AlmaLinux 2318 Published by

AlmaLinux has been updated with a number of security patches, some of which are ruby:3.3, pcp, expat, openssl, fence-agents, pcp, firefox, and thunderbird:

ALSA-2024:6785: ruby:3.3 security update (Moderate)
ALSA-2024:6848: pcp security update (Important)
ALSA-2024:6754: expat security update (Moderate)
ALSA-2024:6783: openssl security update (Moderate)
ALSA-2024:6726: fence-agents security update (Important)
ALSA-2024:6837: pcp security update (Important)
ALSA-2024:6681: firefox security update (Important)
ALSA-2024:6683: thunderbird security update (Important)




ALSA-2024:6785: ruby:3.3 security update (Moderate)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 9
Type: Security
Severity: Moderate
Release date: 2024-09-19

Summary:

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.

Security Fix(es):

* rexml: DoS vulnerability in REXML (CVE-2024-39908)
* rexml: rubygem-rexml: DoS when parsing an XML having many specific characters such as whitespace character, >] and ]> (CVE-2024-41123)
* rexml: DoS vulnerability in REXML (CVE-2024-41946)
* rexml: DoS vulnerability in REXML (CVE-2024-43398)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-6785.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2024:6848: pcp security update (Important)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 9
Type: Security
Severity: Important
Release date: 2024-09-20

Summary:

Performance Co-Pilot (PCP) is a suite of tools, services, and libraries for acquisition, archiving, and analysis of system-level performance measurements. Its light-weight distributed architecture makes it particularly well-suited to centralized analysis of complex systems.

Security Fix(es):

* pcp: pmpost symlink attack allows escalating pcp to root user (CVE-2024-45770)
* pcp: pmcd heap corruption through metric pmstore operations (CVE-2024-45769)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-6848.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2024:6754: expat security update (Moderate)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 9
Type: Security
Severity: Moderate
Release date: 2024-09-19

Summary:

Expat is a C library for parsing XML documents.

Security Fix(es):

* libexpat: Negative Length Parsing Vulnerability in libexpat (CVE-2024-45490)
* libexpat: Integer Overflow or Wraparound (CVE-2024-45491)
* libexpat: integer overflow (CVE-2024-45492)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-6754.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2024:6783: openssl security update (Moderate)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 9
Type: Security
Severity: Moderate
Release date: 2024-09-19

Summary:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Security Fix(es):

* openssl: Possible denial of service in X.509 name checks (CVE-2024-6119)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-6783.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2024:6726: fence-agents security update (Important)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 9
Type: Security
Severity: Important
Release date: 2024-09-18

Summary:

The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or unreachable nodes to be forcibly restarted and removed from the cluster.

Security Fix(es):

* pypa/setuptools: Remote code execution via download functions in the package_index module in pypa/setuptools (CVE-2024-6345)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-6726.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2024:6837: pcp security update (Important)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 8
Type: Security
Severity: Important
Release date: 2024-09-20

Summary:

Performance Co-Pilot (PCP) is a suite of tools, services, and libraries for acquisition, archiving, and analysis of system-level performance measurements. Its light-weight distributed architecture makes it particularly well-suited to centralized analysis of complex systems.

Security Fix(es):

* pcp: pmpost symlink attack allows escalating pcp to root user (CVE-2024-45770)
* pcp: pmcd heap corruption through metric pmstore operations (CVE-2024-45769)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2024-6837.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2024:6681: firefox security update (Important)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 9
Type: Security
Severity: Important
Release date: 2024-09-20

Summary:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

* firefox: 115.15/128.2 ESR ()
* mozilla: Type confusion when looking up a property name in a "with" block (CVE-2024-8381)
* mozilla: Internal event interfaces were exposed to web content when browser EventHandler listener callbacks ran (CVE-2024-8382)
* mozilla: Firefox did not ask before openings news: links in an external application (CVE-2024-8383)
* mozilla: Garbage collection could mis-color cross-compartment objects in OOM conditions (CVE-2024-8384)
* mozilla: WASM type confusion involving ArrayTypes (CVE-2024-8385)
* mozilla: SelectElements could be shown over another site if popups are allowed (CVE-2024-8386)
* mozilla: Memory safety bugs fixed in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2 (CVE-2024-8387)
* mozilla: Type Confusion in Async Generators in Javascript Engine (CVE-2024-7652)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-6681.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2024:6683: thunderbird security update (Important)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 9
Type: Security
Severity: Important
Release date: 2024-09-20

Summary:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

* thunderbird: 115.15/128.2 ()
* mozilla: Type confusion when looking up a property name in a "with" block (CVE-2024-8381)
* mozilla: Internal event interfaces were exposed to web content when browser EventHandler listener callbacks ran (CVE-2024-8382)
* mozilla: Garbage collection could mis-color cross-compartment objects in OOM conditions (CVE-2024-8384)
* mozilla: WASM type confusion involving ArrayTypes (CVE-2024-8385)
* mozilla: SelectElements could be shown over another site if popups are allowed (CVE-2024-8386)
* mozilla: Memory safety bugs fixed in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2 (CVE-2024-8387)
* thunderbird: Crash when aborting verification of OTR chat (CVE-2024-8394)
* mozilla: Type Confusion in Async Generators in Javascript Engine (CVE-2024-7652)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-6683.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team