Monthly Archives: June 2015
Fedora 21 Security Update: gnome-abrt-1.0.0-3.fc21,abrt-2.3.0-7.fc21,libreport-2.3.0-8.fc21
Resolved Bugs
1214609 – CVE-2015-3150 abrt: abrt-dbus does not guard against crafted problem directory path arguments [fedora-all]
1216975 – CVE-2015-3159 abrt: missing process environment sanitization in abrt-action-install-debuginfo-to-abrt-cache [fedora-all]
1214452 – CVE-2015-3151 abrt: directory traversals in several D-Bus methods implemented by abrt-dbus [fedora-all]
1212871 – CVE-2015-1870 abrt: default abrt event scripts lead to information disclosure [fedora-all]
1212821 – CVE-2015-3142 abrt: abrt-hook-ccpp writes core dumps to existing files owned by others [fedora-all]
1213485 – Can’t extract files from downloaded debuginfo package
1169774 – failure to extract debuginfo
1193656 – abrt-gui renders crash list white-on-white when using dark theme
986876 – RFE: Disallow core dump upload entirely
1212865 – CVE-2015-1869 abrt: default event scripts follow symbolic links [fedora-all]
1218239 – CVE-2015-3315 abrt: Various race-conditions and symlink issues found in abrt [fedora-all]
1179752 – undocumented options in abrt-cli
Security fixes for:
* CVE-2015-3315
* CVE-2015-3142
* CVE-2015-1869
* CVE-2015-1870
* CVE-2015-3151
* CVE-2015-3150
* CVE-2015-3159
abrt:
=====
* Move the default dump location from /var/tmp/abrt to /var/spool/abrt
* Use root for owner of all dump directories
* Stop reading hs_error.log from /tmp
* Do not save the system logs by default
* Do not save dmesg if kernel.dmesg_restrict=1
libreport:
==========
* Harden the code against directory traversal, symbolic and hard link attacks
* Fix a bug that caused the first value of AlwaysExcludedElements to be ignored
* Fix missing icon for the “Stop” button
* Improve development documentation
* Translation updates
gnome-abrt:
===========
* Use DBus to get problem data for detail dialog
* Fix an error introduced with the details on the System page
* Enable the Details also for System problems
Fedora 22 Security Update: 389-ds-base-1.3.3.12-1.fc22
Resolved Bugs
1232896 – CVE-2015-3230 389-ds-base: nsSSL3Ciphers preference not enforced server side (regression) [fedora-all]
release 1.3.3.12
Fedora 21 Security Update: drupal7-7.38-1.fc21
Resolved Bugs
1232972 – drupal7-7.38 is available
– Release 7.38 is a security fix release
– Upstream release notes: https://www.drupal.org/drupal-7.38-release-notes
Fedora 21 Security Update: gnome-abrt-1.0.0-2.fc21,abrt-2.3.0-6.fc21,libreport-2.3.0-8.fc21
Resolved Bugs
1216975 – CVE-2015-3159 abrt: missing process environment sanitization in abrt-action-install-debuginfo-to-abrt-cache [fedora-all]
1214609 – CVE-2015-3150 abrt: abrt-dbus does not guard against crafted problem directory path arguments [fedora-all]
1214452 – CVE-2015-3151 abrt: directory traversals in several D-Bus methods implemented by abrt-dbus [fedora-all]
1212871 – CVE-2015-1870 abrt: default abrt event scripts lead to information disclosure [fedora-all]
1212865 – CVE-2015-1869 abrt: default event scripts follow symbolic links [fedora-all]
1212821 – CVE-2015-3142 abrt: abrt-hook-ccpp writes core dumps to existing files owned by others [fedora-all]
1218239 – CVE-2015-3315 abrt: Various race-conditions and symlink issues found in abrt [fedora-all]
1179752 – undocumented options in abrt-cli
1213485 – Can’t extract files from downloaded debuginfo package
1169774 – failure to extract debuginfo
1193656 – abrt-gui renders crash list white-on-white when using dark theme
986876 – RFE: Disallow core dump upload entirely
Security fixes for:
* CVE-2015-3315
* CVE-2015-3142
* CVE-2015-1869
* CVE-2015-1870
* CVE-2015-3151
* CVE-2015-3150
* CVE-2015-3159
abrt:
=====
* Move the default dump location from /var/tmp/abrt to /var/spool/abrt
* Use root for owner of all dump directories
* Stop reading hs_error.log from /tmp
* Do not save the system logs by default
* Do not save dmesg if kernel.dmesg_restrict=1
libreport:
==========
* Harden the code against directory traversal, symbolic and hard link attacks
* Fix a bug that caused the first value of AlwaysExcludedElements to be ignored
* Fix missing icon for the “Stop” button
* Improve development documentation
* Translation updates
gnome-abrt:
===========
* Use DBus to get problem data for detail dialog
* Fix an error introduced with the details on the System page
* Enable the Details also for System problems
Fedora 21 Security Update: chicken-4.9.0.1-4.fc21
Resolved Bugs
1231871 – CVE-2015-4556 chicken: out-of-bounds read in CHICKEN Scheme’s string-translate* procedure
Apply patch to work around the out-of-bounds read (BZ 1231871).
Fedora 21 Security Update: php-htmLawed-1.1.20-1.fc21
**1.1.20** – 9 June 2015. Fix for a potential security vulnerability arising from an unescaped double-quote character in a single-quoted attribute value of some deprecated elements when tag transformation is enabled; recognition of the non-(HTML4)-standard ‘allowfullscreen’ attribute of ‘iframe’.
Fedora 21 Security Update: opensaml-java-openws-1.5.5-2.fc21,opensaml-java-2.5.3-9.fc21
Resolved Bugs
1131823 – CVE-2014-3603 OpenSAML Java: HTTPS Connections Via HTTP Resources Do Not Perform Hostname Verification
1132022 – CVE-2014-3603 opensaml-java: OpenSAML Java: HTTPS Connections Via HTTP Resources Do Not Perform Hostname Verification [fedora-all]
1219740 – Upgrade to 1.5.0 or newer
* OpenSAML Java: HTTPS Connections Via HTTP Resources Do Not Perform Hostname Verification
Fedora 22 Security Update: drupal6-6.36-1.fc22
Resolved Bugs
1232971 – drupal6-6.36 is available
– Release 6.36 is a security fix release
– Upstream release notes: https://www.drupal.org/drupal-6.36-release-notes
Fedora 22 Security Update: curl-7.40.0-5.fc22
Resolved Bugs
1195771 – support “--pinnedpubkey” option (feature REQ)
1228363 – curl-config broken when i686 version installed on x86_64
1233818 – CVE-2015-3237 CVE-2015-3236 curl: various flaws [fedora-all]
1233814 – CVE-2015-3237 curl: SMB send off unrelated memory contents
1233816 – CVE-2015-3236 curl: lingering HTTP credentials in connection re-use
– implement public key pinning for NSS backend (#1195771)
– fix lingering HTTP credentials in connection re-use (CVE-2015-3236)
– prevent SMB from sending off unrelated memory contents (CVE-2015-3237)
– curl-config --libs now works on x86_64 without libcurl-devel.x86_64 (#1228363)