Fedora 41 Update: webkitgtk-2.46.6-1.fc41
Fedora 41 Update: libheif-1.19.5-3.fc41
Fedora 41 Update: nginx-mod-vts-0.2.3-3.fc41
Fedora 41 Update: nginx-mod-naxsi-1.6-9.fc41
Fedora 41 Update: nginx-mod-modsecurity-1.0.3-16.fc41
Fedora 41 Update: nginx-mod-fancyindex-0.5.2-10.fc41
Fedora 41 Update: nginx-1.26.3-1.fc41
Fedora 40 Update: krb5-1.21.3-3.fc40
Fedora 40 Update: nginx-mod-modsecurity-1.0.3-16.fc40
Fedora 40 Update: libheif-1.19.5-3.fc40
Fedora 40 Update: nginx-1.26.3-1.fc40
Fedora 40 Update: nginx-mod-naxsi-1.6-9.fc40
Fedora 40 Update: nginx-mod-vts-0.2.3-3.fc40
Fedora 40 Update: nginx-mod-fancyindex-0.5.2-8.fc40
[SECURITY] Fedora 41 Update: webkitgtk-2.46.6-1.fc41
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-3e8ed13bf0
2025-02-15 02:35:33.711279+00:00
--------------------------------------------------------------------------------
Name : webkitgtk
Product : Fedora 41
Version : 2.46.6
Release : 1.fc41
URL : https://www.webkitgtk.org/
Summary : GTK web content engine library
Description :
WebKitGTK is the port of the WebKit web rendering engine to the
GTK platform.
--------------------------------------------------------------------------------
Update Information:
Update to WebKitGTK 2.46.6:
Fix a crash when enabling Skia CPU rendering.
Fix several crashes and rendering issues.
Fix CVE-2024-54543, CVE-2025-24143, CVE-2025-24150, CVE-2025-24158,
CVE-2025-24162
--------------------------------------------------------------------------------
ChangeLog:
* Tue Feb 11 2025 Michael Catanzaro [mcatanzaro@redhat.com] - 2.46.6-1
- Update to WebKitGTK 2.46.6
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2344951 - CVE-2024-54543 webkitgtk: Processing maliciously crafted web content may lead to memory corruption [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2344951
[ 2 ] Bug #2344953 - CVE-2025-24162 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2344953
[ 3 ] Bug #2344964 - CVE-2025-24143 webkitgtk: A maliciously crafted webpage may be able to fingerprint the user [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2344964
[ 4 ] Bug #2344967 - CVE-2025-24150 webkitgtk: Copying a URL from Web Inspector may lead to command injection [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2344967
[ 5 ] Bug #2344969 - CVE-2025-24158 webkitgtk: Processing web content may lead to a denial-of-service [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2344969
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-3e8ed13bf0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 41 Update: libheif-1.19.5-3.fc41
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-8fdb7be3cb
2025-02-15 02:35:33.711225+00:00
--------------------------------------------------------------------------------
Name : libheif
Product : Fedora 41
Version : 1.19.5
Release : 3.fc41
URL : https://github.com/strukturag/libheif
Summary : HEIF and AVIF file format decoder and encoder
Description :
libheif is an ISO/IEC 23008-12:2017 HEIF and AVIF (AV1 Image File Format)
file format decoder and encoder.
--------------------------------------------------------------------------------
Update Information:
Latest upstream release. It adds support for tiles and fixes reading images
generated by iOS 18+. See https://github.com/strukturag/libheif/releases for
more details about the changes since 1.17.6.
NOTE: heif-convert tool was renamed to heif-dec.
How to test:
Download and unzip sample images from mastodon issue #31570. Try opening them
with e.g. loupe or gimp. They fail to open with libheif-1.17.6, but should open
successfully with libheif-1.19.5.
Fixes CVE-2024-41311.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Feb 5 2025 Robert-André Mauchin [zebob.m@gmail.com] - 1.19.5-3
- Rebuilt for aom 3.11.0
* Fri Jan 17 2025 Fedora Release Engineering [releng@fedoraproject.org] - 1.19.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Sun Nov 24 2024 Packit [hello@packit.dev] - 1.19.5-1
- Update to version 1.19.5
- Resolves: rhbz#2327307
* Sun Nov 17 2024 Dominik Mierzejewski [dominik@greysector.net] - 1.19.3-3
- disable OpenJPH encoder support to work-around crashes
* Sat Nov 16 2024 Sérgio Basto [sergio@serjux.com] - 1.19.3-2
- Add support to multilib in devel sub-package
- Resolves: rhbz#2279891
* Tue Nov 12 2024 Dominik Mierzejewski [dominik@greysector.net] - 1.19.3-1
- update to 1.19.3 (resolves rhbz#2295525)
- drop obsolete patches
- enable OpenH264, OpenJPH (64-bit only) and Brotli decoders
- run tests unconditionally, they no longer require special build options
- drop conditional hevc subpackage
- use fewer wildcards in the file lists
- stop building rav1e and svt AV1 encoders as plugins
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2319289 - CVE-2024-41311 libheif: OOB read and write via ImageOverlay::parse() [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2319289
[ 2 ] Bug #2332519 - Update libheif
https://bugzilla.redhat.com/show_bug.cgi?id=2332519
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-8fdb7be3cb' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
[SECURITY] Fedora 41 Update: nginx-mod-vts-0.2.3-3.fc41
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-66ebd291f8
2025-02-15 02:35:33.711202+00:00
--------------------------------------------------------------------------------
Name : nginx-mod-vts
Product : Fedora 41
Version : 0.2.3
Release : 3.fc41
URL : https://github.com/vozlt/nginx-module-vts
Summary : Nginx virtual host traffic status module
Description :
Nginx virtual host traffic status module.
--------------------------------------------------------------------------------
Update Information:
Changes with nginx 1.26.3 05 Feb 2025
*) Security: insufficient check in virtual servers handling with TLSv1.3
SNI allowed to reuse SSL sessions in a different virtual server, to
bypass client SSL certificates verification (CVE-2025-23419).
*) Bugfix: in the ngx_http_mp4_module.
Thanks to Nils Bars.
*) Workaround: "gzip filter failed to use preallocated memory" alerts
appeared in logs when using zlib-ng.
*) Bugfix: nginx could not build libatomic library using the library
sources if the --with-libatomic=DIR option was used.
*) Bugfix: nginx now ignores QUIC version negotiation packets from
clients.
*) Bugfix: nginx could not be built on Solaris 10 and earlier with the
ngx_http_v3_module.
*) Bugfixes in HTTP/3.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Feb 6 2025 Felix Kaechele [felix@kaechele.ca] - 0.2.3-3
- Rebuild for nginx 1.26.3
* Fri Jan 17 2025 Fedora Release Engineering [releng@fedoraproject.org] - 0.2.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Thu Jan 2 2025 Mikel Olasagasti Uranga [mikel@olasagasti.info] - 0.2.3-1
- Update to 0.2.3 rhbz#2335121
* Mon Sep 2 2024 Miroslav Suchý [msuchy@redhat.com] - 0.2.2-11
- convert license to SPDX
* Mon Aug 26 2024 Felix Kaechele [felix@kaechele.ca] - 0.2.2-10
- Rebuild for nginx 1.26.2... again.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2277663 - please switch to using systemd-sysusers to create the nginx user
https://bugzilla.redhat.com/show_bug.cgi?id=2277663
[ 2 ] Bug #2344198 - CVE-2025-23419 nginx: TLS Session Resumption Vulnerability [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2344198
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-66ebd291f8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
[SECURITY] Fedora 41 Update: nginx-mod-naxsi-1.6-9.fc41
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-66ebd291f8
2025-02-15 02:35:33.711202+00:00
--------------------------------------------------------------------------------
Name : nginx-mod-naxsi
Product : Fedora 41
Version : 1.6
Release : 9.fc41
URL : https://github.com/wargio/naxsi
Summary : nginx web application firewall module
Description :
naxsi is an nginx module that provides score based Web Application Firewall
(WAF) abilities in a highly granular fashion.
--------------------------------------------------------------------------------
Update Information:
Changes with nginx 1.26.3 05 Feb 2025
*) Security: insufficient check in virtual servers handling with TLSv1.3
SNI allowed to reuse SSL sessions in a different virtual server, to
bypass client SSL certificates verification (CVE-2025-23419).
*) Bugfix: in the ngx_http_mp4_module.
Thanks to Nils Bars.
*) Workaround: "gzip filter failed to use preallocated memory" alerts
appeared in logs when using zlib-ng.
*) Bugfix: nginx could not build libatomic library using the library
sources if the --with-libatomic=DIR option was used.
*) Bugfix: nginx now ignores QUIC version negotiation packets from
clients.
*) Bugfix: nginx could not be built on Solaris 10 and earlier with the
ngx_http_v3_module.
*) Bugfixes in HTTP/3.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Feb 6 2025 Felix Kaechele [felix@kaechele.ca] - 1.6-9
- Rebuild for nginx 1.26.3
* Fri Jan 17 2025 Fedora Release Engineering [releng@fedoraproject.org] - 1.6-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Mon Aug 26 2024 Felix Kaechele [felix@kaechele.ca] - 1.6-7
- Rebuild for nginx 1.26.2... again.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2277663 - please switch to using systemd-sysusers to create the nginx user
https://bugzilla.redhat.com/show_bug.cgi?id=2277663
[ 2 ] Bug #2344198 - CVE-2025-23419 nginx: TLS Session Resumption Vulnerability [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2344198
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-66ebd291f8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
[SECURITY] Fedora 41 Update: nginx-mod-modsecurity-1.0.3-16.fc41
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-66ebd291f8
2025-02-15 02:35:33.711202+00:00
--------------------------------------------------------------------------------
Name : nginx-mod-modsecurity
Product : Fedora 41
Version : 1.0.3
Release : 16.fc41
URL : https://github.com/SpiderLabs/ModSecurity-nginx
Summary : ModSecurity v3 nginx connector
Description :
The ModSecurity-nginx connector is the connection point between nginx and
libmodsecurity (ModSecurity v3). Said another way, this project provides a
communication channel between nginx and libmodsecurity. This connector is
required to use LibModSecurity with nginx.
The ModSecurity-nginx connector takes the form of an nginx module. The module
simply serves as a layer of communication between nginx and ModSecurity
--------------------------------------------------------------------------------
Update Information:
Changes with nginx 1.26.3 05 Feb 2025
*) Security: insufficient check in virtual servers handling with TLSv1.3
SNI allowed to reuse SSL sessions in a different virtual server, to
bypass client SSL certificates verification (CVE-2025-23419).
*) Bugfix: in the ngx_http_mp4_module.
Thanks to Nils Bars.
*) Workaround: "gzip filter failed to use preallocated memory" alerts
appeared in logs when using zlib-ng.
*) Bugfix: nginx could not build libatomic library using the library
sources if the --with-libatomic=DIR option was used.
*) Bugfix: nginx now ignores QUIC version negotiation packets from
clients.
*) Bugfix: nginx could not be built on Solaris 10 and earlier with the
ngx_http_v3_module.
*) Bugfixes in HTTP/3.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Feb 6 2025 Felix Kaechele [felix@kaechele.ca] - 1.0.3-16
- Rebuild for nginx 1.26.3
* Fri Jan 17 2025 Fedora Release Engineering [releng@fedoraproject.org] - 1.0.3-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Mon Aug 26 2024 Felix Kaechele [felix@kaechele.ca] - 1.0.3-14
- Rebuild for nginx 1.26.2... again.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2277663 - please switch to using systemd-sysusers to create the nginx user
https://bugzilla.redhat.com/show_bug.cgi?id=2277663
[ 2 ] Bug #2344198 - CVE-2025-23419 nginx: TLS Session Resumption Vulnerability [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2344198
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-66ebd291f8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
[SECURITY] Fedora 41 Update: nginx-mod-fancyindex-0.5.2-10.fc41
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-66ebd291f8
2025-02-15 02:35:33.711202+00:00
--------------------------------------------------------------------------------
Name : nginx-mod-fancyindex
Product : Fedora 41
Version : 0.5.2
Release : 10.fc41
URL : https://github.com/aperezdc/ngx-fancyindex
Summary : Nginx FancyIndex module
Description :
The Fancy Index module makes possible the generation of file listings,
like the built-in autoindex module does, but adding a touch of style.
This is possible because the module allows a certain degree of
customization of the generated content:
* Custom headers. Either local or stored remotely.
* Custom footers. Either local or stored remotely.
* Add your own CSS style rules.
* Allow choosing to sort elements by name (default),
modification time, or size; both ascending (default),
or descending.
--------------------------------------------------------------------------------
Update Information:
Changes with nginx 1.26.3 05 Feb 2025
*) Security: insufficient check in virtual servers handling with TLSv1.3
SNI allowed to reuse SSL sessions in a different virtual server, to
bypass client SSL certificates verification (CVE-2025-23419).
*) Bugfix: in the ngx_http_mp4_module.
Thanks to Nils Bars.
*) Workaround: "gzip filter failed to use preallocated memory" alerts
appeared in logs when using zlib-ng.
*) Bugfix: nginx could not build libatomic library using the library
sources if the --with-libatomic=DIR option was used.
*) Bugfix: nginx now ignores QUIC version negotiation packets from
clients.
*) Bugfix: nginx could not be built on Solaris 10 and earlier with the
ngx_http_v3_module.
*) Bugfixes in HTTP/3.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Feb 6 2025 Felix Kaechele [felix@kaechele.ca] - 0.5.2-10
- Rebuild for nginx 1.26.3
* Fri Jan 17 2025 Fedora Release Engineering [releng@fedoraproject.org] - 0.5.2-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2277663 - please switch to using systemd-sysusers to create the nginx user
https://bugzilla.redhat.com/show_bug.cgi?id=2277663
[ 2 ] Bug #2344198 - CVE-2025-23419 nginx: TLS Session Resumption Vulnerability [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2344198
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-66ebd291f8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
[SECURITY] Fedora 41 Update: nginx-1.26.3-1.fc41
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-66ebd291f8
2025-02-15 02:35:33.711202+00:00
--------------------------------------------------------------------------------
Name : nginx
Product : Fedora 41
Version : 1.26.3
Release : 1.fc41
URL : https://nginx.org
Summary : A high performance web server and reverse proxy server
Description :
Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and
IMAP protocols, with a strong focus on high concurrency, performance and low
memory usage.
--------------------------------------------------------------------------------
Update Information:
Changes with nginx 1.26.3 05 Feb 2025
*) Security: insufficient check in virtual servers handling with TLSv1.3
SNI allowed to reuse SSL sessions in a different virtual server, to
bypass client SSL certificates verification (CVE-2025-23419).
*) Bugfix: in the ngx_http_mp4_module.
Thanks to Nils Bars.
*) Workaround: "gzip filter failed to use preallocated memory" alerts
appeared in logs when using zlib-ng.
*) Bugfix: nginx could not build libatomic library using the library
sources if the --with-libatomic=DIR option was used.
*) Bugfix: nginx now ignores QUIC version negotiation packets from
clients.
*) Bugfix: nginx could not be built on Solaris 10 and earlier with the
ngx_http_v3_module.
*) Bugfixes in HTTP/3.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Feb 6 2025 Felix Kaechele [felix@kaechele.ca] - 2:1.26.3-1
- update to 1.26.3
- fixes SSL session reuse vulnerability (CVE-2025-23419)
- drop zlib-ng patch, the issue was addressed upstream
* Wed Feb 5 2025 Luboš Uhliarik [luhliari@redhat.com] - 2:1.26.2-6
- Use systemd-sysusers
* Mon Feb 3 2025 Joe Orton [jorton@redhat.com] - 2:1.26.2-5
- Add systemd instantiated service nginx@.service, allowing e.g. "systemctl
start nginx@foobar.service" to start an instance of nginx using
/etc/nginx/foobar.conf as the configuration.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2277663 - please switch to using systemd-sysusers to create the nginx user
https://bugzilla.redhat.com/show_bug.cgi?id=2277663
[ 2 ] Bug #2344198 - CVE-2025-23419 nginx: TLS Session Resumption Vulnerability [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2344198
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-66ebd291f8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
[SECURITY] Fedora 40 Update: krb5-1.21.3-3.fc40
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-61b9344baf
2025-02-15 02:22:06.812127+00:00
--------------------------------------------------------------------------------
Name : krb5
Product : Fedora 40
Version : 1.21.3
Release : 3.fc40
URL : https://web.mit.edu/kerberos/www/
Summary : The Kerberos network authentication system
Description :
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of sending passwords over the network in unencrypted form.
--------------------------------------------------------------------------------
Update Information:
Prevent overflow when calculating ulog block size (CVE-2025-24528)
Support PKCS11 EC client certs in PKINIT
kdb5_util: fix DB entry flags on modification
Add ECDH support for PKINIT (RFC5349)
--------------------------------------------------------------------------------
ChangeLog:
* Tue Feb 11 2025 Julien Rische [jrische@redhat.com] - 1.21.3-3
- Prevent overflow when calculating ulog block size (CVE-2025-24528)
Resolves: rhbz#2342810
- Support PKCS11 EC client certs in PKINIT
Resolves: rhbz#2341962
- kdb5_util: fix DB entry flags on modification
Resolves: rhbz#2336555
- Add ECDH support for PKINIT (RFC5349)
Resolves: rhbz#2214326
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2214326 - [RFE] Add ECDH support for PKINIT (RFC5349) [fedora]
https://bugzilla.redhat.com/show_bug.cgi?id=2214326
[ 2 ] Bug #2336555 - kdb5_util: fix DB entry flags on modification [fedora]
https://bugzilla.redhat.com/show_bug.cgi?id=2336555
[ 3 ] Bug #2341962 - Support PKCS11 EC client certs in PKINIT [fedora]
https://bugzilla.redhat.com/show_bug.cgi?id=2341962
[ 4 ] Bug #2342810 - CVE-2025-24528 krb5: overflow when calculating ulog block size [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2342810
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-61b9344baf' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
[SECURITY] Fedora 40 Update: nginx-mod-modsecurity-1.0.3-16.fc40
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-016ed44ddc
2025-02-15 02:22:06.812098+00:00
--------------------------------------------------------------------------------
Name : nginx-mod-modsecurity
Product : Fedora 40
Version : 1.0.3
Release : 16.fc40
URL : https://github.com/SpiderLabs/ModSecurity-nginx
Summary : ModSecurity v3 nginx connector
Description :
The ModSecurity-nginx connector is the connection point between nginx and
libmodsecurity (ModSecurity v3). Said another way, this project provides a
communication channel between nginx and libmodsecurity. This connector is
required to use LibModSecurity with nginx.
The ModSecurity-nginx connector takes the form of an nginx module. The module
simply serves as a layer of communication between nginx and ModSecurity.
--------------------------------------------------------------------------------
Update Information:
Changes with nginx 1.26.3 05 Feb 2025
*) Security: insufficient check in virtual servers handling with TLSv1.3
SNI allowed to reuse SSL sessions in a different virtual server, to
bypass client SSL certificates verification (CVE-2025-23419).
*) Bugfix: in the ngx_http_mp4_module.
Thanks to Nils Bars.
*) Workaround: "gzip filter failed to use preallocated memory" alerts
appeared in logs when using zlib-ng.
*) Bugfix: nginx could not build libatomic library using the library
sources if the --with-libatomic=DIR option was used.
*) Bugfix: nginx now ignores QUIC version negotiation packets from
clients.
*) Bugfix: nginx could not be built on Solaris 10 and earlier with the
ngx_http_v3_module.
*) Bugfixes in HTTP/3.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Feb 6 2025 Felix Kaechele [felix@kaechele.ca] - 1.0.3-16
- Rebuild for nginx 1.26.3
* Fri Jan 17 2025 Fedora Release Engineering [releng@fedoraproject.org] - 1.0.3-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Mon Aug 26 2024 Felix Kaechele [felix@kaechele.ca] - 1.0.3-14
- Rebuild for nginx 1.26.2... again.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2277663 - please switch to using systemd-sysusers to create the nginx user
https://bugzilla.redhat.com/show_bug.cgi?id=2277663
[ 2 ] Bug #2344197 - CVE-2025-23419 nginx: TLS Session Resumption Vulnerability [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2344197
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-016ed44ddc' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
[SECURITY] Fedora 40 Update: libheif-1.19.5-3.fc40
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-666aaa6a0d
2025-02-15 02:22:06.812110+00:00
--------------------------------------------------------------------------------
Name : libheif
Product : Fedora 40
Version : 1.19.5
Release : 3.fc40
URL : https://github.com/strukturag/libheif
Summary : HEIF and AVIF file format decoder and encoder
Description :
libheif is an ISO/IEC 23008-12:2017 HEIF and AVIF (AV1 Image File Format)
file format decoder and encoder.
--------------------------------------------------------------------------------
Update Information:
Latest upstream release. It adds support for tiles and fixes reading images
generated by iOS 18+. See https://github.com/strukturag/libheif/releases for
more details about the changes since 1.17.6.
NOTE: heif-convert tool was renamed to heif-dec.
How to test:
Download and unzip sample images from mastodon issue #31570. Try opening them
with e.g. loupe or gimp. They fail to open with libheif-1.17.6, but should open
successfully with libheif-1.19.5.
Fixes CVE-2024-41311.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Feb 5 2025 Robert-André Mauchin [zebob.m@gmail.com] - 1.19.5-3
- Rebuilt for aom 3.11.0
* Fri Jan 17 2025 Fedora Release Engineering [releng@fedoraproject.org] - 1.19.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Sun Nov 24 2024 Packit [hello@packit.dev] - 1.19.5-1
- Update to version 1.19.5
- Resolves: rhbz#2327307
* Sun Nov 17 2024 Dominik Mierzejewski [dominik@greysector.net] - 1.19.3-3
- disable OpenJPH encoder support to work-around crashes
* Sat Nov 16 2024 Sérgio Basto [sergio@serjux.com] - 1.19.3-2
- Add support to multilib in devel sub-package
- Resolves: rhbz#2279891
* Tue Nov 12 2024 Dominik Mierzejewski [dominik@greysector.net] - 1.19.3-1
- update to 1.19.3 (resolves rhbz#2295525)
- drop obsolete patches
- enable OpenH264, OpenJPH (64-bit only) and Brotli decoders
- run tests unconditionally, they no longer require special build options
- drop conditional hevc subpackage
- use fewer wildcards in the file lists
- stop building rav1e and svt AV1 encoders as plugins
* Thu Jul 18 2024 Fedora Release Engineering [releng@fedoraproject.org] - 1.17.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2319289 - CVE-2024-41311 libheif: OOB read and write via ImageOverlay::parse() [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2319289
[ 2 ] Bug #2332519 - Update libheif
https://bugzilla.redhat.com/show_bug.cgi?id=2332519
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-666aaa6a0d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
[SECURITY] Fedora 40 Update: nginx-1.26.3-1.fc40
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-016ed44ddc
2025-02-15 02:22:06.812098+00:00
--------------------------------------------------------------------------------
Name : nginx
Product : Fedora 40
Version : 1.26.3
Release : 1.fc40
URL : https://nginx.org
Summary : A high performance web server and reverse proxy server
Description :
Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and
IMAP protocols, with a strong focus on high concurrency, performance and low
memory usage.
--------------------------------------------------------------------------------
Update Information:
Changes with nginx 1.26.3 05 Feb 2025
*) Security: insufficient check in virtual servers handling with TLSv1.3
SNI allowed to reuse SSL sessions in a different virtual server, to
bypass client SSL certificates verification (CVE-2025-23419).
*) Bugfix: in the ngx_http_mp4_module.
Thanks to Nils Bars.
*) Workaround: "gzip filter failed to use preallocated memory" alerts
appeared in logs when using zlib-ng.
*) Bugfix: nginx could not build libatomic library using the library
sources if the --with-libatomic=DIR option was used.
*) Bugfix: nginx now ignores QUIC version negotiation packets from
clients.
*) Bugfix: nginx could not be built on Solaris 10 and earlier with the
ngx_http_v3_module.
*) Bugfixes in HTTP/3.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Feb 6 2025 Felix Kaechele [felix@kaechele.ca] - 2:1.26.3-1
- update to 1.26.3
- fixes SSL session reuse vulnerability (CVE-2025-23419)
- drop zlib-ng patch, the issue was addressed upstream
* Wed Feb 5 2025 Luboš Uhliarik [luhliari@redhat.com] - 2:1.26.2-6
- Use systemd-sysusers
* Mon Feb 3 2025 Joe Orton [jorton@redhat.com] - 2:1.26.2-5
- Add systemd instantiated service nginx@.service, allowing e.g. "systemctl
start nginx@foobar.service" to start an instance of nginx using
/etc/nginx/foobar.conf as the configuration.
* Sat Feb 1 2025 Björn Esser [besser82@fedoraproject.org] - 2:1.26.2-4
- Add explicit BR: libxcrypt-devel
* Sat Feb 1 2025 Felix Kaechele [felix@kaechele.ca] - 2:1.26.2-3
- Add zlib-ng patch to fix rhbz#2343318
* Fri Jan 17 2025 Fedora Release Engineering [releng@fedoraproject.org] - 2:1.26.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2277663 - please switch to using systemd-sysusers to create the nginx user
https://bugzilla.redhat.com/show_bug.cgi?id=2277663
[ 2 ] Bug #2344197 - CVE-2025-23419 nginx: TLS Session Resumption Vulnerability [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2344197
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-016ed44ddc' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 40 Update: nginx-mod-naxsi-1.6-9.fc40
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-016ed44ddc
2025-02-15 02:22:06.812098+00:00
--------------------------------------------------------------------------------
Name : nginx-mod-naxsi
Product : Fedora 40
Version : 1.6
Release : 9.fc40
URL : https://github.com/wargio/naxsi
Summary : nginx web application firewall module
Description :
naxsi is an nginx module that provides score based Web Application Firewall
(WAF) abilities in a highly granular fashion.
--------------------------------------------------------------------------------
Update Information:
Changes with nginx 1.26.3 05 Feb 2025
*) Security: insufficient check in virtual servers handling with TLSv1.3
SNI allowed to reuse SSL sessions in a different virtual server, to
bypass client SSL certificates verification (CVE-2025-23419).
*) Bugfix: in the ngx_http_mp4_module.
Thanks to Nils Bars.
*) Workaround: "gzip filter failed to use preallocated memory" alerts
appeared in logs when using zlib-ng.
*) Bugfix: nginx could not build libatomic library using the library
sources if the --with-libatomic=DIR option was used.
*) Bugfix: nginx now ignores QUIC version negotiation packets from
clients.
*) Bugfix: nginx could not be built on Solaris 10 and earlier with the
ngx_http_v3_module.
*) Bugfixes in HTTP/3.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Feb 6 2025 Felix Kaechele [felix@kaechele.ca] - 1.6-9
- Rebuild for nginx 1.26.3
* Fri Jan 17 2025 Fedora Release Engineering [releng@fedoraproject.org] - 1.6-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Mon Aug 26 2024 Felix Kaechele [felix@kaechele.ca] - 1.6-7
- Rebuild for nginx 1.26.2... again.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2277663 - please switch to using systemd-sysusers to create the nginx user
https://bugzilla.redhat.com/show_bug.cgi?id=2277663
[ 2 ] Bug #2344197 - CVE-2025-23419 nginx: TLS Session Resumption Vulnerability [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2344197
--------------------------------------------------------------------------------
[SECURITY] Fedora 40 Update: nginx-mod-vts-0.2.3-3.fc40
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-016ed44ddc
2025-02-15 02:22:06.812098+00:00
--------------------------------------------------------------------------------
Name : nginx-mod-vts
Product : Fedora 40
Version : 0.2.3
Release : 3.fc40
URL : https://github.com/vozlt/nginx-module-vts
Summary : Nginx virtual host traffic status module
Description :
Nginx virtual host traffic status module.
--------------------------------------------------------------------------------
Update Information:
Changes with nginx 1.26.3 05 Feb 2025
*) Security: insufficient check in virtual servers handling with TLSv1.3
SNI allowed to reuse SSL sessions in a different virtual server, to
bypass client SSL certificates verification (CVE-2025-23419).
*) Bugfix: in the ngx_http_mp4_module.
Thanks to Nils Bars.
*) Workaround: "gzip filter failed to use preallocated memory" alerts
appeared in logs when using zlib-ng.
*) Bugfix: nginx could not build libatomic library using the library
sources if the --with-libatomic=DIR option was used.
*) Bugfix: nginx now ignores QUIC version negotiation packets from
clients.
*) Bugfix: nginx could not be built on Solaris 10 and earlier with the
ngx_http_v3_module.
*) Bugfixes in HTTP/3.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Feb 6 2025 Felix Kaechele [felix@kaechele.ca] - 0.2.3-3
- Rebuild for nginx 1.26.3
* Fri Jan 17 2025 Fedora Release Engineering [releng@fedoraproject.org] - 0.2.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Thu Jan 2 2025 Mikel Olasagasti Uranga [mikel@olasagasti.info] - 0.2.3-1
- Update to 0.2.3 rhbz#2335121
* Mon Sep 2 2024 Miroslav Suchý [msuchy@redhat.com] - 0.2.2-11
- convert license to SPDX
* Mon Aug 26 2024 Felix Kaechele [felix@kaechele.ca] - 0.2.2-10
- Rebuild for nginx 1.26.2... again.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2277663 - please switch to using systemd-sysusers to create the nginx user
https://bugzilla.redhat.com/show_bug.cgi?id=2277663
[ 2 ] Bug #2344197 - CVE-2025-23419 nginx: TLS Session Resumption Vulnerability [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2344197
--------------------------------------------------------------------------------
[SECURITY] Fedora 40 Update: nginx-mod-fancyindex-0.5.2-8.fc40
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-016ed44ddc
2025-02-15 02:22:06.812098+00:00
--------------------------------------------------------------------------------
Name : nginx-mod-fancyindex
Product : Fedora 40
Version : 0.5.2
Release : 8.fc40
URL : https://github.com/aperezdc/ngx-fancyindex
Summary : Nginx FancyIndex module
Description :
The Fancy Index module makes possible the generation of file listings,
like the built-in autoindex module does, but adding a touch of style.
This is possible because the module allows a certain degree of
customization of the generated content:
* Custom headers. Either local or stored remotely.
* Custom footers. Either local or stored remotely.
* Add your own CSS style rules.
* Allow choosing to sort elements by name (default),
modification time, or size; both ascending (default),
or descending.
--------------------------------------------------------------------------------
Update Information:
Changes with nginx 1.26.3 05 Feb 2025
*) Security: insufficient check in virtual servers handling with TLSv1.3
SNI allowed to reuse SSL sessions in a different virtual server, to
bypass client SSL certificates verification (CVE-2025-23419).
*) Bugfix: in the ngx_http_mp4_module.
Thanks to Nils Bars.
*) Workaround: "gzip filter failed to use preallocated memory" alerts
appeared in logs when using zlib-ng.
*) Bugfix: nginx could not build libatomic library using the library
sources if the --with-libatomic=DIR option was used.
*) Bugfix: nginx now ignores QUIC version negotiation packets from
clients.
*) Bugfix: nginx could not be built on Solaris 10 and earlier with the
ngx_http_v3_module.
*) Bugfixes in HTTP/3.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Feb 6 2025 Felix Kaechele [felix@kaechele.ca] - 0.5.2-8
- Rebuild for nginx 1.26.3
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2277663 - please switch to using systemd-sysusers to create the nginx user
https://bugzilla.redhat.com/show_bug.cgi?id=2277663
[ 2 ] Bug #2344197 - CVE-2025-23419 nginx: TLS Session Resumption Vulnerability [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2344197
--------------------------------------------------------------------------------