Fedora EPEL 5 updates-testing report

updates at fedoraproject.org
Fri Feb 1 13:21:30 UTC 2013


The following Fedora EPEL 5 Security updates need testing:
 Age  URL
  10  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-0148/drupal7-7.19-1.el5
 285  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-5630/bugzilla-3.2.10-5.el5
 180  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-6608/Django-1.1.4-2.el5
  62  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-13612/drupal6-ctools-1.10-1.el5
   8  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-0171/moodle-1.9.19-5.el5
   8  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-0173/couchdb-1.0.4-2.el5.1
  10  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-0116/drupal6-6.28-1.el5
  10  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-0139/proftpd-1.3.3g-2.el5
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-0237/wordpress-3.5.1-1.el5.1


The following builds have been pushed to Fedora EPEL 5 updates-testing

    drupal7-date_ical-2.3-1.el5
    jglobus-2.0.5-0.1.rc2.el5
    wordpress-3.5.1-1.el5.1

Details about builds:


================================================================================
 drupal7-date_ical-2.3-1.el5 (FEDORA-EPEL-2013-0229)
 Allows creation of an iCal feed in Views
--------------------------------------------------------------------------------
Update Information:

Update to upstream 2.3 release
Update to upstream 2.2 release
--------------------------------------------------------------------------------
ChangeLog:

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #904736 - drupal7-date_ical-2.3 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=904736
  [ 2 ] Bug #903583 - drupal7-date_ical-2.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=903583
--------------------------------------------------------------------------------


================================================================================
 jglobus-2.0.5-0.1.rc2.el5 (FEDORA-EPEL-2013-0236)
 Globus Java client libraries
--------------------------------------------------------------------------------
Update Information:

JGlobus version 2.0.5 release candidate 2.

New packages jglobus-myproxy and jglobus-axisg

--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 29 2013 Mattias Ellert <mattias.ellert at fysast.uu.se> - 2.0.5-0.1.rc2
- 2.0.5 release candidate 2
- New jglobus-myproxy package
- New jglobus-axisg package
--------------------------------------------------------------------------------


================================================================================
 wordpress-3.5.1-1.el5.1 (FEDORA-EPEL-2013-0237)
 Blog tool and publishing platform
--------------------------------------------------------------------------------
Update Information:

WordPress 3.5.1 is now available. Version 3.5.1 is the first maintenance release of 3.5, fixing 37 bugs. It is also a security release for all previous WordPress versions. The bug fixes include:

* Editor: Prevent certain HTML elements from being unexpectedly removed or modified in rare cases.
* Media: Fix a collection of minor workflow and compatibility issues in the new media manager.
* Networks: Suggest proper rewrite rules when creating a new network.
* Prevent scheduled posts from being stripped of certain HTML, such as video embeds, when they are published.
* Work around some misconfigurations that may have caused some JavaScript in the WordPress admin area to fail.
* Suppress some warnings that could occur when a plugin misused the database or user APIs.

WordPress 3.5.1 also addresses the following security issues:

* A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team. We’d like to thank security researchers Gennady Kovshenin and Ryan Dewhurst for reviewing our work.
* Two instances of cross-site scripting via shortcodes and post content. These issues were discovered by Jon Cave of the WordPress security team.
* A cross-site scripting vulnerability in the external library Plupload. Thanks to the Moxiecode team for working with us on this, and for releasing Plupload 1.5.5 to address this issue.

--------------------------------------------------------------------------------
ChangeLog:

* Wed Jan 30 2013 Remi Collet <rcollet at redhat.com> - 3.5.1-1.1
- fix simplepie links (for all branches)
* Wed Jan 30 2013 Remi Collet <rcollet at redhat.com> - 3.5.1-1
- version 3.5.1, various bug and security fixes:
  CVE-2013-0235, CVE-2013-0236 and CVE-2013-0237
- drop -f option from rm to break build if
  upstream archive content changes
- protect akismet content (from upstream .htaccess)
* Wed Jan  2 2013 Remi Collet <rcollet at redhat.com> - 3.5-3
- fix links to system PHPMailer library
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #904120 - CVE-2013-0235 wordpress: Server-side request forgery and remote port scanning using pingbacks
        https://bugzilla.redhat.com/show_bug.cgi?id=904120
  [ 2 ] Bug #904121 - wordpress: XSS flaws via shortcodes and HTTP POST content
        https://bugzilla.redhat.com/show_bug.cgi?id=904121
  [ 3 ] Bug #904122 - wordpress: XSS in the external Plupload library
        https://bugzilla.redhat.com/show_bug.cgi?id=904122
--------------------------------------------------------------------------------




