Category Archives: Fedora

Fedora – Security Updates

Fedora 19 Security Update: php-ZendFramework2-2.2.8-2.fc19

Resolved Bugs
1151276 – CVE-2014-8088 php-ZendFramework: null byte issue, connect to LDAP without knowing the password (ZF2014-05)
1151277 – CVE-2014-8089 php-ZendFramework: SQL injection issue when using the sqlsrv PHP extension (ZF2014-06)
1151278 – php-ZendFramework2: various flaws [fedora-all]
# Security Fixes
– **ZF2014-05**: Due to an issue that existed in PHP’s LDAP extension, it is possible to perform an unauthenticated simple bind against an LDAP server by using a null byte for the password, regardless of whether or not the user normally requires a password. We have provided a patch in order to protect users of unpatched PHP versions (PHP 5.5 <= 5.5.11, PHP 5.4 <= 5.4.27, all versions of PHP 5.3 and below). If you use Zend\Ldap and are on an affected version of PHP, we recommend upgrading immediately.
– **ZF2014-06**: A potential SQL injection vector existed when using a SQL Server adapter to manually quote values due to the fact that it was not escaping null bytes. Code was added to ensure null bytes are escaped, and thus mitigate the SQLi vector. We do not recommend manually quoting values, but if you do, and use the SQL Server adapter without PDO, we recommend upgrading immediately.

Fedora 20 Security Update: qemu-1.6.2-10.fc20

Resolved Bugs
1157647 – CVE-2014-7815 qemu: vnc: insufficient bits_per_pixel from the client sanitization [fedora-all]
1157641 – CVE-2014-7815 qemu: vnc: insufficient bits_per_pixel from the client sanitization
1153038 – CVE-2014-3689 qemu: vmware_vga: insufficient parameter validation in rectangle functions [fedora-all]
1153035 – CVE-2014-3689 qemu: vmware_vga: insufficient parameter validation in rectangle functions
* CVE-2014-7815 vnc: insufficient bits_per_pixel from the client sanitization (bz #1157647, bz #1157641)
* CVE-2014-3689 vmware_vga: insufficient parameter validation in rectangle functions (bz #1153038, bz #1153035)

Fedora 20 Security Update: fedup-0.9.0-1.fc20

Resolved Bugs
1038413 – fedup stage2 keymap will always be US again for F20-F21 due to anaconda not writing vconsole.keymap kernel parameter any more (#1035316)
1153816 – Fedup needs to support upgrading into a Productized Fedora 21
1066679 – CVE-2013-6494 fedup: /var/tmp/fedora-upgrade temporary directory creation vulnerability
* Adds `--product=PRODUCT` flag, required for upgrades to F21
* Uses host’s config files in `upgrade.img`, which should fix various upgrade problems (e.g. incorrect keyboard layout when unlocking disks due to missing `vconsole.conf`)
* Logging improvements: complete upgrade log should appear in system journal

Fedora 19 Security Update: fedup-0.9.0-1.fc19

Resolved Bugs
1038413 – fedup stage2 keymap will always be US again for F20-F21 due to anaconda not writing vconsole.keymap kernel parameter any more (#1035316)
1153816 – Fedup needs to support upgrading into a Productized Fedora 21
1066679 – CVE-2013-6494 fedup: /var/tmp/fedora-upgrade temporary directory creation vulnerability
1044987 – fedup-0.8.0-3.fc20.noarch exits if double clicking on the window to max/min it
1045090 – [abrt] fedup: download.py:133:setup_repos:ValueError: need more than 1 value to unpack
1044083 – [abrt] fedup: commandline.py:197:device_setup:NameError: global name 'message' is not defined
1043981 – [abrt] fedup: fedup-cli:216:main:AttributeError: 'ProblemSummary' object has no attribute 'format_details'
1047005 – [abrt] fedup: download.py:276:find_replacement:AttributeError: 'NoneType' object has no attribute 'pkgtup'
* Adds `--product=PRODUCT` flag, required for upgrades to F21
* Uses host’s config files in `upgrade.img`, which should fix various upgrade problems (e.g. incorrect keyboard layout when unlocking disks due to missing `vconsole.conf`)
* Logging improvements: complete upgrade log should appear in system journal
* Adds a warning for upgrades without a new kernel
* Fixes a bunch of crashes

Fedora 21 Security Update: qemu-2.1.2-6.fc21

Resolved Bugs
1157647 – CVE-2014-7815 qemu: vnc: insufficient bits_per_pixel from the client sanitization [fedora-all]
1157641 – CVE-2014-7815 qemu: vnc: insufficient bits_per_pixel from the client sanitization
1153038 – CVE-2014-3689 qemu: vmware_vga: insufficient parameter validation in rectangle functions [fedora-all]
1153035 – CVE-2014-3689 qemu: vmware_vga: insufficient parameter validation in rectangle functions
* CVE-2014-7815 vnc: insufficient bits_per_pixel from the client sanitization (bz #1157647, bz #1157641)
* CVE-2014-3689 vmware_vga: insufficient parameter validation in rectangle functions (bz #1153038, bz #1153035)
* Fix dep on numactl-devel to be build time not install time

Fedora 21 Security Update: fedup-0.9.0-1.fc21

Resolved Bugs
1038413 – fedup stage2 keymap will always be US again for F20-F21 due to anaconda not writing vconsole.keymap kernel parameter any more (#1035316)
1153816 – Fedup needs to support upgrading into a Productized Fedora 21
1066679 – CVE-2013-6494 fedup: /var/tmp/fedora-upgrade temporary directory creation vulnerability
* Adds `--product=PRODUCT` flag, required for upgrades to F21
* Uses host’s config files in `upgrade.img`, which should fix various upgrade problems (e.g. incorrect keyboard layout when unlocking disks due to missing `vconsole.conf`)
* Logging improvements: complete upgrade log should appear in system journal

Fedora EPEL 6 Security Update: php-ZendFramework2-2.2.8-2.el6

Resolved Bugs
1151276 – CVE-2014-8088 php-ZendFramework: null byte issue, connect to LDAP without knowing the password (ZF2014-05)
1151277 – CVE-2014-8089 php-ZendFramework: SQL injection issue when using the sqlsrv PHP extension (ZF2014-06)
1151280 – php-ZendFramework2: various flaws [epel-6]
# Security Fixes
– **ZF2014-05**: Due to an issue that existed in PHP’s LDAP extension, it is possible to perform an unauthenticated simple bind against an LDAP server by using a null byte for the password, regardless of whether or not the user normally requires a password. We have provided a patch in order to protect users of unpatched PHP versions (PHP 5.5 <= 5.5.11, PHP 5.4 <= 5.4.27, all versions of PHP 5.3 and below). If you use Zend\Ldap and are on an affected version of PHP, we recommend upgrading immediately.
– **ZF2014-06**: A potential SQL injection vector existed when using a SQL Server adapter to manually quote values due to the fact that it was not escaping null bytes. Code was added to ensure null bytes are escaped, and thus mitigate the SQLi vector. We do not recommend manually quoting values, but if you do, and use the SQL Server adapter without PDO, we recommend upgrading immediately.

Fedora EPEL 5 Security Update: Pound-2.6-2.el5.2

This is a rebase to 2.6 with a couple of patches applied to address security issues.
Note that they are usually extra options that need to be enabled manually so that we won’t break functionality:
– CVE-2011-3389: Make it possible to deny use of “BEAST” vulnerable ciphers
– CVE-2012-4929: Disable compression to be safe from “CRIME”
– CVE-2005-2090: Chunked encoding response splitting (no awkward name here)
– CVE-2014-3566: Allow disabling SSLv3 (and others), to be safe from “POODLE”
– A redirect XSS fix
Backporting the fixes to 2.4 looked like a difficult task.
Please test thoroughly and downkarma the update if it is unacceptable for you.