
Fedora Linux has received numerous security updates, including koji-1.35.1-1.fc40, xen-4.18.3-2.fc40, xen-4.17.5-2.fc39, firefox-131.0.2-1.fc41, webkit2gtk4.0-2.46.1-2.fc41, unbound-1.21.1-1.fc41, and xen-4.19.0-4.fc41:

[SECURITY] Fedora 40 Update: koji-1.35.1-1.fc40
[SECURITY] Fedora 40 Update: xen-4.18.3-2.fc40
[SECURITY] Fedora 39 Update: xen-4.17.5-2.fc39
[SECURITY] Fedora 41 Update: firefox-131.0.2-1.fc41
[SECURITY] Fedora 41 Update: webkit2gtk4.0-2.46.1-2.fc41
[SECURITY] Fedora 41 Update: unbound-1.21.1-1.fc41
[SECURITY] Fedora 41 Update: xen-4.19.0-4.fc41




[SECURITY] Fedora 40 Update: koji-1.35.1-1.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-7ee01adadc
2024-10-10 01:59:38.617923
--------------------------------------------------------------------------------

Name : koji
Product : Fedora 40
Version : 1.35.1
Release : 1.fc40
URL : https://pagure.io/koji/
Summary : Build system tools
Description :
Koji is a system for building and tracking RPMS. The base package
contains shared libraries and the command-line interface.

--------------------------------------------------------------------------------
Update Information:

Update to 1.35.1. Includes fix for CVE-2024-9427
--------------------------------------------------------------------------------
ChangeLog:

* Tue Oct 8 2024 Kevin Fenzi [kevin@scrye.com] - 1.35.1-1
- Update to 1.35.1. Fixes rhbz#2316304
- Fixes CVE-2024-9427
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2316304 - CVE-2024-9427 koji: Escape HTML tag characters in the query string [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2316304
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-7ee01adadc' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 40 Update: xen-4.18.3-2.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-051cf1553e
2024-10-10 01:59:38.617746
--------------------------------------------------------------------------------

Name : xen
Product : Fedora 40
Version : 4.18.3
Release : 2.fc40
URL : http://xen.org/
Summary : Xen is a virtual machine monitor
Description :
This package contains the XenD daemon and xm command line
tools, needed to manage virtual machines running under the
Xen hypervisor

--------------------------------------------------------------------------------
Update Information:

x86: Deadlock in vlapic_error() [XSA-462, CVE-2024-45817]
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 24 2024 Michael Young [m.a.young@durham.ac.uk] - 4.18.3-2
- x86: Deadlock in vlapic_error() [XSA-462, CVE-2024-45817]
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2314782 - CVE-2024-45817 xen: Deadlock in vlapic_error() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2314782
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-051cf1553e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 39 Update: xen-4.17.5-2.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-020dbf247c
2024-10-10 00:50:40.803278
--------------------------------------------------------------------------------

Name : xen
Product : Fedora 39
Version : 4.17.5
Release : 2.fc39
URL : http://xen.org/
Summary : Xen is a virtual machine monitor
Description :
This package contains the XenD daemon and xm command line
tools, needed to manage virtual machines running under the
Xen hypervisor

--------------------------------------------------------------------------------
Update Information:

x86: Deadlock in vlapic_error() [XSA-462, CVE-2024-45817]
update to xen-4.17.5
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 24 2024 Michael Young [m.a.young@durham.ac.uk] - 4.17.5-2
- x86: Deadlock in vlapic_error() [XSA-462, CVE-2024-45817]
* Sat Sep 14 2024 Michael Young [m.a.young@durham.ac.uk] - 4.17.5-1
- update to xen-4.17.5
remove or adjust patches now included or superseded upstream
now need to enable systemd explicitly
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2314782 - CVE-2024-45817 xen: Deadlock in vlapic_error() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2314782
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-020dbf247c' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: firefox-131.0.2-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-d85494e836
2024-10-10 00:15:44.893600
--------------------------------------------------------------------------------

Name : firefox
Product : Fedora 41
Version : 131.0.2
Release : 1.fc41
URL : https://www.mozilla.org/firefox/
Summary : Mozilla Firefox Web browser
Description :
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance and portability.

--------------------------------------------------------------------------------
Update Information:

Updated to latest upstream (131.0.2)
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 9 2024 Martin Stransky [stransky@redhat.com] - 131.0.2-1
- Updated to 131.0.2
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-d85494e836' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: webkit2gtk4.0-2.46.1-2.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-92d80d7f9a
2024-10-10 00:15:44.893528
--------------------------------------------------------------------------------

Name : webkit2gtk4.0
Product : Fedora 41
Version : 2.46.1
Release : 2.fc41
URL : https://www.webkitgtk.org/
Summary : WebKitGTK for GTK 3 and libsoup 2
Description :
WebKitGTK is the port of the WebKit web rendering engine to the
GTK platform. This package contains WebKitGTK for GTK 3 and libsoup 2.

--------------------------------------------------------------------------------
Update Information:

Update to 2.46.1
--------------------------------------------------------------------------------
ChangeLog:

* Thu Oct 3 2024 Michael Catanzaro [mcatanzaro@redhat.com] - 2.46.1-2
- Add patch to fix build with LLVM 19
* Tue Oct 1 2024 Pete Walter [pwalter@fedoraproject.org] - 2.46.1-1
- Update to 2.46.1
* Tue Oct 1 2024 Pete Walter [pwalter@fedoraproject.org] - 2.46.0-2
- Add missing sysprof-capture-4 BuildRequires
* Wed Sep 18 2024 Pete Walter [pwalter@fedoraproject.org] - 2.46.0-1
- Update to 2.46.0
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2314731 - CVE-2024-44187 webkit2gtk4.0: A malicious website may exfiltrate data cross-origin [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2314731
[ 2 ] Bug #2314733 - CVE-2024-40857 webkit2gtk4.0: Processing maliciously crafted web content may lead to universal cross site scripting [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2314733
[ 3 ] Bug #2314743 - CVE-2024-27851 webkit2gtk4.0: Processing maliciously crafted web content may lead to arbitrary code execution [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2314743
[ 4 ] Bug #2314747 - CVE-2024-23271 webkit2gtk4.0: A malicious website may cause unexpected cross-origin behavior [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2314747
[ 5 ] Bug #2314749 - CVE-2024-27838 webkit2gtk4.0: A maliciously crafted webpage may be able to fingerprint the user [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2314749
[ 6 ] Bug #2314752 - CVE-2024-27833 webkit2gtk4.0: Processing maliciously crafted web content may lead to arbitrary code execution [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2314752
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-92d80d7f9a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: unbound-1.21.1-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-a5d6cd9f0a
2024-10-10 00:15:44.893496
--------------------------------------------------------------------------------

Name : unbound
Product : Fedora 41
Version : 1.21.1
Release : 1.fc41
URL : https://nlnetlabs.nl/projects/unbound/
Summary : Validating, recursive, and caching DNS(SEC) resolver
Description :
Unbound is a validating, recursive, and caching DNS(SEC) resolver.

The C implementation of Unbound is developed and maintained by NLnet
Labs. It is based on ideas and algorithms taken from a java prototype
developed by Verisign labs, Nominet, Kirei and ep.net.

Unbound is designed as a set of modular components, so that also
DNSSEC (secure DNS) validation and stub-resolvers (that do not run
as a server, but are linked into an application) are easily possible.

--------------------------------------------------------------------------------
Update Information:

Fixed builds on F41. Fixes CVE-2024-8508
https://github.com/NLnetLabs/unbound/releases/tag/release-1.21.1
--------------------------------------------------------------------------------
ChangeLog:

* Thu Oct 3 2024 Petr Menšík - 1.21.1-1
- Update to 1.21.1 (rhbz#2316313)
* Thu Oct 3 2024 Petr Menšík - 1.21.0-4
- Disable SHA1 support to work with new default crypto-policy
* Wed Sep 25 2024 Petr Menšík - 1.21.0-3
- Remove additional subdirectory for python3 build
* Wed Sep 25 2024 Petr Menšík - 1.21.0-2
- Enable native dynamic modules
* Wed Sep 25 2024 Petr Menšík - 1.21.0-1
- Update to 1.21.0 (rhbz#2305092)
* Sat Jul 20 2024 Fedora Release Engineering - 1.20.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2301344 - unbound: FTBFS in Fedora rawhide/f41
https://bugzilla.redhat.com/show_bug.cgi?id=2301344
[ 2 ] Bug #2303461 - CVE-2024-43167 unbound: NULL Pointer Dereference in Unbound [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2303461
[ 3 ] Bug #2305092 - unbound-1.21.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2305092
[ 4 ] Bug #2316313 - unbound-1.21.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2316313
[ 5 ] Bug #2316358 - CVE-2024-8508 unbound: Unbounded name compression could lead to Denial of Service [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2316358
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-a5d6cd9f0a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------



[SECURITY] Fedora 41 Update: xen-4.19.0-4.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-60809cb44e
2024-10-10 00:15:44.893266
--------------------------------------------------------------------------------

Name : xen
Product : Fedora 41
Version : 4.19.0
Release : 4.fc41
URL : http://xen.org/
Summary : Xen is a virtual machine monitor
Description :
This package contains the XenD daemon and xm command line
tools, needed to manage virtual machines running under the
Xen hypervisor

--------------------------------------------------------------------------------
Update Information:

x86: Deadlock in vlapic_error() [XSA-462, CVE-2024-45817]
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 24 2024 Michael Young - 4.19.0-4
- x86: Deadlock in vlapic_error() [XSA-462, CVE-2024-45817]
* Wed Sep 4 2024 Miroslav Suchý - 4.19.0-3
- convert license to SPDX
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2314782 - CVE-2024-45817 xen: Deadlock in vlapic_error() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2314782
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-60809cb44e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------