Fedora Linux 8799 Published by

Fedora Linux has been updated with multiple security enhancements, which include chromium, cobbler, and libsoup3:

Fedora 40 Update: chromium-131.0.6778.85-2.fc40
Fedora 40 Update: cobbler-3.3.7-1.fc40
Fedora 41 Update: chromium-131.0.6778.85-2.fc41
Fedora 41 Update: cobbler-3.3.7-1.fc41
Fedora 39 Update: cobbler-3.3.7-1.fc39
Fedora 39 Update: libsoup3-3.4.4-3.fc39




[SECURITY] Fedora 40 Update: chromium-131.0.6778.85-2.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-292aa2c246
2024-11-26 04:38:12.122783+00:00
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 40
Version : 131.0.6778.85
Release : 2.fc40
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

Update to 131.0.6778.85
* High CVE-2024-11395: Type Confusion in V8
* High CVE-2024-11110: Inappropriate implementation in Blink
* Medium CVE-2024-11111: Inappropriate implementation in Autofill
* Medium CVE-2024-11112: Use after free in Media
* Medium CVE-2024-11113: Use after free in Accessibility
* Medium CVE-2024-11114: Inappropriate implementation in Views
* Medium CVE-2024-11115: Insufficient policy enforcement in Navigation
* Medium CVE-2024-11116: Inappropriate implementation in Paint
* Low CVE-2024-11117: Inappropriate implementation in FileSystem
--------------------------------------------------------------------------------
ChangeLog:

* Sat Nov 23 2024 Than Ngo [than@redhat.com] - 131.0.6778.85-2
- Enable qt-ui
- Workaround for random crash
* Wed Nov 20 2024 Than Ngo [than@redhat.com] - 131.0.6778.85-1
- Update to 131.0.6778.85
* High CVE-2024-11395: Type Confusion in V8
* Tue Nov 12 2024 Than Ngo [than@redhat.com] - 131.0.6778.69-1
- Update to 131.0.6778.69
* High CVE-2024-11110: Inappropriate implementation in Blink
* Medium CVE-2024-11111: Inappropriate implementation in Autofill
* Medium CVE-2024-11112: Use after free in Media
* Medium CVE-2024-11113: Use after free in Accessibility
* Medium CVE-2024-11114: Inappropriate implementation in Views
* Medium CVE-2024-11115: Insufficient policy enforcement in Navigation
* Medium CVE-2024-11116: Inappropriate implementation in Paint
* Low CVE-2024-11117: Inappropriate implementation in FileSystem
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2325761 - CVE-2024-11110 chromium: Inappropriate implementation in Extensions [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2325761
[ 2 ] Bug #2325762 - CVE-2024-11110 chromium: Inappropriate implementation in Extensions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2325762
[ 3 ] Bug #2325763 - CVE-2024-11111 chromium: Inappropriate implementation in Autofill [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2325763
[ 4 ] Bug #2325764 - CVE-2024-11111 chromium: Inappropriate implementation in Autofill [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2325764
[ 5 ] Bug #2325765 - CVE-2024-11113 chromium: Use after free in Accessibility [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2325765
[ 6 ] Bug #2325766 - CVE-2024-11113 chromium: Use after free in Accessibility [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2325766
[ 7 ] Bug #2325767 - CVE-2024-11116 chromium: Inappropriate implementation in Blink [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2325767
[ 8 ] Bug #2325768 - CVE-2024-11116 chromium: Inappropriate implementation in Blink [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2325768
[ 9 ] Bug #2325769 - CVE-2024-11117 chromium: Inappropriate implementation in FileSystem [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2325769
[ 10 ] Bug #2325770 - CVE-2024-11117 chromium: Inappropriate implementation in FileSystem [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2325770
[ 11 ] Bug #2327554 - CVE-2024-11395 chromium: Type Confusion in V8 [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2327554
[ 12 ] Bug #2327555 - CVE-2024-11395 chromium: Type Confusion in V8 [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2327555
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-292aa2c246' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 40 Update: cobbler-3.3.7-1.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-76d8603c78
2024-11-26 04:38:12.122771+00:00
--------------------------------------------------------------------------------

Name : cobbler
Product : Fedora 40
Version : 3.3.7
Release : 1.fc40
URL : https://cobbler.github.io/
Summary : Boot server configurator
Description :
Cobbler is a network install server. Cobbler supports PXE, ISO
virtualized installs, and re-installing existing Linux machines. The
last two modes use a helper tool, 'koan', that integrates with cobbler.
Cobbler's advanced features include importing distributions from DVDs
and rsync mirrors, kickstart templating, integrated yum mirroring, and
built-in DHCP/DNS Management. Cobbler has a XML-RPC API for integration
with other applications.

--------------------------------------------------------------------------------
Update Information:

Update to 3.3.7 - CVE-2024-47533
--------------------------------------------------------------------------------
ChangeLog:

* Sun Nov 17 2024 Orion Poplawski [orion@nwra.com] - 3.3.7-1
- Update to 3.3.7 (CVE-2024-47533)
* Fri Sep 27 2024 Carl George [carlwgeorge@fedoraproject.org] - 3.3.6-2
- Fix cheetah dependency rhbz#2314630
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2326874 - cobbler-3.3.7 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2326874
[ 2 ] Bug #2327081 - CVE-2024-47533 cobbler: Cobbler allows anyone to connect to cobbler XML-RPC server with a known password and make changes [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2327081
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-76d8603c78' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: chromium-131.0.6778.85-2.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-582d2a7648
2024-11-26 03:12:45.928856+00:00
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 41
Version : 131.0.6778.85
Release : 2.fc41
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

Update to 131.0.6778.85
* High CVE-2024-11395: Type Confusion in V8
* High CVE-2024-11110: Inappropriate implementation in Blink
* Medium CVE-2024-11111: Inappropriate implementation in Autofill
* Medium CVE-2024-11112: Use after free in Media
* Medium CVE-2024-11113: Use after free in Accessibility
* Medium CVE-2024-11114: Inappropriate implementation in Views
* Medium CVE-2024-11115: Insufficient policy enforcement in Navigation
* Medium CVE-2024-11116: Inappropriate implementation in Paint
* Low CVE-2024-11117: Inappropriate implementation in FileSystem
--------------------------------------------------------------------------------
ChangeLog:

* Sat Nov 23 2024 Than Ngo [than@redhat.com] - 131.0.6778.85-2
- Enable qt-ui
- Workaround for random crash
* Wed Nov 20 2024 Than Ngo [than@redhat.com] - 131.0.6778.85-1
- Update to 131.0.6778.85
* High CVE-2024-11395: Type Confusion in V8
* Tue Nov 12 2024 Than Ngo [than@redhat.com] - 131.0.6778.69-1
- Update to 131.0.6778.69
* High CVE-2024-11110: Inappropriate implementation in Blink
* Medium CVE-2024-11111: Inappropriate implementation in Autofill
* Medium CVE-2024-11112: Use after free in Media
* Medium CVE-2024-11113: Use after free in Accessibility
* Medium CVE-2024-11114: Inappropriate implementation in Views
* Medium CVE-2024-11115: Insufficient policy enforcement in Navigation
* Medium CVE-2024-11116: Inappropriate implementation in Paint
* Low CVE-2024-11117: Inappropriate implementation in FileSystem
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2325761 - CVE-2024-11110 chromium: Inappropriate implementation in Extensions [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2325761
[ 2 ] Bug #2325762 - CVE-2024-11110 chromium: Inappropriate implementation in Extensions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2325762
[ 3 ] Bug #2325763 - CVE-2024-11111 chromium: Inappropriate implementation in Autofill [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2325763
[ 4 ] Bug #2325764 - CVE-2024-11111 chromium: Inappropriate implementation in Autofill [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2325764
[ 5 ] Bug #2325765 - CVE-2024-11113 chromium: Use after free in Accessibility [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2325765
[ 6 ] Bug #2325766 - CVE-2024-11113 chromium: Use after free in Accessibility [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2325766
[ 7 ] Bug #2325767 - CVE-2024-11116 chromium: Inappropriate implementation in Blink [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2325767
[ 8 ] Bug #2325768 - CVE-2024-11116 chromium: Inappropriate implementation in Blink [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2325768
[ 9 ] Bug #2325769 - CVE-2024-11117 chromium: Inappropriate implementation in FileSystem [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2325769
[ 10 ] Bug #2325770 - CVE-2024-11117 chromium: Inappropriate implementation in FileSystem [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2325770
[ 11 ] Bug #2327554 - CVE-2024-11395 chromium: Type Confusion in V8 [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2327554
[ 12 ] Bug #2327555 - CVE-2024-11395 chromium: Type Confusion in V8 [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2327555
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-582d2a7648' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: cobbler-3.3.7-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-4f04edd1e7
2024-11-26 03:12:45.928809+00:00
--------------------------------------------------------------------------------

Name : cobbler
Product : Fedora 41
Version : 3.3.7
Release : 1.fc41
URL : https://cobbler.github.io/
Summary : Boot server configurator
Description :
Cobbler is a network install server. Cobbler supports PXE, ISO
virtualized installs, and re-installing existing Linux machines. The
last two modes use a helper tool, 'koan', that integrates with cobbler.
Cobbler's advanced features include importing distributions from DVDs
and rsync mirrors, kickstart templating, integrated yum mirroring, and
built-in DHCP/DNS Management. Cobbler has a XML-RPC API for integration
with other applications.

--------------------------------------------------------------------------------
Update Information:

Update to 3.3.7 - CVE-2024-47533
--------------------------------------------------------------------------------
ChangeLog:

* Sun Nov 17 2024 Orion Poplawski [orion@nwra.com] - 3.3.7-1
- Update to 3.3.7 (CVE-2024-47533)
* Fri Sep 27 2024 Carl George [carlwgeorge@fedoraproject.org] - 3.3.6-2
- Fix cheetah dependency rhbz#2314630
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2326874 - cobbler-3.3.7 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2326874
[ 2 ] Bug #2327082 - CVE-2024-47533 cobbler: Cobbler allows anyone to connect to cobbler XML-RPC server with a known password and make changes [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2327082
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-4f04edd1e7' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 39 Update: cobbler-3.3.7-1.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-a6f0ade1d3
2024-11-26 01:28:25.152878+00:00
--------------------------------------------------------------------------------

Name : cobbler
Product : Fedora 39
Version : 3.3.7
Release : 1.fc39
URL : https://cobbler.github.io/
Summary : Boot server configurator
Description :
Cobbler is a network install server. Cobbler supports PXE, ISO
virtualized installs, and re-installing existing Linux machines. The
last two modes use a helper tool, 'koan', that integrates with cobbler.
Cobbler's advanced features include importing distributions from DVDs
and rsync mirrors, kickstart templating, integrated yum mirroring, and
built-in DHCP/DNS Management. Cobbler has a XML-RPC API for integration
with other applications.

--------------------------------------------------------------------------------
Update Information:

Update to 3.3.7 - CVE-2024-47533
--------------------------------------------------------------------------------
ChangeLog:

* Sun Nov 17 2024 Orion Poplawski - 3.3.7-1
- Update to 3.3.7 (CVE-2024-47533)
* Fri Sep 27 2024 Carl George - 3.3.6-2
- Fix cheetah dependency rhbz#2314630
* Wed Jul 31 2024 Orion Poplawski - 3.3.6-1
- Update to 3.3.6
* Thu Jul 25 2024 Miroslav SuchĂ˝ - 3.3.5-3
- convert license to SPDX
* Wed Jul 17 2024 Fedora Release Engineering - 3.3.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Fri Jul 12 2024 Orion Poplawski - 3.3.5-1
- Update to 3.3.5
* Fri Jun 7 2024 Python Maint - 3.3.4-5
- Rebuilt for Python 3.13
* Fri Jun 7 2024 Python Maint - 3.3.4-4
- Rebuilt for Python 3.13
* Sat Apr 27 2024 Orion Poplawski - 3.3.4-3
- Fix service name in selinux post install script
* Fri Apr 26 2024 Orion Poplawski - 3.3.4-2
- Test for existence of web.ss before chowning it (bz#2276860)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2326874 - cobbler-3.3.7 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2326874
[ 2 ] Bug #2327080 - CVE-2024-47533 cobbler: Cobbler allows anyone to connect to cobbler XML-RPC server with a known password and make changes [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2327080
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-a6f0ade1d3' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 39 Update: libsoup3-3.4.4-3.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-a059ea1dfc
2024-11-26 01:28:25.152831+00:00
--------------------------------------------------------------------------------

Name : libsoup3
Product : Fedora 39
Version : 3.4.4
Release : 3.fc39
URL : https://wiki.gnome.org/Projects/libsoup
Summary : Soup, an HTTP library implementation
Description :
Libsoup is an HTTP library implementation in C. It was originally part
of a SOAP (Simple Object Access Protocol) implementation called Soup, but
the SOAP and non-SOAP parts have now been split into separate packages.

libsoup uses the Glib main loop and is designed to work well with GTK
applications. This enables GNOME applications to access HTTP servers
on the network in a completely asynchronous fashion, very similar to
the Gtk+ programming model (a synchronous operation mode is also
supported for those who want it), but the SOAP parts were removed
long ago.

--------------------------------------------------------------------------------
Update Information:

Add patches to fix:
CVE-2024-52530 libsoup3: HTTP request smuggling via stripping null bytes from
the ends of header names (bug #2325358)
CVE-2024-52532 libsoup3: infinite loop while reading websocket data (bug
#2325356)
--------------------------------------------------------------------------------
ChangeLog:

* Tue Nov 12 2024 Milan Crha [mcrha@redhat.com] - 3.4.4-3
- Add a patch to fix CVE-2024-52532 (infinite loop while reading websocket
data)
* Tue Nov 12 2024 Milan Crha [mcrha@redhat.com] - 3.4.4-2
- Add a patch to fix CVE-2024-52530 (headers: Strictly don't allow NUL
bytes)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2325356 - CVE-2024-52532 libsoup3: infinite loop while reading websocket data [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2325356
[ 2 ] Bug #2325358 - CVE-2024-52530 libsoup3: HTTP request smuggling via stripping null bytes from the ends of header names [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2325358
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-a059ea1dfc' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--