
The following security updates are available for Fedora:

Fedora 38 Update: atril-1.26.2-2.fc38
Fedora 38 Update: python-aiohttp-3.9.3-1.fc38
Fedora 38 Update: gnutls-3.8.3-1.fc38
Fedora 39 Update: chromium-121.0.6167.160-1.fc39
Fedora 39 Update: webkitgtk-2.42.5-1.fc39




Fedora 38 Update: atril-1.26.2-2.fc38


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-59a7d96d84
2024-02-09 01:50:00.832060
--------------------------------------------------------------------------------

Name : atril
Product : Fedora 38
Version : 1.26.2
Release : 2.fc38
URL : http://mate-desktop.org
Summary : Document viewer
Description :
Mate-document-viewer is a simple document viewer.
It can display and print Portable Document Format (PDF),
PostScript (PS), Encapsulated PostScript (EPS), DVI, DJVU, epub and XPS files.
When supported by the document format, mate-document-viewer
allows searching for text, copying text to the clipboard,
hypertext navigation, table-of-contents bookmarks and editing of forms.

--------------------------------------------------------------------------------
Update Information:

fix gcc14 build error and another epub crash
use https://github.com/mate-desktop/atril/commit/479e927
use https://github.com/mate-desktop/atril/commit/d901a9d
update to 1.26.2
fix security advisory
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jan 31 2024 Wolfgang Ulbrich [fedora@raveit.de] - 1.26.2-2
- fix gcc14 build error and another epub crash
- use https://github.com/mate-desktop/atril/commit/479e927
- use https://github.com/mate-desktop/atril/commit/d901a9d
* Wed Jan 24 2024 Wolfgang Ulbrich [fedora@raveit.de] - 1.26.2-1
- update to 1.26.2
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2258392 - CVE-2023-51698 atril: vulnerable to Command Injection Vulnerability [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2258392
[ 2 ] Bug #2258393 - CVE-2023-51698 atril: vulnerable to Command Injection Vulnerability [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2258393
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-59a7d96d84' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--



Fedora 38 Update: python-aiohttp-3.9.3-1.fc38


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-0ddda4c691
2024-02-09 01:50:00.832021
--------------------------------------------------------------------------------

Name : python-aiohttp
Product : Fedora 38
Version : 3.9.3
Release : 1.fc38
URL : https://github.com/aio-libs/aiohttp
Summary : Python HTTP client/server for asyncio
Description :
Python HTTP client/server for asyncio which supports both the client and the
server side of the HTTP protocol, client and server websocket, and webservers
with middlewares and pluggable routing.

--------------------------------------------------------------------------------
Update Information:

Security update for CVE-2024-23334 and CVE-2024-23829
https://github.com/aio-libs/aiohttp/releases/tag/v3.9.2
https://github.com/aio-libs/aiohttp/releases/tag/v3.9.3
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 30 2024 Benjamin A. Beasley [code@musicinmybrain.net] - 3.9.3-1
- Update to 3.9.3, security update for CVE-2024-23334 and CVE-2024-23829 (fix
RHBZ#2261891, fix RHBZ#2261910)
* Tue Jan 30 2024 Benjamin A. Beasley [code@musicinmybrain.net] - 3.9.1-4
- Skip a couple of spurious or insignificant test failures (close RHBZ#2261544)
* Fri Jan 26 2024 Fedora Release Engineering [releng@fedoraproject.org] - 3.9.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering [releng@fedoraproject.org] - 3.9.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2261887 - CVE-2024-23334 aiohttp: follow_symlinks directory traversal vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=2261887
[ 2 ] Bug #2261909 - CVE-2024-23829 python-aiohttp: http request smuggling
https://bugzilla.redhat.com/show_bug.cgi?id=2261909
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-0ddda4c691' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------
--



Fedora 38 Update: gnutls-3.8.3-1.fc38


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-c43a6cc3f8
2024-02-09 01:50:00.831558
--------------------------------------------------------------------------------

Name : gnutls
Product : Fedora 38
Version : 3.8.3
Release : 1.fc38
URL : http://www.gnutls.org/
Summary : A TLS protocol implementation
Description :
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
other required structures.

--------------------------------------------------------------------------------
Update Information:

Rebase gnutls to version 3.8.3
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jan 24 2024 Zoltan Fridrich [zfridric@redhat.com] - 3.8.3-1
- [packit] 3.8.3 upstream release
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2246372 - [abrt] gnutls-utils: gnutls_x509_crt_deinit(): gnutls-cli killed by SIGSEGV
https://bugzilla.redhat.com/show_bug.cgi?id=2246372
[ 2 ] Bug #2254017 - gnutls should depend on nettle >= 3.9
https://bugzilla.redhat.com/show_bug.cgi?id=2254017
[ 3 ] Bug #2258576 - CVE-2024-0567 gnutls: rejects certificate chain with distributed trust [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2258576
[ 4 ] Bug #2258577 - CVE-2024-0553 gnutls: incomplete fix for CVE-2023-5981 [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2258577
[ 5 ] Bug #2258587 - gnutls-3.8.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2258587
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-c43a6cc3f8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------
--



Fedora 39 Update: chromium-121.0.6167.160-1.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-5745525066
2024-02-09 01:23:46.863652
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 39
Version : 121.0.6167.160
Release : 1.fc39
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

Update to 121.0.6167.160
High CVE-2024-1284: Use after free in Mojo
High CVE-2024-1283: Heap buffer overflow in Skia
--------------------------------------------------------------------------------
ChangeLog:

* Wed Feb 7 2024 Than Ngo [than@redhat.com] - 121.0.6167.160-1
- update to 121.0.6167.160
  * High CVE-2024-1284: Use after free in Mojo
  * High CVE-2024-1283: Heap buffer overflow in Skia
* Thu Feb 1 2024 Than Ngo [than@redhat.com] - 121.0.6167.139-2
- Support for 64K pages on Linux/AArch64
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2263135 - CVE-2024-1283 CVE-2024-1284 chromium: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2263135
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-5745525066' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------
--



Fedora 39 Update: webkitgtk-2.42.5-1.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-97faaca23d
2024-02-09 01:23:46.863627
--------------------------------------------------------------------------------

Name : webkitgtk
Product : Fedora 39
Version : 2.42.5
Release : 1.fc39
URL : https://www.webkitgtk.org/
Summary : GTK web content engine library
Description :
WebKitGTK is the port of the WebKit web rendering engine to the
GTK platform.

--------------------------------------------------------------------------------
Update Information:

Fix webkit_web_context_allow_tls_certificate_for_host to handle IPv6 URIs
produced by SoupURI.
Ignore stops with offset zero before last one when rendering gradients with
cairo.
Write bwrapinfo.json to disk for xdg-desktop-portal.
Fix gamepads detection by correctly handling focused window in GTK4.
Fix several crashes and rendering issues.
Fix CVE-2024-23222, CVE-2024-23206, CVE-2024-23213
--------------------------------------------------------------------------------
ChangeLog:

* Mon Feb 5 2024 Michael Catanzaro [mcatanzaro@redhat.com] - 2.42.5-1
- Update to WebKitGTK 2.42.5
* Fri Dec 15 2023 Michael Catanzaro [mcatanzaro@redhat.com] - 2.42.4-1
- Update to 2.42.4
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-97faaca23d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------
--