Resolved Bugs
1138101 – CVE-2013-6497 ClamAV: -a segmentation fault when processing files
1165527 – CVE-2013-6497 ClamAV: -a segmentation fault when processing files [epel-all]
ClamAV 0.98.5
=============
ClamAV 0.98.5 also includes these new features and bug fixes:
* Support for the XDP file format and extracting, decoding, and scanning PDF files within XDP files. Addition of shared library support for LLVM versions 3.1 – 3.5 for the purpose of just-in-time (JIT) compilation of ClamAV bytecode signatures. Andreas Cadhalpun submitted the patch implementing this support.
* Enhancements to the clambc command line utility to assist ClamAV bytecode signature authors by providing introspection into compiled bytecode programs.
* Resolution of many of the warning messages from ClamAV compilation.
* Improved detection of malicious PE files.
* Security fix for ClamAV crash when using ‘clamscan -a’. This issue was identified by Kurt Seifried of Red Hat.
* Security fix for ClamAV crash when scanning maliciously crafted yoda’s crypter files. This issue, as well as several other bugs fixed in this release, were identified by Damien Millescamp of Oppida.
* ClamAV 0.98.5 now works with OpenSSL in FIPS compliant mode. Thanks to Reinhard Max for supplying the patch.
* Bug fixes and other feature enhancements.
Please see the ChangeLog file or GIT log for further details.
Fedora – Security Updates
Fedora EPEL 6 Security Update: python-eyed3-0.7.4-5.el6
Resolved Bugs
1063671 – CVE-2014-1934 python-eyed3: insecure temporary file creation
– Fixed CVE-2014-1934.
Fedora 21 Security Update: python-eyed3-0.7.4-4.fc21
Resolved Bugs
1063671 – CVE-2014-1934 python-eyed3: insecure temporary file creation
– Fixed CVE-2014-1934.
Fedora 21 Security Update: clamav-0.98.5-1.fc21
Resolved Bugs
1138101 – CVE-2013-6497 ClamAV: -a segmentation fault when processing files
1165526 – CVE-2013-6497 ClamAV: -a segmentation fault when processing files [fedora-all]
Fedora 21 Security Update: rubygem-sprockets-2.12.1-3.fc21
Fedora 21 Security Update: nodejs-0.10.33-1.fc21,libuv-0.10.29-1.fc21
Resolved Bugs
1161900 – nodejs: CVE-2014-3566 fixed upstream in new stable release v0.10.33
1152789 – CVE-2014-3566 SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack
This release handles the recent POODLE vulnerability by disabling SSLv2/SSLv3
by default for the most predominant uses of TLS in Node.js.
It took longer than expected to get this release accomplished in a way that
would provide appropriate default security settings, while minimizing the
surface area for the behavior change we were introducing. It was also important
that we validated that our changes were being applied in the variety of
configurations we support in our APIs.
With this release, we are confident that the only behavior change is that
the default allowed protocols do not include SSLv2 or SSLv3. Though you are
still able to programmatically consume those protocols if necessary.
Included is the documentation that you can find at
https://nodejs.org/api/tls.html#tls_protocol_support that describes how this
works going forward for client and server implementations.
—
Node.js is compiled with SSLv2 and SSLv3 protocol support by default, but these
protocols are **disabled**. They are considered insecure and could be easily
compromised as was shown by CVE-2014-3566. However, in some situations, it
may cause problems with legacy clients/servers (such as Internet Explorer 6).
If you wish to enable SSLv2 or SSLv3, run node with the `--enable-ssl2` or
`--enable-ssl3` flag respectively. In future versions of Node.js SSLv2 and
SSLv3 will not be compiled in by default.
There is a way to force node into using SSLv3 or SSLv2 only mode by explicitly
specifying `secureProtocol` to `'SSLv3_method'` or `'SSLv2_method'`.
The default protocol method Node.js uses is `SSLv23_method` which would be more
accurately named `AutoNegotiate_method`. This method will try and negotiate
from the highest level down to whatever the client supports. To provide a
secure default, Node.js (since v0.10.33) explicitly disables the use of SSLv3
and SSLv2 by setting the `secureOptions` to be
`SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2` (again, unless you have passed
`--enable-ssl3`, or `--enable-ssl2`, or `SSLv3_method` as `secureProtocol`).
If you have set `secureOptions` to anything, we will not override your
options.
The ramifications of this behavior change:
* If your application is behaving as a secure server, clients who are `SSLv3`
only will now not be able to appropriately negotiate a connection and will be
refused. In this case your server will emit a `clientError` event. The error
message will include `'wrong version number'`.
* If your application is behaving as a secure client and communicating with a
server that doesn’t support methods more secure than SSLv3 then your connection
won’t be able to negotiate and will fail. In this case your client will emit
an `error` event. The error message will include `'wrong version number'`.
—
2014.10.20, node.js Version 0.10.33 (Stable)
* child_process: properly support optional args (cjihrig)
* crypto: Disable autonegotiation for SSLv2/3 by default (Fedor Indutny, Timothy J Fontaine, Alexis Campailla)
This is a behavior change, by default we will not allow the negotiation to
SSLv2 or SSLv3. If you want this behavior, run Node.js with either
`--enable-ssl2` or `--enable-ssl3` respectively.
This does not change the behavior for users specifically requesting
`SSLv2_method` or `SSLv3_method`. While this behavior is not advised, it is
assumed you know what you’re doing since you’re specifically asking to use
these methods.
—
2014.10.21, libuv Version 0.10.29 (Stable)
Relevant changes since version 0.10.28:
* linux: try epoll_pwait if epoll_wait is missing (Michael Hudson-Doyle)
Fedora 19 Security Update: wget-1.16-3.fc19
Resolved Bugs
1139181 – CVE-2014-4877 wget: FTP symlink arbitrary filesystem access
1157633 – CVE-2014-4877 wget: FTP symlink arbitrary filesystem access [fedora-all]
1159643 – Download progress prints new line
add fix for arches with unsigned char
security update
Fix the progress bar issue (#1159643)
Fedora 20 Security Update: erlang-R16B-03.9.fc20
Resolved Bugs
1059331 – CVE-2014-1693 erlang-inets: command injection flaw in FTP module
1059333 – CVE-2014-1693 erlang: erlang-inets: command injection flaw in FTP module [fedora-all]
784693 – Too many dependencies from Erlang
* Fixed CVE-2014-1693 (backported fix from ver. 17.x.x, see patch no. 17)
* Trimmed dependency chain
Fedora 20 Security Update: lsyncd-2.1.4-4.fc20.1
Fedora 19 Security Update: nodejs-0.10.33-1.fc19,libuv-0.10.29-1.fc19
Resolved Bugs
1161900 – nodejs: CVE-2014-3566 fixed upstream in new stable release v0.10.33
1152789 – CVE-2014-3566 SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack