The following Fedora EPEL 7 Security updates need testing:
Age URL
42 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-4a9fc09599 openjpeg2-2.3.1-10.el7
7 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-f1768ebc94 opensmtpd-6.8.0p2-1.el7
4 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-e06cd0281c zabbix30-3.0.31-1.el7
3 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-e30a25d6d0 chromium-88.0.4324.96-1.el7
2 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-4e3398c399 libssh-0.7.7-1.el7
2 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-c09d7045f3 seamonkey-2.53.6-1.el7
1 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-ba217a684f monitorix-3.13.1-1.el7
The following builds have been pushed to Fedora EPEL 7 updates-testing
clamav-0.103.0-3.el7
composer-1.10.20-1.el7
libabigail-1.8.1-1.el7
Details about builds:
================================================================================
clamav-0.103.0-3.el7 (FEDORA-EPEL-2021-76471a2936)
End-user tools for the Clam Antivirus scanner
--------------------------------------------------------------------------------
Update Information:
clamonacc: Fix stack buffer overflow with old curl
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jan 27 2021 Sérgio Basto <sergio(a)serjux.com> - 0.103.0-3
- Add upstream patch clamonacc: Fix stack buffer overflow with old curl
* Tue Jan 26 2021 Fedora Release Engineering <releng(a)fedoraproject.org> - 0.103.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1918444 - clamonacc crashes repeatedly in 0.103.0-1 packages from EPEL for CentOS and RHEL 7
https://bugzilla.redhat.com/show_bug.cgi?id=1918444
--------------------------------------------------------------------------------
================================================================================
composer-1.10.20-1.el7 (FEDORA-EPEL-2021-d8b60671c5)
Dependency Manager for PHP
--------------------------------------------------------------------------------
Update Information:
**Version 1.10.20** - 2021-01-27 * Fixed exclude-from-classmap causing regex
issues when having too many paths * Fixed compatibility issue with Symfony 4/5
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jan 28 2021 Remi Collet <remi(a)remirepo.net> - 1.10.20-1
- update to 1.10.20
--------------------------------------------------------------------------------
================================================================================
libabigail-1.8.1-1.el7 (FEDORA-EPEL-2021-b8c247baf4)
Set of ABI analysis tools
--------------------------------------------------------------------------------
Update Information:
Update to upstream fixes up to libabigail-1.8.1
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jan 27 2021 Dodji Seketeli <dodji(a)redhat.com> - 1.8.1-1
- Update to upstream fixes up to libabigail-1.8.1
This encompasses these fixes, compared to the last 1.8 release:
ir: Add better comments to types_have_similar_structure
mainpage: Update web page for 1.8 release
Bug 26992 - Try harder to resolve declaration-only classes
Bug 27204 - potential loss of some aliased ELF function symbols
Ignore duplicated functions and those not associated with ELF symbols
Bug 27236 - Pointer comparison wrongly fails because of typedef change
Bug 27233 - fedabipkgdiff fails on package gnupg2 from Fedora 33
Bug 27232 - fedabipkgdiff fails on gawk from Fedora 33
dwarf-reader: Support fast DW_FORM_line_strp string comparison
gen-changelog.py: Update call to subprocess.Popen & cleanup
Bug 27255 - fedabipkgdiff fails on nfs-utils on Fedora 33
abidiff: support --dump-diff-tree with --leaf-changes-only
ir: Arrays are indirect types for type structure similarity purposes
Add qualifier / typedef / array / pointer test
abg-ir: Optimize calls to std::string::find() for a single char.
abipkgdiff: Address operator precedence warning
--------------------------------------------------------------------------------
Dear all,
You are kindly invited to the meeting:
EPEL Steering Committee on 2021-01-29 from 17:00:00 to 18:00:00 US/Eastern
At fedora-meeting(a)irc.freenode.net
The meeting will be about:
This is the weekly EPEL Steering Committee Meeting.
A general agenda is the following:
#meetingname EPEL
#topic Intros
#topic Old Business
#topic EPEL-7
#topic EPEL-8
#topic Openfloor
#endmeeting
Source: https://apps.fedoraproject.org/calendar/meeting/9854/
The following Fedora EPEL 8 Security updates need testing:
Age URL
6 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-83ab5bb91b opensmtpd-6.8.0p2-1.el8
2 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-b68969af8c chromium-88.0.4324.96-1.el8
1 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-403074b7e0 seamonkey-2.53.6-1.el8
The following builds have been pushed to Fedora EPEL 8 updates-testing
R-qtl-1.47.9-1.el8
lua-readline-2.8-1.el8
monitorix-3.13.1-1.el8
nx-libs-3.5.99.25-4.el8
rlwrap-0.44-1.el8
youtube-dl-2021.01.24.1-1.el8
yubico-piv-tool-2.2.0-1.el8
Details about builds:
================================================================================
R-qtl-1.47.9-1.el8 (FEDORA-EPEL-2021-b797df647f)
Tools for analyzing QTL experiments
--------------------------------------------------------------------------------
Update Information:
R-qtl 1.47-9
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jan 27 2021 Mattias Ellert <mattias.ellert(a)physics.uu.se> - 1.47.9-1
- Update to 1.47-9
* Mon Jan 25 2021 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.46.2-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Aug 10 2020 Tom Callaway <spot(a)fedoraproject.org> - 1.46.2-5
- rebuild for FlexiBLAS R
* Sat Aug 1 2020 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.46.2-4
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jul 27 2020 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.46.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
--------------------------------------------------------------------------------
================================================================================
lua-readline-2.8-1.el8 (FEDORA-EPEL-2021-21532ad9b8)
Lua interface to the readline and history libraries
--------------------------------------------------------------------------------
Update Information:
- Update to 2.8 - Fix the reported version, it was not bumped for 2.8 - Use
Fedora-specific linker flags (thanks to Robert Scheck
<robert(a)fedoraproject.org>) - Add basic loadability checks (Robert) - Pull in
lua-rpm-macros explicitly on EL <= 7
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jan 26 2021 Michel Alexandre Salim <salimma(a)fedoraproject.org> - 2.8-1
- Update to 2.8
- Fix the reported version, it was not bumped for 2.8
- Use Fedora-specific linker flags (thanks to Robert Scheck <robert(a)fedoraproject.org>)
- Add basic loadability checks (Robert)
- Pull in lua-rpm-macros explicitly on EL <= 7
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1914667 - Lack of Fedora-specific linker flags
https://bugzilla.redhat.com/show_bug.cgi?id=1914667
[ 2 ] Bug #1914686 - lua-readline-2.8 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1914686
--------------------------------------------------------------------------------
================================================================================
monitorix-3.13.1-1.el8 (FEDORA-EPEL-2021-aadbebf090)
A free, open source, lightweight system monitoring tool
--------------------------------------------------------------------------------
Update Information:
This new version fixes a security bug introduced in the 3.13.0 version that led
the HTTP built-in server to bypass the Basic Authentication when the option
hosts_deny is not defined, which is the default. Besides this fix, this version
also updates the main configuration file to add the option hosts_deny = all by
default inside the auth subsection, in an attempt to make the default behaviour
more clear. All users using the 3.13.0 version are advised and encouraged to
upgrade to this new version, which resolves the security issue. ---- This
new version introduces three new modules: the long-awaited pgsql.pm capable of
monitoring up to 9 databases of an unlimited number of PostgreSQL servers, the
redis.pm and tinyproxy.pm which are both also capable of monitoring an unlimited
number of Redis and Tinyproxy servers respectively. This version also includes
some interesting new features. The new CSS theming support will allow people to
create their own color themes. The new support for the ss command in port.pm and
nginx.pm modules. The ability to map the device names and also to include a
title name in disk.pm module. The new stacked visualization of network stats
available on a number of modules, and more. Also with this new version,
Monitorix is able to be executed as a regular user instead of root. This is of
course subject to the capabilities of each module to get statistics without
using the superuser. The rest of new features, changes and bugs fixed are, as
always, reflected in the Changes file.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jan 27 2021 Jordi Sanfeliu <jordi(a)fibranet.cat> - 3.13.1-1
- Updated to 3.13.1.
* Fri Jan 22 2021 Jordi Sanfeliu <jordi(a)fibranet.cat> - 3.13.0-1
- Updated to 3.13.0.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1919169 - monitorix-3.13.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1919169
[ 2 ] Bug #1920998 - monitorix-3.13.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1920998
--------------------------------------------------------------------------------
================================================================================
nx-libs-3.5.99.25-4.el8 (FEDORA-EPEL-2021-3b4b144e1b)
NX X11 protocol compression libraries
--------------------------------------------------------------------------------
Update Information:
Disable extraneous debug logging that can fill disks
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jan 26 2021 Orion Poplawski <orion(a)nwra.com> - 3.5.99.25-4
- Add upstream patch to quiet logging
* Tue Jan 26 2021 Fedora Release Engineering <releng(a)fedoraproject.org> - 3.5.99.25-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1916491 - nxagent logs exessively to session.log
https://bugzilla.redhat.com/show_bug.cgi?id=1916491
--------------------------------------------------------------------------------
================================================================================
rlwrap-0.44-1.el8 (FEDORA-EPEL-2021-92f4e70166)
Wrapper for GNU readline
--------------------------------------------------------------------------------
Update Information:
## New Features - rlwrap is now aware of multi-byte characters and correctly
handles prompts (or things that look like prompts, e.g. progress indicators)
that contain them. - rlwrap filters can now also filter signals (see
RlwrapFilter(3pm)), changing them, or providing extra input to the rlwrapped
command. - Key sequences can now be bound to rlwrap-direct-keypress (using a new
readline command rlwrap-direct-prefix) (contributed by Yuri d'Elia) ## Bug
fixes - now works with the readline 8.1 (which exposed an old bug caused by
rlwrap mis-handling enabled bracketed-paste) - binding accept-line to a key
would make pressing that key mess up the display
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jan 26 2021 Michel Alexandre Salim <salimma(a)fedoraproject.org> - 0.44-1
- Update to 0.44
* Fri Dec 4 2020 Jeff Law <law(a)redhat.com> - 0.43-8
- Fix out of bounds read in configure generated code caught by gcc-11
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1918577 - upgrade rlwrap
https://bugzilla.redhat.com/show_bug.cgi?id=1918577
[ 2 ] Bug #1920859 - rlwrap-7c1e432 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1920859
--------------------------------------------------------------------------------
================================================================================
youtube-dl-2021.01.24.1-1.el8 (FEDORA-EPEL-2021-417125ab38)
A small command-line program to download online videos
--------------------------------------------------------------------------------
Update Information:
Update to version 2021.01.24.1 ---- Update to version 2021.01.16
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jan 27 2021 David Schwörer <davidsch(a)fedoraproject.org> - 2021.01.24.1-1
- Update to 2021.01.24.1
* Mon Jan 18 2021 David Schwörer <davidsch(a)fedoraproject.org> - 2021.01.16-1
- Update to 2021.01.16
* Fri Jan 8 2021 David Schwörer <davidsch(a)fedoraproject.org> - 2021.01.08-1
- Update to 2021.01.08
* Tue Jan 5 2021 David Schwörer <davidsch(a)fedoraproject.org> - 2021.01.03-2
- Update to 2021.01.03
* Sun Jan 3 2021 David Schwörer <davidsch(a)fedoraproject.org> - 2021.01.03-1
- Update to 2021.01.03
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1916977 - youtube-dl-2021.01.16 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1916977
[ 2 ] Bug #1920080 - youtube-dl-2021.01.24.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1920080
--------------------------------------------------------------------------------
================================================================================
yubico-piv-tool-2.2.0-1.el8 (FEDORA-EPEL-2021-60c6c91676)
Tool for interacting with the PIV applet on a YubiKey
--------------------------------------------------------------------------------
Update Information:
Finally EPEL8 release!
--------------------------------------------------------------------------------
ChangeLog:
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1918362 - yubico-piv-tool-2.2.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1918362
--------------------------------------------------------------------------------
The following Fedora EPEL 7 Security updates need testing:
Age URL
41 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-4a9fc09599 openjpeg2-2.3.1-10.el7
6 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-f1768ebc94 opensmtpd-6.8.0p2-1.el7
3 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-e06cd0281c zabbix30-3.0.31-1.el7
2 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-e30a25d6d0 chromium-88.0.4324.96-1.el7
1 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-4e3398c399 libssh-0.7.7-1.el7
1 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-c09d7045f3 seamonkey-2.53.6-1.el7
The following builds have been pushed to Fedora EPEL 7 updates-testing
R-qtl-1.47.9-1.el7
monitorix-3.13.1-1.el7
nx-libs-3.5.99.25-4.el7
youtube-dl-2021.01.24.1-1.el7
Details about builds:
================================================================================
R-qtl-1.47.9-1.el7 (FEDORA-EPEL-2021-46fabd09df)
Tools for analyzing QTL experiments
--------------------------------------------------------------------------------
Update Information:
R-qtl 1.47-9
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jan 27 2021 Mattias Ellert <mattias.ellert(a)physics.uu.se> - 1.47.9-1
- Update to 1.47-9
* Mon Jan 25 2021 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.46.2-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Aug 10 2020 Tom Callaway <spot(a)fedoraproject.org> - 1.46.2-5
- rebuild for FlexiBLAS R
* Sat Aug 1 2020 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.46.2-4
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jul 27 2020 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.46.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Fri Jun 5 2020 Tom Callaway <spot(a)fedoraproject.org> - 1.46.2-2
- rebuild for R 4
--------------------------------------------------------------------------------
================================================================================
monitorix-3.13.1-1.el7 (FEDORA-EPEL-2021-ba217a684f)
A free, open source, lightweight system monitoring tool
--------------------------------------------------------------------------------
Update Information:
This new version fixes a security bug introduced in the 3.13.0 version that led
the HTTP built-in server to bypass the Basic Authentication when the option
hosts_deny is not defined, which is the default. Besides this fix, this version
also updates the main configuration file to add the option hosts_deny = all by
default inside the auth subsection, in an attempt to make the default behaviour
more clear. All users using the 3.13.0 version are advised and encouraged to
upgrade to this new version, which resolves the security issue. ---- This new
version introduces three new modules: the long-awaited pgsql.pm capable of
monitoring up to 9 databases of an unlimited number of PostgreSQL servers, the
redis.pm and tinyproxy.pm which are both also capable of monitoring an unlimited
number of Redis and Tinyproxy servers respectively. This version also includes
some interesting new features. The new CSS theming support will allow people to
create their own color themes. The new support for the ss command in port.pm and
nginx.pm modules. The ability to map the device names and also to include a
title name in disk.pm module. The new stacked visualization of network stats
available on a number of modules, and more. Also with this new version,
Monitorix is able to be executed as a regular user instead of root. This is of
course subject to the capabilities of each module to get statistics without
using the superuser. The rest of new features, changes and bugs fixed are, as
always, reflected in the Changes file.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jan 27 2021 Jordi Sanfeliu <jordi(a)fibranet.cat> - 3.13.1-1
- Updated to 3.13.1.
* Fri Jan 22 2021 Jordi Sanfeliu <jordi(a)fibranet.cat> - 3.13.0-1
- Updated to 3.13.0.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1919169 - monitorix-3.13.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1919169
[ 2 ] Bug #1920998 - monitorix-3.13.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1920998
--------------------------------------------------------------------------------
================================================================================
nx-libs-3.5.99.25-4.el7 (FEDORA-EPEL-2021-cf7a3c6e2b)
NX X11 protocol compression libraries
--------------------------------------------------------------------------------
Update Information:
Disable extraneous debug logging that can fill disks
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jan 26 2021 Orion Poplawski <orion(a)nwra.com> - 3.5.99.25-4
- Add upstream patch to quiet logging
* Tue Jan 26 2021 Fedora Release Engineering <releng(a)fedoraproject.org> - 3.5.99.25-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1916491 - nxagent logs exessively to session.log
https://bugzilla.redhat.com/show_bug.cgi?id=1916491
--------------------------------------------------------------------------------
================================================================================
youtube-dl-2021.01.24.1-1.el7 (FEDORA-EPEL-2021-19bb0eb2b6)
A small command-line program to download online videos
--------------------------------------------------------------------------------
Update Information:
Update to version 2021.01.24.1 ---- Update to version 2021.01.16
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jan 27 2021 David Schwörer <davidsch(a)fedoraproject.org> - 2021.01.24.1-1
- Update to 2021.01.24.1
* Mon Jan 18 2021 David Schwörer <davidsch(a)fedoraproject.org> - 2021.01.16-1
- Update to 2021.01.16
* Fri Jan 8 2021 David Schwörer <davidsch(a)fedoraproject.org> - 2021.01.08-1
- Update to 2021.01.08
* Tue Jan 5 2021 David Schwörer <davidsch(a)fedoraproject.org> - 2021.01.03-2
- Update to 2021.01.03
* Sun Jan 3 2021 David Schwörer <davidsch(a)fedoraproject.org> - 2021.01.03-1
- Update to 2021.01.03
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1916977 - youtube-dl-2021.01.16 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1916977
[ 2 ] Bug #1920080 - youtube-dl-2021.01.24.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1920080
--------------------------------------------------------------------------------
This last week in the EPEL Steering Committee meeting, we talked about
what happens when an EPEL package gets pulled in and released in RHEL.
There were a couple of people who said that had happened to them and
they were totally unaware that it was going to happen.
I contacted a couple people in Red Hat and found out that part of the
New Package procedure includes an EPEL check. If the package is in
EPEL they are supposed to contact the EPEL maintainer. They are also
supposed to have the NVR higher than the EPEL version.
This is a new procedure, implemented in June 2020.
If you are an EPEL package maintainer, and your package was pulled into
RHEL 7 or 8, and you were not contacted, please let me know. Red Hat
wants this procedure to work, because when things go wrong, it affects
their customers.
Their current way of finding out who to contact is to do the following
curl https://src.fedoraproject.org/_dg/bzoverrides/rpms/<package name>
example
$ curl https://src.fedoraproject.org/_dg/bzoverrides/rpms/git-lfs
{
  "epel_assignee": "carlwgeorge",
  "fedora_assignee": "qulogic"
}
If anyone knows of a better way to find the EPEL maintainer, please
let me know and I'll pass it on.
Troy Dawson
The following Fedora EPEL 8 Security updates need testing:
Age URL
4 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-83ab5bb91b opensmtpd-6.8.0p2-1.el8
1 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-b68969af8c chromium-88.0.4324.96-1.el8
The following builds have been pushed to Fedora EPEL 8 updates-testing
java-latest-openjdk-15.0.2.0.7-0.rolling.el8
netbox-2.10.4-1.el8
python-cheroot-8.5.2-1.el8
seamonkey-2.53.6-1.el8
tito-0.6.16-1.el8
tkrzw-0.9.3-5.el8
Details about builds:
================================================================================
java-latest-openjdk-15.0.2.0.7-0.rolling.el8 (FEDORA-EPEL-2021-6beabd2b7a)
OpenJDK 15 Runtime Environment
--------------------------------------------------------------------------------
Update Information:
OpenJDK 15 January update
--------------------------------------------------------------------------------
ChangeLog:
* Fri Jan 22 2021 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:15.0.2.0.7-0.rolling
- Update to jdk-15.0.2.0+7
- Add release notes for 15.0.1.0 & 15.0.2.0
- Use JEP-322 Time-Based Versioning so we can handle a future 11.0.9.1-like release correctly.
- Still use 15.0.x rather than 15.0.x.0 for file naming, as the trailing zero is omitted from tags.
- Cleanup debug package descriptions and version number placement.
- Remove unused patch files.
* Tue Jan 19 2021 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:15.0.1.9-10.rolling
- Use -march=i686 for x86 builds if -fcf-protection is detected (needs CMOV)
* Tue Dec 22 2020 Jiri Vanek <jvanek(a)redhat.com> - 1:15.0.1.9-9.rolling
- fixed missing condition for fastdebug packages being counted as debug ones
* Sat Dec 19 2020 Jiri Vanek <jvanek(a)redhat.com> - 1:15.0.1.9-8.rolling
- removed lib-style provides for fastdebug_suffix_unquoted
* Sat Dec 19 2020 Jiri Vanek <jvanek(a)redhat.com> - 1:15.0.1.9-6.rolling
- many cosmetic changes taken from more maintained jdk11
- introduced debug_arches, bootstrap_arches, systemtap_arches, fastdebug_arches, sa_arches, share_arches, shenandoah_arches, zgc_arches
instead of various hardcoded ifarches
- updated systemtap
- added requires excludes for debug pkgs
- removed redundant logic around jsa files
- added runtime requires of lksctp-tools and libXcomposite%
- added and used Source15 TestSecurityProperties.java, but is made always positive as jdk15 now does not honor system policies
- s390x excluded from fastdebug build
* Thu Dec 17 2020 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:15.0.1.9-5.rolling
- introduced nm based check to verify alt-java on x86_64 is patched, and no other alt-java or java is patched
- patch600 rh1750419-redhat_alt_java.patch amended to die, if it is used wrongly
- introduced ssbd_arches with currently only valid arch of x86_64 to separate real alt-java architectures
* Wed Dec 9 2020 Jiri Vanek <jvanek(a)redhat.com> - 1:15.0.1.9-4.rolling
- moved wrongly placed licenses to accompany other ones
- this bad placement was killing parallel-installability and thus having bad impact to leapp if used
* Tue Dec 1 2020 Jiri Vanek <jvanek(a)redhat.com> - 1:15.0.1.9-3.rolling
- added patch600, rh1750419-redhat_alt_java.patch, suprassing removed patch
- no longer copying of java->alt-java as it is created by patch600
--------------------------------------------------------------------------------
================================================================================
netbox-2.10.4-1.el8 (FEDORA-EPEL-2021-3a253243ce)
IP address management (IPAM) and data center infrastructure management (DCIM)
--------------------------------------------------------------------------------
Update Information:
Update to 2.10.4
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jan 26 2021 Igor Raits <ignatenkobrain(a)fedoraproject.org> - 2.10.4-1
- Update to 2.10.4
--------------------------------------------------------------------------------
================================================================================
python-cheroot-8.5.2-1.el8 (FEDORA-EPEL-2021-848a87b9dc)
Highly-optimized, pure-python HTTP server
--------------------------------------------------------------------------------
Update Information:
update to 8.5.2
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jan 19 2021 Dan Radez <dradez(a)redhat.com> - 8.5.2-1
- update to 8.5.2
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1920461 - cheroot (cherrypy) indefinitely hangs under a moderate rate of requests and never recovers
https://bugzilla.redhat.com/show_bug.cgi?id=1920461
--------------------------------------------------------------------------------
================================================================================
seamonkey-2.53.6-1.el8 (FEDORA-EPEL-2021-403074b7e0)
Web browser, e-mail, news, IRC client, HTML editor
--------------------------------------------------------------------------------
Update Information:
Update to 2.53.6
--------------------------------------------------------------------------------
ChangeLog:
* Fri Jan 22 2021 Dmitry Butskoy <Dmitry(a)Butskoy.name> 2.53.6-1
- update to 2.53.6
- add media-document patch (mozbz#1677768)
- build with own GNUmakefile, spec file cleanup
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1919103 - seamonkey-2.53.6.source is available
https://bugzilla.redhat.com/show_bug.cgi?id=1919103
--------------------------------------------------------------------------------
================================================================================
tito-0.6.16-1.el8 (FEDORA-EPEL-2021-6aab938561)
A tool for managing rpm based git projects
--------------------------------------------------------------------------------
Update Information:
- Fix manpage generation on Fedora Rawhide (F34) - Ignore spectool warnings -
Skip nonexisting extra sources - Fix `copy_extra_sources` for remote URLs - Use
`--no-rebuild-srpm` for scratch builds in KojiReleaser
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jan 26 2021 Jakub Kadlcik <frostyx(a)email.cz> 0.6.16-1
- Fix manpage generation on Fedora Rawhide (F34)
- Ignore spectool warnings
- Skip nonexisting extra sources
- Fix copy_extra_sources for remote URLs
- Use --no-rebuild-srpm for scratch builds in KojiReleaser
--------------------------------------------------------------------------------
================================================================================
tkrzw-0.9.3-5.el8 (FEDORA-EPEL-2021-714f2c3ae3)
A straightforward implementation of DBM
--------------------------------------------------------------------------------
Update Information:
Link new RHBZ bug for ExcludeArch ---- 'Required: pkgconfig' removed from
-devel
--------------------------------------------------------------------------------
ChangeLog:
--------------------------------------------------------------------------------
Hi,
I'm working on adding pybind11 to RHEL 8 and so I wanted to let you, the
EPEL maintainer, know what's coming.
I'm preparing pybind11 for a new Python stack in RHEL, so it will not
conflict in name or files with your subpackages `python2-pybind11` and
`python3-pybind11` (for Python 3.6) because their files are namespaced
with the Python version.
However, as the pybind11-devel package has files that are not namespaced
with the Python version, the devel package in RHEL *will* conflict with
the files of yours. I have added a conflicts tag so this is handled
properly by yum.
The most important thing to note is that the RHEL pybind11 packages will
be in a non-default stream of a module in the CRB repo. Users will have
to enable both the CRB and the module/stream explicitly to see the packages.
Therefore, I believe you don't need to take any action and can keep your
package as is, even after pybind11 is released in RHEL.
The relevant guidelines rule [0]:
"In EPEL8 or later, it is also permitted to provide an alternative
non-modular package to any package found only in a non-default RHEL module."
[0] https://fedoraproject.org/wiki/EPEL/GuidelinesAndPolicies#Policy
All the best, and let me know if you have any questions,
Tomas Orsava
The following Fedora EPEL 8 Security updates need testing:
Age URL
3 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-83ab5bb91b opensmtpd-6.8.0p2-1.el8
The following builds have been pushed to Fedora EPEL 8 updates-testing
GraphicsMagick-1.3.36-2.el8
beakerlib-1.23-1.el8
bpytop-1.0.61-1.el8
chromium-88.0.4324.96-1.el8
icewm-2.1.1-1.el8
lua-rpm-macros-1-3.el8
perl-LWP-Online-1.08-29.el8
Details about builds:
================================================================================
GraphicsMagick-1.3.36-2.el8 (FEDORA-EPEL-2021-a67c7cb2e0)
An ImageMagick fork, offering faster image generation and better quality
--------------------------------------------------------------------------------
Update Information:
Fix urw-font bundling on epel-8 builds
--------------------------------------------------------------------------------
ChangeLog:
* Mon Jan 25 2021 Rex Dieter <rdieter(a)fedoraproject.org> - 1.3.36-2
- fix bundled urw font install (#1911008)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1919997 - Unable to read font
https://bugzilla.redhat.com/show_bug.cgi?id=1919997
--------------------------------------------------------------------------------
================================================================================
beakerlib-1.23-1.el8 (FEDORA-EPEL-2021-e89b265534)
A shell-level integration testing library
--------------------------------------------------------------------------------
Update Information:
- TestResults state indicator
- profiling code
- rebased yash to 1.1
- fixed rlAssertLesser
- fixed failed library load name logging

----

- ability to parse fmf id references
- ability to use simpler library name - library(foo), {url: '../foo.git', name: '/'}, meaning the library is in the root folder
- ability to put library even deeper in the tree - library(foo/path/to/the/library), {url: '../foo.git', name: '/path/to/the/library'}
- rebased yash to 1.0
- and a few more minor fixes
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jan 26 2021 Dalibor Pospisil <dapospis(a)redhat.com> - 1.23-1
- TestResults state indicator
- profiling code
- rebased yash to 1.1
- fixed rlAssertLesser
- fixed failed library load name logging
* Fri Jan 15 2021 Dalibor Pospisil <dapospis(a)redhat.com> - 1.22-1
- ability to parse fmf id references
- ability to use simpler library name - library(foo), {url: '../foo.git', name: '/'}, meaning the library is in the root folder
- ability to put library even deeper in the tree - library(foo/path/to/the/library), {url: '../foo.git', name: '/path/to/the/library'}
- rebased yash to 1.0
- and a few more minor fixes
--------------------------------------------------------------------------------
================================================================================
bpytop-1.0.61-1.el8 (FEDORA-EPEL-2021-d3023e0da5)
Linux/OSX/FreeBSD resource monitor
--------------------------------------------------------------------------------
Update Information:
Update to latest version
--------------------------------------------------------------------------------
ChangeLog:
* Mon Jan 25 2021 Artem Polishchuk <ego.cordatus(a)gmail.com> - 1.0.61-1
- build(update): 1.0.61
* Sat Jan 23 2021 Artem Polishchuk <ego.cordatus(a)gmail.com> - 1.0.60-1
- build(update): 1.0.60
* Mon Jan 11 2021 Artem Polishchuk <ego.cordatus(a)gmail.com> - 1.0.59-1
- build(update): 1.0.59
* Sun Jan 10 2021 Artem Polishchuk <ego.cordatus(a)gmail.com> - 1.0.58-1
- build(update): 1.0.58
* Wed Jan 6 2021 Artem Polishchuk <ego.cordatus(a)gmail.com> - 1.0.57-1
- build(update): 1.0.57
* Tue Jan 5 2021 Artem Polishchuk <ego.cordatus(a)gmail.com> - 1.0.56-1
- build(update): 1.0.56
* Sat Jan 2 2021 Artem Polishchuk <ego.cordatus(a)gmail.com> - 1.0.55-1
- build(update): 1.0.55
* Thu Dec 31 2020 Artem Polishchuk <ego.cordatus(a)gmail.com> - 1.0.54-1
- build(update): 1.0.54
* Wed Dec 30 2020 Artem Polishchuk <ego.cordatus(a)gmail.com> - 1.0.53-1
- build(update): 1.0.53
* Sat Dec 19 2020 Artem Polishchuk <ego.cordatus(a)gmail.com> - 1.0.51-1
- build(update): 1.0.51
--------------------------------------------------------------------------------
================================================================================
chromium-88.0.4324.96-1.el8 (FEDORA-EPEL-2021-b68969af8c)
A WebKit (Blink) powered web browser
--------------------------------------------------------------------------------
Update Information:
This is probably not the update you want. Let me be clear, it does fix the
security vulnerabilities in this list:

CVE-2020-16044 CVE-2021-21118 CVE-2021-21119 CVE-2021-21120 CVE-2021-21121
CVE-2021-21122 CVE-2021-21123 CVE-2021-21124 CVE-2021-21125 CVE-2021-21126
CVE-2021-21127 CVE-2021-21129 CVE-2021-21130 CVE-2021-21131 CVE-2021-21132
CVE-2021-21133 CVE-2021-21134 CVE-2021-21135 CVE-2021-21136 CVE-2021-21137
CVE-2021-21138 CVE-2021-21139 CVE-2021-21140 CVE-2021-21141 CVE-2021-21117
CVE-2021-21128

But it will not behave like Google Chrome does. Google has announced that it is
cutting off access to the Sync and "other Google Exclusive" APIs from all builds
except Google Chrome. This will make the EPEL Chromium build significantly less
functional (along with every other distro packaged Chromium).

It is noteworthy that Google _gave_ the builders of distribution Chromium
packages these access rights back in 2013 via API keys, specifically so that we
could have open source builds of Chromium with (near) feature parity to Chrome.
And now they're taking it away.

The reasoning given for this change? Google does not want users to be able to
"access their personal Chrome Sync data (such as bookmarks) ... with a
non-Google, Chromium-based browser." They're not closing a security hole,
they're just requiring that everyone use Chrome. Or to put it bluntly, they do
not want you to access their Google API functionality without using proprietary
software (Google Chrome). There is no good reason for Google to do this, other
than to force people to use Chrome.

I gave a lot of thought to whether I wanted to continue to maintain the Chromium
package in EPEL, given that many (most?) users will be confused/annoyed when API
functionality like sync and geolocation stops working for no good reason.
Ultimately, I decided to continue for now, because there were at least some
users who didn't mind, and if I stopped, someone else would start over and run
blindly into this problem.

I would say that you might want to reconsider whether you want to use Chromium
or not. If you want the full "Google" experience, you can run the proprietary
Chrome. If you want to use a FOSS browser that isn't hobbled, there is a Firefox
package in whatever EL flavor you're using.

Oh, last, but not least, Google isn't shutting off the API access until March
15, 2021, but I have gone ahead and disabled it starting with this update. I'd
rather you read about it here (even though most users will never see this) than
have it just happen.

----

Update Chromium to 87.0.4280.141. Fixes:

CVE-2021-21106 CVE-2021-21107 CVE-2021-21108 CVE-2021-21109 CVE-2021-21110
CVE-2021-21111 CVE-2021-21112 CVE-2021-21113 CVE-2020-16043 CVE-2021-21114
CVE-2020-15995 CVE-2021-21115 CVE-2021-21116
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jan 20 2021 Tom Callaway <spot(a)fedoraproject.org> - 88.0.4324.96-1
- 88 goes from beta to stable
- disable use of api keys (Google shut off API access)
* Wed Jan 13 2021 Tom Callaway <spot(a)fedoraproject.org>
- update to 87.0.4280.141
* Wed Dec 30 2020 Tom Callaway <spot(a)fedoraproject.org> - 88.0.4324.50-1
- update to 88.0.4324.50
- drop patches 74 & 75 (applied upstream)
* Thu Dec 17 2020 Tom Callaway <spot(a)fedoraproject.org>
- add two patches for missing headers to build with gcc 11
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1913624 - CVE-2021-21106 chromium-browser: Use after free in autofill
https://bugzilla.redhat.com/show_bug.cgi?id=1913624
[ 2 ] Bug #1913625 - CVE-2021-21107 chromium-browser: Use after free in drag and drop
https://bugzilla.redhat.com/show_bug.cgi?id=1913625
[ 3 ] Bug #1913626 - CVE-2021-21108 chromium-browser: Use after free in media
https://bugzilla.redhat.com/show_bug.cgi?id=1913626
[ 4 ] Bug #1913627 - CVE-2021-21109 chromium-browser: Use after free in payments
https://bugzilla.redhat.com/show_bug.cgi?id=1913627
[ 5 ] Bug #1913629 - CVE-2021-21110 chromium-browser: Use after free in safe browsing
https://bugzilla.redhat.com/show_bug.cgi?id=1913629
[ 6 ] Bug #1913630 - CVE-2021-21111 chromium-browser: Insufficient policy enforcement in WebUI
https://bugzilla.redhat.com/show_bug.cgi?id=1913630
[ 7 ] Bug #1913631 - CVE-2021-21112 chromium-browser: Use after free in Blink
https://bugzilla.redhat.com/show_bug.cgi?id=1913631
[ 8 ] Bug #1913632 - CVE-2021-21113 chromium-browser: Heap buffer overflow in Skia
https://bugzilla.redhat.com/show_bug.cgi?id=1913632
[ 9 ] Bug #1913633 - CVE-2020-16043 chromium-browser: Insufficient data validation in networking
https://bugzilla.redhat.com/show_bug.cgi?id=1913633
[ 10 ] Bug #1913634 - CVE-2021-21114 chromium-browser: Use after free in audio
https://bugzilla.redhat.com/show_bug.cgi?id=1913634
[ 11 ] Bug #1913635 - CVE-2020-15995 chromium-browser: Out of bounds write in V8
https://bugzilla.redhat.com/show_bug.cgi?id=1913635
[ 12 ] Bug #1913636 - CVE-2021-21115 chromium-browser: Use after free in safe browsing
https://bugzilla.redhat.com/show_bug.cgi?id=1913636
[ 13 ] Bug #1913637 - CVE-2021-21116 chromium-browser: Heap buffer overflow in audio
https://bugzilla.redhat.com/show_bug.cgi?id=1913637
[ 14 ] Bug #1918218 - CVE-2021-21118 chromium-browser: Insufficient data validation in V8
https://bugzilla.redhat.com/show_bug.cgi?id=1918218
[ 15 ] Bug #1918219 - CVE-2021-21119 chromium-browser: Use after free in Media
https://bugzilla.redhat.com/show_bug.cgi?id=1918219
[ 16 ] Bug #1918220 - CVE-2021-21120 chromium-browser: Use after free in WebSQL
https://bugzilla.redhat.com/show_bug.cgi?id=1918220
[ 17 ] Bug #1918222 - CVE-2021-21121 chromium-browser: Use after free in Omnibox
https://bugzilla.redhat.com/show_bug.cgi?id=1918222
[ 18 ] Bug #1918223 - CVE-2021-21122 chromium-browser: Use after free in Blink
https://bugzilla.redhat.com/show_bug.cgi?id=1918223
[ 19 ] Bug #1918224 - CVE-2021-21123 chromium-browser: Insufficient data validation in File System API
https://bugzilla.redhat.com/show_bug.cgi?id=1918224
[ 20 ] Bug #1918225 - CVE-2021-21124 chromium-browser: Potential user after free in Speech Recognizer
https://bugzilla.redhat.com/show_bug.cgi?id=1918225
[ 21 ] Bug #1918226 - CVE-2021-21125 chromium-browser: Insufficient policy enforcement in File System API
https://bugzilla.redhat.com/show_bug.cgi?id=1918226
[ 22 ] Bug #1918227 - CVE-2021-21126 chromium-browser: Insufficient policy enforcement in extensions
https://bugzilla.redhat.com/show_bug.cgi?id=1918227
[ 23 ] Bug #1918228 - CVE-2021-21127 chromium-browser: Insufficient policy enforcement in extensions
https://bugzilla.redhat.com/show_bug.cgi?id=1918228
[ 24 ] Bug #1918229 - CVE-2021-21129 chromium-browser: Insufficient policy enforcement in File System API
https://bugzilla.redhat.com/show_bug.cgi?id=1918229
[ 25 ] Bug #1918230 - CVE-2021-21130 chromium-browser: Insufficient policy enforcement in File System API
https://bugzilla.redhat.com/show_bug.cgi?id=1918230
[ 26 ] Bug #1918231 - CVE-2021-21131 chromium-browser: Insufficient policy enforcement in File System API
https://bugzilla.redhat.com/show_bug.cgi?id=1918231
[ 27 ] Bug #1918232 - CVE-2021-21132 chromium-browser: Inappropriate implementation in DevTools
https://bugzilla.redhat.com/show_bug.cgi?id=1918232
[ 28 ] Bug #1918233 - CVE-2021-21133 chromium-browser: Insufficient policy enforcement in Downloads
https://bugzilla.redhat.com/show_bug.cgi?id=1918233
[ 29 ] Bug #1918235 - CVE-2021-21134 chromium-browser: Incorrect security UI in Page Info
https://bugzilla.redhat.com/show_bug.cgi?id=1918235
[ 30 ] Bug #1918236 - CVE-2021-21135 chromium-browser: Inappropriate implementation in Performance API
https://bugzilla.redhat.com/show_bug.cgi?id=1918236
[ 31 ] Bug #1918237 - CVE-2021-21136 chromium-browser: Insufficient policy enforcement in WebView
https://bugzilla.redhat.com/show_bug.cgi?id=1918237
[ 32 ] Bug #1918238 - CVE-2021-21137 chromium-browser: Inappropriate implementation in DevTools
https://bugzilla.redhat.com/show_bug.cgi?id=1918238
[ 33 ] Bug #1918239 - CVE-2021-21138 chromium-browser: Use after free in DevTools
https://bugzilla.redhat.com/show_bug.cgi?id=1918239
[ 34 ] Bug #1918240 - CVE-2021-21139 chromium-browser: Inappropriate implementation in iframe sandbox
https://bugzilla.redhat.com/show_bug.cgi?id=1918240
[ 35 ] Bug #1918241 - CVE-2021-21140 chromium-browser: Uninitialized Use in USB
https://bugzilla.redhat.com/show_bug.cgi?id=1918241
[ 36 ] Bug #1918242 - CVE-2021-21141 chromium-browser: Insufficient policy enforcement in File System API
https://bugzilla.redhat.com/show_bug.cgi?id=1918242
--------------------------------------------------------------------------------
================================================================================
icewm-2.1.1-1.el8 (FEDORA-EPEL-2021-1daf1e3147)
Window manager designed for speed, usability, and consistency
--------------------------------------------------------------------------------
Update Information:
Update to 2.1.1

----

Update to latest version
--------------------------------------------------------------------------------
ChangeLog:
* Mon Jan 25 2021 Artem Polishchuk <ego.cordatus(a)gmail.com> - 2.1.1-1
- build(update): 2.1.1
* Sat Jan 23 2021 Artem Polishchuk <ego.cordatus(a)gmail.com> - 2.1.0-1
- build(update): 2.1.0
--------------------------------------------------------------------------------
================================================================================
lua-rpm-macros-1-3.el8 (FEDORA-EPEL-2021-85d639bb48)
The common Lua RPM macros
--------------------------------------------------------------------------------
Update Information:
- Modify several conditionals to support RHEL 9+ and drop ancient Fedora 17
- Add explicit conflict with older lua-devel
- Require rpm, not redhat-rpm-config
--------------------------------------------------------------------------------
ChangeLog:
* Tue Sep 1 2020 Miro Hrončok <mhroncok(a)redhat.com> - 1-3
- Modify several conditionals to support RHEL 9+ and drop ancient Fedora 17
- Add explicit conflict with older lua-devel
- Require rpm, not redhat-rpm-config
--------------------------------------------------------------------------------
================================================================================
perl-LWP-Online-1.08-29.el8 (FEDORA-EPEL-2021-279e83be5c)
Check whether your process has an access to the web
--------------------------------------------------------------------------------
Update Information:
This release provides a new perl-LWP-Online package which checks whether a host
is connected to the Internet.
--------------------------------------------------------------------------------
ChangeLog:
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1919732 - Please build perl-LWP-Online for EPEL 8
https://bugzilla.redhat.com/show_bug.cgi?id=1919732
--------------------------------------------------------------------------------
The following Fedora EPEL 7 Security updates need testing:
Age URL
38 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-4a9fc09599 openjpeg2-2.3.1-10.el7
3 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-f1768ebc94 opensmtpd-6.8.0p2-1.el7
1 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-e06cd0281c zabbix30-3.0.31-1.el7
The following builds have been pushed to Fedora EPEL 7 updates-testing
beakerlib-1.23-1.el7
chromium-88.0.4324.96-1.el7
lua-rpm-macros-1-3.el7
purple-facebook-0.9.6-7.el7
Details about builds:
================================================================================
beakerlib-1.23-1.el7 (FEDORA-EPEL-2021-3ffe638633)
A shell-level integration testing library
--------------------------------------------------------------------------------
Update Information:
- TestResults state indicator
- profiling code
- rebased yash to 1.1
- fixed rlAssertLesser
- fixed failed library load name logging

----

- ability to parse fmf id references
- ability to use simpler library name - library(foo), {url: '../foo.git', name: '/'}, meaning the library is in the root folder
- ability to put library even deeper in the tree - library(foo/path/to/the/library), {url: '../foo.git', name: '/path/to/the/library'}
- rebased yash to 1.0
- and a few more minor fixes
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jan 26 2021 Dalibor Pospisil <dapospis(a)redhat.com> - 1.23-1
- TestResults state indicator
- profiling code
- rebased yash to 1.1
- fixed rlAssertLesser
- fixed failed library load name logging
* Fri Jan 15 2021 Dalibor Pospisil <dapospis(a)redhat.com> - 1.22-1
- ability to parse fmf id references
- ability to use simpler library name - library(foo), {url: '../foo.git', name: '/'}, meaning the library is in the root folder
- ability to put library even deeper in the tree - library(foo/path/to/the/library), {url: '../foo.git', name: '/path/to/the/library'}
- rebased yash to 1.0
- and a few more minor fixes
--------------------------------------------------------------------------------
================================================================================
chromium-88.0.4324.96-1.el7 (FEDORA-EPEL-2021-e30a25d6d0)
A WebKit (Blink) powered web browser
--------------------------------------------------------------------------------
Update Information:
This is probably not the update you want. Let me be clear, it does fix the
security vulnerabilities in this list:

CVE-2020-16044 CVE-2021-21118 CVE-2021-21119 CVE-2021-21120 CVE-2021-21121
CVE-2021-21122 CVE-2021-21123 CVE-2021-21124 CVE-2021-21125 CVE-2021-21126
CVE-2021-21127 CVE-2021-21129 CVE-2021-21130 CVE-2021-21131 CVE-2021-21132
CVE-2021-21133 CVE-2021-21134 CVE-2021-21135 CVE-2021-21136 CVE-2021-21137
CVE-2021-21138 CVE-2021-21139 CVE-2021-21140 CVE-2021-21141 CVE-2021-21117
CVE-2021-21128

But it will not behave like Google Chrome does. Google has announced that it is
cutting off access to the Sync and "other Google Exclusive" APIs from all builds
except Google Chrome. This will make the EPEL Chromium build significantly less
functional (along with every other distro packaged Chromium).

It is noteworthy that Google _gave_ the builders of distribution Chromium
packages these access rights back in 2013 via API keys, specifically so that we
could have open source builds of Chromium with (near) feature parity to Chrome.
And now they're taking it away.

The reasoning given for this change? Google does not want users to be able to
"access their personal Chrome Sync data (such as bookmarks) ... with a
non-Google, Chromium-based browser." They're not closing a security hole,
they're just requiring that everyone use Chrome. Or to put it bluntly, they do
not want you to access their Google API functionality without using proprietary
software (Google Chrome). There is no good reason for Google to do this, other
than to force people to use Chrome.

I gave a lot of thought to whether I wanted to continue to maintain the Chromium
package in EPEL, given that many (most?) users will be confused/annoyed when API
functionality like sync and geolocation stops working for no good reason.
Ultimately, I decided to continue for now, because there were at least some
users who didn't mind, and if I stopped, someone else would start over and run
blindly into this problem.

I would say that you might want to reconsider whether you want to use Chromium
or not. If you want the full "Google" experience, you can run the proprietary
Chrome. If you want to use a FOSS browser that isn't hobbled, there is a Firefox
package in whatever EL flavor you're using.

Oh, last, but not least, Google isn't shutting off the API access until March
15, 2021, but I have gone ahead and disabled it starting with this update. I'd
rather you read about it here (even though most users will never see this) than
have it just happen.

----

Update Chromium to 87.0.4280.141. Fixes:

CVE-2021-21106 CVE-2021-21107 CVE-2021-21108 CVE-2021-21109 CVE-2021-21110
CVE-2021-21111 CVE-2021-21112 CVE-2021-21113 CVE-2020-16043 CVE-2021-21114
CVE-2020-15995 CVE-2021-21115 CVE-2021-21116
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jan 20 2021 Tom Callaway <spot(a)fedoraproject.org> - 88.0.4324.96-1
- 88 goes from beta to stable
- disable use of api keys (Google shut off API access)
* Wed Jan 13 2021 Tom Callaway <spot(a)fedoraproject.org>
- update to 87.0.4280.141
* Wed Dec 30 2020 Tom Callaway <spot(a)fedoraproject.org> - 88.0.4324.50-1
- update to 88.0.4324.50
- drop patches 74 & 75 (applied upstream)
* Thu Dec 17 2020 Tom Callaway <spot(a)fedoraproject.org>
- add two patches for missing headers to build with gcc 11
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1913624 - CVE-2021-21106 chromium-browser: Use after free in autofill
https://bugzilla.redhat.com/show_bug.cgi?id=1913624
[ 2 ] Bug #1913625 - CVE-2021-21107 chromium-browser: Use after free in drag and drop
https://bugzilla.redhat.com/show_bug.cgi?id=1913625
[ 3 ] Bug #1913626 - CVE-2021-21108 chromium-browser: Use after free in media
https://bugzilla.redhat.com/show_bug.cgi?id=1913626
[ 4 ] Bug #1913627 - CVE-2021-21109 chromium-browser: Use after free in payments
https://bugzilla.redhat.com/show_bug.cgi?id=1913627
[ 5 ] Bug #1913629 - CVE-2021-21110 chromium-browser: Use after free in safe browsing
https://bugzilla.redhat.com/show_bug.cgi?id=1913629
[ 6 ] Bug #1913630 - CVE-2021-21111 chromium-browser: Insufficient policy enforcement in WebUI
https://bugzilla.redhat.com/show_bug.cgi?id=1913630
[ 7 ] Bug #1913631 - CVE-2021-21112 chromium-browser: Use after free in Blink
https://bugzilla.redhat.com/show_bug.cgi?id=1913631
[ 8 ] Bug #1913632 - CVE-2021-21113 chromium-browser: Heap buffer overflow in Skia
https://bugzilla.redhat.com/show_bug.cgi?id=1913632
[ 9 ] Bug #1913633 - CVE-2020-16043 chromium-browser: Insufficient data validation in networking
https://bugzilla.redhat.com/show_bug.cgi?id=1913633
[ 10 ] Bug #1913634 - CVE-2021-21114 chromium-browser: Use after free in audio
https://bugzilla.redhat.com/show_bug.cgi?id=1913634
[ 11 ] Bug #1913635 - CVE-2020-15995 chromium-browser: Out of bounds write in V8
https://bugzilla.redhat.com/show_bug.cgi?id=1913635
[ 12 ] Bug #1913636 - CVE-2021-21115 chromium-browser: Use after free in safe browsing
https://bugzilla.redhat.com/show_bug.cgi?id=1913636
[ 13 ] Bug #1913637 - CVE-2021-21116 chromium-browser: Heap buffer overflow in audio
https://bugzilla.redhat.com/show_bug.cgi?id=1913637
[ 14 ] Bug #1918218 - CVE-2021-21118 chromium-browser: Insufficient data validation in V8
https://bugzilla.redhat.com/show_bug.cgi?id=1918218
[ 15 ] Bug #1918219 - CVE-2021-21119 chromium-browser: Use after free in Media
https://bugzilla.redhat.com/show_bug.cgi?id=1918219
[ 16 ] Bug #1918220 - CVE-2021-21120 chromium-browser: Use after free in WebSQL
https://bugzilla.redhat.com/show_bug.cgi?id=1918220
[ 17 ] Bug #1918222 - CVE-2021-21121 chromium-browser: Use after free in Omnibox
https://bugzilla.redhat.com/show_bug.cgi?id=1918222
[ 18 ] Bug #1918223 - CVE-2021-21122 chromium-browser: Use after free in Blink
https://bugzilla.redhat.com/show_bug.cgi?id=1918223
[ 19 ] Bug #1918224 - CVE-2021-21123 chromium-browser: Insufficient data validation in File System API
https://bugzilla.redhat.com/show_bug.cgi?id=1918224
[ 20 ] Bug #1918225 - CVE-2021-21124 chromium-browser: Potential user after free in Speech Recognizer
https://bugzilla.redhat.com/show_bug.cgi?id=1918225
[ 21 ] Bug #1918226 - CVE-2021-21125 chromium-browser: Insufficient policy enforcement in File System API
https://bugzilla.redhat.com/show_bug.cgi?id=1918226
[ 22 ] Bug #1918227 - CVE-2021-21126 chromium-browser: Insufficient policy enforcement in extensions
https://bugzilla.redhat.com/show_bug.cgi?id=1918227
[ 23 ] Bug #1918228 - CVE-2021-21127 chromium-browser: Insufficient policy enforcement in extensions
https://bugzilla.redhat.com/show_bug.cgi?id=1918228
[ 24 ] Bug #1918229 - CVE-2021-21129 chromium-browser: Insufficient policy enforcement in File System API
https://bugzilla.redhat.com/show_bug.cgi?id=1918229
[ 25 ] Bug #1918230 - CVE-2021-21130 chromium-browser: Insufficient policy enforcement in File System API
https://bugzilla.redhat.com/show_bug.cgi?id=1918230
[ 26 ] Bug #1918231 - CVE-2021-21131 chromium-browser: Insufficient policy enforcement in File System API
https://bugzilla.redhat.com/show_bug.cgi?id=1918231
[ 27 ] Bug #1918232 - CVE-2021-21132 chromium-browser: Inappropriate implementation in DevTools
https://bugzilla.redhat.com/show_bug.cgi?id=1918232
[ 28 ] Bug #1918233 - CVE-2021-21133 chromium-browser: Insufficient policy enforcement in Downloads
https://bugzilla.redhat.com/show_bug.cgi?id=1918233
[ 29 ] Bug #1918235 - CVE-2021-21134 chromium-browser: Incorrect security UI in Page Info
https://bugzilla.redhat.com/show_bug.cgi?id=1918235
[ 30 ] Bug #1918236 - CVE-2021-21135 chromium-browser: Inappropriate implementation in Performance API
https://bugzilla.redhat.com/show_bug.cgi?id=1918236
[ 31 ] Bug #1918237 - CVE-2021-21136 chromium-browser: Insufficient policy enforcement in WebView
https://bugzilla.redhat.com/show_bug.cgi?id=1918237
[ 32 ] Bug #1918238 - CVE-2021-21137 chromium-browser: Inappropriate implementation in DevTools
https://bugzilla.redhat.com/show_bug.cgi?id=1918238
[ 33 ] Bug #1918239 - CVE-2021-21138 chromium-browser: Use after free in DevTools
https://bugzilla.redhat.com/show_bug.cgi?id=1918239
[ 34 ] Bug #1918240 - CVE-2021-21139 chromium-browser: Inappropriate implementation in iframe sandbox
https://bugzilla.redhat.com/show_bug.cgi?id=1918240
[ 35 ] Bug #1918241 - CVE-2021-21140 chromium-browser: Uninitialized Use in USB
https://bugzilla.redhat.com/show_bug.cgi?id=1918241
[ 36 ] Bug #1918242 - CVE-2021-21141 chromium-browser: Insufficient policy enforcement in File System API
https://bugzilla.redhat.com/show_bug.cgi?id=1918242
--------------------------------------------------------------------------------
================================================================================
lua-rpm-macros-1-3.el7 (FEDORA-EPEL-2021-04c8b733bd)
The common Lua RPM macros
--------------------------------------------------------------------------------
Update Information:
- Modify several conditionals to support RHEL 9+ and drop ancient Fedora 17
- Add explicit conflict with older lua-devel
- Require rpm, not redhat-rpm-config
--------------------------------------------------------------------------------
ChangeLog:
* Tue Sep 1 2020 Miro Hrončok <mhroncok(a)redhat.com> - 1-3
- Modify several conditionals to support RHEL 9+ and drop ancient Fedora 17
- Add explicit conflict with older lua-devel
- Require rpm, not redhat-rpm-config
--------------------------------------------------------------------------------
================================================================================
purple-facebook-0.9.6-7.el7 (FEDORA-EPEL-2021-a73924ae7b)
Facebook protocol plugin for purple2
--------------------------------------------------------------------------------
Update Information:
- Add patch fixing taNewMessage bug.
- Add patch bumping FB_ORCA_AGENT version.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Jan 25 2021 Björn Esser <besser82(a)fedoraproject.org> - 0.9.6-7
- Add patch fixing taNewMessage bug
- Add patch bumping FB_ORCA_AGENT version
* Tue Jul 28 2020 Fedora Release Engineering <releng(a)fedoraproject.org> - 0.9.6-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1919561 - Pidgin does not connect to FB anymore (patch exists)
https://bugzilla.redhat.com/show_bug.cgi?id=1919561
--------------------------------------------------------------------------------