Security

- 0.103.6
  + CVE-2022-20770
  + CVE-2022-20796
  + CVE-2022-20771
  + CVE-2022-20785
  + CVE-2022-20792
- 2.5.0 (fixed CVE-2013-4289, CVE-2013-4290, CVE-2019-6988, 
  CVE-2018-20846, CVE-2018-16376, CVE-2021-29338)
- 7.83.1
- Fixes:
  * CVE-2022-30115: HSTS bypass via trailing dot
  * CVE-2022-27782: TLS and SSH connection too eager reuse
  * CVE-2022-27781: CERTINFO never-ending busy-loop
  * CVE-2022-27780: percent-encoded path separator in URL host
  * CVE-2022-27779: cookie for trailing dot TLD
  * CVE-2022-27778: curl removes wrong file on error
- 3.2.12 -> 3.2.13
- Fixes:
  * CVE-2022-28346: Potential SQL injection in QuerySet.annotate(), aggregate(), and extra()
  * CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options) on PostgreSQL
- 2.33.1 -> 2.33.2 (fixes: CVE-2022-24765).
- Backported upstream security fixes (fixes CVE-2019-6111, CVE-2019-6109).
- 2.4.53 (Fixes:  CVE-2022-23943, CVE-2022-22721,  CVE-2022-22720, CVE-2022-22719)
- 9.11.36 -> 9.11.37 (fixes: CVE-2021-25220).
- 1.19.2 (Fixes: CVE-2021-37750)
- New version 9.5.7
- This is a security release, upgrading is recommended
- Security fixes:
 + CVE-2022-21720 : SQL injection using custom CSS administration form
 + CVE-2022-21719 : Reflected XSS using reload button
- 4.4.1 (Fixes: CVE-2021-45387, CVE-2021-45386)
- 7.4.28 (Fixes: CVE-2021-21708)
- New version.
- Security fixes:
  + CVE-2022-23613: Privilege escalation on xrdp-sesman
- NMU (fixes: CVE-2021-4034).
- Applied upstream fix for a trivially exploitable local root vulnerability,
  see https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
- Updated to 2.4.3 (with multiple security fixes).
- Fixes:
  + CVE-2021-45960 issues with left shift by >= 29 places in function storeAtts that
    can lead to realloc misbehavior;
  + CVE-2021-46143 Integer overflow on variable m_groupSize in function doProlog;
  + CVE-2022-22822 Integer overflows near memory allocation in function addBinding;
  + CVE-2022-22823 Integer overflows near memory allocation in function build_model;
  + CVE-2022-22824 Integer overflows near memory allocation in function defineAttribute;
  + CVE-2022-22825 Integer overflows near memory allocation in function lookup;
  + CVE-2022-22826 Integer overflows near memory allocation in function nextScaffoldPart;
  + CVE-2022-22827 Integer overflows near memory allocation in function storeAtts.
- new version 1.37.1 (with rpmrb script)
- (T292763, CVE-2021-44854) (T271037, CVE-2021-44856)
- (T297322, CVE-2021-44857) (T297322, CVE-2021-44858)
- (T297574, CVE-2021-45038) (T293589, CVE-2021-44855) (T294686)
- Update to latest regression fixes for samba-4.14.10:
  + CVE-2021-3670 ldb: Confirm the request has not yet timed out
- Version bump to 5.4.154-2.23
- Update to upstream 5.4.163
- Sync with sisyphus std-def-5.4.163-alt1
(Fixes: CVE-2017-6074 CVE-2020-16119 CVE-2021-3640)
- Build compressed kernel image
- Version bump to 5.4.154-2.23
- Update to upstream 5.4.163
- Sync with sisyphus std-def-5.4.163-alt1
(Fixes: CVE-2017-6074 CVE-2020-16119 CVE-2021-3640)
- Build compressed kernel image
- Version bump to 5.4.154-2.23
- Update to upstream 5.4.163
- Sync with sisyphus std-def-5.4.163-alt1
(Fixes: CVE-2017-6074 CVE-2020-16119 CVE-2021-3640)
- Build compressed kernel image
- Version bump to 5.4.154-2.23
- Update to upstream 5.4.163
- Sync with sisyphus std-def-5.4.163-alt1
(Fixes: CVE-2017-6074 CVE-2020-16119 CVE-2021-3640)
- Build compressed kernel image
- Version bump to 5.4.154-2.23
- Update to upstream 5.4.163
- Sync with sisyphus std-def-5.4.163-alt1
(Fixes: CVE-2017-6074 CVE-2020-16119 CVE-2021-3640)
- Build compressed kernel image
- new version 1.0.13 (Fixes: CVE-2021-43612)
- migrate /var/run -> /run
- 2.1.37 -> 2.1.38 (fixes for CVE-2021-44227).
- 1.10.6 -> 1.10.7 (Fixes: CVE-2021-41158, CVE-2021-41145, CVE-2021-41157,
  CVE-2021-41105, CVE-2021-37624, CVE-2021-36513)
- Applied SUSE combchar.diff to prevent DoS via crafted UTF-8 character
  sequence (fixes CVE-2021-26937).
- E2K: apply mcst patches, including CVE-2018-6621 fix
- 0.2.5 (fixed CVE-2021-39358)
- 2.0 (fixed CVE-2021-3403, CVE-2021-3404)
- E2K:
  + added mcst patches, mostly as-is except:
    - 0003-Add-copy-optimizations.patch: partially obsolete
    - 0006-Add-bug-workaround.patch: obsolete for arch > e2kv2
    - 0010-Restore-DRI1-support.{add,mod}.patch: need more reverts
    - 0040-Fix-CVE-2018-14665.patch: applied elsewhere upstream
    and specifically, including:
    - 0010-restore-DRI1-support-for-e1c.patch
    - mga2 related patch from mcst#5155
  + warning-related ftbfs workarounds

Branches
sisyphus
sisyphus_e2k
sisyphus_mipsel
sisyphus_riscv64
p10
p10_e2k
e2kv4
noarch
e2kv5
e2k
p9
p9_e2k
p9_mipsel
p8
c9f2
c7

clamav May 20, 2022, 01:30 PM	May 20, 2022, 01:30 PM
Version: 0.103.6-alt1
Summary: Clam Antivirus scanner
Changelog:
- 0.103.6 + CVE-2022-20770 + CVE-2022-20796 + CVE-2022-20771 + CVE-2022-20785 + CVE-2022-20792

libopenjpeg2.0 May 14, 2022, 12:52 AM	May 14, 2022, 12:52 AM
Version: 2.5.0-alt1
Summary: JPEG 2000 codec library (API version 2.0)
Changelog:
- 2.5.0 (fixed CVE-2013-4289, CVE-2013-4290, CVE-2019-6988, CVE-2018-20846, CVE-2018-16376, CVE-2021-29338)

curl May 11, 2022, 11:29 AM	May 11, 2022, 11:29 AM
Version: 7.83.1-alt1
Summary: Gets a file from a FTP, GOPHER or HTTP server
Changelog:
- 7.83.1 - Fixes: * CVE-2022-30115: HSTS bypass via trailing dot * CVE-2022-27782: TLS and SSH connection too eager reuse * CVE-2022-27781: CERTINFO never-ending busy-loop * CVE-2022-27780: percent-encoded path separator in URL host * CVE-2022-27779: cookie for trailing dot TLD * CVE-2022-27778: curl removes wrong file on error

python3-module-django Apr 12, 2022, 08:26 AM	Apr 12, 2022, 08:26 AM
Version: 3.2.13-alt1
Summary: A high-level Python 3 Web framework that encourages rapid development and clean, pragmatic design.
Changelog:
- 3.2.12 -> 3.2.13 - Fixes: * CVE-2022-28346: Potential SQL injection in QuerySet.annotate(), aggregate(), and extra() * CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options) on PostgreSQL

git Mar 24, 2022, 02:31 AM	Mar 24, 2022, 02:31 AM
Version: 2.33.2-alt1
Summary: Git core and tools
Changelog:
- 2.33.1 -> 2.33.2 (fixes: CVE-2022-24765).

openssh Mar 22, 2022, 07:40 PM	Mar 22, 2022, 07:40 PM
Version: 7.9p1-alt4.p10.1
Summary: OpenSSH free Secure Shell (SSH) implementation
Changelog:
- Backported upstream security fixes (fixes CVE-2019-6111, CVE-2019-6109).

apache2 Mar 20, 2022, 02:55 PM	Mar 20, 2022, 02:55 PM
Version: 2.4.53-alt1
Summary: The most widely used Web server on the Internet
Changelog:
- 2.4.53 (Fixes: CVE-2022-23943, CVE-2022-22721, CVE-2022-22720, CVE-2022-22719)

bind Mar 17, 2022, 04:28 PM	Mar 17, 2022, 04:28 PM
Version: 9.11.37-alt1
Summary: ISC BIND - DNS server
Changelog:
- 9.11.36 -> 9.11.37 (fixes: CVE-2021-25220).

krb5 Mar 15, 2022, 01:17 PM	Mar 15, 2022, 01:17 PM
Version: 1.19.3-alt1
Summary: The Kerberos network authentication system
Changelog:
- 1.19.2 (Fixes: CVE-2021-37750)

glpi Mar 11, 2022, 09:50 AM	Mar 11, 2022, 09:50 AM
Version: 9.5.7-alt1
Summary: IT and asset management software
Changelog:
- New version 9.5.7 - This is a security release, upgrading is recommended - Security fixes: + CVE-2022-21720 : SQL injection using custom CSS administration form + CVE-2022-21719 : Reflected XSS using reload button

tcpreplay Feb 23, 2022, 09:56 AM	Feb 23, 2022, 09:56 AM
Version: 4.4.1-alt1
Summary: A tool to replay captured network traffic
Changelog:
- 4.4.1 (Fixes: CVE-2021-45387, CVE-2021-45386)

php7 Feb 19, 2022, 11:19 AM	Feb 19, 2022, 11:19 AM
Version: 7.4.28-alt1
Summary: The PHP7 scripting language
Changelog:
- 7.4.28 (Fixes: CVE-2021-21708)

xrdp Feb 8, 2022, 10:17 AM	Feb 8, 2022, 10:17 AM
Version: 0.9.18.1-alt1
Summary: An open source remote desktop protocol (RDP) server
Changelog:
- New version. - Security fixes: + CVE-2022-23613: Privilege escalation on xrdp-sesman

polkit Jan 26, 2022, 09:10 PM	Jan 26, 2022, 09:10 PM
Version: 0.115-alt2.2
Summary: PolicyKit Authorization Framework
Changelog:
- NMU (fixes: CVE-2021-4034). - Applied upstream fix for a trivially exploitable local root vulnerability, see https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt

lldpd Dec 2, 2021, 01:02 AM	Dec 2, 2021, 01:02 AM
Version: 1.0.13-alt1
Summary: Link Layer Discovery Protocol Daemon
Changelog:
- new version 1.0.13 (Fixes: CVE-2021-43612) - migrate /var/run -> /run

mailman Dec 1, 2021, 07:44 PM	Dec 1, 2021, 07:44 PM
Version: 2.1.38-alt1
Summary: Mailing list manager with built in web access
Changelog:
- 2.1.37 -> 2.1.38 (fixes for CVE-2021-44227).

ffmpeg3.3 Nov 3, 2021, 04:14 AM	Nov 3, 2021, 04:14 AM
Version: 3.3.9-alt2.E2K.1
Summary: A command line toolbox to manipulate, convert and stream multimedia content
Changelog:
- E2K: apply mcst patches, including CVE-2018-6621 fix

libgfbgraph Oct 30, 2021, 09:02 AM	Oct 30, 2021, 09:02 AM
Version: 0.2.5-alt1
Summary: A GObject library for Facebook Graph API
Changelog:
- 0.2.5 (fixed CVE-2021-39358)

expat Jan 18, 2022, 03:17 PM	Jan 18, 2022, 03:17 PM
Version: 2.4.3-alt1
Summary: An XML parser written in C
Changelog:
- Updated to 2.4.3 (with multiple security fixes). - Fixes: + CVE-2021-45960 issues with left shift by >= 29 places in function storeAtts that can lead to realloc misbehavior; + CVE-2021-46143 Integer overflow on variable m_groupSize in function doProlog; + CVE-2022-22822 Integer overflows near memory allocation in function addBinding; + CVE-2022-22823 Integer overflows near memory allocation in function build_model; + CVE-2022-22824 Integer overflows near memory allocation in function defineAttribute; + CVE-2022-22825 Integer overflows near memory allocation in function lookup; + CVE-2022-22826 Integer overflows near memory allocation in function nextScaffoldPart; + CVE-2022-22827 Integer overflows near memory allocation in function storeAtts.

mediawiki Dec 19, 2021, 05:36 AM	Dec 19, 2021, 05:36 AM
Version: 1.37.1-alt1
Summary: A wiki engine, typical installation (with Apache2 and MySQL support)
Changelog:
- new version 1.37.1 (with rpmrb script) - (T292763, CVE-2021-44854) (T271037, CVE-2021-44856) - (T297322, CVE-2021-44857) (T297322, CVE-2021-44858) - (T297574, CVE-2021-45038) (T293589, CVE-2021-44855) (T294686)

libldb Dec 13, 2021, 03:26 AM	Dec 13, 2021, 03:26 AM
Version: 2.3.2-alt2
Summary: A schema-less, ldap like, API and database
Changelog:
- Update to latest regression fixes for samba-4.14.10: + CVE-2021-3670 ldb: Confirm the request has not yet timed out

kernel-image-elbrus-1cp Dec 4, 2021, 12:57 AM	Dec 4, 2021, 12:57 AM
Version: 5.4.163-alt2.23.1
Summary: The Linux kernel (the core of the Linux operating system)
Changelog:
- Version bump to 5.4.154-2.23 - Update to upstream 5.4.163 - Sync with sisyphus std-def-5.4.163-alt1 (Fixes: CVE-2017-6074 CVE-2020-16119 CVE-2021-3640) - Build compressed kernel image

kernel-image-elbrus-8c Dec 3, 2021, 10:45 PM	Dec 3, 2021, 10:45 PM
Version: 5.4.163-alt2.23.1
Summary: The Linux kernel (the core of the Linux operating system)
Changelog:
- Version bump to 5.4.154-2.23 - Update to upstream 5.4.163 - Sync with sisyphus std-def-5.4.163-alt1 (Fixes: CVE-2017-6074 CVE-2020-16119 CVE-2021-3640) - Build compressed kernel image

kernel-image-elbrus-4c Dec 3, 2021, 10:44 PM	Dec 3, 2021, 10:44 PM
Version: 5.4.163-alt2.23.1
Summary: The Linux kernel (the core of the Linux operating system)
Changelog:
- Version bump to 5.4.154-2.23 - Update to upstream 5.4.163 - Sync with sisyphus std-def-5.4.163-alt1 (Fixes: CVE-2017-6074 CVE-2020-16119 CVE-2021-3640) - Build compressed kernel image

kernel-image-elbrus-8c2 Dec 3, 2021, 10:13 PM	Dec 3, 2021, 10:13 PM
Version: 5.4.163-alt2.23.1
Summary: The Linux kernel (the core of the Linux operating system)
Changelog:
- Version bump to 5.4.154-2.23 - Update to upstream 5.4.163 - Sync with sisyphus std-def-5.4.163-alt1 (Fixes: CVE-2017-6074 CVE-2020-16119 CVE-2021-3640) - Build compressed kernel image

kernel-image-elbrus-def Dec 3, 2021, 08:10 PM	Dec 3, 2021, 08:10 PM
Version: 5.4.163-alt2.23.1
Summary: The Linux kernel (the core of the Linux operating system)
Changelog:
- Version bump to 5.4.154-2.23 - Update to upstream 5.4.163 - Sync with sisyphus std-def-5.4.163-alt1 (Fixes: CVE-2017-6074 CVE-2020-16119 CVE-2021-3640) - Build compressed kernel image

freeswitch Nov 26, 2021, 01:39 PM	Nov 26, 2021, 01:39 PM
Version: 1.10.7-alt1
Summary: FreeSWITCH open source telephony platform
Changelog:
- 1.10.6 -> 1.10.7 (Fixes: CVE-2021-41158, CVE-2021-41145, CVE-2021-41157, CVE-2021-41105, CVE-2021-37624, CVE-2021-36513)

screen Nov 11, 2021, 03:28 PM	Nov 11, 2021, 03:28 PM
Version: 4.8.0-alt2
Summary: A screen manager that supports multiple sessions on one terminal
Changelog:
- Applied SUSE combchar.diff to prevent DoS via crafted UTF-8 character sequence (fixes CVE-2021-26937).

Repository: p10_e2k

Security

libytnef Sep 20, 2021, 10:54 PM	Sep 20, 2021, 10:54 PM
Version: 2.0-alt1
Summary: TNEF Stream Parser Library
Changelog:
- 2.0 (fixed CVE-2021-3403, CVE-2021-3404)

xorg-server Sep 20, 2021, 12:14 PM	Sep 20, 2021, 12:14 PM
Version: 1.20.13-alt2.E2K.1
Summary: Xserver - X Window System display server
Changelog:
- E2K: + added mcst patches, mostly as-is except: - 0003-Add-copy-optimizations.patch: partially obsolete - 0006-Add-bug-workaround.patch: obsolete for arch > e2kv2 - 0010-Restore-DRI1-support.{add,mod}.patch: need more reverts - 0040-Fix-CVE-2018-14665.patch: applied elsewhere upstream and specifically, including: - 0010-restore-DRI1-support-for-e1c.patch - mga2 related patch from mcst#5155 + warning-related ftbfs workarounds