Tue Sep  9 22:48:58 UTC 2014
a/btrfs-progs-20140909-x86_64-1.txz:  Upgraded.
n/net-snmp-5.7.2.1-x86_64-1.txz:  Upgraded.
  Patched to properly report Btrfs mounts in hrFS/hrStorage tables.
  Thanks to Jakub Jankowski.
+--------------------------+
Tue Sep  9 18:01:05 UTC 2014
a/kernel-firmware-20140909git-noarch-1.txz:  Upgraded.
a/kernel-generic-3.14.18-x86_64-1.txz:  Upgraded.
a/kernel-huge-3.14.18-x86_64-1.txz:  Upgraded.
a/kernel-modules-3.14.18-x86_64-1.txz:  Upgraded.
d/kernel-headers-3.14.18-x86-1.txz:  Upgraded.
k/kernel-source-3.14.18-noarch-1.txz:  Upgraded.
l/seamonkey-solibs-2.29-x86_64-1.txz:  Upgraded.
xap/rdesktop-1.8.2-x86_64-1.txz:  Upgraded.
xap/seamonkey-2.29-x86_64-1.txz:  Upgraded.
  This update contains security fixes and improvements.
  (* Security fix *)
isolinux/initrd.img:  Rebuilt.
  Use syslinux-nomtools on the installer.  Thanks to Didier Spaier.
kernels/*:  Upgraded.
usb-and-pxe-installers/usbboot.img:  Rebuilt.
  Use syslinux-nomtools on the installer.  Thanks to Didier Spaier.
+--------------------------+

Wed Sep 24 22:52:53 UTC 2014
a/bash-4.3.025-x86_64-1.txz:  Upgraded.
  This update fixes a vulnerability in bash related to how environment
  variables are processed:  trailing code in function definitions was
  executed, independent of the variable name.  In many common configurations
  (such as the use of CGI scripts), this vulnerability is exploitable over
  the network.  Thanks to Stephane Chazelas for discovering this issue.
  For more information, see:
    http://seclists.org/oss-sec/2014/q3/650
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
  (* Security fix *)
l/mozilla-nss-3.16.5-x86_64-1.txz:  Upgraded.
  Fixed an RSA Signature Forgery vulnerability.
  For more information, see:
    https://www.mozilla.org/security/announce/2014/mfsa2014-73.html
  (* Security fix *)
+--------------------------+

Thu Sep 25 19:55:13 UTC 2014
a/bash-4.3.025-x86_64-2.txz:  Rebuilt.
  Patched an additional trailing string processing vulnerability discovered
  by Tavis Ormandy.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
  (* Security fix *)
ap/lxc-1.0.6-x86_64-1.txz:  Upgraded.
  Fixed bash completion file.  Thanks to dunric.
+--------------------------+

Fri Sep 26 22:23:32 UTC 2014
a/bash-4.3.026-x86_64-1.txz:  Upgraded.
  This is essentially a rebuild as the preliminary patch for CVE-2014-7169
  has been accepted by upstream and is now signed.  This also bumps the
  patchlevel, making it easy to tell this is the fixed version.
  Possibly more changes to come, given the ongoing discussions on oss-sec.
+--------------------------+

Sun Sep 28 23:07:39 UTC 2014
l/seamonkey-solibs-2.29.1-x86_64-1.txz:  Upgraded.
xap/mozilla-firefox-32.0.3-x86_64-1.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefox.html
  (* Security fix *)
xap/mozilla-thunderbird-31.1.2-x86_64-1.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
xap/seamonkey-2.29.1-x86_64-1.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
  (* Security fix *)
+--------------------------+

Mon Sep 29 18:41:23 UTC 2014
a/bash-4.3.027-x86_64-1.txz:  Upgraded.
  Another bash update.  Here's some information included with the patch:
    "This patch changes the encoding bash uses for exported functions to avoid
    clashes with shell variables and to avoid depending only on an environment
    variable's contents to determine whether or not to interpret it as a shell
    function."
  After this update, an environment variable will not go through the parser
  unless it follows this naming structure:  BASH_FUNC_*%%
  Most scripts never expected to import functions from environment variables,
  so this change (although not backwards compatible) is not likely to break
  many existing scripts.  It will, however, close off access to the parser as
  an attack surface in the vast majority of cases.  There's already another
  vulnerability similar to CVE-2014-6271 for which there is not yet a fix,
  but this hardening patch prevents it (and likely many more similar ones).
  Thanks to Florian Weimer and Chet Ramey.
  (* Security fix *)
+--------------------------+

Sun Oct  5 00:38:31 UTC 2014
a/elilo-3.16-x86_64-1.txz:  Upgraded.
  Thanks to fsLeg for the extra bit of sed that was needed to build the
  latest version.
+--------------------------+

Tue Oct 14 23:45:01 UTC 2014
xap/mozilla-firefox-33.0-x86_64-1.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefox.html
  (* Security fix *)
xap/mozilla-thunderbird-31.2.0-x86_64-1.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
+--------------------------+

Wed Oct 15 17:28:59 UTC 2014
a/openssl-solibs-1.0.1j-x86_64-1.txz:  Upgraded.
  (* Security fix *)
n/openssl-1.0.1j-x86_64-1.tx:  Upgraded.
  This update fixes several security issues:
  SRTP Memory Leak (CVE-2014-3513):
    A flaw in the DTLS SRTP extension parsing code allows an attacker, who
    sends a carefully crafted handshake message, to cause OpenSSL to fail
    to free up to 64k of memory causing a memory leak. This could be
    exploited in a Denial Of Service attack.
  Session Ticket Memory Leak (CVE-2014-3567):
    When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
    integrity of that ticket is first verified. In the event of a session
    ticket integrity check failing, OpenSSL will fail to free memory
    causing a memory leak. By sending a large number of invalid session
    tickets an attacker could exploit this issue in a Denial Of Service
    attack.
  SSL 3.0 Fallback protection:
    OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications
    to block the ability for a MITM attacker to force a protocol
    downgrade.
    Some client applications (such as browsers) will reconnect using a
    downgraded protocol to work around interoperability bugs in older
    servers. This could be exploited by an active man-in-the-middle to
    downgrade connections to SSL 3.0 even if both sides of the connection
    support higher protocols. SSL 3.0 contains a number of weaknesses
    including POODLE (CVE-2014-3566).
  Build option no-ssl3 is incomplete (CVE-2014-3568):
    When OpenSSL is configured with "no-ssl3" as a build option, servers
    could accept and complete a SSL 3.0 handshake, and clients could be
    configured to send them.
  For more information, see:
    https://www.openssl.org/news/secadv_20141015.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3568
  (* Security fix *)
+--------------------------+

Tue Oct 21 02:10:33 UTC 2014
e/emacs-24.4-x86_64-1.txz:  Upgraded.
+--------------------------+
Mon Oct 20 22:21:45 UTC 2014
n/openssh-6.7p1-x86_64-1.txz:  Upgraded.
  This update fixes a security issue that allows remote servers to trigger
  the skipping of SSHFP DNS RR checking by presenting an unacceptable
  HostCertificate.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2653
  (* Security fix *)
+--------------------------+

Fri Oct 24 04:55:44 UTC 2014
a/glibc-solibs-2.20-x86_64-1.txz:  Upgraded.
a/glibc-zoneinfo-2014i-noarch-1.txz:  Upgraded.
  Upgraded to tzcode2014i and tzdata2014i.
l/glibc-2.20-x86_64-1.txz:  Upgraded.
  This update fixes several security issues, and adds an extra security
  hardening patch from Florian Weimer.  Thanks to mancha for help with
  tracking and backporting patches.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4424
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4412
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4237
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4788
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4458
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4043
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0475
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5119
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6040
  (* Security fix *)
l/glibc-i18n-2.20-x86_64-1.txz:  Upgraded.
l/glibc-profile-2.20-x86_64-1.txz:  Upgraded.
xap/pidgin-2.10.10-x86_64-1.txz:  Upgraded.
  This update fixes several security issues:
  Insufficient SSL certificate validation (CVE-2014-3694)
  Remote crash parsing malformed MXit emoticon (CVE-2014-3695)
  Remote crash parsing malformed Groupwise message (CVE-2014-3696)
  Malicious smiley themes could alter arbitrary files (CVE-2014-3697)
  Potential information leak from XMPP (CVE-2014-3698)
    For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3694
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3695
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3696
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3697
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3698
  (* Security fix *)
+--------------------------+

Sat Oct 25 04:30:31 UTC 2014
xap/gimp-2.8.14-x86_64-1.txz:  Upgraded.
+--------------------------+
Fri Oct 24 21:11:15 UTC 2014
a/glibc-solibs-2.20-x86_64-2.txz:  Rebuilt.
d/gcc-4.8.3-x86_64-2.txz:  Rebuilt.
  Patched bug pr61801, which caused some failures with glibc-2.20.
d/gcc-g++-4.8.3-x86_64-2.txz:  Rebuilt.
d/gcc-gfortran-4.8.3-x86_64-2.txz:  Rebuilt.
d/gcc-gnat-4.8.3-x86_64-2.txz:  Rebuilt.
d/gcc-go-4.8.3-x86_64-2.txz:  Rebuilt.
d/gcc-java-4.8.3-x86_64-2.txz:  Rebuilt.
d/gcc-objc-4.8.3-x86_64-2.txz:  Rebuilt.
l/glibc-2.20-x86_64-2.txz:  Rebuilt.
  Recompiled with patched gcc.
l/glibc-i18n-2.20-x86_64-2.txz:  Rebuilt.
l/glibc-profile-2.20-x86_64-2.txz:  Rebuilt.
+--------------------------+

Wed Oct 29 18:21:12 UTC 2014
ap/moc-2.5.0-x86_64-1.txz:  Upgraded.
n/wget-1.16-x86_64-1.txz:  Upgraded.
  This update fixes a symlink vulnerability that could allow an attacker
  to write outside of the expected directory.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877
  (* Security fix *)
+--------------------------+

Fri Nov  7 21:02:55 UTC 2014
a/bash-4.3.030-x86_64-1.txz:  Upgraded.
  Applied all upstream patches.  The previously applied patch requiring
  a specific prefix/suffix in order to parse variables for functions
  closed all of the known vulnerabilities anyway, but it's clear that
  until all the patches were applied that the "is this still vulnerable"
  questions were not going to end...
a/btrfs-progs-20141107-x86_64-1.txz:  Upgraded.
  Added the header files to the package.  Thanks to Vincent Batts.
a/kernel-firmware-20141106git-noarch-1.txz:  Upgraded.
a/kernel-generic-3.14.23-x86_64-1.txz:  Upgraded.
a/kernel-huge-3.14.23-x86_64-1.txz:  Upgraded.
a/kernel-modules-3.14.23-x86_64-1.txz:  Upgraded.
ap/mpg123-1.21.0-x86_64-1.txz:  Upgraded.
d/kernel-headers-3.14.23-x86-1.txz:  Upgraded.
k/kernel-source-3.14.23-noarch-1.txz:  Upgraded.
xfce/xfce4-weather-plugin-0.8.4-x86_64-1.txz:  Upgraded.
isolinux/initrd.img:  Rebuilt.
kernels/*:  Upgraded.
usb-and-pxe-installers/usbboot.img:  Rebuilt.
+--------------------------+
Tue Nov  4 00:05:23 UTC 2014
ap/mariadb-5.5.40-x86_64-1.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6507
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6491
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6500
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6469
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6555
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6559
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6494
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6496
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6464
  (* Security fix *)
l/seamonkey-solibs-2.30-x86_64-1.txz:  Upgraded.
n/php-5.4.34-x86_64-1.txz:  Upgraded.
  This update fixes bugs and security issues.
  #68044 (Integer overflow in unserialize() (32-bits only)). (CVE-2014-3669)
  #68113 (Heap corruption in exif_thumbnail()). (CVE-2014-3670)
  #68027 (Global buffer overflow in mkgmtime() function). (CVE-2014-3668)
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3669
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3670
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3668
  (* Security fix *)
xap/mozilla-firefox-33.0.2-x86_64-1.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefox.html
  (* Security fix *)
xap/seamonkey-2.30-x86_64-1.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
  (* Security fix *)
+--------------------------+

Tue Nov 11 04:53:57 UTC 2014
xap/mozilla-firefox-33.1-x86_64-1.txz:  Upgraded.
+--------------------------+

Thu Nov 13 20:45:54 UTC 2014
ap/mariadb-5.5.40-x86_64-2.txz:  Rebuilt.
  Reverted change to my_config.h that breaks compiling many applications
  that link against the MariaDB libraries.
  Thanks to Willy Sudiarto Raharjo.
xap/pidgin-2.10.10-x86_64-2.txz:  Rebuilt.
  Fix Gadu-Gadu protocol when GnuTLS is not used.  Thanks to mancha.
+--------------------------+