Index: branches/fc13-dev/server/fedora/specs/ghostscript.spec.patch =================================================================== --- branches/fc13-dev/server/fedora/specs/ghostscript.spec.patch (revision 1614) +++ (revision ) @@ -1,44 +1,0 @@ ---- ghostscript.spec 2010-07-16 01:35:28.000000000 -0400 -+++ ghostscript.spec 2010-07-16 01:55:49.000000000 -0400 -@@ -5,7 +5,7 @@ - Name: ghostscript - Version: %{gs_ver} - --Release: 6%{?dist} -+Release: 6.scripts%{scriptsversion}%{?dist} - - # Included CMap data is Redistributable, no modification permitted, - # see http://bugzilla.redhat.com/487510 -@@ -35,6 +35,8 @@ - Patch17: ghostscript-tiff-default-strip-size.patch - Patch18: ghostscript-tiff-fixes.patch - -+Patch100: ghostscript-CVE-2010-1628.patch -+ - Requires: urw-fonts >= 1.1, ghostscript-fonts - BuildRequires: xz - BuildRequires: libjpeg-devel, libXt-devel -@@ -151,6 +153,9 @@ - # Backported some more TIFF fixes (bug #573970). - %patch18 -p1 -b .tiff-fixes - -+# Avoid an exploitable overflow (scripts.mit.edu local patch). -+%patch100 -p1 -b .CVE-2010-1628 -+ - # Convert manual pages to UTF-8 - from8859_1() { - iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_" -@@ -332,6 +337,13 @@ - %{_libdir}/libgs.so - - %changelog -+* Fri Jul 16 2010 Geoffrey Thomas 8.71-6.scripts -+- Include the patch -+ http://bugs.ghostscript.com/attachment.cgi?id=6350 -+ to fix CVE-2010-1628 (potential arbitrary code execution via -+ an overflow), from the upstream bug report: -+ http://bugs.ghostscript.com/show_bug.cgi?id=691295 -+ - * Tue Mar 16 2010 Tim Waugh 8.71-6 - - Backported some more TIFF fixes (bug #573970). - - Use upstream fix for TIFF default strip size (bug #571520). Index: branches/fc13-dev/server/fedora/specs/httpd.spec.patch =================================================================== --- branches/fc13-dev/server/fedora/specs/httpd.spec.patch (revision 1614) +++ branches/fc13-dev/server/fedora/specs/httpd.spec.patch (revision 1615) @@ -1,10 +1,10 @@ ---- httpd.spec.orig 2010-08-26 21:00:40.771666965 -0400 -+++ httpd.spec 2010-08-26 21:01:56.601668199 -0400 +--- httpd.spec.orig 2010-07-27 11:55:33.000000000 -0400 ++++ httpd.spec 2010-09-06 20:45:28.000000000 -0400 @@ -7,7 +7,7 @@ Summary: Apache HTTP Server Name: httpd - Version: 2.2.15 --Release: 1%{?dist}.1 -+Release: 1%{?dist}.1.scripts.%{scriptsversion} + Version: 2.2.16 +-Release: 1%{?dist} ++Release: 1%{?dist}.scripts.%{scriptsversion} URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz @@ -33,5 +33,5 @@ %description devel The httpd-devel package contains the APXS binary and other files -@@ -102,6 +111,7 @@ +@@ -103,6 +112,7 @@ Requires(post): openssl >= 0.9.7f-4, /bin/cat Requires(pre): httpd @@ -41,5 +41,5 @@ %description -n mod_ssl -@@ -129,6 +139,13 @@ +@@ -130,6 +140,13 @@ # Patch in vendor/release string sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1 @@ -55,5 +55,5 @@ vmmn=`echo MODULE_MAGIC_NUMBER_MAJOR | cpp -include include/ap_mmn.h | sed -n '/^2/p'` if test "x${vmmn}" != "x%{mmn}"; then -@@ -177,10 +194,12 @@ +@@ -178,10 +195,12 @@ --with-apr=%{_prefix} --with-apr-util=%{_prefix} \ --enable-suexec --with-suexec \ Index: branches/fc13-dev/server/fedora/specs/krb5.spec.patch =================================================================== --- branches/fc13-dev/server/fedora/specs/krb5.spec.patch (revision 1614) +++ branches/fc13-dev/server/fedora/specs/krb5.spec.patch (revision 1615) @@ -1,16 +1,16 @@ ---- krb5.spec.orig 2010-05-18 14:16:44.000000000 -0400 -+++ krb5.spec 2010-05-20 10:20:32.000000000 -0400 -@@ -16,7 +16,7 @@ - Summary: The Kerberos network authentication system. +--- krb5.spec.orig 2010-05-18 14:16:09.000000000 -0400 ++++ krb5.spec 2010-09-06 20:56:47.000000000 -0400 +@@ -10,7 +10,7 @@ + Summary: The Kerberos network authentication system Name: krb5 - Version: 1.6.3 --Release: 31%{?dist} -+Release: 31%{?dist}.scripts.%{scriptsversion} + Version: 1.7.1 +-Release: 10%{?dist} ++Release: 10%{?dist}.scripts.%{scriptsversion} # Maybe we should explode from the now-available-to-everybody tarball instead? - # http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.2-signed.tar + # http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7.1-signed.tar Source0: krb5-%{version}.tar.gz -@@ -114,6 +114,8 @@ - Patch88: krb5-1.6.1-cs22427.patch - Patch89: krb5-CVE-2010-1321-1.6.1.patch +@@ -90,6 +90,8 @@ + Patch101: http://web.mit.edu/kerberos/advisories/2010-004-patch.txt + Patch102: krb5-CVE-2010-1321-1.7.1.patch +Patch1000: krb5-kuserok-scripts.patch @@ -19,18 +19,18 @@ URL: http://web.mit.edu/kerberos/www/ Group: System Environment/Libraries -@@ -155,6 +157,7 @@ +@@ -134,6 +136,7 @@ + %package libs + Summary: The shared libraries used by Kerberos 5 Group: System Environment/Libraries - Prereq: grep, /sbin/ldconfig, sh-utils - Obsoletes: krb5-configs +Provides: scripts-krb5-libs %description libs Kerberos is a network authentication system. The krb5-libs package -@@ -1478,6 +1481,7 @@ - %patch87 -p0 -b .kpasswd_ipv6 - %patch88 -p0 -b .cs22427 - %patch89 -p1 -b .CVE-2010-1321 +@@ -1631,6 +1634,7 @@ + %patch100 -p0 -b .2010-002 + %patch101 -p1 -b .2010-004 + %patch102 -p1 -b .CVE-2010-1321 +%patch1000 -p1 -b .kuserok - cp src/krb524/README README.krb524 gzip doc/*.ps + sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex Index: branches/fc13-dev/server/fedora/specs/libpng.spec.patch =================================================================== --- branches/fc13-dev/server/fedora/specs/libpng.spec.patch (revision 1614) +++ (revision ) @@ -1,24 +1,0 @@ ---- libpng.spec 2010-03-15 13:26:15.000000000 -0400 -+++ libpng.spec 2010-07-14 00:07:10.000000000 -0400 -@@ -1,8 +1,8 @@ - Summary: A library of functions for manipulating PNG image format files - Name: libpng - Epoch: 2 --Version: 1.2.43 --Release: 1%{?dist} -+Version: 1.2.44 -+Release: 1.scripts.%{scriptsversion}%{?dist} - License: zlib - Group: System Environment/Libraries - URL: http://www.libpng.org/pub/png/ -@@ -94,6 +94,10 @@ - rm -rf $RPM_BUILD_ROOT - - %changelog -+* Tue Jul 13 2010 Geoffrey Thomas 2:1.2.44-1 -+- Update to libpng 1.2.44, includes fixes for CVE-2010-1205 and CVE-2010-2249 -+ (This is equivalent to Tom Lane's 2:1.2.44-1 change from non-EOL'd distros) -+ - * Mon Mar 15 2010 Tom Lane 2:1.2.43-1 - - Update to libpng 1.2.43, includes fix for CVE-2010-0205 - Related: #566234 Index: branches/fc13-dev/server/fedora/specs/openssh.spec.patch =================================================================== --- branches/fc13-dev/server/fedora/specs/openssh.spec.patch (revision 1614) +++ branches/fc13-dev/server/fedora/specs/openssh.spec.patch (revision 1615) @@ -1,23 +1,23 @@ ---- openssh.spec.orig 2010-03-30 02:27:53.000000000 -0400 -+++ openssh.spec 2010-03-30 02:30:09.000000000 -0400 -@@ -63,7 +63,7 @@ +--- openssh.spec.orig 2010-05-31 06:20:02.000000000 -0400 ++++ openssh.spec 2010-09-06 21:53:21.000000000 -0400 +@@ -74,7 +74,7 @@ Summary: An open source implementation of SSH protocol versions 1 and 2 Name: openssh - Version: 5.2p1 --Release: 6%{?dist}%{?rescue_rel} -+Release: 6%{?dist}%{?rescue_rel}.scripts.%{scriptsversion} + Version: 5.4p1 +-Release: %{openssh_rel}%{?dist}%{?rescue_rel} ++Release: %{openssh_rel}%{?dist}%{?rescue_rel}.scripts.%{scriptsversion} URL: http://www.openssh.com/portable.html + #URL1: http://pamsshagentauth.sourceforge.net #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz - #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc -@@ -74,6 +74,8 @@ - Source1: openssh-nukeacss.sh - Source2: sshd.pam +@@ -88,6 +88,8 @@ Source3: sshd.init + Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2 + Source5: pam_ssh_agent-rmheaders +Patch1000: openssh-5.0p1-multihomed.patch +Patch1001: openssh-4.7p1-gssapi-name-in-env.patch - Patch0: openssh-5.2p1-redhat.patch - Patch2: openssh-5.1p1-skip-initial.patch - Patch3: openssh-3.8.1p1-krb5-config.patch -@@ -161,6 +163,7 @@ + Patch0: openssh-5.4p1-redhat.patch + Patch2: openssh-5.3p1-skip-initial.patch + Patch4: openssh-5.2p1-vendor.patch +@@ -175,6 +177,7 @@ Requires(post): chkconfig >= 0.9, /sbin/service Requires(pre): /usr/sbin/useradd @@ -27,7 +27,7 @@ %package askpass Summary: A passphrase dialog for OpenSSH and X -@@ -231,6 +234,9 @@ - %patch65 -p1 -b .fips - %patch67 -p1 -b .selabel +@@ -267,6 +270,9 @@ + %patch75 -p1 -b .dso + %patch76 -p1 -b .bz595935 +%patch1000 -p1 -b .multihomed Index: branches/fc13-dev/server/fedora/specs/shadow-utils.spec.patch =================================================================== --- branches/fc13-dev/server/fedora/specs/shadow-utils.spec.patch (revision 1614) +++ branches/fc13-dev/server/fedora/specs/shadow-utils.spec.patch (revision 1615) @@ -1,14 +1,14 @@ ---- shadow-utils.spec.orig 2010-03-12 00:48:00.000000000 -0500 -+++ shadow-utils.spec 2010-03-12 00:55:36.000000000 -0500 +--- shadow-utils.spec.orig 2010-07-20 05:29:54.000000000 -0400 ++++ shadow-utils.spec 2010-09-06 21:53:21.000000000 -0400 @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils - Version: 4.1.4.1 --Release: 5%{?dist} -+Release: 5.scripts.%{scriptsversion}%{?dist} + Version: 4.1.4.2 +-Release: 8%{?dist} ++Release: 8.scripts.%{scriptsversion}%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 -@@ -21,6 +21,7 @@ +@@ -26,6 +26,7 @@ Requires: audit-libs >= 1.6.5 Requires: setup @@ -18,22 +18,2 @@ %description The shadow-utils package includes the necessary programs for -@@ -60,7 +61,8 @@ - --with-selinux \ - --without-libcrack \ - --without-libpam \ -- --disable-shared -+ --disable-shared \ -+ --with-group-name-max-length=32 - make - - %install -@@ -182,6 +184,9 @@ - %{_mandir}/man8/vigr.8* - - %changelog -+* Fri Mar 12 2010 Mitchell Berger 2:4.1.4.1-5.scripts -+- change max group name length back to 32 -+ - * Wed Aug 05 2009 Peter Vrabec 2:4.1.4.1-5 - - increase threshold for uid/gid reservations to 200 (#515667) -