Fedora EPEL 6 updates-testing report

updates at fedoraproject.org
Sat Oct 1 01:33:46 UTC 2011


The following Fedora EPEL 6 Security updates need testing:

    https://admin.fedoraproject.org/updates/rt3-3.8.10-2.el6.1
    https://admin.fedoraproject.org/updates/puppet-2.6.6-3.el6
    https://admin.fedoraproject.org/updates/Django-1.2.7-1.el6
    https://admin.fedoraproject.org/updates/bugzilla-3.4.11-1.el6
    https://admin.fedoraproject.org/updates/drupal6-views_bulk_operations-1.11-1.el6
    https://admin.fedoraproject.org/updates/bcfg2-1.1.3-1.el6
    https://admin.fedoraproject.org/updates/phpMyAdmin-3.4.5-1.el6
    https://admin.fedoraproject.org/updates/perl-FCGI-0.71-4.el6


The following builds have been pushed to Fedora EPEL 6 updates-testing

    Django-1.2.7-1.el6
    drupal6-pathauto-2.0-0.4.rc2.el6
    facter-1.6.1-1.el6
    firebird-2.5.1.26349.O-1.el6
    gromacs-4.5.5-1.el6
    puppet-2.6.6-3.el6
    python-asciitable-0.7.1-1.el6

Details about builds:


================================================================================
 Django-1.2.7-1.el6 (FEDORA-EPEL-2011-4574)
 A high-level Python Web framework
--------------------------------------------------------------------------------
Update Information:

Previous update actually misses several patches related to the security vulnerabilities it intended to address
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep 30 2011 Michel Salim <salimma at fedoraproject.org> - 1.2.7-1
- Update to 1.2.7, properly fixing security flaws (# 737366)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #742466 - Django: v1.3.1, v1.2.7 multiple security flaws [epel-6]
        https://bugzilla.redhat.com/show_bug.cgi?id=742466
--------------------------------------------------------------------------------


================================================================================
 drupal6-pathauto-2.0-0.4.rc2.el6 (FEDORA-EPEL-2011-4569)
 Automatically generates path aliases
--------------------------------------------------------------------------------
Update Information:

Updated to 2.0.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep 30 2011 Peter Borsa <asrob at claire> - 2.0-0.4.rc2
- Updated to 2.0 version.
* Tue Feb  8 2011 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
--------------------------------------------------------------------------------


================================================================================
 facter-1.6.1-1.el6 (FEDORA-EPEL-2011-4571)
 Ruby module for collecting simple facts about a host operating system
--------------------------------------------------------------------------------
Update Information:

Upstream bugfix release.  Refer to the release announcement for full details:

http://groups.google.com/group/puppet-users/browse_thread/thread/d2061ec6263c5d88
--------------------------------------------------------------------------------
ChangeLog:

* Thu Sep 29 2011 Todd Zullinger <tmz at pobox.com> - 1.6.1-1
- Update to 1.6.1
- Minor spec file reformatting
--------------------------------------------------------------------------------


================================================================================
 firebird-2.5.1.26349.O-1.el6 (FEDORA-EPEL-2011-4570)
 SQL relational database management system
--------------------------------------------------------------------------------
Update Information:

- new upstream (bug fix release)
- added patch from upstream to fix Firebird CORE-3610
--------------------------------------------------------------------------------
ChangeLog:

* Thu Sep 29 2011 Philippe Makowski <makowski at fedoraproject.org>  2.5.1.26349.0-1
- new upstream (bug fix release)
- added patch from upstream to fix Firebird CORE-3610
--------------------------------------------------------------------------------


================================================================================
 gromacs-4.5.5-1.el6 (FEDORA-EPEL-2011-4564)
 Fast, Free and Flexible Molecular Dynamics
--------------------------------------------------------------------------------
Update Information:

Bugfix update to 4.5.5, see http://lists.gromacs.org/pipermail/gmx-users/2011-September/064683.html for release info.
First build in EL6.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #739875 - gromacs-4.5.5 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=739875
  [ 2 ] Bug #739212 - EL-6 branch is missing
        https://bugzilla.redhat.com/show_bug.cgi?id=739212
--------------------------------------------------------------------------------


================================================================================
 puppet-2.6.6-3.el6 (FEDORA-EPEL-2011-4568)
 A network tool for managing many disparate systems
--------------------------------------------------------------------------------
Update Information:

The following vulnerabilities have been discovered and fixed:

* CVE-2011-3870, a symlink attack via a user's SSH authorized_keys file  
* CVE-2011-3869, a symlink attack via a user's .k5login file  
* CVE-2011-3871, a privilege escalation attack via the temp file used by the puppet resource application
* A low-risk file indirector injection attack  

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb

A vulnerability was discovered in puppet that would allow an attacker to install a valid X509 Certificate Signing Request at any location on disk, with the privileges of the Puppet Master application.  For Fedora and EPEL, this is the puppet user.

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-users/browse_thread/thread/e57ce2740feb9406

Unless you enable puppet's listen mode on clients, only the puppet master is vulnerable to this issue.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Sep 29 2011 Todd Zullinger <tmz at pobox.com> - 2.6.6-3
- Apply upstream patches for CVE-2011-3869, CVE-2011-3870, CVE-2011-3871, and
  upstream #9793
* Tue Sep 27 2011 Todd Zullinger <tmz at pobox.com> - 2.6.6-2
- Apply upstream patch for CVE-2011-3848
--------------------------------------------------------------------------------


================================================================================
 python-asciitable-0.7.1-1.el6 (FEDORA-EPEL-2011-4560)
 Extensible ASCII table reader and writer
--------------------------------------------------------------------------------
Update Information:

This is a minor feature and bug-fix release

  * Add a method inconsistent_handler() to the BaseReader class as a hook to handle rows with an inconsistent number of data columns (contributed by Erik Tollerud).

  * Output a more informative error message when guessing fails.
    
  * Fix issues in column type handling, mostly related to the MemoryReader class which is used for writing tables.

  * Fix a problem in guessing where user-supplied args were not filtering the guess possibilities correctly.

  * Fix problem reading a single column, string-only table with MemoryReader on MacOS.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep 30 2011 Sergio Pascual <sergiopr at fedoraproject.org> - 0.7.1-1
- New upstream version, with bugfixes
--------------------------------------------------------------------------------




