Fedora Linux 8758

Fedora Linux has published security updates for chromium, apache-commons-io, podman, containers-common, and buildah:

[SECURITY] Fedora 39 Update: chromium-130.0.6723.58-1.fc39
[SECURITY] Fedora 39 Update: apache-commons-io-2.11.0-5.fc39
[SECURITY] Fedora 41 Update: podman-5.2.5-1.fc41
[SECURITY] Fedora 41 Update: containers-common-0.60.4-4.fc41
[SECURITY] Fedora 41 Update: buildah-1.37.5-1.fc41
[SECURITY] Fedora 39 Update: chromium-130.0.6723.58-1.fc39
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-c0b1d26de3
2024-10-20 00:53:34.130147
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 39
Version : 130.0.6723.58
Release : 1.fc39
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

Update to 130.0.6723.58
* High CVE-2024-9954: Use after free in AI
* Medium CVE-2024-9955: Use after free in Web Authentication
* Medium CVE-2024-9956: Inappropriate implementation in Web Authentication
* Medium CVE-2024-9957: Use after free in UI
* Medium CVE-2024-9958: Inappropriate implementation in PictureInPicture
* Medium CVE-2024-9959: Use after free in DevTools
* Medium CVE-2024-9960: Use after free in Dawn
* Medium CVE-2024-9961: Use after free in Parcel Tracking
* Medium CVE-2024-9962: Inappropriate implementation in Permissions
* Medium CVE-2024-9963: Insufficient data validation in Downloads
* Low CVE-2024-9964: Inappropriate implementation in Payments
* Low CVE-2024-9965: Insufficient data validation in DevTools
* Low CVE-2024-9966: Inappropriate implementation in Navigations
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 16 2024 Than Ngo [than@redhat.com] - 130.0.6723.58-1
- update to 130.0.6723.58
* High CVE-2024-9954: Use after free in AI
* Medium CVE-2024-9955: Use after free in Web Authentication
* Medium CVE-2024-9956: Inappropriate implementation in Web Authentication
* Medium CVE-2024-9957: Use after free in UI
* Medium CVE-2024-9958: Inappropriate implementation in PictureInPicture
* Medium CVE-2024-9959: Use after free in DevTools
* Medium CVE-2024-9960: Use after free in Dawn
* Medium CVE-2024-9961: Use after free in Parcel Tracking
* Medium CVE-2024-9962: Inappropriate implementation in Permissions
* Medium CVE-2024-9963: Insufficient data validation in Downloads
* Low CVE-2024-9964: Inappropriate implementation in Payments
* Low CVE-2024-9965: Insufficient data validation in DevTools
* Low CVE-2024-9966: Inappropriate implementation in Navigations
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2318990 - CVE-2024-9957 chromium: Use after free in UI [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2318990
[ 2 ] Bug #2318991 - CVE-2024-9957 chromium: Use after free in UI [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2318991
[ 3 ] Bug #2318992 - CVE-2024-9961 chromium: Use after free in Parcel Tracking [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2318992
[ 4 ] Bug #2318993 - CVE-2024-9961 chromium: Use after free in Parcel Tracking [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2318993
[ 5 ] Bug #2318996 - CVE-2024-9959 chromium: Use after free in DevTools [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2318996
[ 6 ] Bug #2318998 - CVE-2024-9959 chromium: Use after free in DevTools [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2318998
[ 7 ] Bug #2318999 - CVE-2024-9963 chromium: Insufficient data validation in Downloads [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2318999
[ 8 ] Bug #2319000 - CVE-2024-9963 chromium: Insufficient data validation in Downloads [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2319000
[ 9 ] Bug #2319001 - CVE-2024-9962 chromium: Inappropriate implementation in Permissions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2319001
[ 10 ] Bug #2319002 - CVE-2024-9962 chromium: Inappropriate implementation in Permissions [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2319002
[ 11 ] Bug #2319003 - CVE-2024-9964 chromium: Inappropriate implementation in Payments [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2319003
[ 12 ] Bug #2319004 - CVE-2024-9964 chromium: Inappropriate implementation in Payments [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2319004
[ 13 ] Bug #2319005 - CVE-2024-9960 chromium: Use after free in Dawn [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2319005
[ 14 ] Bug #2319006 - CVE-2024-9960 chromium: Use after free in Dawn [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2319006
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-c0b1d26de3' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
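The notification above has a fixed layout (advisory id, `Name`/`Version`/`Release` fields, a CVE list, then the `dnf upgrade --advisory` instruction). The following is an added example, not Fedora's own tooling: it parses that layout into a record, derives the `dnf` command, and checks whether an installed version-release is at or above the fixed build. The sample text is a constructed, abridged copy of the chromium notification, and the version comparison is a simplified `rpmvercmp` (alphanumeric segments only; epoch, `~` and `^` are ignored, an assumption stated in the code).

```python
import re
from dataclasses import dataclass

# Constructed, abridged copy of the chromium notification shown on this page.
SAMPLE = """\
Fedora Update Notification
FEDORA-2024-c0b1d26de3
2024-10-20 00:53:34.130147
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 39
Version : 130.0.6723.58
Release : 1.fc39
--------------------------------------------------------------------------------
Update Information:

Update to 130.0.6723.58
* High CVE-2024-9954: Use after free in AI
* Medium CVE-2024-9955: Use after free in Web Authentication
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2318990 - CVE-2024-9957 chromium: Use after free in UI [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2318990
"""


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    name: str
    product: str
    version: str
    release: str
    cves: tuple  # sorted, de-duplicated CVE ids mentioned anywhere in the text


def parse_notification(text: str) -> Advisory:
    """Extract the advisory id, the NVR fields and every CVE id from one notification."""
    adv = re.search(r"^FEDORA-\d{4}-[0-9a-f]+$", text, re.M)
    if not adv:
        raise ValueError("no advisory id found")
    fields = {}
    for key in ("Name", "Product", "Version", "Release"):
        m = re.search(rf"^{key} : (.+)$", text, re.M)
        if not m:
            raise ValueError(f"missing field {key}")
        fields[key] = m.group(1).strip()
    cves = tuple(sorted(set(re.findall(r"CVE-\d{4}-\d{4,}", text))))
    return Advisory(adv.group(0), fields["Name"], fields["Product"],
                    fields["Version"], fields["Release"], cves)


def dnf_command(a: Advisory) -> str:
    """The command the notification tells the administrator to run."""
    return f"dnf upgrade --advisory {a.advisory_id}"


def _segments(s: str) -> list:
    return re.findall(r"\d+|[A-Za-z]+", s)


def vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp (assumption: epoch, '~' and '^' are not handled).

    Segments are compared pairwise: numeric segments numerically, alphabetic
    segments lexically, and a numeric segment sorts after an alphabetic one.
    Returns -1, 0 or 1.
    """
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_fixed(installed_version: str, installed_release: str, a: Advisory) -> bool:
    """True when the installed version-release is at or above the advisory's build."""
    c = vercmp(installed_version, a.version)
    if c != 0:
        return c > 0
    return vercmp(installed_release, a.release) >= 0


if __name__ == "__main__":
    adv = parse_notification(SAMPLE)
    print(adv.name, adv.product, f"{adv.version}-{adv.release}", adv.cves)
    print(dnf_command(adv))
    # On a real host the installed build would come from:
    #   rpm -q --qf '%{VERSION} %{RELEASE}\n' chromium
    print("fixed:", is_fixed("129.0.6668.100", "1.fc39", adv))
```

Feed it the output of `rpm -q --qf '%{VERSION} %{RELEASE}\n' <name>` for each package named in an advisory to get a quick, scriptable "am I patched" check across a fleet; for an exact comparison on a real host, prefer `rpm`'s own `rpmdev-vercmp` or the `rpm` Python bindings over the simplified comparator here.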

--

[SECURITY] Fedora 39 Update: apache-commons-io-2.11.0-5.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-5d581b2365
2024-10-20 00:53:34.129991
--------------------------------------------------------------------------------

Name : apache-commons-io
Product : Fedora 39
Version : 2.11.0
Release : 5.fc39
URL : https://commons.apache.org/io
Summary : Utilities to assist with developing IO functionality
Description :
Commons-IO contains utility classes, stream implementations,
file filters, and endian classes. It is a library of utilities
to assist with developing IO functionality.

--------------------------------------------------------------------------------
Update Information:

Fixes possible denial of service attack on untrusted input
--------------------------------------------------------------------------------
ChangeLog:

* Fri Oct 4 2024 Mikolaj Izdebski [mizdebsk@redhat.com]
- Fix possible denial of service attack on untrusted input
- Resolves: rhbz#2316397
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2316397 - CVE-2024-47554 apache-commons-io: Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2316397
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-5d581b2365' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--

[SECURITY] Fedora 41 Update: podman-5.2.5-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-5a61a2fa45
2024-10-19 22:48:44.962126
--------------------------------------------------------------------------------

Name : podman
Product : Fedora 41
Version : 5.2.5
Release : 1.fc41
URL : https://podman.io/
Summary : Manage Pods, Containers and Container Images
Description :
podman (Pod Manager) is a fully featured container engine that is a simple
daemonless tool. podman provides a Docker-CLI comparable command line that
eases the transition from other container engines and allows the management of
pods, containers and images. Simply put: alias docker=podman.
Most podman commands can be run as a regular user, without requiring
additional privileges.

podman uses Buildah(1) internally to create container images.
Both tools share image (not container) storage, hence each can use or
manipulate images (but not containers) created by the other.

--------------------------------------------------------------------------------
Update Information:

Automatic update for buildah-1.37.5-1.fc41.
Changelog for buildah
* Fri Oct 18 2024 Packit [hello@packit.dev] - 2:1.37.5-1
- Update to 1.37.5 upstream release
Fixes CVE-2024-9341, CVE-2024-9675 and CVE-2024-9676.
bugfix
--------------------------------------------------------------------------------
ChangeLog:

* Fri Oct 18 2024 Lokesh Mandvekar [lsm5@fedoraproject.org] - 5:5.2.5-1
- bump to v5.2.5
* Tue Oct 15 2024 Lokesh Mandvekar [lsm5@fedoraproject.org] - 5:5.2.4-2
- c/common pr 2194
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2317462 - CVE-2024-9675 buildah: Buildah allows arbitrary directory mount [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2317462
[ 2 ] Bug #2317464 - CVE-2024-9675 podman: Buildah allows arbitrary directory mount [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2317464
[ 3 ] Bug #2318511 - CVE-2024-9341 podman: FIPS Crypto-Policy Directory Mounting Issue in containers/common Go Library [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2318511
[ 4 ] Bug #2318514 - CVE-2024-9341 buildah: FIPS Crypto-Policy Directory Mounting Issue in containers/common Go Library [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2318514
[ 5 ] Bug #2319017 - CVE-2024-9676 buildah: symlink traversal vulnerability in the containers/storage library can cause Denial of Service (DoS) [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2319017
[ 6 ] Bug #2319019 - CVE-2024-9676 podman: symlink traversal vulnerability in the containers/storage library can cause Denial of Service (DoS) [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2319019
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-5a61a2fa45' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--

[SECURITY] Fedora 41 Update: containers-common-0.60.4-4.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-5a61a2fa45
2024-10-19 22:48:44.962126
--------------------------------------------------------------------------------

Name : containers-common
Product : Fedora 41
Version : 0.60.4
Release : 4.fc41
URL : https://github.com/containers/common
Summary : Common configuration and documentation for containers
Description :
This package contains common configuration files and documentation for the container
tools ecosystem, such as Podman, Buildah and Skopeo.

It is required because most of the configuration files and docs come from projects
which are vendored into Podman, Buildah, Skopeo, etc. but are not packaged
separately.

--------------------------------------------------------------------------------
Update Information:

Automatic update for buildah-1.37.5-1.fc41.
Changelog for buildah
* Fri Oct 18 2024 Packit [hello@packit.dev] - 2:1.37.5-1
- Update to 1.37.5 upstream release
Fixes CVE-2024-9341, CVE-2024-9675 and CVE-2024-9676.
bugfix
--------------------------------------------------------------------------------
ChangeLog:

* Thu Oct 17 2024 Debarshi Ray [rishi@fedoraproject.org] - 5:0.60.4-4
- Revert "Move fuse-overlayfs to suggests" for all Fedoras
* Wed Oct 16 2024 Debarshi Ray [rishi@fedoraproject.org] - 5:0.60.4-3
- Revert "Move fuse-overlayfs to suggests" for Fedora 40 and older
* Tue Oct 15 2024 Lokesh Mandvekar [lsm5@fedoraproject.org] - 5:0.60.4-2
- disable zstd chunked on fedora
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2317462 - CVE-2024-9675 buildah: Buildah allows arbitrary directory mount [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2317462
[ 2 ] Bug #2317464 - CVE-2024-9675 podman: Buildah allows arbitrary directory mount [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2317464
[ 3 ] Bug #2318511 - CVE-2024-9341 podman: FIPS Crypto-Policy Directory Mounting Issue in containers/common Go Library [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2318511
[ 4 ] Bug #2318514 - CVE-2024-9341 buildah: FIPS Crypto-Policy Directory Mounting Issue in containers/common Go Library [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2318514
[ 5 ] Bug #2319017 - CVE-2024-9676 buildah: symlink traversal vulnerability in the containers/storage library can cause Denial of Service (DoS) [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2319017
[ 6 ] Bug #2319019 - CVE-2024-9676 podman: symlink traversal vulnerability in the containers/storage library can cause Denial of Service (DoS) [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2319019
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-5a61a2fa45' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--

[SECURITY] Fedora 41 Update: buildah-1.37.5-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-5a61a2fa45
2024-10-19 22:48:44.962126
--------------------------------------------------------------------------------

Name : buildah
Product : Fedora 41
Version : 1.37.5
Release : 1.fc41
URL : https://buildah.io
Summary : A command line tool used for creating OCI Images
Description :
The buildah package provides a command line tool which can be used to
* create a working container from scratch, or
* create a working container from an image as a starting point
* mount/umount a working container's root file system for manipulation
* save a container's root file system layer to create a new image
* delete a working container or an image

--------------------------------------------------------------------------------
Update Information:

Automatic update for buildah-1.37.5-1.fc41.
Changelog for buildah
* Fri Oct 18 2024 Packit [hello@packit.dev] - 2:1.37.5-1
- Update to 1.37.5 upstream release
Fixes CVE-2024-9341, CVE-2024-9675 and CVE-2024-9676.
bugfix
--------------------------------------------------------------------------------
ChangeLog:

* Fri Oct 18 2024 Packit [hello@packit.dev] - 2:1.37.5-1
- Update to 1.37.5 upstream release
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2317462 - CVE-2024-9675 buildah: Buildah allows arbitrary directory mount [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2317462
[ 2 ] Bug #2317464 - CVE-2024-9675 podman: Buildah allows arbitrary directory mount [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2317464
[ 3 ] Bug #2318511 - CVE-2024-9341 podman: FIPS Crypto-Policy Directory Mounting Issue in containers/common Go Library [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2318511
[ 4 ] Bug #2318514 - CVE-2024-9341 buildah: FIPS Crypto-Policy Directory Mounting Issue in containers/common Go Library [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2318514
[ 5 ] Bug #2319017 - CVE-2024-9676 buildah: symlink traversal vulnerability in the containers/storage library can cause Denial of Service (DoS) [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2319017
[ 6 ] Bug #2319019 - CVE-2024-9676 podman: symlink traversal vulnerability in the containers/storage library can cause Denial of Service (DoS) [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2319019
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-5a61a2fa45' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--