Fedora EPEL 5 updates-testing report
updates at fedoraproject.org
updates at fedoraproject.org
Wed Dec 29 18:30:01 UTC 2010
The following Fedora EPEL 5 Security updates need testing:
https://admin.fedoraproject.org/updates/mantis-1.1.8-5.el5
https://admin.fedoraproject.org/updates/libsndfile-1.0.17-4.el5
https://admin.fedoraproject.org/updates/wordpress-2.8.6-3.el5
https://admin.fedoraproject.org/updates/collectd-4.10.2-1.el5
https://admin.fedoraproject.org/updates/perl-CGI-Simple-1.112-2.el5
The following builds have been pushed to Fedora EPEL 5 updates-testing
libisofs-0.6.40-1.el5
libnet-1.1.5-1.el5
libsndfile-1.0.17-4.el5
sems-1.3.1-2.el5
wordpress-2.8.6-3.el5
Details about builds:
================================================================================
libisofs-0.6.40-1.el5 (FEDORA-EPEL-2010-3856)
Library to create ISO 9660 disk images
--------------------------------------------------------------------------------
Update Information:
This release makes the prediction of the emerging image size less expensive and is able to make images bootable for SUN SPARC systems.
Changes towards previous version 0.6.38:
* New API call iso_write_opts_set_disc_label(), new system area type 3 = SUN Disk Label for booting SUN SPARC systems.
* New API call iso_write_opts_set_will_cancel() avoids start of write thread and is to be used to inquire the future image size.
* New error reply code ISO_DISPLACE_ROLLOVER for external data sources with address displacement.
--------------------------------------------------------------------------------
ChangeLog:
* Tue Dec 28 2010 Robert Scheck <robert at fedoraproject.org> 0.6.40-1
- Upgrade to 0.6.40
--------------------------------------------------------------------------------
================================================================================
libnet-1.1.5-1.el5 (FEDORA-EPEL-2010-3854)
C library for portable packet creation and injection
--------------------------------------------------------------------------------
Update Information:
Upstream changes for libnet 1.1.5:
- IRIX: Get MAC address from ioctl(), not by spawning shell.
- Compile fix for IRIX (added includes)
- Don't explicitly check for UID 0, we may have capabilities even if not root.
- Cleaned up implementations of libnet_get_hwaddr(), some leaked memory, one returned a pointer to data on the stack, and the others return a pointer to static data. I'm settling on the non-reentrant static data form.
- Visual C++ compiler(v9.0) uses bitfield type as a hint to pad the bitfield, so struct was too long.
- Further simplify autogen.sh
- Removed dependency on net/bpf.h, and on pcap.h.
- LBL_ALIGN check is unused, removing.
- Don't include pcap.h if we've already got net/bpf.h, pcap has it's own bpf.
- Make libnet_get_hwaddr work in the last few releases of OpenBSD
- Get DLT types from the source, <pcap.h>.
- Use autoconf -ivf in autogen.sh
- Don't distribute libnet.h, it is generated by configure
- AIX build failures fixed, cause was inclusion of system headers libnet no longer uses
- Add a link to the old docs.
- Added links to github and sourceforge.
- Replace C99/C++ comments with traditional C comments.
- checksum would segfault if a IP checksum was requested for a non-ipv4 header
- Closer backwards compat, assume its ipv4 if it's not ipv6. This seems totally wrong, but so it goes.
- Try using the ip_len header field to guess the input buffer's size.
- libnet_do_checksum(), despite being "internal", is used by external code. libnet needs to maintain backwards API compatibility, tcpsic from the isic package is an example of a binary failing when calling the new API with the old arguments.
- merged icmpv6 patch in, but I believe either it or the sample/icmp6_unreach generates the cksum incorrectly
- Use libtool-1 or libtool-2 whatever available
- Avoid looking at /dev and /usr/include when cross-compiling Alon: The following code support cross compiling: 1. You CANNOT check for /usr/include stuff as cross compiler is installed else-where. Autoconf know how to do this, use its header detection logic and ask the result. 2. Testing for /dev/ can be done only when not cross compiling...
- Corrected target_os check, it was broke for linuxgnu, and m4 syntax was invalid Alon:The following change is needed in order to solve two issues: 1. linuxgnu and such target os. 2. You cannot set variable with space before '=' as it tries to execute the variable... 3. Print result of test in case of linux
- --with-link-layer broken, was using wrong macro name, and didn't include all link types
- ac_cv_c_bigendian is yes, not "big"
- Remove dead code.
- h_len is calculated for ip, udp, tcp, icmp, and igmp, so is allowed to be zero.
- libnet_t's fd should be initialized to an invalid value, or libnet_destroy() will close stdin.
- Alon's use of AC_CHECK_HEADERS fails to detect headers. Reverted part of 57acd56f09158decb69f301e7547ce8cde6ac63f
- With link_none, the link apis were failing with not error message.
- man doc makefile wasn't correctly referring to the srcdir
- Avoid mallocing zero bytes, it perturbs electric fence.
- autotools patches for cross compiling and seperate builddir
- html doc makefile wasn't correctly referring to the srcdir
- ip_offset is now calculated on the fly, and UDP and TCP no longer use h_len
- IP offset calculation should allow nesting of IP protocols.
- Remove gccisms in bitfield definitions.
- injection type of LIBNET_NONE, for packet construction without injection (also, more const correctness)
- Notes about checksumming.
- libnet_build_tcp was not returning the ptag.
- Packet boundaries are now passed to _do_checksum(), so it can validate its input. Hopefully, this will end the recurring segmentation faults due to buffer overruns.
- TCP building is triggering memory overwrites; closer examination shows the link list manipulation to be wrong, and the checksumming approach to be incapable of working. I reworked code to simplify and clarify how it works currently, in preparation to fixing it.
- Updated comments and notes.
- Null the pointer in the about-to-be-freed structure, not the one on the stack.
- Added missing pblock types, and made strings consistent with definitions.
- Change version policy, we will be 1.1.4 until 1.1.5 is released.
- Bring CHANGELOG up to date with today, and script used to generated it.
- Begin implementation and tests for repairing pblocks after an update.
- libnet_pblock_insert_before() didn't remove ptag2 from old location
- Clarifications in document comments.
- Don't doxygen process internal header libnet-headers.h
- Declared many constant arguments as const, const-correct code spews warnings when built against libnet.
- Include pcap DLT_ types from correct header, was using an internal one before.
- Declared many constant arguments as const, const-correct code spews warnings when built against libnet.
- Note about build_data, which doesn't update ip_offset, among other problems.
- libnet_clear_packet() wasn't clearing all packet context.
- Why don't TCP and UDP use the DATA pblock type?
- whitespace cleanup
- Add libnet_dll.c as extra, so its there for win32, and build libnet_link.c
- This file wasn't being built, and needed to include bpf to build.
- Forgot to make device a const string here, too.
- make string argument constant
- only ignore Makefile in libnet/
- Replace u_intX_t with C99 uintX_t.
- pclose() following popen(), not fclose()
- snoof & dlpi: don't free on libnet_link_close()
- Summarize changes for log.
- Reindented, removing hard tabs, and using consistent brace positioning.
- The non-standard types are no longer used.
- /sw/.. path doesn't always exist
- src/libnet_link_snoop.c: Only fclose if f!=NULL
- src/libnet_link_snoop.c: fixed snoop-based backend. Works on IRIX.
- Use uint64_t, not u_int64_t
- define a lying gethostbyname2() if it's not defined
- define STDOUT_FILENO if it's not defined
- configure.in: check for gethostbyname2
- configure.in: Check for uint{16,32,64}_t
- Configure switch to install samples
- Attempt at applying a patch to get installable samples, which doesn't work.
- Pointers not cleared after free could lead to double deallocation.
- Convert CRLF to LF.
- Auto* changes to work on OS X from git checkout.
- Update autobuild endianness and unaligned checks.
- Add srcdir to include path.
- Adjust srcdir and builddir so libnet can build out-of-tree
--------------------------------------------------------------------------------
ChangeLog:
* Tue Dec 28 2010 Robert Scheck <robert at fedoraproject.org> 1.1.5-1
- Upgrade to 1.1.5
* Fri Jul 9 2010 Robert Scheck <robert at fedoraproject.org> 1.1.4-4
- Added patch for capability support rather UID check (#589770)
--------------------------------------------------------------------------------
================================================================================
libsndfile-1.0.17-4.el5 (FEDORA-EPEL-2010-3855)
Library for reading and writing sound files
--------------------------------------------------------------------------------
Update Information:
- fixes CVE-2009-1788 : VOC file heap based buffer overflow
- fixes CVE-2009-1791 : AIFF file heap based buffer overflow
--------------------------------------------------------------------------------
ChangeLog:
* Thu Dec 23 2010 Michal Hlavinka <mhlavink at redhat.com> - 1.0.17-4
- fix CVE-2009-1788 : VOC file heap based buffer overflow (#502657)
- fix CVE-2009-1791 : AIFF file heap based buffer overflow (#502658)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #502657 - CVE-2009-1788 libsndfile VOC file heap based buffer overflow
https://bugzilla.redhat.com/show_bug.cgi?id=502657
[ 2 ] Bug #502658 - CVE-2009-1791 libsndfile AIFF file heap based buffer overflow
https://bugzilla.redhat.com/show_bug.cgi?id=502658
--------------------------------------------------------------------------------
================================================================================
sems-1.3.1-2.el5 (FEDORA-EPEL-2010-3860)
SIP Express Media Server, an extensible SIP media server
--------------------------------------------------------------------------------
Update Information:
- Fixed segfault in gateway module
- Properly install email template for voicemail module
- Don't start py_sems by default (causes issues with python2.7)
- Ver. 1.3.1 (Fully API/ABI compatible with previous version)
Ver 1.3.0 (with lots of bugfixes) - api and abi compatible with previous version.
Fixed severe issue, which caused segfaults
Several minor bugfixes and one big fix for regression in modules conference and early_media.
- Ver. 1.3.1 (Fully API/ABI compatible with previous version)
Ver 1.3.0 (with lots of bugfixes) - api and abi compatible with previous version.
Fixed severe issue, which caused segfaults
Several minor bugfixes and one big fix for regression in modules conference and early_media.
- Ver. 1.3.1 (Fully API/ABI compatible with previous version)
Ver 1.3.0 (with lots of bugfixes) - api and abi compatible with previous version.
Fixed severe issue, which caused segfaults
Several minor bugfixes and one big fix for regression in modules conference and early_media.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Dec 29 2010 Peter Lemenkov <lemenkov at gmail.com> 1.3.1-2
- Fixed segfault in gateway module
- Properly install email template for voicemail module
- Don't start py_sems by default (causes issues with python2.7)
* Mon Dec 27 2010 Peter Lemenkov <lemenkov at gmail.com> 1.3.1-1
- Ver. 1.3.1 (Bugfix release)
* Wed Sep 29 2010 Peter Lemenkov <lemenkov at gmail.com> 1.3.0-2
- Workaround for missing atomic built-ins in EPEL5 old gcc
* Mon Sep 27 2010 Peter Lemenkov <lemenkov at gmail.com> 1.3.0-1
- Ver. 1.3.0
- Dropped half of all patches
- Dropped binrpcctrl plugin
- Merged into core sipctrl plugin
* Thu Sep 9 2010 Rex Dieter <rdieter at fedoraproject.org> 1.2.1-7
- rebuild (sip)
* Fri Aug 20 2010 Peter Lemenkov <lemenkov at gmail.com> 1.2.1-6
- Fixed severe issue in early_announce module (see %patch12)
* Sat Jul 31 2010 Toshio Kuratomi <toshio at fedoraproject.org> 1.2.1-5
- rebuild for python 2.7
* Fri Jun 25 2010 Peter Lemenkov <lemenkov at gmail.com> 1.2.1-4
- Fixed escaping variables strategy for new CMake (and only for new CMake)
- Disable mysql++ in early_announce and conference modules
* Tue Jun 1 2010 Peter Lemenkov <lemenkov at gmail.com> 1.2.1-3
- Fixed config-file generation for EPEL (old CMake)
- Fixed MOD_NAME parameter passing
- Fixed few typos
* Fri May 7 2010 Peter Lemenkov <lemenkov at gmail.com> 1.2.1-2
- Fixed build for EPEL
* Fri Apr 30 2010 Peter Lemenkov <lemenkov at gmail.com> 1.2.1-1
- Ver. 1.2.1
- Dropped upstreamed patches
* Thu Apr 1 2010 Peter Lemenkov <lemenkov at gmail.com> 1.2.0-2
- Fix for CMake 2.4 added
* Wed Mar 31 2010 Peter Lemenkov <lemenkov at gmail.com> 1.2.0-1
- Ver. 1.2.0
- Switched to CMake (and fixed many packaging and linking issues)
- All old patches were either applied upstream or dropped (no longer required)
- Finally removed unixsockctrl interface
- New sub-packages: conference, dsm, early_announce
- Module py_sems was re-enabled
* Mon Nov 16 2009 Rex Dieter <rdieter at fedoraproject.org> 1.1.1-7
- drop BR: sip-devel
--------------------------------------------------------------------------------
================================================================================
wordpress-2.8.6-3.el5 (FEDORA-EPEL-2010-3857)
WordPress blogging software
--------------------------------------------------------------------------------
Update Information:
Security fix:
http://core.trac.wordpress.org/changeset/16625
--------------------------------------------------------------------------------
ChangeLog:
* Thu Dec 23 2010 Jon Ciesla <limb at jcomserv.net> - 2.8.6-3
- Change Requires from httpd to webserver, BZ 523480.
- Patch for Hello Dolly lyrics, BZ 663966.
- Patch for security vulnerability, BZ 659319.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #659265 - CVE-2010-4257 Wordpress: SQL injection flaw by processing trackbacks
https://bugzilla.redhat.com/show_bug.cgi?id=659265
--------------------------------------------------------------------------------
More information about the epel-devel-list
mailing list