The following Fedora EPEL 5 Security updates need testing:

 Age  URL
 412  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-5630/bugzilla-3.2.1...
 307  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-6608/Django-1.1.4-2...
 113  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-0366/openconnect-4....
  46  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5517/git-1.8.2.1-1....
  14  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5968/transifex-clie...
  10  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5990/mod_security-2...
  10  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5991/cgit-0.9.2-1.e...
  10  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5996/socat-1.7.2.2-...
   6  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-6047/nrpe-2.14-3.el...
   3  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-6086/libguestfs-1.2...
   2  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-6089/ssmtp-2.61-20....
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-10388/perl-Module-S...
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-10389/rrdtool-1.2.2...
The following builds have been pushed to Fedora EPEL 5 updates-testing
perl-Module-Signature-0.73-1.el5
python-virtualenv-1.7.2-2.el5
rrdtool-1.2.27-4.el5
Details about builds:
================================================================================
 perl-Module-Signature-0.73-1.el5 (FEDORA-EPEL-2013-10388)
 CPAN signature management utilities and modules
--------------------------------------------------------------------------------
Update Information:

This update ensures that digest modules are only loaded from absolute paths in @INC, avoiding a potential arbitrary code execution problem (CVE-2013-2145).

There are also a variety of internal package clean-ups.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jun  7 2013 Paul Howarth <paul@city-fan.org> - 0.73-1
- Update to 0.73
- Support for gpg under these alternate names: gpg gpg2 gnupg gnupg2
- Don't check gpg version if gpg does not exist
- Constrain the user-specified digest name to /^\w+\d+$/
- Only allow loading Digest::* from absolute paths in @INC (CVE-2013-2145)
- This release by AUDREYT -> update source URL
- Include Andreas Koenig's GPG key in the SRPM and import it in %prep so that
  we don't need to get it from a keyserver in %check
- Make building non-interactive
- Specify all dependencies
- Don't need to remove empty directories from the buildroot
- Drop %defattr, redundant since rpm 4.4
- Use %{_fixperms} macro rather than our own chmod incantation
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #971096 - CVE-2013-2145 perl-Module-Signature: arbitrary code execution when verifying SIGNATURE
        https://bugzilla.redhat.com/show_bug.cgi?id=971096
--------------------------------------------------------------------------------
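A minimal model of the two hardening steps named in the changelog above (the digest name constrained to /^\w+\d+$/, and Digest::* searched only on absolute @INC entries), as an added example that is not Module::Signature's own code. It builds a throwaway "unpacked distribution" carrying its own Digest/Bogus1.pm, puts "." into @INC the way older perls did by default, and shows the pre-fix loading pattern compiling and running that file while the hardened pattern refuses it. The module name Bogus1, the two loader functions, the $LOADED_FROM_UNTRUSTED flag and the temporary directory are all constructed for the demo.

```perl
#!/usr/bin/perl
# Added example (not Module::Signature's own code): a simplified model of the
# CVE-2013-2145 hardening.  The digest name is what an attacker controls when
# you verify a hostile tarball, and that tarball can carry a Digest/*.pm too.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

our $LOADED_FROM_UNTRUSTED = 0;   # set by the planted module if it ever runs

# Pre-fix pattern: the name is used verbatim and searched through @INC as-is.
# With a relative entry such as "." in @INC and the current directory inside
# the unpacked tarball, the tarball's own Digest/<name>.pm is what gets found,
# compiled and executed.
sub load_digest_unsafe {
    my ($name) = @_;
    my $module = "Digest::$name";
    eval "require $module; 1" or return undef;
    return $module;
}

# Hardened pattern, following the two changelog items:
#   1. the digest name must match /^\w+\d+$/ (SHA1, SHA256, MD5, ...), so it
#      can only ever name a bare Digest::* module;
#   2. only absolute @INC entries are searched, so "." or "lib" cannot pull a
#      module out of the untrusted tree.
sub load_digest_hardened {
    my ($name) = @_;
    die "digest name '$name' rejected\n" unless $name =~ /^\w+\d+$/;
    my $module = "Digest::$name";
    local @INC = grep { File::Spec->file_name_is_absolute($_) } @INC;
    eval "require $module; 1"
        or die "refusing $module: not found on an absolute \@INC path\n";
    return $module;
}

# --- demo: a fake unpacked distribution that ships Digest/Bogus1.pm ---------
my $dist = tempdir(CLEANUP => 1);
make_path("$dist/Digest");
open my $fh, '>', "$dist/Digest/Bogus1.pm" or die "open: $!";
print $fh "package Digest::Bogus1;\n\$main::LOADED_FROM_UNTRUSTED = 1;\n1;\n";
close $fh;

chdir $dist or die "chdir: $!";
unshift @INC, '.';            # model the old default of "." in @INC
my $name = 'Bogus1';          # the digest name the hostile SIGNATURE file uses

# Hardened loader first (so %INC is still clean): it must fail before the
# planted file is ever compiled.
my $ok = eval { load_digest_hardened($name) };
print "hardened: ", ($ok ? "loaded $ok (BAD)\n" : "rejected: $@");

# A name that is not a bare module name never reaches require at all.
print "hardened: SHA1::Foo -> ",
    (eval { load_digest_hardened('SHA1::Foo') } ? "loaded (BAD)\n" : "rejected: $@");

# A real digest module from an absolute @INC entry still loads (Digest::MD5 is core).
print "hardened: MD5 -> loaded ", load_digest_hardened('MD5'), "\n";

# Unsafe loader: the planted file is compiled and its top-level code runs.
my $got = load_digest_unsafe($name);
printf "unsafe:   loaded %s, untrusted code ran = %d\n",
    $got // 'nothing', $LOADED_FROM_UNTRUSTED;
```

The order of the two calls matters: require consults %INC first, so once the unsafe loader has pulled in Digest::Bogus1 a later "hardened" load of the same name would appear to succeed. In a verifier the hardened path is the only one that should exist.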
================================================================================
 python-virtualenv-1.7.2-2.el5 (FEDORA-EPEL-2013-10396)
 Tool to create isolated Python environments
--------------------------------------------------------------------------------
Update Information:

* Switch to an older version of virtualenv because the 1.9.x branch doesn't work with python-2.4
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #969395 - virtualenv does not work anymore because Python 2.4 support was dropped in virtualenv 1.9
        https://bugzilla.redhat.com/show_bug.cgi?id=969395
--------------------------------------------------------------------------------
================================================================================
 rrdtool-1.2.27-4.el5 (FEDORA-EPEL-2013-10389)
 Round Robin Database Tool to store and display time-series data
--------------------------------------------------------------------------------
Update Information:

This update adds an explicit check of the --imginfo format string. It may prevent crashes or exploitation of user-space applications that pass a user-supplied format to the library call without checking it.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #969311 - CVE-2013-2131 rrdtool: crashes on format string exploit [epel-5]
        https://bugzilla.redhat.com/show_bug.cgi?id=969311
--------------------------------------------------------------------------------
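An application-side check for the --imginfo format, as an added example that is not rrdtool's own code. rrdgraph documents --imginfo as a printf format that receives the filename, xsize and ysize, e.g. '<IMG SRC="/img/%s" WIDTH="%lu" HEIGHT="%lu">', so the checker below accepts only a %s followed by up to two %lu (plus literal %%) and rejects every other conversion, positional argument or dangling "%" before the string is handed to RRDs::graph or rrd_graph(). The function name imginfo_format_ok and the sample formats are constructed for the demo.

```perl
#!/usr/bin/perl
# Added example (not rrdtool's own check): gate a user-supplied --imginfo
# format before it reaches the library.  rrdgraph passes exactly three
# arguments to that format: filename (char *), xsize and ysize (%lu).
use strict;
use warnings;

sub imginfo_format_ok {
    my ($fmt) = @_;
    my @expect = qw(s lu lu);   # the three arguments, in order
    my @got;
    while ($fmt =~ /%/g) {
        next if $fmt =~ /\G%/gc;   # "%%" is a literal percent sign
        # Flags, width and precision are tolerated; capture the optional
        # length modifier plus conversion letter.  A "%" followed by anything
        # else (trailing "%", "%1$s", "%*d") fails the match and is rejected.
        $fmt =~ /\G[-+ 0#]*\d*(?:\.\d+)?((?:hh|h|ll|l|L|q|j|z|t)?[a-zA-Z])/gc
            or return 0;
        push @got, $1;
    }
    # The conversions must consume the supplied arguments in order.  Fewer is
    # harmless; more, a different type, or "%n" reads or writes through
    # arguments the caller never passed.
    return 0 if @got > @expect;
    for my $i (0 .. $#got) {
        return 0 unless $got[$i] eq $expect[$i];
    }
    return 1;
}

# Constructed sample formats, as an application might receive them.
my @samples = (
    '<IMG SRC="/img/%s" WIDTH="%lu" HEIGHT="%lu">',   # documented form: accept
    '%s',                                            # fewer conversions: accept
    '100%% of %s',                                   # literal percent: accept
    '%s %lu %lu %n',                                 # extra write conversion: reject
    '%x %x %x %x',                                   # reads unsupplied args: reject
    '%1$s',                                          # positional argument: reject
    '%lu %s',                                        # wrong order/type: reject
    'trailing %',                                    # dangling "%": reject
);
for my $fmt (@samples) {
    printf "%-48s %s\n", $fmt, imginfo_format_ok($fmt) ? "accept" : "reject";
}
```

In a web front end the call would sit directly in front of the graph call, e.g. `imginfo_format_ok($fmt) or die "bad --imginfo format"` before `RRDs::graph(@args, "--imginfo=$fmt")`; the library-side check in this update is a second line of defence, not a reason to stop validating at the boundary where the string arrives.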
epel-devel@lists.fedoraproject.org