AlmaLinux 2325 Published by

AlmaLinux has been updated with multiple security enhancements, including updates for skopeo, libsndfile, pam, mpg123, containernetworking-plugins, edk2, unbound. php:8.2, gstreamer1-plugins-good, python3.11-urllib3, gstreamer1-plugins-base, PHP version 8.1, kernel, Python versions 3.11, 3.12, and 3.9: 3.9.21.

ALSA-2024:11217: skopeo security update (Important)
ALSA-2024:11237: libsndfile:1.0.31 security update (Moderate)
ALSA-2024:11250: pam security update (Moderate)
ALSA-2024:11242: mpg123:1.32.9 security update (Moderate)
ALSA-2024:11216: containernetworking-plugins security update (Moderate)
ALSA-2024:11219: edk2:20240524 security update (Moderate)
ALSA-2024:11232: unbound:1.16.2 security update (Moderate)
ALSA-2024:10949: php:8.2 security update (Moderate)
ALSA-2024:11122: gstreamer1-plugins-good security update (Important)
ALSA-2024:11238: python3.11-urllib3 security update (Moderate)
ALSA-2024:11123: gstreamer1-plugins-base security update (Important)
ALSA-2024:10950: php:8.1 security update (Moderate)
ALSA-2024:10939: kernel security update (Moderate)
ALSA-2024:11111: python3.11 security update (Moderate)
ALSA-2024:10978: python3.12 security update (Important)
ALSA-2024:10983: python3.9:3.9.21 security update (Moderate)




ALSA-2024:11217: skopeo security update (Important)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 9
Type: Security
Severity: Important
Release date: 2024-12-23

Summary:

The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and verify files.

Security Fix(es):

* encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-11217.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2024:11237: libsndfile:1.0.31 security update (Moderate)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 9
Type: Security
Severity: Moderate
Release date: 2024-12-23

Summary:

libsndfile is a C library for reading and writing files containing sampled sound, such as AIFF, AU, or WAV.

Security Fix(es):

* libsndfile: Segmentation fault error in ogg_vorbis.c:417 vorbis_analysis_wrote() (CVE-2024-50612)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-11237.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2024:11250: pam security update (Moderate)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 9
Type: Security
Severity: Moderate
Release date: 2024-12-23

Summary:

Pluggable Authentication Modules (PAM) provide a system to set up authentication policies without the need to recompile programs to handle authentication.

Security Fix(es):

* pam: libpam: Libpam vulnerable to read hashed password (CVE-2024-10041)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-11250.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2024:11242: mpg123:1.32.9 security update (Moderate)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 9
Type: Security
Severity: Moderate
Release date: 2024-12-23

Summary:

The mpg123 packages contain real time MPEG 1.0/2.0/2.5 audio player/decoder for layers 1, 2, and 3 (most commonly MPEG 1.0 layer 3 also known as MP3), as well as re-usable decoding and output libraries.

Security Fix(es):

* mpg123: Buffer overflow when writing decoded PCM samples (CVE-2024-10573)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-11242.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2024:11216: containernetworking-plugins security update (Moderate)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 9
Type: Security
Severity: Moderate
Release date: 2024-12-23

Summary:

The Container Network Interface (CNI) project consists of a specification and libraries for writing plug-ins for configuring network interfaces in Linux containers, along with a number of supported plug-ins. CNI concerns itself only with network connectivity of containers and removing allocated resources when the container is deleted.

Security Fix(es):

* encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-11216.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2024:11219: edk2:20240524 security update (Moderate)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 9
Type: Security
Severity: Moderate
Release date: 2024-12-23

Summary:

EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM.

Security Fix(es):

* edk2: Integer overflows in PeCoffLoaderRelocateImage (CVE-2024-38796)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-11219.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2024:11232: unbound:1.16.2 security update (Moderate)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 9
Type: Security
Severity: Moderate
Release date: 2024-12-23

Summary:

The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver.

Security Fix(es):

* unbound: Unbounded name compression could lead to Denial of Service (CVE-2024-8508)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-11232.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2024:10949: php:8.2 security update (Moderate)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 9
Type: Security
Severity: Moderate
Release date: 2024-12-16

Summary:

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

Security Fix(es):

* php: host/secure cookie bypass due to partial CVE-2022-31629 fix (CVE-2024-2756)
* php: password_verify can erroneously return true, opening ATO risk (CVE-2024-3096)
* php: Filter bypass in filter_var (FILTER_VALIDATE_URL) (CVE-2024-5458)
* php: Erroneous parsing of multipart form data (CVE-2024-8925)
* php: cgi.force_redirect configuration is bypassable due to the environment variable collision (CVE-2024-8927)
* php: PHP-FPM Log Manipulation Vulnerability (CVE-2024-9026)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-10949.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2024:11122: gstreamer1-plugins-good security update (Important)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 9
Type: Security
Severity: Important
Release date: 2024-12-23

Summary:

GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license.

Security Fix(es):

* gstreamer1-plugins-good: uninitialized stack memory in Matroska/WebM demuxer (CVE-2024-47540)
* gstreamer1-plugins-good: OOB-write in isomp4/qtdemux.c (CVE-2024-47537)
* gstreamer1-plugins-good: OOB-write in convert_to_s334_1a (CVE-2024-47539)
* gstreamer1-plugins-good: null pointer dereference in gst_gdk_pixbuf_dec_flush (CVE-2024-47613)
* gstreamer1-plugins-good: integer overflows in MP4/MOV demuxer and memory allocator that can lead to out-of-bounds writes (CVE-2024-47606)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-11122.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2024:11238: python3.11-urllib3 security update (Moderate)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 9
Type: Security
Severity: Moderate
Release date: 2024-12-23

Summary:

The python-urllib3 package provides the Python HTTP module with connection pooling and file POST abilities.

Security Fix(es):

* urllib3: Request body not stripped after redirect from 303 status changes request method to GET (CVE-2023-45803)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-11238.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2024:11123: gstreamer1-plugins-base security update (Important)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 9
Type: Security
Severity: Important
Release date: 2024-12-23

Summary:

GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-base packages contain a collection of well-maintained base plug-ins.

Security Fix(es):

* gstreamer1-plugins-base: GStreamer has a stack-buffer overflow in vorbis_handle_identification_packet (CVE-2024-47538)
* gstreamer1-plugins-base: out-of-bounds write in Ogg demuxer (CVE-2024-47615)
* gstreamer1-plugins-base: stack-buffer overflow in gst_opus_dec_parse_header (CVE-2024-47607)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-11123.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2024:10950: php:8.1 security update (Moderate)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 9
Type: Security
Severity: Moderate
Release date: 2024-12-16

Summary:

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

Security Fix(es):

* php: host/secure cookie bypass due to partial CVE-2022-31629 fix (CVE-2024-2756)
* php: password_verify can erroneously return true, opening ATO risk (CVE-2024-3096)
* php: Filter bypass in filter_var (FILTER_VALIDATE_URL) (CVE-2024-5458)
* php: Erroneous parsing of multipart form data (CVE-2024-8925)
* php: cgi.force_redirect configuration is bypassable due to the environment variable collision (CVE-2024-8927)
* php: PHP-FPM Log Manipulation Vulnerability (CVE-2024-9026)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-10950.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2024:10939: kernel security update (Moderate)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 9
Type: Security
Severity: Moderate
Release date: 2024-12-16

Summary:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: net/smc: fix illegal rmb_desc access in SMC-D connection dump (CVE-2024-26615)
* kernel: block: initialize integrity buffer to zero before writing it to media (CVE-2024-43854)
* kernel: iommu: Restore lost return in iommu_report_device_fault() (CVE-2024-44994)
* kernel: netfilter: flowtable: initialise extack before use (CVE-2024-45018)
* kernel: selinux,smack: don't bypass permissions check in inode_setsecctx hook (CVE-2024-46695)
* kernel: net: avoid potential underflow in qdisc_pkt_len_init() with UFO (CVE-2024-49949)
* kernel: netfilter: nft_payload: sanitize offset and length before calling skb_checksum() (CVE-2024-50251)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-10939.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2024:11111: python3.11 security update (Moderate)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 9
Type: Security
Severity: Moderate
Release date: 2024-12-23

Summary:

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es):

* python: Virtual environment (venv) activation scripts don't quote paths (CVE-2024-9287)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-11111.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2024:10978: python3.12 security update (Important)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 9
Type: Security
Severity: Important
Release date: 2024-12-16

Summary:

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es):

* python: Virtual environment (venv) activation scripts don't quote paths (CVE-2024-9287)
* python: Unbounded memory buffering in SelectorSocketTransport.writelines() (CVE-2024-12254)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-10978.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2024:10983: python3.9:3.9.21 security update (Moderate)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 9
Type: Security
Severity: Moderate
Release date: 2024-12-16

Summary:

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es):

* python: Virtual environment (venv) activation scripts don't quote paths (CVE-2024-9287)
* python: Improper validation of IPv6 and IPvFuture addresses (CVE-2024-11168)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-10983.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team