Category Archives: Fedora

Fedora – Security Updates

Fedora

Fedora 19 Security Update: fedup-0.9.0-2.fc19

Leave a comment

Resolved Bugs
1159292 – Machine automatically shutdown during upgrade in less than 15 minutes
1038413 – fedup stage2 keymap will always be US again for F20-F21 due to anaconda not writing vconsole.keymap kernel parameter any more (#1035316)
1153816 – Fedup needs to support upgrading into a Productized Fedora 21
1066679 – CVE-2013-6494 fedup: /var/tmp/fedora-upgrade temporary directory creation vulnerability
1044987 – fedup-0.8.0-3.fc20.noarch exits if doulble ckicking on the window to max/min it
1045090 – [abrt] fedup: download.py:133:setup_repos:ValueError: need more than 1 value to unpack
1044083 – [abrt] fedup: commandline.py:197:device_setup:NameError: global name ‘message’ is not defined
1043981 – [abrt] fedup: fedup-cli:216:main:AttributeError: ‘ProblemSummary’ object has no attribute ‘format_details’
1047005 – [abrt] fedup: download.py:276:find_replacement:AttributeError: ‘NoneType’ object has no attribute ‘pkgtup'<br
This update works around a serious problem in Fedora 21 Beta which makes systems automatically shut down 15 minutes into the upgrade.
Other improvements:
* Adds `–product=PRODUCT` flag, required for upgrades to F21
* Uses host’s config files in `upgrade.img`, which should fix various upgrade problems (e.g. incorrect keyboard layout when unlocking disks due to missing `vconsole.conf`)
* Logging improvements: complete upgrade log should appear in system journal
* Adds a warning for upgrades without a new kernel
* Fixes a bunch of crashes

Fedora

Fedora 20 Security Update: python3-3.3.2-18.fc20

Leave a comment

Resolved Bugs
1113529 – CVE-2014-4650 python3: python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs [fedora-all]
1112285 – CVE-2014-4616 python: missing boundary check in JSON module
1112294 – python3: python: JSON module – reading arbitrary process memory [fedora-all]<br
Fix for CVE-2014-4650: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs.
Fix for CVE-2014-4650

Fedora

Fedora 19 Security Update: claws-mail-plugins-3.11.1-1.fc19,claws-mail-3.11.1-2.fc19,libetpan-1.6-1.fc19

Leave a comment

Resolved Bugs
1153970 – claws-mail: disable SSLv3 completely
569478 – upstream bug 2769: crash when activating offline mode during IMAP remote activity
601982 – [abrt] crash in claws-mail-3.7.6-1.fc13: in compose_close at compose.c:11016 (SIGABRT)
977924 – [abrt] IMAP interruption side-effects / claws-mail-3.9.2-1.fc19: folder_item_get_msginfo_by_msgid: Process /usr/bin/claws-mail was killed by signal 11 (SIGSEGV)
982533 – [abrt] IMAP interruptions side-effects / claws-mail-3.9.2-1.fc19: g_malloc0: Process /usr/bin/claws-mail was killed by signal 11 (SIGSEGV)
990650 – [abrt] claws-mail-3.9.2-3.fc19: standard_calloc: Process /usr/bin/claws-mail was killed by signal 11 (SIGSEGV)
1011098 – [abrt] claws-mail-3.9.2-7.fc19: g_malloc0: Process /usr/bin/claws-mail was killed by signal 11 (SIGSEGV)
1010993 – [abrt] claws-mail-3.9.2-7.fc19: gdata plugin gnutls_init in _int_malloc: Process /usr/bin/claws-mail was killed by signal 11 (SIGSEGV)
1035851 – [abrt] mark as read / claws-mail-3.9.2-7.fc19: gtk_cmctree_is_viewable: Process /usr/bin/claws-mail was killed by signal 11 (SIGSEGV)
1036346 – [abrt] claws-mail-3.9.2-7.fc20: g_malloc0: Process /usr/bin/claws-mail was killed by signal 11 (SIGSEGV)
1063035 – [abrt] claws-mail: allocator_memalign(): claws-mail killed by SIGSEGV
1070480 – Claws-Mail IMAP related memory corruption crash while waiting for server response and a network reconnection happens
1071327 – [abrt] claws-mail: g_malloc(): claws-mail killed by SIGSEGV
1076387 – [abrt] claws-mail: summary_delete_row(): claws-mail killed by SIGSEGV
1078996 – [abrt] claws-mail: malloc crash from within _cairo_polygon_intersect(): claws-mail killed by SIGSEGV
1079509 – [abrt] claws-mail: folder_item_get_msginfo_by_msgid(): claws-mail killed by SIGSEGV
1079620 – [abrt] claws-mail: set_cell_contents(): claws-mail killed by SIGSEGV
1081224 – [abrt] claws-mail: summary_set_row_marks(): claws-mail killed by SIGSEGV
1085382 – [abrt] claws-mail: g_malloc(): claws-mail killed by SIGSEGV
1090300 – [abrt] claws-mail: row_is_selected(): claws-mail killed by SIGSEGV
1096041 – [abrt] IMAP interruptions side-effects / g_malloc0(): claws-mail killed by SIGSEGV
1096895 – [abrt] IMAP interruptions side-effects / at malloc.c:3645 / _cairo_traps_grow(): claws-mail killed by SIGSEGV
1110255 – claws-mail: stack-based off-by-one in HTML parsing [fedora-all]<br
* SSLv3 server connections are now disabled by default, in response to the POODLE vulnerability, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566.
* Several PGP/Core plugin improvements
* A new version of the RSSyl plugin, completely redesigned and rewritten.
* The results of TAB address completion in the Compose window have improved ordering.
* Due to popular demand, use of the Up key in the message body in the Compose window stops at the top of the message body and does not continue up to the header fields. This reverts the behaviour introduced in version 3.10.0.
* In the Compose window, when navigating with the arrow keys, selecting, and thus modifying, the Account selector is now prevented.
* In the Compose window, a mnemonic (s) has been added to the Subject line.
* The Queue folder is highlighted if there are messages in its sub-folders and the tree is collapsed.
* When sorting messages by ‘thread date’, clicking the ‘Date’ column header will now toggle between ascending/descending and will not switch to ‘date’ sorting.
* A new QuickSearch filter has been added that searches a header’s content only. H S : messages which contain S in the value of any header.
* A Reply-To field has been added to the main Template configuration.
* The menubar can now be hidden, default hotkey: F12.
* Fancy plugin: A user-controlled stylesheet can now be used.
* Python plugin: Add flag attributes to MessageInfo object.
* Python plugin: Make ‘account’ property of ComposeWindow read/write.
* Libravatar plugin: a network timeout option has been added.
* Use ‘gnutls_priority’ hidden account preference for POP3 and STARTTLS connections, in addition to SMTP.
* RSSyl plugin: Enable use of .netrc to store network credentials.
* The tbird2claws.py script, for converting a Thunderbird mailbox to a Claws Mail mailbox, now handles sub-directory recursion.
* Updated translations
* Various Bugfixes
New in 3.10.1:
* Add an account preference to allow automatically accepting unknown and changed SSL certificates, if they’re valid (that is, if the root CA is trusted by the distro).
* RFE 3196, ‘When changing quicksearch Search Type, set focus to search input box’
* PGP/Core plugin: Generate 2048 bit RSA keys.
* Major code cleanup.
* Extended claws-mail.desktop with Compose and Receive actions.
* Updated Bulgarian, Brazilian Portuguese, Czech, Dutch, Esperanto, Finnish, French, German,Hebrew, Hungarian, Indonesian, Lithuanian, Slovak, Spanish, and Swedish translations.
* Bug fixes
New in 3.10.0:
* Complete SSL certificate chains are now saved, and if built with Libetpan 1.4.1, the IMAP SSL connection’s certificate chain is made available. Both of these allow correct certificate verification instead of a bogus ‘No certificate issuer found’ status.
* Auto-configuration of account email servers, based on SRV records, is now possible. (GLib >= 2.22 is required.)
* Added a preference to avoid automatically drafting emails that are to be sent encrypted, (Configuration/Preferences/Compose/Writing).
* Messages saved as Drafts are now saved as New, highlighting the Drafts folder, in order to draw the attention to unfinished mails there.
* It is now possible to add a ‘Replace signature’ button to the Compose window toolbar.
* Quotation wrapping and undo/redo in the Compose window has been improved.
* ‘Reply to all’ now excludes your own address.
* The ‘Generate X-Mailer header’ option has been renamed ‘Add user agent header’ and applies to both X-Mailer and X-Newsreader headers.
* Added hidden preferences, ‘address_search_wildcard’ and ‘folder_search_wildcard’, to choose between matching from start of the folder name/address or any part of the name. (Activating these options restores the previous behaviour.)
* Added hidden preference ‘enable_avatars’ to control the internal capture/render process, and which allows disabling it by external plugins for example.
* ‘Check for new folders’ now only updates the folder list, not updating the contents of folders. If needed, it can be followed by ‘Check for new messages’
* When using Redirect, the redirecting account’s address is used in the SMTP MAIL FROM instead of the original sender’s address.
* NEW: Libravatar plugin, which displays avatars from https://www.libravatar.org/
* Added support for an arbitrary number and sources of ‘avatars’ and images for email senders, and migrated Face and X-Face headers.
* Avatars are now included when printing mails.
* The GPG keyring can now be used as the source for address auto-completion.
* The vCalendar and RSSyl plugins now have an option to disable SSL certificate verification (and check them by default).
* The ClamAV plugin now pops up an error message only once instead of repeatedly
* Updated the man page and the manual.
* Updated Brazilian Portuguese, British English, Czech, Dutch, Finnish, French, Hebrew, Hungarian, Indonesian, Lithuanian, Slovak, Spanish, and Swedish translations.
* Added Esperanto translation.

Fedora

Fedora 20 Security Update: claws-mail-plugins-3.11.1-1.fc20,claws-mail-3.11.1-2.fc20,libetpan-1.6-1.fc20

Leave a comment

Resolved Bugs
1153970 – claws-mail: disable SSLv3 completely
569478 – upstream bug 2769: crash when activating offline mode during IMAP remote activity
601982 – [abrt] crash in claws-mail-3.7.6-1.fc13: in compose_close at compose.c:11016 (SIGABRT)
977924 – [abrt] IMAP interruption side-effects / claws-mail-3.9.2-1.fc19: folder_item_get_msginfo_by_msgid: Process /usr/bin/claws-mail was killed by signal 11 (SIGSEGV)
982533 – [abrt] IMAP interruptions side-effects / claws-mail-3.9.2-1.fc19: g_malloc0: Process /usr/bin/claws-mail was killed by signal 11 (SIGSEGV)
990650 – [abrt] claws-mail-3.9.2-3.fc19: standard_calloc: Process /usr/bin/claws-mail was killed by signal 11 (SIGSEGV)
1011098 – [abrt] claws-mail-3.9.2-7.fc19: g_malloc0: Process /usr/bin/claws-mail was killed by signal 11 (SIGSEGV)
1010993 – [abrt] claws-mail-3.9.2-7.fc19: gdata plugin gnutls_init in _int_malloc: Process /usr/bin/claws-mail was killed by signal 11 (SIGSEGV)
1035851 – [abrt] mark as read / claws-mail-3.9.2-7.fc19: gtk_cmctree_is_viewable: Process /usr/bin/claws-mail was killed by signal 11 (SIGSEGV)
1036346 – [abrt] claws-mail-3.9.2-7.fc20: g_malloc0: Process /usr/bin/claws-mail was killed by signal 11 (SIGSEGV)
1063035 – [abrt] claws-mail: allocator_memalign(): claws-mail killed by SIGSEGV
1070480 – Claws-Mail IMAP related memory corruption crash while waiting for server response and a network reconnection happens
1071327 – [abrt] claws-mail: g_malloc(): claws-mail killed by SIGSEGV
1076387 – [abrt] claws-mail: summary_delete_row(): claws-mail killed by SIGSEGV
1078996 – [abrt] claws-mail: malloc crash from within _cairo_polygon_intersect(): claws-mail killed by SIGSEGV
1079509 – [abrt] claws-mail: folder_item_get_msginfo_by_msgid(): claws-mail killed by SIGSEGV
1079620 – [abrt] claws-mail: set_cell_contents(): claws-mail killed by SIGSEGV
1081224 – [abrt] claws-mail: summary_set_row_marks(): claws-mail killed by SIGSEGV
1085382 – [abrt] claws-mail: g_malloc(): claws-mail killed by SIGSEGV
1090300 – [abrt] claws-mail: row_is_selected(): claws-mail killed by SIGSEGV
1096041 – [abrt] IMAP interruptions side-effects / g_malloc0(): claws-mail killed by SIGSEGV
1096895 – [abrt] IMAP interruptions side-effects / at malloc.c:3645 / _cairo_traps_grow(): claws-mail killed by SIGSEGV
1110255 – claws-mail: stack-based off-by-one in HTML parsing [fedora-all]<br
* SSLv3 server connections are now disabled by default, in response to the POODLE vulnerability, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566.
* Several PGP/Core plugin improvements
* A new version of the RSSyl plugin, completely redesigned and rewritten.
* The results of TAB address completion in the Compose window have improved ordering.
* Due to popular demand, use of the Up key in the message body in the Compose window stops at the top of the message body and does not continue up to the header fields. This reverts the behaviour introduced in version 3.10.0.
* In the Compose window, when navigating with the arrow keys, selecting, and thus modifying, the Account selector is now prevented.
* In the Compose window, a mnemonic (s) has been added to the Subject line.
* The Queue folder is highlighted if there are messages in its sub-folders and the tree is collapsed.
* When sorting messages by ‘thread date’, clicking the ‘Date’ column header will now toggle between ascending/descending and will not switch to ‘date’ sorting.
* A new QuickSearch filter has been added that searches a header’s content only. H S : messages which contain S in the value of any header.
* A Reply-To field has been added to the main Template configuration.
* The menubar can now be hidden, default hotkey: F12.
* Fancy plugin: A user-controlled stylesheet can now be used.
* Python plugin: Add flag attributes to MessageInfo object.
* Python plugin: Make ‘account’ property of ComposeWindow read/write.
* Libravatar plugin: a network timeout option has been added.
* Use ‘gnutls_priority’ hidden account preference for POP3 and STARTTLS connections, in addition to SMTP.
* RSSyl plugin: Enable use of .netrc to store network credentials.
* The tbird2claws.py script, for converting a Thunderbird mailbox to a Claws Mail mailbox, now handles sub-directory recursion.
* Updated translations
* Various Bugfixes
New in 3.10.1:
* Add an account preference to allow automatically accepting unknown and changed SSL certificates, if they’re valid (that is, if the root CA is trusted by the distro).
* RFE 3196, ‘When changing quicksearch Search Type, set focus to search input box’
* PGP/Core plugin: Generate 2048 bit RSA keys.
* Major code cleanup.
* Extended claws-mail.desktop with Compose and Receive actions.
* Updated Bulgarian, Brazilian Portuguese, Czech, Dutch, Esperanto, Finnish, French, German,Hebrew, Hungarian, Indonesian, Lithuanian, Slovak, Spanish, and Swedish translations.
* Bug fixes
New in 3.10.0:
* Complete SSL certificate chains are now saved, and if built with Libetpan 1.4.1, the IMAP SSL connection’s certificate chain is made available. Both of these allow correct certificate verification instead of a bogus ‘No certificate issuer found’ status.
* Auto-configuration of account email servers, based on SRV records, is now possible. (GLib >= 2.22 is required.)
* Added a preference to avoid automatically drafting emails that are to be sent encrypted, (Configuration/Preferences/Compose/Writing).
* Messages saved as Drafts are now saved as New, highlighting the Drafts folder, in order to draw the attention to unfinished mails there.
* It is now possible to add a ‘Replace signature’ button to the Compose window toolbar.
* Quotation wrapping and undo/redo in the Compose window has been improved.
* ‘Reply to all’ now excludes your own address.
* The ‘Generate X-Mailer header’ option has been renamed ‘Add user agent header’ and applies to both X-Mailer and X-Newsreader headers.
* Added hidden preferences, ‘address_search_wildcard’ and ‘folder_search_wildcard’, to choose between matching from start of the folder name/address or any part of the name. (Activating these options restores the previous behaviour.)
* Added hidden preference ‘enable_avatars’ to control the internal capture/render process, and which allows disabling it by external plugins for example.
* ‘Check for new folders’ now only updates the folder list, not updating the contents of folders. If needed, it can be followed by ‘Check for new messages’
* When using Redirect, the redirecting account’s address is used in the SMTP MAIL FROM instead of the original sender’s address.
* NEW: Libravatar plugin, which displays avatars from https://www.libravatar.org/
* Added support for an arbitrary number and sources of ‘avatars’ and images for email senders, and migrated Face and X-Face headers.
* Avatars are now included when printing mails.
* The GPG keyring can now be used as the source for address auto-completion.
* The vCalendar and RSSyl plugins now have an option to disable SSL certificate verification (and check them by default).
* The ClamAV plugin now pops up an error message only once instead of repeatedly
* Updated the man page and the manual.
* Updated Brazilian Portuguese, British English, Czech, Dutch, Finnish, French, Hebrew, Hungarian, Indonesian, Lithuanian, Slovak, Spanish, and Swedish translations.
* Added Esperanto translation.

Fedora

Fedora EPEL 6 Security Update: facter-1.6.18-7.el6

Leave a comment

Resolved Bugs
1101346 – CVE-2014-3248 puppet: Ruby modules could be loaded from the current working directory
1107891 – CVE-2014-3248 facter: puppet: Ruby modules could be loaded from the current working directory [fedora-19]
1107892 – CVE-2014-3248 facter: puppet: Ruby modules could be loaded from the current working directory [epel-all]<br
1101346 – CVE-2014-3248: puppet: Ruby modules could be loaded from the current working directory
1107891 – CVE-2014-3248: facter: puppet: Ruby modules could be loaded from the current working directory [fedora-19]
Also picks up latests minor tweaks from F19 branch.
Patch facter 1.6 series for Bug 1107891 – CVE-2014-3248
See http://puppetlabs.com/security/cve/cve-2014-3248 for more
information from upstream.