Resolved Bugs
1178825 – arj: two directory traversal flaws [fedora-all]
1207181 – CVE-2015-2782 arj: free on invalid pointer due to to buffer overflow [fedora-all]
1196753 – arj: buffer overflow write access initiated by a size read from a crafted archive [fedora-all]
1178824 – CVE-2015-0556 CVE-2015-0557 arj: two directory traversal flaws
1207180 – CVE-2015-2782 arj: free on invalid pointer due to to buffer overflow
1196751 – arj: buffer overflow write access initiated by a size read from a crafted archive<br
– Added patch from Debian to avoid free on invalid pointer due to a buffer overflow (#1196751, #1207180)
– Added patch from Debian for symlink directory traversal (#1178824)
– Added patch from Debian to fix the directory traversal via //multiple/leading/slash (#1178824)

Update to latest release, which includes security fixes.
Update to 2.1.6, per changes described at:
http://postgis.net/2015/03/20/postgis-2.1.6
enable json-c for postigs, but disable it for upgrade part
Rebuild for Proj 4.9.1

Resolved Bugs
1207217 – perl-DBD-Firebird: buffer overflow in error messages handling in IB_SQLtimeformat() [fedora-all]
1207216 – perl-DBD-Firebird: buffer overflow in error messages handling in IB_SQLtimeformat()<br
DBD::Firebird 1.19 [2015-03-22]
===============================
* Fix $VERSION in Firebird.pm
* Fix typo in ISC_PASSWORD spelling
* Positive logic and early return
* Allow re-executing/fetch on prepared sth [RT#92810, Tux]
* Add rests for $dbh->{Name} and others
* Implement $dbh->{Name}
* Fix attributions to Mike Pomraning
* use strict and warnings in all modules
* add a test for inserting/fetching float and double numbers as an attempt to reproduce RT#101650
* fix File::Which configure prerequisite declaration [RT#101672, dmn]
* 03-dbh-attr.t: plan tests after creating the TestFirebird object
* Buffer Overflow in dbdimp.c
* use snprintf instead of sprintf everywhere

Resolved Bugs
1207216 – perl-DBD-Firebird: buffer overflow in error messages handling in IB_SQLtimeformat()
1207217 – perl-DBD-Firebird: buffer overflow in error messages handling in IB_SQLtimeformat() [fedora-all]<br
DBD::Firebird 1.19 [2015-03-22]
===============================
* Fix $VERSION in Firebird.pm
* Fix typo in ISC_PASSWORD spelling
* Positive logic and early return
* Allow re-executing/fetch on prepared sth [RT#92810, Tux]
* Add rests for $dbh->{Name} and others
* Implement $dbh->{Name}
* Fix attributions to Mike Pomraning
* use strict and warnings in all modules
* add a test for inserting/fetching float and double numbers as an attempt to reproduce RT#101650
* fix File::Which configure prerequisite declaration [RT#101672, dmn]
* 03-dbh-attr.t: plan tests after creating the TestFirebird object
* Buffer Overflow in dbdimp.c
* use snprintf instead of sprintf everywhere

Resolved Bugs
1208072 – mediawiki: mediawiki: security issues fixed in the 1.24.2, 1.23.9, and 1.19.24 releases
1208073 – mediawiki: mediawiki: security issues fixed in the 1.24.2, 1.23.9, and 1.19.24 releases [fedora-all]<br
Changes since 1.23.8
* (bug T85848, bug T71210) SECURITY: Don’t parse XMP blocks that contain XML entities, to prevent various DoS attacks.
* (bug T85848) SECURITY: Don’t allow directly calling Xml::isWellFormed, to reduce likelihood of DoS.
* (bug T88310) SECURITY: Always expand xml entities when checking SVG’s.
* (bug T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
* (bug T85855) SECURITY: Don’t execute another user’s CSS or JS on preview.
* (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues fixed in SVG filtering to prevent XSS and protect viewer’s privacy.
* (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.

Resolved Bugs
1208072 – mediawiki: mediawiki: security issues fixed in the 1.24.2, 1.23.9, and 1.19.24 releases
1208073 – mediawiki: mediawiki: security issues fixed in the 1.24.2, 1.23.9, and 1.19.24 releases [fedora-all]<br
Changes since 1.24.1
* (bug T85848, bug T71210) SECURITY: Don’t parse XMP blocks that contain XML entities, to prevent various DoS attacks.
* (bug T85848) SECURITY: Don’t allow directly calling Xml::isWellFormed, to reduce likelihood of DoS.
* (bug T88310) SECURITY: Always expand xml entities when checking SVG’s.
* (bug T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
* (bug T85855) SECURITY: Don’t execute another user’s CSS or JS on preview.
* (bug T64685) SECURITY: Allow setting maximal password length to prevent DoS when using PBKDF2.
* (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues fixed in SVG filtering to prevent XSS and protect viewer’s privacy.
* Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix loading these special pages when $wgAutoloadAttemptLowercase is false.
* (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.
* (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change and running update.php to fix.

Resolved Bugs
1178824 – CVE-2015-0556 CVE-2015-0557 arj: two directory traversal flaws
1178825 – arj: two directory traversal flaws [fedora-all]
1207181 – CVE-2015-2782 arj: free on invalid pointer due to to buffer overflow [fedora-all]
1196753 – arj: buffer overflow write access initiated by a size read from a crafted archive [fedora-all]
1207180 – CVE-2015-2782 arj: free on invalid pointer due to to buffer overflow
1196751 – arj: buffer overflow write access initiated by a size read from a crafted archive<br
– Added patch from Debian to avoid free on invalid pointer due to a buffer overflow (#1196751, #1207180)
– Added patch from Debian for symlink directory traversal (#1178824)
– Added patch from Debian to fix the directory traversal via //multiple/leading/slash (#1178824)