Monthly Archives: August 2015
GLSA 201508-03: Icecast: Denial of Service
Fedora 22 Security Update: openssh-6.9p1-5.fc22
Resolved Bugs
1252861 – openssh: Incorrectly set TTYs to be world-writable
1252862 – openssh: Incorrectly set TTYs to be world-writable [fedora-all]
1252844 – openssh: Privilege separation weakness related to PAM support
1252854 – openssh: Privilege separation weakness related to PAM support [fedora-all]
1252852 – openssh: Use-after-free bug related to PAM support
1252853 – openssh: Use-after-free bug related to PAM support [fedora-all]
1251777 – pam_ssh_agent_auth does not work with gnome-keyring-daemon or ssh-agent
This update brings fixes for vulnerabilities published with openssh-7.0 and fixes the pam_ssh_agent_auth module so that it is functional again.
Fedora 22 Security Update: audit-2.4.4-1.fc22
This update fixes CVE-2015-5186. The issue is that ausearch/report did not escape terminal emulator sequences when interpreting untrusted data.
Fedora 22 Security Update: php-ZendFramework2-2.4.7-1.fc22,php-guzzle-Guzzle-3.9.3-5.fc22
Resolved Bugs
1253250 – CVE-2015-5161 php-ZendFramework: XML external entity injection (XXE) on PHP FPM
1253252 – CVE-2015-5161 php-ZendFramework2: php-ZendFramework: XML external entity injection (XXE) on PHP FPM [fedora-all]
Zend Framework Upstream ChangeLogs:
* [Version 2.4.7](http://framework.zend.com/changelog/2.4.7/)
* [Version 2.4.6](http://framework.zend.com/changelog/2.4.6/)
* [Version 2.4.5](http://framework.zend.com/changelog/2.4.5/)
* [Version 2.4.4](http://framework.zend.com/changelog/2.4.4/)
* [Version 2.4.3](http://framework.zend.com/changelog/2.4.3/)
* [Version 2.4.2](http://framework.zend.com/changelog/2.4.2/)
* [Version 2.4.1](http://framework.zend.com/changelog/2.4.1/)
* [Version 2.4.0](http://framework.zend.com/changelog/2.4.0/)
Fedora 23 Security Update: firefox-40.0-4.fc23
For a list of changes, see: https://www.mozilla.org/en-US/firefox/40.0/releasenotes/
Fedora 21 Security Update: mariadb-10.0.21-1.fc21
Update to 10.0.21
Fedora 21 Security Update: php-ZendFramework2-2.4.7-1.fc21,php-guzzle-Guzzle-3.9.3-5.fc21
Resolved Bugs
1253252 – CVE-2015-5161 php-ZendFramework2: php-ZendFramework: XML external entity injection (XXE) on PHP FPM [fedora-all]
1253250 – CVE-2015-5161 php-ZendFramework: XML external entity injection (XXE) on PHP FPM
Zend Framework Upstream ChangeLogs:
* [Version 2.4.7](http://framework.zend.com/changelog/2.4.7/)
* [Version 2.4.6](http://framework.zend.com/changelog/2.4.6/)
* [Version 2.4.5](http://framework.zend.com/changelog/2.4.5/)
* [Version 2.4.4](http://framework.zend.com/changelog/2.4.4/)
* [Version 2.4.3](http://framework.zend.com/changelog/2.4.3/)
* [Version 2.4.2](http://framework.zend.com/changelog/2.4.2/)
* [Version 2.4.1](http://framework.zend.com/changelog/2.4.1/)
* [Version 2.4.0](http://framework.zend.com/changelog/2.4.0/)
Fedora 23 Security Update: php-twig-1.20.0-1.fc23
Resolved Bugs
1249259 – php-twig-v1.20.0 is available
## 1.20.0 (2015-08-12)
* forbid access to the Twig environment from templates and internal parts of Twig_Template
* fixed limited RCEs when in sandbox mode
* deprecated Twig_Template::getEnvironment()
* deprecated the _self variable for usage outside of the from and import tags
* added Twig_BaseNodeVisitor to ease the compatibility of node visitors between 1.x and 2.x
## 1.19.0 (2015-07-31)
* fixed wrong error message when including an undefined template in a child template
* added support for variadic filters, functions, and tests
* added support for extra positional arguments in macros
* added ignore_missing flag to the source function
* fixed batch filter with zero items
* deprecated Twig_Environment::clearTemplateCache()
* fixed sandbox disabling when using the include function
Fedora 21 Security Update: openssh-6.6.1p1-16.fc21
Resolved Bugs
1252844 – openssh: Privilege separation weakness related to PAM support
1252854 – openssh: Privilege separation weakness related to PAM support [fedora-all]
1252852 – openssh: Use-after-free bug related to PAM support
1252853 – openssh: Use-after-free bug related to PAM support [fedora-all]
1245969 – CVE-2015-5600 openssh: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices
1245971 – CVE-2015-5600 openssh: authentication limits (MaxAuthTries) bypass [fedora-all]
This update provides fixes for vulnerabilities published with openssh-7.0.
Security fix for CVE-2015-5600