Fedora EPEL 4 updates-testing report

updates at fedoraproject.org
Tue Oct 4 18:36:00 UTC 2011


The following Fedora EPEL 4 Security updates need testing:

    https://admin.fedoraproject.org/updates/phpPgAdmin-5.0.3-1.el4
    https://admin.fedoraproject.org/updates/puppet-0.25.5-2.el4


The following builds have been pushed to Fedora EPEL 4 updates-testing

    check_postgres-2.18.0-1.el4
    phpPgAdmin-5.0.3-1.el4
    puppet-0.25.5-2.el4

Details about builds:


================================================================================
 check_postgres-2.18.0-1.el4 (FEDORA-EPEL-2011-4587)
 PostgreSQL monitoring script
--------------------------------------------------------------------------------
Update Information:

Update to 2.18.0, per changes described at
  https://mail.endcrypt.com/pipermail/check_postgres-announce/2011-October/000027.html

--------------------------------------------------------------------------------
ChangeLog:

* Mon Oct  3 2011 - Devrim GUNDUZ <devrim at gunduz.org> 2.18.0-1
- Update to 2.18.0, per changes described at
  https://mail.endcrypt.com/pipermail/check_postgres-announce/2011-October/000027.html
* Tue Feb 15 2011 - Devrim GUNDUZ <devrim at gunduz.org> 2.16.0-1
- Update to 2.16.0
* Wed Mar 10 2010 - Devrim GUNDUZ <devrim at gunduz.org> 2.14.3-1
- Update to 2.14.3
--------------------------------------------------------------------------------


================================================================================
 phpPgAdmin-5.0.3-1.el4 (FEDORA-EPEL-2011-4594)
 Web-based PostgreSQL administration
--------------------------------------------------------------------------------
Update Information:

* Update to 5.0.3, per changes described at:
   http://sourceforge.net/mailarchive/forum.php?thread_name=4E897F6C.90905%40free.fr&forum_name=phppgadmin-news

which also fixes a security flaw:
http://www.openwall.com/lists/oss-security/2011/10/04/1
--------------------------------------------------------------------------------
ChangeLog:

* Mon Oct  3 2011 Devrim Gunduz <devrim at gunduz.org> 5.0.3-1
- Update to 5.0.3, per changes described at:
  http://sourceforge.net/mailarchive/forum.php?thread_name=4E897F6C.90905%40free.fr&forum_name=phppgadmin-news
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #743205 - phpPgAdmin: Multiple XSS flaws fixed in v5.0.3
        https://bugzilla.redhat.com/show_bug.cgi?id=743205
--------------------------------------------------------------------------------


================================================================================
 puppet-0.25.5-2.el4 (FEDORA-EPEL-2011-4581)
 A network tool for managing many disparate systems
--------------------------------------------------------------------------------
Update Information:

The following vulnerabilities have been discovered and fixed:

    * CVE-2011-3848, a directory traversal attack
    * CVE-2011-3870, a symlink attack via a user's SSH authorized_keys file
    * CVE-2011-3869, a symlink attack via a user's .k5login file
    * CVE-2011-3871, a privilege escalation attack via the temp file used by the puppet resource application
    * A low-risk file indirector injection attack

Further details can be found in the upstream announcements:

http://groups.google.com/group/puppet-users/browse_thread/thread/e57ce2740feb9406  
http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb

Additionally, fixes for several bugs are included:

    * Yumrepo deprecation error (http://projects.puppetlabs.com/issues/4252)
    * Handle CR/LF in puppet.conf (http://projects.puppetlabs.com/issues/3514)
    * Capture stderr from exec resources (http://projects.puppetlabs.com/issues/2359)
--------------------------------------------------------------------------------
ChangeLog:

* Mon Oct  3 2011 Todd Zullinger <tmz at pobox.com> - 0.25.5-2
- Apply upstream patches for CVE-2011-3848, CVE-2011-3869, CVE-2011-3870,
  CVE-2011-3871
- Create and own /usr/share/puppet/modules (#615432)
- Silence deprecation warnings in yumrepo type (#615175, upstream #4252)
- Handle CR/LF in puppet.conf (upstream #3514)
- Capture stderr from exec resources (upstream #2359)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #742644 - CVE-2011-3870 puppet: SSH authorized_keys symlink attack
        https://bugzilla.redhat.com/show_bug.cgi?id=742644
  [ 2 ] Bug #742645 - CVE-2011-3869 puppet: K5login content attack
        https://bugzilla.redhat.com/show_bug.cgi?id=742645
  [ 3 ] Bug #742649 - CVE-2011-3871 puppet: predictable temporary file using RAL
        https://bugzilla.redhat.com/show_bug.cgi?id=742649
  [ 4 ] Bug #742174 - CVE-2011-3848 puppet: Directory traversal attack by processing certain x509 certificate signing requests
        https://bugzilla.redhat.com/show_bug.cgi?id=742174
--------------------------------------------------------------------------------





More information about the epel-devel-list mailing list