, if you are an Amazon EDI vendor, you can create a TEST connection to
your openas2 instance and run Amazon tests. You need to use the Java keytool to
create and exchange public keys to identify EDI partners. At some point, I need
to add a Fedora README with more Fedora specific howtos.

While this is an application designed to exchange business EDI documents, you
can test by creating 2 or more instances, and exchanging any arbitrary files.
AS2 doesn't look at the contents of documents other than to compute the hash
for signatures.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1633362 - MDN fails to decrypt for some partners
        https://bugzilla.redhat.com/show_bug.cgi?id=1633362
  [ 2 ] Bug #1478210 - Review Request: openas2 - Java implementation of EDIINT AS2
        https://bugzilla.redhat.com/show_bug.cgi?id=1478210
--------------------------------------------------------------------------------
================================================================================
 python-arpy-1.1.1-1.fc28 (FEDORA-2018-9061fc257e)
 Library for accessing "ar" files
--------------------------------------------------------------------------------
Update Information:

New package for Fedora.
--------------------------------------------------------------------------------
================================================================================
 python-markdown2-2.3.6-1.fc28 (FEDORA-2018-dd98177cad)
 A fast and complete Python implementation of Markdown
--------------------------------------------------------------------------------
Update Information:

#### python-markdown2 2.3.6 ####
- [pull #282] Add TOC depth option
- [pull #283] Fix to add TOC html to output via CLI
- [pull #284] Do not remove anchors in safe_mode
- [pull #288] fixing cuddled-lists with a single list item
- [pull #292] Fix Wrong rendering of last list element
- [pull #295] link-patterns fix
- [pull #300] Replace a deprecated method
- [pull #301] DeprecationWarning: invalid escape sequence
- [pull #302] Fix "make test" in Python 3
- [pull #303] Fix CVE-2018-5773
--------------------------------------------------------------------------------
ChangeLog:

* Sat Sep 29 2018 Thomas Moschny thomas.moschny@gmx.de - 2.3.6-1
- Update to 2.3.6.
* Sat Jul 14 2018 Fedora Release Engineering releng@fedoraproject.org - 2.3.5-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Jun 19 2018 Miro Hrončok mhroncok@redhat.com - 2.3.5-4
- Rebuilt for Python 3.7
* Tue Jun 19 2018 Miro Hrončok mhroncok@redhat.com - 2.3.5-3
- Rebuilt for Python 3.7
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1536923 - CVE-2018-5773 python-markdown2: Unsanitized input in markdown() method allows for cross-site scripting (XSS) [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1536923
--------------------------------------------------------------------------------
================================================================================
 wsjtx-1.9.1-2.fc28 (FEDORA-2018-ec91ca4076)
 Weak Signal communication by K1JT
--------------------------------------------------------------------------------
Update Information:

Rebuild for hamlib 3.3.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep 28 2018 Richard Shaw hobbes1069@gmail.com - 1.9.1-2
- Rebuild for hamlib 3.3.
* Sat Jul 14 2018 Fedora Release Engineering releng@fedoraproject.org - 1.9.1-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1634049 - Upgrade to hamlib 3.3-1 breaks ICOM 7300
        https://bugzilla.redhat.com/show_bug.cgi?id=1634049
--------------------------------------------------------------------------------