
Fedora Linux has received various security updates, such as unbound-1.21.1-3.fc40, p7zip-16.02-31.fc40, aws-2020-16.1.fc40, chromium-129.0.6668.89-1.fc39, aws-2020-12.1.fc39, and webkitgtk-2.46.1-1.fc41:

[SECURITY] Fedora 40 Update: unbound-1.21.1-3.fc40
[SECURITY] Fedora 40 Update: p7zip-16.02-31.fc40
[SECURITY] Fedora 40 Update: aws-2020-16.1.fc40
[SECURITY] Fedora 39 Update: chromium-129.0.6668.89-1.fc39
[SECURITY] Fedora 39 Update: aws-2020-12.1.fc39
[SECURITY] Fedora 41 Update: webkitgtk-2.46.1-1.fc41




[SECURITY] Fedora 40 Update: unbound-1.21.1-3.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-c07e065747
2024-10-06 02:10:55.593791
--------------------------------------------------------------------------------

Name : unbound
Product : Fedora 40
Version : 1.21.1
Release : 3.fc40
URL : https://nlnetlabs.nl/projects/unbound/
Summary : Validating, recursive, and caching DNS(SEC) resolver
Description :
Unbound is a validating, recursive, and caching DNS(SEC) resolver.

The C implementation of Unbound is developed and maintained by NLnet
Labs. It is based on ideas and algorithms taken from a java prototype
developed by Verisign labs, Nominet, Kirei and ep.net.

Unbound is designed as a set of modular components, so that also
DNSSEC (secure DNS) validation and stub-resolvers (that do not run
as a server, but are linked into an application) are easily possible.

--------------------------------------------------------------------------------
Update Information:

Fixes CVE-2024-8508
https://github.com/NLnetLabs/unbound/releases/tag/release-1.21.1
--------------------------------------------------------------------------------
ChangeLog:

* Thu Oct 3 2024 Petr Menšík - 1.21.1-3
- Remove additional subdirectory for python3 build
* Thu Oct 3 2024 Petr Menšík - 1.21.1-2
- Enable native dynamic modules
* Thu Oct 3 2024 Petr Menšík - 1.21.1-1
- Update to 1.21.1 (rhbz#2316313)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2303461 - CVE-2024-43167 unbound: NULL Pointer Dereference in Unbound [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2303461
[ 2 ] Bug #2316313 - unbound-1.21.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2316313
[ 3 ] Bug #2316358 - CVE-2024-8508 unbound: Unbounded name compression could lead to Denial of Service [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2316358
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-c07e065747' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 40 Update: p7zip-16.02-31.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-5c99e1d579
2024-10-06 02:10:55.593798
--------------------------------------------------------------------------------

Name : p7zip
Product : Fedora 40
Version : 16.02
Release : 31.fc40
URL : http://p7zip.sourceforge.net/
Summary : Very high compression ratio file archiver
Description :
p7zip is a port of 7za.exe for Unix. 7-Zip is a file archiver with a very high
compression ratio. The original version can be found at http://www.7-zip.org/.

--------------------------------------------------------------------------------
Update Information:

Fix wrapper to hide password from process history
--------------------------------------------------------------------------------
ChangeLog:

* Fri Oct 4 2024 Sérgio Basto - 16.02-31
- Fix wrapper to hide password from process history
* Wed Sep 4 2024 Miroslav Suchý - 16.02-30
- convert license to SPDX
* Thu Jul 18 2024 Fedora Release Engineering - 16.02-29
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1547484 - Encryption password disclosure
https://bugzilla.redhat.com/show_bug.cgi?id=1547484
[ 2 ] Bug #2316073 - 7z wrapper jeopardizing the effort to hide password from commandline parameters
https://bugzilla.redhat.com/show_bug.cgi?id=2316073
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-5c99e1d579' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------



[SECURITY] Fedora 40 Update: aws-2020-16.1.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-63f98f8c60
2024-10-06 02:10:55.593602
--------------------------------------------------------------------------------

Name : aws
Product : Fedora 40
Version : 2020
Release : 16.1.fc40
URL : http://libre.adacore.com/tools/aws
Summary : Ada Web Server
Description :
AWS is a complete framework to develop Web based applications.
The main part of the framework is the embedded Web server.
This small yet powerful Web server can be embedded into your application
so your application will be able to talk with a standard Web browser.
Around this Web server a lot of services have been developed.

--------------------------------------------------------------------------------
Update Information:

CVE-2024-41708: Ada Web Server did not use a cryptographically secure
pseudorandom number generator.
AWS.Utils.Random and AWS.Utils.Random_String used Ada.Numerics.Discrete_Random,
which is not designed to be cryptographically secure. Random_String also
introduced a bias in the generated pseudorandom string values, where the values
"1" and "2" had a much higher frequency than any other character.
The internal state of the Mersenne Twister PRNG could be revealed, and lead to a
session hijacking attack.
This update fixes the problem by using /dev/urandom instead of Discrete_Random.
More details: https://docs.adacore.com/corp/security-advisories/SEC.AWS-0040-v2.pdf
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep 27 2024 Björn Persson - 2020-16.1
- Fixed to use /dev/urandom instead of a non-cryptographic PRNG.
Resolves: CVE-2024-41708 (RHBZ#2314766)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2314766 - CVE-2024-41708 aws: Random Number Generator of Ada is not cryptographically secure [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2314766
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-63f98f8c60' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------



[SECURITY] Fedora 39 Update: chromium-129.0.6668.89-1.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-7aba3c1531
2024-10-06 01:25:35.527082
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 39
Version : 129.0.6668.89
Release : 1.fc39
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

update to 129.0.6668.89
High CVE-2024-7025: Integer overflow in Layout
High CVE-2024-9369: Insufficient data validation in Mojo
High CVE-2024-9370: Inappropriate implementation in V8
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 2 2024 Than Ngo [than@redhat.com] - 129.0.6668.89-1
- update to 129.0.6668.89
* High CVE-2024-7025: Integer overflow in Layout
* High CVE-2024-9369: Insufficient data validation in Mojo
* High CVE-2024-9370: Inappropriate implementation in V8
* Mon Sep 30 2024 Than Ngo [than@redhat.com] - 129.0.6668.70-3
- add clang-19 support
* Fri Sep 27 2024 Dominik Mierzejewski [dominik@greysector.net] - 129.0.6668.70-2
- Rebuilt for FFmpeg 7
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2314382 - CVE-2021-38023 chromium: Use after free in Extensions in Google Chrome [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2314382
[ 2 ] Bug #2314384 - CVE-2018-20072 chromium: Insufficient data validation in PDF in Google Chrome [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2314384
[ 3 ] Bug #2314582 - CVE-2024-9121 chromium: Inappropriate implementation in V8 [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2314582
[ 4 ] Bug #2314584 - CVE-2024-9120 chromium: Use after free in Dawn [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2314584
[ 5 ] Bug #2314589 - CVE-2024-9123 chromium: Integer overflow in Skia in Google Chrome [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2314589
[ 6 ] Bug #2314590 - CVE-2024-9122 chromium: Type Confusion in V8 [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2314590
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-7aba3c1531' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------



[SECURITY] Fedora 39 Update: aws-2020-12.1.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-d940f25a53
2024-10-06 01:25:35.526962
--------------------------------------------------------------------------------

Name : aws
Product : Fedora 39
Version : 2020
Release : 12.1.fc39
URL : http://libre.adacore.com/tools/aws
Summary : Ada Web Server
Description :
AWS is a complete framework to develop Web based applications.
The main part of the framework is the embedded Web server.
This small yet powerful Web server can be embedded into your application
so your application will be able to talk with a standard Web browser.
Around this Web server a lot of services have been developed.

--------------------------------------------------------------------------------
Update Information:

CVE-2024-41708: Ada Web Server did not use a cryptographically secure
pseudorandom number generator.
AWS.Utils.Random and AWS.Utils.Random_String used Ada.Numerics.Discrete_Random,
which is not designed to be cryptographically secure. Random_String also
introduced a bias in the generated pseudorandom string values, where the values
"1" and "2" had a much higher frequency than any other character.
The internal state of the Mersenne Twister PRNG could be revealed, and lead to a
session hijacking attack.
This update fixes the problem by using /dev/urandom instead of Discrete_Random.
More details: https://docs.adacore.com/corp/security-advisories/SEC.AWS-0040-v2.pdf
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep 27 2024 Björn Persson - 2020-12.1
- Fixed to use /dev/urandom instead of a non-cryptographic PRNG.
Resolves: CVE-2024-41708 (RHBZ#2314766)
* Wed Jul 19 2023 Fedora Release Engineering - 2020-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2314766 - CVE-2024-41708 aws: Random Number Generator of Ada is not cryptographically secure [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2314766
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-d940f25a53' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------
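
Added example (not code from AWS, AdaCore or Fedora): the two aws advisories above describe a biased, non-cryptographic Random_String being replaced by reads from /dev/urandom. The Python sketch below contrasts a constructed weak token generator with one backed by the OS CSPRNG and measures character bias with a chi-square test. The alphabet, the function names and the modulo bias are assumptions and do not reproduce the actual AWS defect.

```python
import os
import random
from collections import Counter

# Assumed 62-character token alphabet; the advisory does not state the one AWS uses.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def weak_token(length, rng):
    """Constructed 'before' pattern: Mersenne Twister output reduced with a
    plain modulo. 256 is not a multiple of 62, so the first 8 characters of
    ALPHABET come up 5/256 of the time and the rest 4/256."""
    return "".join(ALPHABET[rng.getrandbits(8) % len(ALPHABET)] for _ in range(length))


def secure_token(length):
    """'After' pattern: bytes from the kernel CSPRNG (os.urandom, the same
    source as /dev/urandom on Linux) with rejection sampling, so every
    character is equally likely."""
    limit = 256 - (256 % len(ALPHABET))  # 248: largest multiple of 62 <= 256
    out = []
    while len(out) < length:
        for b in os.urandom(length):
            if b < limit and len(out) < length:
                out.append(ALPHABET[b % len(ALPHABET)])
    return "".join(out)


def chi_square(sample):
    """Pearson chi-square statistic of character counts against a uniform
    distribution over ALPHABET (61 degrees of freedom)."""
    expected = len(sample) / len(ALPHABET)
    counts = Counter(sample)
    return sum((counts.get(c, 0) - expected) ** 2 / expected for c in ALPHABET)


def audit(n_chars=200_000):
    """Return (weak_stat, secure_stat). For 61 degrees of freedom a value
    above roughly 100 already rejects uniformity at p < 0.001."""
    rng = random.Random(2024)  # random.Random is MT19937; fixed seed for a repeatable run
    return chi_square(weak_token(n_chars, rng)), chi_square(secure_token(n_chars))


if __name__ == "__main__":
    weak, secure = audit()
    print(f"weak chi2={weak:.0f}  secure chi2={secure:.0f}")
```

The same chi-square check can be pointed at session identifiers collected from a deployed service to confirm that the updated package is the one generating them.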



[SECURITY] Fedora 41 Update: webkitgtk-2.46.1-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-b142cc07d0
2024-10-06 00:14:35.556440
--------------------------------------------------------------------------------

Name : webkitgtk
Product : Fedora 41
Version : 2.46.1
Release : 1.fc41
URL : https://www.webkitgtk.org/
Summary : GTK web content engine library
Description :
WebKitGTK is the port of the WebKit web rendering engine to the
GTK platform.

--------------------------------------------------------------------------------
Update Information:

Fix login QR code not shown in WhatsApp web.
Disable PSON by default again in GTK 3 API versions.
Disable DMABuf video sink by default to prevent file descriptor leaks.
Fix several crashes and rendering issues.
Use Skia instead of cairo for 2D rendering and enable GPU rendering by default.
Enable offscreen canvas by default.
Add support for system tracing with Sysprof.
Implement printing using the Print portal.
Add new API to load settings from a config file.
Add a new setting to enable or disable the 2D canvas acceleration (enabled by
default).
Undeprecate console messages API and make it available in 6.0 API.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Sep 30 2024 Michael Catanzaro - 2.46.1-1
- Update to 2.46.1
* Tue Sep 17 2024 Dan Horák - 2.46.0-2
- enable build with clang on ppc64le
* Tue Sep 17 2024 Michael Catanzaro - 2.46.0-1
- Upgrade to 2.46.0
* Mon Sep 9 2024 Michael Catanzaro - 2.45.92-3
- Revert use of -fdebug-types-section flag
* Wed Sep 4 2024 Michael Catanzaro - 2.45.92-2
- Disable LTO on ppc64le
* Tue Sep 3 2024 Michael Catanzaro - 2.45.92-1
- Update to 2.45.92
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2314732 - CVE-2024-44187 webkitgtk: A malicious website may exfiltrate data cross-origin [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2314732
[ 2 ] Bug #2314759 - CVE-2024-40866 webkitgtk: Visiting a malicious website may lead to address bar spoofing [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2314759
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-b142cc07d0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------