Fedora Linux 8798 Published by

Fedora has unleashed a delightful array of security updates for Fedora Linux 39 and 40, giving a little love to chromium, python3, python3-docs, clamav, and thunderbird, along with apr and mingw-expat:

[SECURITY] Fedora 40 Update: chromium-128.0.6613.137-1.fc40
[SECURITY] Fedora 40 Update: python3-docs-3.12.6-1.fc40
[SECURITY] Fedora 40 Update: python3.12-3.12.6-1.fc40
[SECURITY] Fedora 40 Update: mingw-expat-2.6.3-1.fc40
[SECURITY] Fedora 40 Update: clamav-1.0.7-1.fc40
[SECURITY] Fedora 39 Update: thunderbird-115.15.0-1.fc39
[SECURITY] Fedora 39 Update: mingw-expat-2.6.3-1.fc39
[SECURITY] Fedora 39 Update: apr-1.7.5-1.fc39




[SECURITY] Fedora 40 Update: chromium-128.0.6613.137-1.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-0a4a65f805
2024-09-14 01:57:36.689629
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 40
Version : 128.0.6613.137
Release : 1.fc40
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

update to 128.0.6613.137
* High CVE-2024-8636: Heap buffer overflow in Skia
* High CVE-2024-8637: Use after free in Media Router
* High CVE-2024-8638: Type Confusion in V8
* High CVE-2024-8639: Use after free in Autofill
--------------------------------------------------------------------------------
ChangeLog:

* Wed Sep 11 2024 Than Ngo [than@redhat.com] - 128.0.6613.137-1
- update to 128.0.6613.137
* High CVE-2024-8636: Heap buffer overflow in Skia
* High CVE-2024-8637: Use after free in Media Router
* High CVE-2024-8638: Type Confusion in V8
* High CVE-2024-8639: Use after free in Autofill
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2311182 - CVE-2024-45590 chromium: Denial of Service Vulnerability in body-parser [epel-8]
https://bugzilla.redhat.com/show_bug.cgi?id=2311182
[ 2 ] Bug #2311196 - CVE-2024-45590 chromium: Denial of Service Vulnerability in body-parser [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2311196
[ 3 ] Bug #2311225 - CVE-2024-45590 chromium: Denial of Service Vulnerability in body-parser [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2311225
[ 4 ] Bug #2311373 - CVE-2024-43796 chromium: Improper Input Handling in Express Redirects [epel-8]
https://bugzilla.redhat.com/show_bug.cgi?id=2311373
[ 5 ] Bug #2311378 - CVE-2024-43796 chromium: Improper Input Handling in Express Redirects [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2311378
[ 6 ] Bug #2311393 - CVE-2024-43796 chromium: Improper Input Handling in Express Redirects [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2311393
[ 7 ] Bug #2311684 - CVE-2024-8636 chromium: Heap buffer overflow in Skia [epel-8]
https://bugzilla.redhat.com/show_bug.cgi?id=2311684
[ 8 ] Bug #2311685 - CVE-2024-8636 chromium: Heap buffer overflow in Skia [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2311685
[ 9 ] Bug #2311686 - CVE-2024-8636 chromium: Heap buffer overflow in Skia [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2311686
[ 10 ] Bug #2311690 - CVE-2024-8638 chromium: Type Confusion in V8 in Google Chrome [epel-8]
https://bugzilla.redhat.com/show_bug.cgi?id=2311690
[ 11 ] Bug #2311692 - CVE-2024-8638 chromium: Type Confusion in V8 in Google Chrome [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2311692
[ 12 ] Bug #2311693 - CVE-2024-8638 chromium: Type Confusion in V8 in Google Chrome [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2311693
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-0a4a65f805' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 40 Update: python3-docs-3.12.6-1.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-1d0cb3b43f
2024-09-14 01:57:36.689592
--------------------------------------------------------------------------------

Name : python3-docs
Product : Fedora 40
Version : 3.12.6
Release : 1.fc40
URL : https://www.python.org/
Summary : Documentation for the Python 3 programming language
Description :
The python3-docs package contains documentation on the Python 3
programming language and interpreter.

--------------------------------------------------------------------------------
Update Information:

This is the sixth maintenance release of Python 3.12
Python 3.12 is the newest major release of the Python programming language, and
it contains many new features and optimizations. 3.12.6 is the latest
maintenance release, containing about 90 bugfixes, build improvements and
documentation changes since 3.12.5. This is an expedited release to address the
following security issues:
gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with
backslashes by http.cookies. Fixes CVE-2024-7592.
gh-121285: Remove backtracking from tarfile header parsing for hdrcharset, PAX,
and GNU sparse headers. That's CVE-2024-6232.
gh-102988: email.utils.getaddresses() and email.utils.parseaddr() now return
('', '') 2-tuples in more situations where invalid email addresses are
encountered instead of potentially inaccurate values. Add optional strict
parameter to these two functions: use strict=False to get the old behavior,
accept malformed inputs. getattr(email.utils, 'supports_strict_parsing', False)
can be use to check if the strict paramater is available. This improves the
CVE-2023-27043 fix.
gh-123270: Sanitize names in zipfile.Path to avoid infinite loops (gh-122905)
without breaking contents using legitimate characters. That's CVE-2024-8088.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Sep 9 2024 Tomáš Hrnčiar - 3.12.6-1
- Update to 3.12.6
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2307370 - CVE-2024-8088 python: cpython: Iterating over a malicious ZIP file may lead to Denial of Service
https://bugzilla.redhat.com/show_bug.cgi?id=2307370
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-1d0cb3b43f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 40 Update: python3.12-3.12.6-1.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-1d0cb3b43f
2024-09-14 01:57:36.689592
--------------------------------------------------------------------------------

Name : python3.12
Product : Fedora 40
Version : 3.12.6
Release : 1.fc40
URL : https://www.python.org/
Summary : Version 3.12 of the Python interpreter
Description :
Python 3.12 is an accessible, high-level, dynamically typed, interpreted
programming language, designed with an emphasis on code readability.
It includes an extensive standard library, and has a vast ecosystem of
third-party libraries.

--------------------------------------------------------------------------------
Update Information:

This is the sixth maintenance release of Python 3.12
Python 3.12 is the newest major release of the Python programming language, and
it contains many new features and optimizations. 3.12.6 is the latest
maintenance release, containing about 90 bugfixes, build improvements and
documentation changes since 3.12.5. This is an expedited release to address the
following security issues:
gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with
backslashes by http.cookies. Fixes CVE-2024-7592.
gh-121285: Remove backtracking from tarfile header parsing for hdrcharset, PAX,
and GNU sparse headers. That's CVE-2024-6232.
gh-102988: email.utils.getaddresses() and email.utils.parseaddr() now return
('', '') 2-tuples in more situations where invalid email addresses are
encountered instead of potentially inaccurate values. Add optional strict
parameter to these two functions: use strict=False to get the old behavior,
accept malformed inputs. getattr(email.utils, 'supports_strict_parsing', False)
can be use to check if the strict paramater is available. This improves the
CVE-2023-27043 fix.
gh-123270: Sanitize names in zipfile.Path to avoid infinite loops (gh-122905)
without breaking contents using legitimate characters. That's CVE-2024-8088.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Sep 9 2024 Tomáš Hrnčiar - 3.12.6-1
- Update to 3.12.6
- Fixes: rhbz#2310090
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2307370 - CVE-2024-8088 python: cpython: Iterating over a malicious ZIP file may lead to Denial of Service
https://bugzilla.redhat.com/show_bug.cgi?id=2307370
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-1d0cb3b43f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 40 Update: mingw-expat-2.6.3-1.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-c7b547bec5
2024-09-14 01:57:36.689518
--------------------------------------------------------------------------------

Name : mingw-expat
Product : Fedora 40
Version : 2.6.3
Release : 1.fc40
URL : http://www.libexpat.org/
Summary : MinGW Windows port of expat XML parser library
Description :
This is expat, the C library for parsing XML, written by James Clark. Expat
is a stream oriented XML parser. This means that you register handlers with
the parser prior to starting the parse. These handlers are called when the
parser discovers the associated structures in the document being parsed. A
start tag is an example of the kind of structures for which you may
register handlers.

--------------------------------------------------------------------------------
Update Information:

Update to expat-2.6.3.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Sep 5 2024 Sandro Mani [manisandro@gmail.com] - 2.6.3-1
- Update to 2.6.3
* Thu Jul 18 2024 Fedora Release Engineering [releng@fedoraproject.org] - 2.6.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Fri Mar 22 2024 Sandro Mani [manisandro@gmail.com] - 2.6.2-1
- Update to 2.6.2
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2308682 - CVE-2024-45490 mingw-expat: Negative Length Parsing Vulnerability in libexpat [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2308682
[ 2 ] Bug #2308684 - CVE-2024-45490 mingw-expat: Negative Length Parsing Vulnerability in libexpat [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2308684
[ 3 ] Bug #2310142 - CVE-2024-45491 mingw-expat: Integer Overflow or Wraparound [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2310142
[ 4 ] Bug #2310145 - CVE-2024-45491 mingw-expat: Integer Overflow or Wraparound [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2310145
[ 5 ] Bug #2310148 - CVE-2024-45492 mingw-expat: integer overflow [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2310148
[ 6 ] Bug #2310151 - CVE-2024-45492 mingw-expat: integer overflow [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2310151
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-c7b547bec5' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 40 Update: clamav-1.0.7-1.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-e8f7a74693
2024-09-14 01:57:36.689511
--------------------------------------------------------------------------------

Name : clamav
Product : Fedora 40
Version : 1.0.7
Release : 1.fc40
URL : https://www.clamav.net/
Summary : End-user tools for the Clam Antivirus scanner
Description :
Clam AntiVirus is an anti-virus toolkit for UNIX. The main purpose of this
software is the integration with mail servers (attachment scanning). The
package provides a flexible and scalable multi-threaded daemon, a command
line scanner, and a tool for automatic updating via Internet. The programs
are based on a shared library distributed with the Clam AntiVirus package,
which you can use with your own software. The virus database is based on
the virus database from OpenAntiVirus, but contains additional signatures
(including signatures for popular polymorphic viruses, too) and is KEPT UP
TO DATE.

--------------------------------------------------------------------------------
Update Information:

Update to 1.0.7
CVE-2024-20506: Changed the logging module to disable following symlinks on
Linux and Unix systems so as to prevent an attacker with existing access to the
'clamd' or 'freshclam' services from using a symlink to corrupt system files.
CVE-2024-20505: Fixed a possible out-of-bounds read bug in the PDF file parser
that could cause a denial-of-service (DoS) condition.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Sep 5 2024 Yaakov Selkowitz [yselkowi@redhat.com] - 1.0.7-1
- Update to 1.0.7
* Wed Jul 17 2024 Fedora Release Engineering [releng@fedoraproject.org] - 1.0.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2310067 - CVE-2024-20506 clamav: ClamD process writes to log file while privileged without checking if its been replaced with a symlink [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2310067
[ 2 ] Bug #2310073 - CVE-2024-20505 clamav: out-of-bounds read bug in the PDF file parser [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2310073
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-e8f7a74693' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 39 Update: thunderbird-115.15.0-1.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-e77ad5f585
2024-09-14 01:25:52.789566
--------------------------------------------------------------------------------

Name : thunderbird
Product : Fedora 39
Version : 115.15.0
Release : 1.fc39
URL : http://www.mozilla.org/projects/thunderbird/
Summary : Mozilla Thunderbird mail/newsgroup client
Description :
Mozilla Thunderbird is a standalone mail and newsgroup client.

--------------------------------------------------------------------------------
Update Information:

Update to 115.15.0
https://www.thunderbird.net/en-US/thunderbird/115.15.0esr/releasenotes/
--------------------------------------------------------------------------------
ChangeLog:

* Thu Sep 5 2024 Eike Rathke [erack@redhat.com] - 115.15.0-1
- Update to 115.15.0
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-e77ad5f585' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 39 Update: mingw-expat-2.6.3-1.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-e86a48cd72
2024-09-14 01:25:52.789546
--------------------------------------------------------------------------------

Name : mingw-expat
Product : Fedora 39
Version : 2.6.3
Release : 1.fc39
URL : http://www.libexpat.org/
Summary : MinGW Windows port of expat XML parser library
Description :
This is expat, the C library for parsing XML, written by James Clark. Expat
is a stream oriented XML parser. This means that you register handlers with
the parser prior to starting the parse. These handlers are called when the
parser discovers the associated structures in the document being parsed. A
start tag is an example of the kind of structures for which you may
register handlers.

--------------------------------------------------------------------------------
Update Information:

Update to expat-2.6.3.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Sep 5 2024 Sandro Mani [manisandro@gmail.com] - 2.6.3-1
- Update to 2.6.3
* Thu Jul 18 2024 Fedora Release Engineering [releng@fedoraproject.org] - 2.6.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Fri Mar 22 2024 Sandro Mani [manisandro@gmail.com] - 2.6.2-1
- Update to 2.6.2
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2308682 - CVE-2024-45490 mingw-expat: Negative Length Parsing Vulnerability in libexpat [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2308682
[ 2 ] Bug #2308684 - CVE-2024-45490 mingw-expat: Negative Length Parsing Vulnerability in libexpat [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2308684
[ 3 ] Bug #2310142 - CVE-2024-45491 mingw-expat: Integer Overflow or Wraparound [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2310142
[ 4 ] Bug #2310145 - CVE-2024-45491 mingw-expat: Integer Overflow or Wraparound [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2310145
[ 5 ] Bug #2310148 - CVE-2024-45492 mingw-expat: integer overflow [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2310148
[ 6 ] Bug #2310151 - CVE-2024-45492 mingw-expat: integer overflow [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2310151
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-e86a48cd72' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 39 Update: apr-1.7.5-1.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-318343049c
2024-09-14 01:25:52.789492
--------------------------------------------------------------------------------

Name : apr
Product : Fedora 39
Version : 1.7.5
Release : 1.fc39
URL : https://apr.apache.org/
Summary : Apache Portable Runtime library
Description :
The mission of the Apache Portable Runtime (APR) is to provide a
free library of C data structures and routines, forming a system
portability layer to as many operating systems as possible,
including Unices, MS Win32, BeOS and OS/2.

--------------------------------------------------------------------------------
Update Information:

This update to the apr package fixes a security issue in the handling of shared
memory permissions.
SECURITY: CVE-2023-49582: Apache Portable Runtime (APR):
Unexpected lax shared memory permissions (cve.mitre.org)
Lax permissions set by the Apache Portable Runtime library on
Unix platforms would allow local users read access to named
shared memory segments, potentially revealing sensitive
application data.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Aug 28 2024 Joe Orton - 1.7.5-1
- update to 1.7.5 (#2307902)
* Wed Jul 17 2024 Fedora Release Engineering - 1.7.3-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Thu Feb 8 2024 Joe Orton - 1.7.3-8
- use autosetup
- always disable SCTP support at build time
* Mon Jan 29 2024 Fedora Release Engineering - 1.7.3-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Mon Jan 22 2024 Fedora Release Engineering - 1.7.3-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering - 1.7.3-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Tue Oct 24 2023 Luboš Uhliarik - 1.7.3-4
- rebuilt
* Fri Sep 29 2023 Luboš Uhliarik - 1.7.3-3
- SPDX migration
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2308485 - CVE-2023-49582 apr: Lax permissions in Apache Portable Runtime shared memory [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2308485
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-318343049c' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------