Fedora Linux 8727 Published by

The following security updates are available for Fedora Linux:

Fedora 40 Update: chromium-126.0.6478.126-1.fc40
Fedora 40 Update: openvpn-2.6.11-1.fc40
Fedora 40 Update: moodle-4.3.5-1.fc40
Fedora 40 Update: freeipa-4.12.1-1.fc40
Fedora 39 Update: firefox-127.0.2-1.fc39
Fedora 39 Update: chromium-126.0.6478.126-1.fc39
Fedora 39 Update: moodle-4.3.5-1.fc39




Fedora 40 Update: chromium-126.0.6478.126-1.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-0c02698648
2024-06-27 02:02:42.638248
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 40
Version : 126.0.6478.126
Release : 1.fc40
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

update to 126.0.6478.126
High CVE-2024-6290: Use after free in Dawn
High CVE-2024-6291: Use after free in Swiftshader
High CVE-2024-6292: Use after free in Dawn
High CVE-2024-6293: Use after free in Dawn
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 25 2024 Than Ngo [than@redhat.com] - 126.0.6478.126-1
- update to 126.0.6478.126
* High CVE-2024-6290: Use after free in Dawn
* High CVE-2024-6291: Use after free in Swiftshader
* High CVE-2024-6292: Use after free in Dawn
* High CVE-2024-6293: Use after free in Dawn
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2294106 - CVE-2024-6290 CVE-2024-6291 chromium: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2294106
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-0c02698648' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--



Fedora 40 Update: openvpn-2.6.11-1.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-b611e122fb
2024-06-27 02:02:42.638234
--------------------------------------------------------------------------------

Name : openvpn
Product : Fedora 40
Version : 2.6.11
Release : 1.fc40
URL : https://community.openvpn.net/
Summary : A full-featured TLS VPN solution
Description :
OpenVPN is a robust and highly flexible tunneling application that uses all
of the encryption, authentication, and certification features of the
OpenSSL library to securely tunnel IP networks over a single UDP or TCP
port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library
for compression.

--------------------------------------------------------------------------------
Update Information:

Update to upstream OpenVPN 2.6.11
CVE-2024-5594: control channel: refuse control channel messages with
nonprintable characters in them
CVE-2024-28882: only call schedule_exit() once (on a given peer)
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jun 21 2024 Frank Lichtenheld [frank@lichtenheld.com] - 2.6.11-1
- Update to upstream OpenVPN 2.6.11
- Remove obsolete "beta release" qualifier from Summary
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2270512 - openvpn-2.6.11 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2270512
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-b611e122fb' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--



Fedora 40 Update: moodle-4.3.5-1.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-020937763e
2024-06-27 02:02:42.638197
--------------------------------------------------------------------------------

Name : moodle
Product : Fedora 40
Version : 4.3.5
Release : 1.fc40
URL : https://moodle.org/
Summary : A Course Management System
Description :
Moodle is a course management system (CMS) - a free, Open Source software
package designed using sound pedagogical principles, to help educators create
effective online learning communities.

--------------------------------------------------------------------------------
Update Information:

Fix for multiple CVEs
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 18 2024 Gwyn Ciesla [gwync@protonmail.com] - 4.3.5-1
- 4.3.5
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2292945 - CVE-2024-38273 moodle: BigBlueButton web service leaks meeting joining information to users who should not have access [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2292945
[ 2 ] Bug #2292946 - CVE-2024-38274 moodle: stored XSS via calendar's event title when deleting the event [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2292946
[ 3 ] Bug #2292951 - CVE-2024-38276 moodle: CSRF risks due to misuse of confirm_sesskey [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2292951
[ 4 ] Bug #2292953 - CVE-2024-38277 moodle: QR login key and auto-login key for the Moodle mobile app should be generated as separate keys [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2292953
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-020937763e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--



Fedora 40 Update: freeipa-4.12.1-1.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-2a466c6514
2024-06-27 02:02:42.637986
--------------------------------------------------------------------------------

Name : freeipa
Product : Fedora 40
Version : 4.12.1
Release : 1.fc40
URL : http://www.freeipa.org/
Summary : The Identity, Policy and Audit system
Description :
IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
(host access control, SELinux user roles, services). The solution provides
features for further integration with Linux based clients (SUDO, automount)
and integration with Active Directory based infrastructures (Trusts).

--------------------------------------------------------------------------------
Update Information:

Fix CVE-2024-2698 and CVE-2024-3183
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 11 2024 Julien Rische [jrische@redhat.com] - 4.12.1-1
- Upstream release 4.12.1
- Release notes: https://www.freeipa.org/release-notes/4-12-1.html
- Security release: CVE-2024-2698 CVE-2024-3183
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2291164 - CVE-2024-3183 freeipa: user can obtain a hash of the passwords of all domain users and perform offline brute force [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2291164
[ 2 ] Bug #2291165 - CVE-2024-2698 freeipa: delegation rules allow a proxy service to impersonate any user to access another target service [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2291165
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-2a466c6514' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--



Fedora 39 Update: firefox-127.0.2-1.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-a61be271bb
2024-06-27 01:42:19.290486
--------------------------------------------------------------------------------

Name : firefox
Product : Fedora 39
Version : 127.0.2
Release : 1.fc39
URL : https://www.mozilla.org/firefox/
Summary : Mozilla Firefox Web browser
Description :
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance and portability.

--------------------------------------------------------------------------------
Update Information:

New upstream version (127.0.2)
New upstream version (127.0)
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 25 2024 Martin Stransky [stransky@redhat.com] - 127.0.2-1
- Update to 127.0.2
* Fri Jun 14 2024 Jan Grulich [jgrulich@redhat.com] - 127.0-2
- Fix duplicated camera entries with PipeWire
* Mon Jun 10 2024 Jan Horak [jhorak@redhat.com] - 127.0-1
- Update to 127.0
* Tue May 21 2024 Jan Horak [jhorak@redhat.com] - 126.0-8
- Enabled crashreporter again
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-a61be271bb' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--



Fedora 39 Update: chromium-126.0.6478.126-1.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-508d03d0c7
2024-06-27 01:42:19.290494
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 39
Version : 126.0.6478.126
Release : 1.fc39
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

update to 126.0.6478.126
High CVE-2024-6290: Use after free in Dawn
High CVE-2024-6291: Use after free in Swiftshader
High CVE-2024-6292: Use after free in Dawn
High CVE-2024-6293: Use after free in Dawn
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 25 2024 Than Ngo [than@redhat.com] - 126.0.6478.126-1
- update to 126.0.6478.126
* High CVE-2024-6290: Use after free in Dawn
* High CVE-2024-6291: Use after free in Swiftshader
* High CVE-2024-6292: Use after free in Dawn
* High CVE-2024-6293: Use after free in Dawn
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2294106 - CVE-2024-6290 CVE-2024-6291 chromium: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2294106
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-508d03d0c7' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--



Fedora 39 Update: moodle-4.3.5-1.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-9df8ef935b
2024-06-27 01:42:19.290458
--------------------------------------------------------------------------------

Name : moodle
Product : Fedora 39
Version : 4.3.5
Release : 1.fc39
URL : https://moodle.org/
Summary : A Course Management System
Description :
Moodle is a course management system (CMS) - a free, Open Source software
package designed using sound pedagogical principles, to help educators create
effective online learning communities.

--------------------------------------------------------------------------------
Update Information:

Fix for multiple CVEs
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 18 2024 Gwyn Ciesla [gwync@protonmail.com] - 4.3.5-1
- 4.3.5
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2292945 - CVE-2024-38273 moodle: BigBlueButton web service leaks meeting joining information to users who should not have access [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2292945
[ 2 ] Bug #2292946 - CVE-2024-38274 moodle: stored XSS via calendar's event title when deleting the event [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2292946
[ 3 ] Bug #2292951 - CVE-2024-38276 moodle: CSRF risks due to misuse of confirm_sesskey [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2292951
[ 4 ] Bug #2292953 - CVE-2024-38277 moodle: QR login key and auto-login key for the Moodle mobile app should be generated as separate keys [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2292953
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-9df8ef935b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--