Resolved Bugs
1133787 – CVE-2013-7398 async-http-client: missing hostname verification for SSL certificates [fedora-all]
1133773 – CVE-2013-7398 async-http-client: missing hostname verification for SSL certificates
1133789 – CVE-2013-7397 async-http-client: SSL/TLS certificate verification is disabled under certain conditions [fedora-all]
1133769 – CVE-2013-7397 async-http-client: SSL/TLS certificate verification is disabled under certain conditions
Security fix for CVE-2013-7398, CVE-2013-7397
Monthly Archives: April 2015
Fedora 22 Security Update: wpa_supplicant-2.3-3.fc22
This update addresses a security vulnerability identified as CVE-2015-1863. More information on this vulnerability is provided by upstream at https://w1.fi/security/2015-1/wpa_supplicant-p2p-ssid-overflow.txt. An extract:
Attacker (or a system controlled by the attacker) needs to be within radio range of the vulnerable system to send a suitably constructed management frame that triggers a P2P peer device information to be created or updated.
The vulnerability is easiest to exploit while the device has started an active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control interface command in progress). However, it may be possible, though significantly more difficult, to trigger this even without any active P2P operation in progress.
Fedora 21 Security Update: mingw-libgcrypt-1.6.3-1.fc21
Resolved Bugs
1198153 – CVE-2015-0837 CVE-2014-3591 mingw-libgcrypt: various flaws [fedora-all]
Update to 1.6.3 which fixes CVE-2014-3591 CVE-2015-0837
Fedora 21 Security Update: mingw-openssl-1.0.2a-1.fc21
Resolved Bugs
1203855 – CVE-2015-0209 CVE-2015-0293 CVE-2015-0287 CVE-2015-0286 CVE-2015-0289 CVE-2015-0288 mingw-openssl: various flaws [fedora-all]
Update to OpenSSL 1.0.2a which fixes various CVEs
Fedora 21 Security Update: wpa_supplicant-2.0-13.fc21
This update addresses a security vulnerability identified as CVE-2015-1863. More information on this vulnerability is provided by upstream at https://w1.fi/security/2015-1/wpa_supplicant-p2p-ssid-overflow.txt. An extract:
Attacker (or a system controlled by the attacker) needs to be within radio range of the vulnerable system to send a suitably constructed management frame that triggers a P2P peer device information to be created or updated.
The vulnerability is easiest to exploit while the device has started an active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control interface command in progress). However, it may be possible, though significantly more difficult, to trigger this even without any active P2P operation in progress.
Fedora 20 Security Update: springframework-3.1.4-3.fc20
Fedora 22 Security Update: mingw-curl-7.42.0-1.fc22
Fedora 22 Security Update: mingw-libgcrypt-1.6.3-1.fc22
Resolved Bugs
1198153 – CVE-2015-0837 CVE-2014-3591 mingw-libgcrypt: various flaws [fedora-all]
Update to 1.6.3 which fixes CVE-2014-3591 CVE-2015-0837