Category Archives: Fedora

Fedora – Security Updates

Fedora 21 Security Update: mediawiki-1.24.1-1.fc21

Resolved Bugs
1175828 – mediawiki: multiple vulnerabilities
1175829 – mediawiki: multiple vulnerabilities [fedora-all]

* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to XSS. Permission to edit the MediaWiki namespace is required to exploit this.
* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as part of its name.
* (bug T74222) The original patch for T74222 was reverted as unnecessary.
* Fixed a couple of entries in RELEASE-NOTES-1.24.
* (bug T76168) OutputPage: Add accessors for some protected properties.
* (bug T74834) Make 1.24 branch directly installable under PostgreSQL.

Fedora 19 Security Update: php-5.5.20-2.fc19

Resolved Bugs
1175718 – CVE-2014-8142 php: use after free vulnerability in unserialize()
1176156 – CVE-2014-8142 php: use after free vulnerability in unserialize() [fedora-all]

18 Dec 2014, PHP 5.5.20

Core:
* Fixed bug #68091 (Some Zend headers lack appropriate extern “C” blocks). (Adam)
* Fixed bug #68185 (“Inconsistent insteadof definition.” - incorrectly triggered). (Julien)
* Fixed bug #68370 (“unset($this)” can make the program crash). (Laruence)
* Fixed bug #68545 (NULL pointer dereference in unserialize.c). (Anatol)
* Fixed bug #68594 (Use after free vulnerability in unserialize()). (CVE-2014-8142) (Stefan Esser)

Date:
* Fixed day_of_week function as it could sometimes return negative values internally. (Derick)

FPM:
* Fixed bug #68381 (fpm_unix_init_main ignores log_level). (David Zuelke, Remi)
* Fixed bug #68420 (listen=9000 listens to ipv6 localhost instead of all addresses). (Remi)
* Fixed bug #68421 (access.format=’%R’ doesn’t log ipv6 address). (Remi)
* Fixed bug #68423 (PHP-FPM will no longer load all pools). (Remi)
* Fixed bug #68428 (listen.allowed_clients is IPv4 only). (Remi)
* Fixed bug #68452 (php-fpm man page is outdated). (Remi)
* Fixed request #68458 (Change pm.start_servers default warning to notice). (David Zuelke, Remi)
* Fixed bug #68463 (listen.allowed_clients can silently result in no allowed access). (Remi)
* Fixed request #68391 (php-fpm conf files loading order). (Florian Margaine, Remi)
* Fixed bug #68478 (access.log doesn’t use prefix). (Remi)

Mcrypt:
* Fixed possible read after end of buffer and use after free. (Dmitry)

PDO_pgsql:
* Fixed bug #66584 (Segmentation fault on statement deallocation). (Matteo)
* Fixed bug #67462 (PDO_PGSQL::beginTransaction() wrongly throws exception when not in transaction). (Matteo)
* Fixed bug #68351 (PDO::PARAM_BOOL and ATTR_EMULATE_PREPARES misbehaving). (Matteo)

zlib:
* Fixed bug #53829 (Compiling PHP with large file support will replace function gzopen by gzopen64). (Sascha Kettler, Matteo)

Fedora 19 Security Update: mediawiki-1.23.8-1.fc19

Resolved Bugs
1175828 – mediawiki: multiple vulnerabilities
1175829 – mediawiki: multiple vulnerabilities [fedora-all]

* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to XSS. Permission to edit the MediaWiki namespace is required to exploit this.
* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as part of its name.
* (bug T74222) The original patch for T74222 was reverted as unnecessary.

Fedora 19 Security Update: kernel-3.14.27-100.fc19

Resolved Bugs
1172765 – CVE-2014-8134 kernel: x86: espfix not working for 32-bit KVM paravirt guests
1172769 – CVE-2014-8134 kernel: x86: espfix not working for 32-bit KVM paravirt guests [fedora-all]
1170691 – CVE-2014-9090 kernel: espfix64: local DoS via do_double_fault() due to improper handling of faults associated with SS segment register
1163762 – CVE-2010-5313 CVE-2014-7842 kernel: kvm: reporting emulation failures to userspace
1163767 – CVE-2014-7842 kernel: kvm: reporting emulation failures to userspace [fedora-all]
1163087 – CVE-2014-7841 kernel: net: sctp: NULL pointer dereference in af->from_addr_param on malformed packet
1163095 – CVE-2014-7841 kernel: net: sctp: NULL pointer dereference in af->from_addr_param on malformed packet [fedora-all]
1161565 – CVE-2014-7825 CVE-2014-7826 kernel: insufficient syscall number validation in perf and ftrace subsystems
1161572 – CVE-2014-7826 CVE-2014-7825 kernel: insufficient syscall number validation in perf and ftrace subsystems [fedora-all]

The 3.14.27 stable update contains a number of important fixes across the tree.
The 3.14.26 stable update contains a number of important fixes across the tree.
The 3.14.25 stable update contains a number of important fixes across the tree.
The 3.14.24 stable update contains a number of important fixes across the tree.