Fedora Linux

The following updates have been released for Fedora Linux:

[SECURITY] Fedora 40 Update: tor-0.4.8.12-2.fc40
[SECURITY] Fedora 39 Update: httpd-2.4.62-2.fc39
[SECURITY] Fedora 39 Update: bind-dyndb-ldap-11.10-26.fc39
[SECURITY] Fedora 39 Update: bind-9.18.28-2.fc39




[SECURITY] Fedora 40 Update: tor-0.4.8.12-2.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-3f9eb3c86c
2024-08-16 13:06:34.143852
--------------------------------------------------------------------------------

Name : tor
Product : Fedora 40
Version : 0.4.8.12
Release : 2.fc40
URL : https://www.torproject.org
Summary : Anonymizing overlay network for TCP
Description :
The Tor network is a group of volunteer-operated servers that allows people to
improve their privacy and security on the Internet. Tor's users employ this
network by connecting through a series of virtual tunnels rather than making a
direct connection, thus allowing both organizations and individuals to share
information over public networks without compromising their privacy. Along the
same line, Tor is an effective censorship circumvention tool, allowing its
users to reach otherwise blocked destinations or content. Tor can also be used
as a building block for software developers to create new communication tools
with built-in privacy features.

This package contains the Tor software that can act as either a server on the
Tor network, or as a client to connect to the Tor network.

--------------------------------------------------------------------------------
Update Information:

Re-add systemd-devel as build dependency so the daemon knows how to notify
systemd that it was started - fixes bz#2302910
--------------------------------------------------------------------------------
ChangeLog:

* Tue Aug 6 2024 Marcel Härry - 0.4.8.12-2
- Re-add systemd-devel as build dependency so the daemon knows how to notify systemd that it was started - fixes bz#2302910
* Sat Aug 3 2024 Marcel Härry - 0.4.8.12-1
- update to latest upstream release https://forum.torproject.org/t/stable-release-0-4-8-12/13060
- Security fixes: bz#2248564, bz#2281499, bz#2281500, bz#2281502, bz#2281503
- switch to sysusers based user provisioning approach - fixes bz#2252618
- Add legacy openssl build dependency from F41 on - fixes FTBS / bz#2301334
- since we can now drop EL7 support we can also cleanup systemd handling
* Sat Jul 20 2024 Fedora Release Engineering - 0.4.8.11-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2252618 - Tor.service fails to start
https://bugzilla.redhat.com/show_bug.cgi?id=2252618
[ 2 ] Bug #2281499 - CVE-2024-35312 tor: STUB circuits incorrect length [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2281499
[ 3 ] Bug #2281503 - CVE-2024-35313 tor: STUB circuits incorrect length [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2281503
[ 4 ] Bug #2302910 - tor-0.4.8.12-1.fc40 systemd unit constantly restarts due to timeout even though it successfully started
https://bugzilla.redhat.com/show_bug.cgi?id=2302910
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-3f9eb3c86c' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 39 Update: httpd-2.4.62-2.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-ef8a7031e7
2024-08-17 01:50:55.915304
--------------------------------------------------------------------------------

Name : bind
Product : Fedora 39
Version : 9.18.28
Release : 2.fc39
URL : https://www.isc.org/downloads/bind/
Summary : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
Description :
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
(Domain Name System) protocols. BIND includes a DNS server (named),
which resolves host names to IP addresses; a resolver library
(routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating properly.

--------------------------------------------------------------------------------
Update Information:

Update to BIND 9.18.28

Security Fixes

- A malicious DNS client that sent many queries over TCP but never read the
  responses could cause a server to respond slowly or not at all for other
  clients. This has been fixed. (CVE-2024-0760) [GL #4481]
- It is possible to craft excessively large resource records sets, which have the
  effect of slowing down database processing. This has been addressed by adding a
  configurable limit to the number of records that can be stored per name and type
  in a cache or zone database. The default is 100, which can be tuned with the new
  max-records-per-type option. [GL #497] [GL #3405]
- It is possible to craft excessively large numbers of resource record types for a
  given owner name, which has the effect of slowing down database processing. This
  has been addressed by adding a configurable limit to the number of records that
  can be stored per name and type in a cache or zone database. The default is 100,
  which can be tuned with the new max-types-per-name option. (CVE-2024-1737)
  [GL #3403]
  ISC would like to thank Toshifumi Sakaguchi who independently discovered and
  responsibly reported the issue to ISC. [GL #4548]
- Validating DNS messages signed using the SIG(0) protocol (RFC 2931) could cause
  excessive CPU load, leading to a denial-of-service condition. Support for SIG(0)
  message validation was removed from this version of named. (CVE-2024-1975)
  [GL #4480]
- Due to a logic error, lookups that triggered serving stale data and required
  lookups in local authoritative zone data could have resulted in an assertion
  failure. This has been fixed. (CVE-2024-4076) [GL #4507]
- Potential data races were found in our DoH implementation, related to HTTP/2
  session object management and endpoints set object management after
  reconfiguration. These issues have been fixed. [GL #4473]
  ISC would like to thank Dzintars and Ivo from nic.lv for bringing this to our
  attention.
- When looking up the NS records of parent zones as part of looking up DS records,
  it was possible for named to trigger an assertion failure if serve-stale was
  enabled. This has been fixed. [GL #4661]

https://downloads.isc.org/isc/bind9/9.18.28/doc/arm/html/notes.html
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jul 31 2024 Petr Menšík - 32:9.18.28-2
- Conflict explicitly with more bind subpackages
- Make relative documentation links
* Fri Jul 26 2024 Jonathan Wright - 32:9.18.28-1
- update to 9.18.28 rhbz#2299467
- Fixes CVE-2024-4076
- Fixes CVE-2024-1975
- Fixes CVE-2024-1737
- Fixes CVE-2024-0760
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2299467 - bind-9.18.28 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2299467
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-ef8a7031e7' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 39 Update: bind-dyndb-ldap-11.10-26.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-ef8a7031e7
2024-08-17 01:50:55.915304
--------------------------------------------------------------------------------

Name : bind-dyndb-ldap
Product : Fedora 39
Version : 11.10
Release : 26.fc39
URL : https://releases.pagure.org/bind-dyndb-ldap
Summary : LDAP back-end plug-in for BIND
Description :
This package provides an LDAP back-end plug-in for BIND. It features
support for dynamic updates and internal caching, to lift the load
off of your LDAP server.

--------------------------------------------------------------------------------
Update Information:

Update to BIND 9.18.28

Security Fixes

- A malicious DNS client that sent many queries over TCP but never read the
  responses could cause a server to respond slowly or not at all for other
  clients. This has been fixed. (CVE-2024-0760) [GL #4481]
- It is possible to craft excessively large resource records sets, which have the
  effect of slowing down database processing. This has been addressed by adding a
  configurable limit to the number of records that can be stored per name and type
  in a cache or zone database. The default is 100, which can be tuned with the new
  max-records-per-type option. [GL #497] [GL #3405]
- It is possible to craft excessively large numbers of resource record types for a
  given owner name, which has the effect of slowing down database processing. This
  has been addressed by adding a configurable limit to the number of records that
  can be stored per name and type in a cache or zone database. The default is 100,
  which can be tuned with the new max-types-per-name option. (CVE-2024-1737)
  [GL #3403]
  ISC would like to thank Toshifumi Sakaguchi who independently discovered and
  responsibly reported the issue to ISC. [GL #4548]
- Validating DNS messages signed using the SIG(0) protocol (RFC 2931) could cause
  excessive CPU load, leading to a denial-of-service condition. Support for SIG(0)
  message validation was removed from this version of named. (CVE-2024-1975)
  [GL #4480]
- Due to a logic error, lookups that triggered serving stale data and required
  lookups in local authoritative zone data could have resulted in an assertion
  failure. This has been fixed. (CVE-2024-4076) [GL #4507]
- Potential data races were found in our DoH implementation, related to HTTP/2
  session object management and endpoints set object management after
  reconfiguration. These issues have been fixed. [GL #4473]
  ISC would like to thank Dzintars and Ivo from nic.lv for bringing this to our
  attention.
- When looking up the NS records of parent zones as part of looking up DS records,
  it was possible for named to trigger an assertion failure if serve-stale was
  enabled. This has been fixed. [GL #4661]

https://downloads.isc.org/isc/bind9/9.18.28/doc/arm/html/notes.html
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jul 31 2024 Petr Menšík - 11.10-26
- Rebuilt for BIND 9.18.28 (#2299467)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2299467 - bind-9.18.28 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2299467
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-ef8a7031e7' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 39 Update: bind-9.18.28-2.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-ef8a7031e7
2024-08-17 01:50:55.915304
--------------------------------------------------------------------------------

Name : bind
Product : Fedora 39
Version : 9.18.28
Release : 2.fc39
URL : https://www.isc.org/downloads/bind/
Summary : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
Description :
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
(Domain Name System) protocols. BIND includes a DNS server (named),
which resolves host names to IP addresses; a resolver library
(routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating properly.

--------------------------------------------------------------------------------
Update Information:

Update to BIND 9.18.28

Security Fixes

- A malicious DNS client that sent many queries over TCP but never read the
  responses could cause a server to respond slowly or not at all for other
  clients. This has been fixed. (CVE-2024-0760) [GL #4481]
- It is possible to craft excessively large resource records sets, which have the
  effect of slowing down database processing. This has been addressed by adding a
  configurable limit to the number of records that can be stored per name and type
  in a cache or zone database. The default is 100, which can be tuned with the new
  max-records-per-type option. [GL #497] [GL #3405]
- It is possible to craft excessively large numbers of resource record types for a
  given owner name, which has the effect of slowing down database processing. This
  has been addressed by adding a configurable limit to the number of records that
  can be stored per name and type in a cache or zone database. The default is 100,
  which can be tuned with the new max-types-per-name option. (CVE-2024-1737)
  [GL #3403]
  ISC would like to thank Toshifumi Sakaguchi who independently discovered and
  responsibly reported the issue to ISC. [GL #4548]
- Validating DNS messages signed using the SIG(0) protocol (RFC 2931) could cause
  excessive CPU load, leading to a denial-of-service condition. Support for SIG(0)
  message validation was removed from this version of named. (CVE-2024-1975)
  [GL #4480]
- Due to a logic error, lookups that triggered serving stale data and required
  lookups in local authoritative zone data could have resulted in an assertion
  failure. This has been fixed. (CVE-2024-4076) [GL #4507]
- Potential data races were found in our DoH implementation, related to HTTP/2
  session object management and endpoints set object management after
  reconfiguration. These issues have been fixed. [GL #4473]
  ISC would like to thank Dzintars and Ivo from nic.lv for bringing this to our
  attention.
- When looking up the NS records of parent zones as part of looking up DS records,
  it was possible for named to trigger an assertion failure if serve-stale was
  enabled. This has been fixed. [GL #4661]

https://downloads.isc.org/isc/bind9/9.18.28/doc/arm/html/notes.html
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jul 31 2024 Petr Menšík - 32:9.18.28-2
- Conflict explicitly with more bind subpackages
- Make relative documentation links
* Fri Jul 26 2024 Jonathan Wright - 32:9.18.28-1
- update to 9.18.28 rhbz#2299467
- Fixes CVE-2024-4076
- Fixes CVE-2024-1975
- Fixes CVE-2024-1737
- Fixes CVE-2024-0760
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2299467 - bind-9.18.28 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2299467
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-ef8a7031e7' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
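
Added example (not part of the Fedora advisory or of BIND): a pre-upgrade audit that counts records per name and type, and types per name, in zone data and reports anything above the default of 100 that the BIND 9.18.28 notes above give for max-records-per-type and max-types-per-name. It assumes one record per line in the form "owner TTL class type rdata" with fully qualified owners, and it treats only counts strictly above the limit as violations; the function names and the sample zone are constructed for illustration.

```python
from collections import defaultdict

MAX_RECORDS_PER_TYPE = 100  # default stated in the release notes above
MAX_TYPES_PER_NAME = 100    # default stated in the release notes above


def audit_zone(lines, max_records=MAX_RECORDS_PER_TYPE, max_types=MAX_TYPES_PER_NAME):
    """Return (oversized_rrsets, crowded_names) for one-record-per-line zone text.

    Assumed input: "owner TTL class type rdata..." per line, no $directives
    and no multi-line records. Counts above the limit are reported.
    """
    rrset_sizes = defaultdict(int)  # (owner, type) -> number of records
    types_seen = defaultdict(set)   # owner -> distinct record types
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or whole-line comment
        fields = line.split(None, 4)
        if len(fields) < 5:
            raise ValueError(f"unexpected record format: {raw!r}")
        owner, rrtype = fields[0].lower(), fields[3].upper()  # names are case-insensitive
        rrset_sizes[(owner, rrtype)] += 1
        types_seen[owner].add(rrtype)
    oversized = {k: n for k, n in rrset_sizes.items() if n > max_records}
    crowded = {o: len(t) for o, t in types_seen.items() if len(t) > max_types}
    return oversized, crowded


def sample_zone():
    """Constructed sample data, not taken from a real zone."""
    lines = [
        "; constructed sample zone",
        "example. 3600 IN SOA ns.example. admin.example. 1 7200 3600 1209600 3600",
    ]
    lines += [f"ok.example. 300 IN A 192.0.2.{i}" for i in range(1, 101)]      # 100 records
    lines += [f"BIG.example. 300 IN A 198.51.100.{i}" for i in range(1, 102)]  # 101 records
    # 101 distinct types on one name, written in RFC 3597 generic TYPEnnn syntax
    lines += [f"many.example. 300 IN TYPE{65280 + i} \\# 1 00" for i in range(101)]
    return lines


if __name__ == "__main__":
    oversized, crowded = audit_zone(sample_zone())
    for (owner, rrtype), count in sorted(oversized.items()):
        print(f"{owner} {rrtype}: {count} records exceeds max-records-per-type")
    for owner, count in sorted(crowded.items()):
        print(f"{owner}: {count} types exceeds max-types-per-name")
```

Names or RRsets flagged here need either cleanup or an explicit higher value for the corresponding option before the update is applied.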