Fedora 41 Update: perl-Module-ScanDeps-1.37-1.fc41
Fedora 41 Update: python-aiohttp-3.10.5-3.fc41
Fedora 41 Update: mingw-python3-3.11.10-2.fc41
Fedora 41 Update: mingw-libsoup-2.74.3-8.fc41
Fedora 41 Update: mingw-glib2-2.82.2-1.fc41
Fedora 40 Update: nss-3.106.0-1.fc40
Fedora 40 Update: firefox-133.0-1.fc40
Fedora 40 Update: perl-Module-ScanDeps-1.37-1.fc40
Fedora 40 Update: php-8.3.14-1.fc40
Fedora 40 Update: mingw-python-waitress-2.1.2-7.fc40
Fedora 40 Update: python-aiohttp-3.9.5-2.fc40
Fedora 40 Update: libsoup3-3.4.4-5.fc40
[SECURITY] Fedora 41 Update: perl-Module-ScanDeps-1.37-1.fc41
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-c05ef21f1f
2024-11-28 03:19:40.039883+00:00
--------------------------------------------------------------------------------
Name : perl-Module-ScanDeps
Product : Fedora 41
Version : 1.37
Release : 1.fc41
URL : https://metacpan.org/release/Module-ScanDeps
Summary : Recursively scan Perl code for dependencies
Description :
This module scans potential modules used by perl programs and returns a
hash reference. Its keys are the module names as they appear in %INC (e.g.
Test/More.pm). The values are hash references.
--------------------------------------------------------------------------------
Update Information:
1.37
- fix parsing of "use if ..."
Fixes errors in PAR::Packer test t/90-rt59710.t
- add test for _parse_libs()
1.36
- Fix CVE-2024-10224: Unsanitized input leads to LPE
- use three-argument open()
- replace 'eval "..."' constructs
Note: this version was not released on CPAN because of
Coordinated Release Date for CVE
- README: add "Source Repository" and "Contact" info
switch "Please submit bug reports to ..." to GitHub issues
- add preload rule for MooX::HandlesVia
cf. https://github.com/rschupp/PAR-Packer/issues/88
--------------------------------------------------------------------------------
ChangeLog:
* Wed Nov 20 2024 Jitka Plesnikova [jplesnik@redhat.com] - 1.37-1
- 1.37 bump (rhbz#2327393); Fix CVE-2024-10224
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2327530 - CVE-2024-10224 perl-Module-ScanDeps: local privilege escalation via unsanitized input [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2327530
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-c05ef21f1f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--
[SECURITY] Fedora 41 Update: python-aiohttp-3.10.5-3.fc41
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-49df7093ac
2024-11-28 03:19:40.039737+00:00
--------------------------------------------------------------------------------
Name : python-aiohttp
Product : Fedora 41
Version : 3.10.5
Release : 3.fc41
URL : https://github.com/aio-libs/aiohttp
Summary : Python HTTP client/server for asyncio
Description :
Python HTTP client/server for asyncio which supports both the client and the
server side of the HTTP protocol, client and server websocket, and webservers
with middlewares and pluggable routing.
--------------------------------------------------------------------------------
Update Information:
Security fix for CVE-2024-52304
--------------------------------------------------------------------------------
ChangeLog:
* Tue Nov 19 2024 Benjamin A. Beasley [code@musicinmybrain.net] - 3.10.5-3
- Security fix for CVE-2024-52304 (fixes RHBZ#2327155)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2327155 - CVE-2024-52304 python-aiohttp: aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2327155
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-49df7093ac' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--
[SECURITY] Fedora 41 Update: mingw-python3-3.11.10-2.fc41
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-e6b1e638d1
2024-11-28 03:19:40.039643+00:00
--------------------------------------------------------------------------------
Name : mingw-python3
Product : Fedora 41
Version : 3.11.10
Release : 2.fc41
URL : https://www.python.org/
Summary : MinGW Windows python3
Description :
MinGW Windows python3
--------------------------------------------------------------------------------
Update Information:
Backport fix for CVE-2024-9287
Update to python-3.11.0.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Nov 18 2024 Sandro Mani [manisandro@gmail.com] - 3.11.10-2
- Backport fix for CVE-2024-9287
* Sat Nov 9 2024 Sandro Mani [manisandro@gmail.com] - 3.11.10-1
- Update to 3.11.10
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2321653 - CVE-2024-9287 mingw-python3: Virtual environment (venv) activation scripts don't quote paths [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2321653
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-e6b1e638d1' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--
[SECURITY] Fedora 41 Update: mingw-libsoup-2.74.3-8.fc41
--
[SECURITY] Fedora 41 Update: mingw-glib2-2.82.2-1.fc41
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-67869f1cb3
2024-11-28 03:19:40.039613+00:00
--------------------------------------------------------------------------------
Name : mingw-glib2
Product : Fedora 41
Version : 2.82.2
Release : 1.fc41
URL : http://www.gtk.org
Summary : MinGW Windows GLib2 library
Description :
MinGW Windows Glib2 library.
--------------------------------------------------------------------------------
Update Information:
Update to 2.82.2, fixes CVE-2024-52533.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Oct 21 2024 Sandro Mani [manisandro@gmail.com] - 2.82.2-1
- Update to 2.82.2
* Mon Sep 23 2024 Sandro Mani [manisandro@gmail.com] - 2.82.1-1
- Update to 2.82.1
* Tue Aug 27 2024 Sandro Mani [manisandro@gmail.com] - 2.82.0-1
- Update to 2.82.0
* Mon Aug 19 2024 Sandro Mani [manisandro@gmail.com] - 2.81.2-1
- Update to 2.81.2
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2325362 - CVE-2024-52533 mingw-glib2: buffer overflow in set_connect_msg() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2325362
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-67869f1cb3' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--
[SECURITY] Fedora 40 Update: nss-3.106.0-1.fc40
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-ea7b2e66a1
2024-11-28 02:44:05.515475+00:00
--------------------------------------------------------------------------------
Name : nss
Product : Fedora 40
Version : 3.106.0
Release : 1.fc40
URL : http://www.mozilla.org/projects/security/pki/nss/
Summary : Network Security Services
Description :
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and
server applications. Applications built with NSS can support SSL v2
and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
v3 certificates, and other security standards.
--------------------------------------------------------------------------------
Update Information:
Update NSS to 3.106.0
Update to Firefox 133.0
--------------------------------------------------------------------------------
ChangeLog:
* Tue Nov 19 2024 Bojan Smojver [bojan@rexursive.com] - 3.106.0-1
- Update NSS to 3.106.0
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-ea7b2e66a1' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--
[SECURITY] Fedora 40 Update: firefox-133.0-1.fc40
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-ea7b2e66a1
2024-11-28 02:44:05.515475+00:00
--------------------------------------------------------------------------------
Name : firefox
Product : Fedora 40
Version : 133.0
Release : 1.fc40
URL : https://www.mozilla.org/firefox/
Summary : Mozilla Firefox Web browser
Description :
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance and portability.
--------------------------------------------------------------------------------
Update Information:
Update NSS to 3.106.0
Update to Firefox 133.0
--------------------------------------------------------------------------------
ChangeLog:
* Fri Nov 22 2024 Martin Stransky [stransky@redhat.com] - 133.0-1
- Updated to latest upstream (133.0)
* Mon Nov 18 2024 Martin Stransky [stransky@redhat.com] - 132.0.2-2
- Added memory saving flags to x86_64
* Fri Nov 15 2024 Martin Stransky [stransky@redhat.com] - 132.0.2-1
- Updated to 132.0.2
- Try to reduce build mem usage on ppc64le
* Thu Nov 7 2024 Jan Grulich [jgrulich@redhat.com] - 132.0.1-2
- PipeWire camera: use better unique device name for camera devices
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-ea7b2e66a1' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--
[SECURITY] Fedora 40 Update: perl-Module-ScanDeps-1.37-1.fc40
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-8adf4a4b24
2024-11-28 02:44:05.515391+00:00
--------------------------------------------------------------------------------
Name : perl-Module-ScanDeps
Product : Fedora 40
Version : 1.37
Release : 1.fc40
URL : https://metacpan.org/release/Module-ScanDeps
Summary : Recursively scan Perl code for dependencies
Description :
This module scans potential modules used by perl programs and returns a
hash reference. Its keys are the module names as they appear in %INC (e.g.
Test/More.pm). The values are hash references.
--------------------------------------------------------------------------------
Update Information:
1.37
- fix parsing of "use if ..."
Fixes errors in PAR::Packer test t/90-rt59710.t
- add test for _parse_libs()
1.36
- Fix CVE-2024-10224: Unsanitized input leads to LPE
- use three-argument open()
- replace 'eval "..."' constructs
Note: this version was not released on CPAN because of
Coordinated Release Date for CVE
- README: add "Source Repository" and "Contact" info
switch "Please submit bug reports to ..." to GitHub issues
- add preload rule for MooX::HandlesVia
cf. https://github.com/rschupp/PAR-Packer/issues/88
--------------------------------------------------------------------------------
ChangeLog:
* Wed Nov 20 2024 Jitka Plesnikova [jplesnik@redhat.com] - 1.37-1
- 1.37 bump (rhbz#2327393); Fix CVE-2024-10224
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2327529 - CVE-2024-10224 perl-Module-ScanDeps: local privilege escalation via unsanitized input [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2327529
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-8adf4a4b24' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--
[SECURITY] Fedora 40 Update: php-8.3.14-1.fc40
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-e0d390d35b
2024-11-28 02:44:05.515315+00:00
--------------------------------------------------------------------------------
Name : php
Product : Fedora 40
Version : 8.3.14
Release : 1.fc40
URL : http://www.php.net/
Summary : PHP scripting language for creating dynamic web sites
Description :
PHP is an HTML-embedded scripting language. PHP attempts to make it
easy for developers to write dynamically generated web pages. PHP also
offers built-in database integration for several commercial and
non-commercial database management systems, so writing a
database-enabled webpage with PHP is fairly simple. The most common
use of PHP coding is probably as a replacement for CGI scripts.
--------------------------------------------------------------------------------
Update Information:
PHP version 8.3.14 (21 Nov 2024)
CLI:
Fixed bug GH-16373 (Shebang is not skipped for router script in cli-server
started through shebang). (ilutov)
Fixed bug GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data
Processing in CLI SAPI Interface). (nielsdos)
COM:
Fixed out of bound writes to SafeArray data. (cmb)
Core:
Fixed bug GH-16168 (php 8.1 and earlier crash immediately when compiled with
Xcode 16 clang on macOS 15). (nielsdos)
Fixed bug GH-16371 (Assertion failure in Zend/zend_weakrefs.c:646). (Arnaud)
Fixed bug GH-16515 (Incorrect propagation of ZEND_ACC_RETURN_REFERENCE for call
trampoline). (ilutov)
Fixed bug GH-16509 (Incorrect line number in function redeclaration error).
(ilutov)
Fixed bug GH-16508 (Incorrect line number in inheritance errors of delayed early
bound classes). (ilutov)
Fixed bug GH-16648 (Use-after-free during array sorting). (ilutov)
Curl:
Fixed bug GH-16302 (CurlMultiHandle holds a reference to CurlHandle if
curl_multi_add_handle fails). (timwolla)
Date:
Fixed bug GH-16454 (Unhandled INF in date_sunset() with tiny $utcOffset). (cmb)
Fixed bug GH-14732 (date_sun_info() fails for non-finite values). (cmb)
DBA:
Fixed bug GH-16390 (dba_open() can segfault for "pathless" streams). (cmb)
DOM:
Fixed bug GH-16316 (DOMXPath breaks when not initialized properly). (nielsdos)
Add missing hierarchy checks to replaceChild. (nielsdos)
Fixed bug GH-16336 (Attribute intern document mismanagement). (nielsdos)
Fixed bug GH-16338 (Null-dereference in ext/dom/node.c). (nielsdos)
Fixed bug GH-16473 (dom_import_simplexml stub is wrong). (nielsdos)
Fixed bug GH-16533 (Segfault when adding attribute to parent that is not an
element). (nielsdos)
Fixed bug GH-16535 (UAF when using document as a child). (nielsdos)
Fixed bug GH-16593 (Assertion failure in DOM->replaceChild). (nielsdos)
Fixed bug GH-16595 (Another UAF in DOM -> cloneNode). (nielsdos)
EXIF:
Fixed bug GH-16409 (Segfault in exif_thumbnail when not dealing with a real
file). (nielsdos, cmb)
FFI:
Fixed bug GH-16397 (Segmentation fault when comparing FFI object). (nielsdos)
Filter:
Fixed bug GH-16523 (FILTER_FLAG_HOSTNAME accepts ending hyphen). (cmb)
FPM:
Fixed bug GH-16628 (FPM logs are getting corrupted with this log statement).
(nielsdos)
GD:
Fixed bug GH-16334 (imageaffine overflow on matrix elements). (David Carlier)
Fixed bug GH-16427 (Unchecked libavif return values). (cmb)
Fixed bug GH-16559 (UBSan abort in ext/gd/libgd/gd_interpolation.c:1007).
(nielsdos)
GMP:
Fixed floating point exception bug with gmp_pow when using large exponent
values. (David Carlier)
Fixed bug GH-16411 (gmp_export() can cause overflow). (cmb)
Fixed bug GH-16501 (gmp_random_bits() can cause overflow). (David Carlier)
Fixed gmp_pow() overflow bug with large base/exponents. (David Carlier)
Fixed segfaults and other issues related to operator overloading with GMP
objects. (Girgias)
LDAP:
Fixed bug GHSA-g665-fm4p-vhff (OOB access in ldap_escape). (CVE-2024-8932)
(nielsdos)
MBstring:
Fixed bug GH-16361 (mb_substr overflow on start/length arguments). (David
Carlier)
MySQLnd:
Fixed bug GHSA-h35g-vwh6-m678 (Leak partial content of the heap through heap
buffer over-read). (CVE-2024-8929) (Jakub Zelenka)
Opcache:
Fixed bug GH-16408 (Array to string conversion warning emitted in optimizer).
(ilutov)
OpenSSL:
Fixed bug GH-16357 (openssl may modify member types of certificate arrays).
(cmb)
Fixed bug GH-16433 (Large values for openssl_csr_sign() $days overflow). (cmb)
Fix various memory leaks on error conditions in openssl_x509_parse(). (nielsdos)
PDO DBLIB:
Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the dblib quoter causing OOB
writes). (CVE-2024-11236) (nielsdos)
PDO Firebird:
Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the firebird quoter causing
OOB writes). (CVE-2024-11236) (nielsdos)
PDO ODBC:
Fixed bug GH-16450 (PDO_ODBC can inject garbage into field values). (cmb)
Phar:
Fixed bug GH-16406 (Assertion failure in ext/phar/phar.c:2808). (nielsdos)
PHPDBG:
Fixed bug GH-16174 (Empty string is an invalid expression for ev). (cmb)
Reflection:
Fixed bug GH-16601 (Memory leak in Reflection constructors). (nielsdos)
Session:
Fixed bug GH-16385 (Unexpected null returned by session_set_cookie_params).
(nielsdos)
Fixed bug GH-16290 (overflow on cookie_lifetime ini value). (David Carlier)
SOAP:
Fixed bug GH-16318 (Recursive array segfaults soap encoding). (nielsdos)
Fixed bug GH-16429 (Segmentation fault access null pointer in SoapClient).
(nielsdos)
Sockets:
Fixed bug with overflow socket_recvfrom $length argument. (David Carlier)
SPL:
Fixed bug GH-16337 (Use-after-free in SplHeap). (nielsdos)
Fixed bug GH-16464 (Use-after-free in SplDoublyLinkedList::offsetSet()).
(ilutov)
Fixed bug GH-16479 (Use-after-free in SplObjectStorage::setInfo()). (ilutov)
Fixed bug GH-16478 (Use-after-free in SplFixedArray::unset()). (ilutov)
Fixed bug GH-16588 (UAF in Observer->serialize). (nielsdos)
Fix GH-16477 (Segmentation fault when calling __debugInfo() after failed
SplFileObject::__constructor). (Girgias)
Fixed bug GH-16589 (UAF in SplDoublyLinked->serialize()). (nielsdos)
Fixed bug GH-14687 (segfault on SplObjectIterator instance). (David Carlier)
Fixed bug GH-16604 (Memory leaks in SPL constructors). (nielsdos)
Fixed bug GH-16646 (UAF in ArrayObject::unset() and
ArrayObject::exchangeArray()). (ilutov)
Standard:
Fixed bug GH-16293 (Failed assertion when throwing in assert() callback with
bail enabled). (ilutov)
Streams:
Fixed bug GHSA-c5f2-jwm7-mmq2 (Configuring a proxy in a stream context might
allow for CRLF injection in URIs). (CVE-2024-11234) (Jakub Zelenka)
Fixed bug GHSA-r977-prxv-hc43 (Single byte overread with
convert.quoted-printable-decode filter). (CVE-2024-11233) (nielsdos)
SysVMsg:
Fixed bug GH-16592 (msg_send() crashes when a type is not properly
serialized). (David Carlier / cmb)
SysVShm:
Fixed bug GH-16591 (Assertion error in shm_put_var). (nielsdos, cmb)
XMLReader:
Fixed bug GH-16292 (Segmentation fault in ext/xmlreader/php_xmlreader.c).
(nielsdos)
Zlib:
Fixed bug GH-16326 (Memory management is broken for bad dictionaries.) (cmb)
--------------------------------------------------------------------------------
ChangeLog:
* Tue Nov 19 2024 Remi Collet [remi@remirepo.net] - 8.3.14-1
- Update to 8.3.14 - http://www.php.net/releases/8_3_14.php
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2328035 - CVE-2024-8929 php: Leak partial content of the heap through heap buffer over-read in mysqlnd [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2328035
[ 2 ] Bug #2328614 - CVE-2024-11234 php: Configuring a proxy in a stream context might allow for CRLF injection in URIs [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2328614
[ 3 ] Bug #2328673 - CVE-2024-11236 php: Integer overflow in the firebird and dblib quoters causing OOB writes [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2328673
[ 4 ] Bug #2328738 - CVE-2024-11233 php: Single byte overread with convert.quoted-printable-decode filter [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2328738
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-e0d390d35b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--
[SECURITY] Fedora 40 Update: mingw-python-waitress-2.1.2-7.fc40
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-5abfdba2b7
2024-11-28 02:44:05.515273+00:00
--------------------------------------------------------------------------------
Name : mingw-python-waitress
Product : Fedora 40
Version : 2.1.2
Release : 7.fc40
URL : https://github.com/Pylons/waitress
Summary : MinGW Windows Python waitress library
Description :
MinGW Windows Python waitress library.
--------------------------------------------------------------------------------
Update Information:
Backport fixes for CVE-2024-49768 and CVE-2024-49769.
--------------------------------------------------------------------------------
ChangeLog:
* Tue Nov 19 2024 Sandro Mani [manisandro@gmail.com] - 2.1.2-7
- Backport fixes for CVE-2024-49768 and CVE-2024-49769
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2322474 - CVE-2024-49769 mingw-python-waitress: Waitress has a denial of service leading to high CPU usage/resource exhaustion [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2322474
[ 2 ] Bug #2322492 - CVE-2024-49768 mingw-python-waitress: request processing race condition in HTTP pipelining with invalid first request [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2322492
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-5abfdba2b7' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--
[SECURITY] Fedora 40 Update: python-aiohttp-3.9.5-2.fc40
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-04ceb82dc7
2024-11-28 02:44:05.515261+00:00
--------------------------------------------------------------------------------
Name : python-aiohttp
Product : Fedora 40
Version : 3.9.5
Release : 2.fc40
URL : https://github.com/aio-libs/aiohttp
Summary : Python HTTP client/server for asyncio
Description :
Python HTTP client/server for asyncio which supports both the client and the
server side of the HTTP protocol, client and server websocket, and webservers
with middlewares and pluggable routing.
--------------------------------------------------------------------------------
Update Information:
Security fix for CVE-2024-52304
--------------------------------------------------------------------------------
ChangeLog:
* Tue Nov 19 2024 Benjamin A. Beasley [code@musicinmybrain.net] - 3.9.5-2
- Security fix for CVE-2024-52304 (fixes RHBZ#2327154)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2327154 - CVE-2024-52304 python-aiohttp: aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2327154
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-04ceb82dc7' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--
[SECURITY] Fedora 40 Update: libsoup3-3.4.4-5.fc40
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-bd09057dd2
2024-11-28 02:44:05.515188+00:00
--------------------------------------------------------------------------------
Name : libsoup3
Product : Fedora 40
Version : 3.4.4
Release : 5.fc40
URL : https://wiki.gnome.org/Projects/libsoup
Summary : Soup, an HTTP library implementation
Description :
Libsoup is an HTTP library implementation in C. It was originally part
of a SOAP (Simple Object Access Protocol) implementation called Soup, but
the SOAP and non-SOAP parts have since been split into separate packages,
and the SOAP parts were removed long ago.
libsoup uses the GLib main loop and is designed to work well with GTK
applications. This enables GNOME applications to access HTTP servers
on the network in a completely asynchronous fashion, very similar to
the GTK+ programming model (a synchronous operation mode is also
supported for those who want it).
--------------------------------------------------------------------------------
Update Information:
Add patches to fix:
CVE-2024-52530 libsoup3: HTTP request smuggling via stripping null bytes from
the ends of header names (bug #2325358)
CVE-2024-52532 libsoup3: infinite loop while reading websocket data (bug
#2325356)
--------------------------------------------------------------------------------
ChangeLog:
* Tue Nov 12 2024 Milan Crha [mcrha@redhat.com] - 3.4.4-5
- Add a patch to fix CVE-2024-52532 (infinite loop while reading websocket
data)
* Tue Nov 12 2024 Milan Crha [mcrha@redhat.com] - 3.4.4-4
- Add a patch to fix CVE-2024-52530 (headers: Strictly don't allow NUL
bytes)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2325356 - CVE-2024-52532 libsoup3: infinite loop while reading websocket data [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2325356
[ 2 ] Bug #2325358 - CVE-2024-52530 libsoup3: HTTP request smuggling via stripping null bytes from the ends of header names [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2325358
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-bd09057dd2' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--