Fedora 41 Update: chromium-132.0.6834.159-1.fc41
Fedora 41 Update: yq-4.43.1-5.fc41
Fedora 41 Update: fastd-23-1.fc41
Fedora 41 Update: ovn-24.09.2-4.fc41
[SECURITY] Fedora 41 Update: chromium-132.0.6834.159-1.fc41
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-2525ddc3f2
2025-02-04 01:14:03.353096+00:00
--------------------------------------------------------------------------------
Name : chromium
Product : Fedora 41
Version : 132.0.6834.159
Release : 1.fc41
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).
--------------------------------------------------------------------------------
Update Information:
Updated to 132.0.6834.159
* Medium CVE-2025-0762: Use after free in DevTools
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jan 29 2025 Than Ngo [than@redhat.com] - 132.0.6834.159-1
- Updated to 132.0.6834.159
* Medium CVE-2025-0762: Use after free in DevTools
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2342789 - CVE-2025-0762 chromium: Use After Free in DevTools in Google Chrome [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2342789
[ 2 ] Bug #2342790 - CVE-2025-0762 chromium: Use After Free in DevTools in Google Chrome [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2342790
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-2525ddc3f2' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--
[SECURITY] Fedora 41 Update: yq-4.43.1-5.fc41
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-cd51e0177b
2025-02-04 01:14:03.353042+00:00
--------------------------------------------------------------------------------
Name : yq
Product : Fedora 41
Version : 4.43.1
Release : 5.fc41
URL : https://github.com/mikefarah/yq
Summary : Yq is a portable command-line YAML, JSON, XML, CSV, TOML and properties processor
Description :
Yq is a portable command-line YAML, JSON, XML, CSV, TOML and properties
processor.
--------------------------------------------------------------------------------
Update Information:
Rebuilt against golang-x-net 0.33.0 for CVE-2024-45338
--------------------------------------------------------------------------------
ChangeLog:
* Sun Jan 26 2025 Michel Lind [salimma@fedoraproject.org] - 4.43.1-5
- Fix building with Go 1.24; Resolves: RHBZ#2341595
* Sun Jan 19 2025 Fedora Release Engineering [releng@fedoraproject.org] - 4.43.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2333265 - CVE-2024-45338 yq: Non-linear parsing of case-insensitive content in golang.org/x/net/html [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2333265
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-cd51e0177b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
--
[SECURITY] Fedora 41 Update: fastd-23-1.fc41
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-b895b18cfe
2025-02-04 01:14:03.352890+00:00
--------------------------------------------------------------------------------
Name : fastd
Product : Fedora 41
Version : 23
Release : 1.fc41
URL : https://github.com/neocturne/fastd
Summary : Fast and secure tunneling daemon
Description :
fastd is a secure tunneling daemon with some unique features:
- Very small binary (about 100KB on OpenWRT in the default configuration,
  including all dependencies besides libc)
- Exchangeable crypto methods
- Transport over UDP for simple usage behind NAT
- Can run in 1:1 and 1:n scenarios
- There are no server and client roles defined by the protocol, this is just
  defined by the usage.
- Only one instance of the daemon is needed on each host to create a full mesh
  If no full mesh is established, a routing protocol is necessary to enable
  hosts that are not connected directly to reach each other
--------------------------------------------------------------------------------
Update Information:
This release contains a number of small improvements and bugfixes, including
mitigations for the LOW severity vulnerability CVE-2025-24356.
Bugfixes
* Add mitigations for fast-reconnect amplification attacks

  When receiving a data packet from an unknown IP address/port combination,
  fastd will assume that one of its connected peers has moved to a new address
  (for example due to internet lines with dynamic IP, or roaming between WWAN
  and a local internet connection) and initiate a reconnect by sending a
  handshake packet. This "fast reconnect" avoids having to wait for a session
  timeout (up to ~90s) until a new connection is established.

  Even a 1-byte UDP packet just containing the fastd packet type header can
  trigger a much larger handshake packet (~150 bytes of UDP payload). With
  fastd v22, this number is doubled, because two handshakes are sent (one in a
  pre-v22-compatible format and one in a new L2TP-style format). Including IPv4
  and UDP headers, the resulting amplification factor is roughly 12-13.

  By sending data packets with a spoofed source address to fastd instances
  reachable on the internet, this amplification of UDP traffic might be used to
  facilitate a Distributed Denial of Service attack.

  To avoid this kind of attack, fastd has always rate-limited handshakes to
  unknown IP addresses and ports to 1 handshake per 15s. However, the rate is
  limited per-port and not per-address, so handshakes could still be sent to
  all 65535 UDP ports of the same IP address without limit.

  The issue has been mitigated in fastd v23 by a number of changes:
  - Rate-limiting has been changed to be applied per-address instead of
    per-port
  - Only one handshake instead of two handshakes is sent for fast-reconnect (by
    determining from the format of the data packet whether a pre-v22 or
    L2TP-style handshake should be used)
  - Require at least a full method header instead of just a single byte for a
    data packet to be considered valid. This does not have an effect on
    instances that enable the null method (regardless of null being actually in
    use), as a single-byte UDP packet is a valid null keepalive, but for all
    other methods the amplification factor is slightly reduced.

  Only fastd instances that allow connections from arbitrary IP addresses are
  vulnerable. Instances in a "client" role that configure their peers using the
  remote config option (which includes the common deployment as part of the
  Gluon wireless mesh firmware) will not respond to unexpected data packets
  with a handshake and are therefore unaffected.

  CVE-2025-24356 has been assigned to this issue. The severity of this
  vulnerability is considered LOW.

  A GitHub security advisory can be found under GHSA-pggg-vpfv-4rcv.
* Fix config loading to fail on offload l2tp no; when L2TP offloading is
  unsupported by the fastd build or the kernel
* Fix assembly Salsa20(/12) implementations accidentally generating the
  Linux-specific .note.GNU-stack ELF section on non-Linux systems
  This is unlikely to have caused any issues, as other systems should just
  ignore the unknown section.
* Status socket:
  - Fix interface name information with L2TP offloading
  - Add per-peer MTU information
* Documentation:
  - Fix incorrect "persist interface" examples
  - Improve explanation of float option
* Build:
  - Fix build on macOS (again)
  - Fix build with Meson 0.49 (the minimum version marked as supported by
    fastd)
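
The rate-limit change described above for CVE-2025-24356, modelled as an added example (not fastd's own code): the same limiter keyed per address/port pair and per address, run over a constructed burst, plus the amplification factor computed from the advisory's figures. The class, function names and sample packets are assumptions made for illustration.

```python
import ipaddress

HANDSHAKE_INTERVAL = 15.0   # seconds; "1 handshake per 15s" from the advisory
IP_UDP_HEADERS = 20 + 8     # IPv4 + UDP header bytes
HANDSHAKE_PAYLOAD = 150     # approximate UDP payload of one handshake (advisory)


class HandshakeLimiter:
    """Model of the limit on handshakes sent to unknown peers (hypothetical class)."""

    def __init__(self, per_address):
        self.per_address = per_address  # False: v22-style key, True: v23-style key
        self.last_sent = {}             # key -> time of the last handshake sent

    def allow(self, addr, port, now):
        ip = ipaddress.ip_address(addr)
        key = ip if self.per_address else (ip, port)
        # Drop expired entries so the table cannot grow without bound.
        self.last_sent = {k: t for k, t in self.last_sent.items()
                          if now - t < HANDSHAKE_INTERVAL}
        if key in self.last_sent:
            return False
        self.last_sent[key] = now
        return True


def handshakes_sent(limiter, packets):
    """Count handshakes triggered by (time, src_addr, src_port) data packets."""
    return sum(limiter.allow(addr, port, t) for t, addr, port in packets)


def amplification(handshakes_per_trigger, trigger_payload=1):
    """On-wire bytes sent per on-wire byte received, IPv4 and UDP headers included."""
    sent = handshakes_per_trigger * (IP_UDP_HEADERS + HANDSHAKE_PAYLOAD)
    return sent / (IP_UDP_HEADERS + trigger_payload)


# Constructed input: one claimed source address (RFC 5737 documentation range),
# 100 source ports, a data packet on every port at t = 0, 5, 10 and 15 seconds.
PACKETS = [(t, "198.51.100.7", port)
           for t in (0, 5, 10, 15) for port in range(40000, 40100)]

if __name__ == "__main__":
    print("per-port key:   ", handshakes_sent(HandshakeLimiter(False), PACKETS))
    print("per-address key:", handshakes_sent(HandshakeLimiter(True), PACKETS))
    print("v22, two handshakes: %.1f" % amplification(2))
    print("v23, one handshake:  %.1f" % amplification(1))
```

The one-handshake figure applies to a 1-byte trigger, which the advisory says stays valid only on instances that enable the null method; the size of a full method header is not given in the advisory, so that case is not computed.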
Other changes
* Add support for Indirect Branch Tracking and Shadow Stacks on x86
  The assembly Salsa20(/12) implementations have been marked compatible with
  IBT and SHSTK, which are part of Intel CET (Control-flow Enforcement
  Technology) and can be enabled using the -fcf-protection GCC option.
* The file COPYRIGHT has been renamed to LICENSE
* The vendored version of libmnl that is used with libmnl_builtin=true has been
  updated to 1.0.5
--------------------------------------------------------------------------------
ChangeLog:
* Sun Jan 26 2025 Felix Kaechele [felix@kaechele.ca] - 23-1
- update to 23
* Thu Jan 16 2025 Fedora Release Engineering [releng@fedoraproject.org] - 22-17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2342133 - fastd-23 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2342133
[ 2 ] Bug #2342338 - CVE-2025-24356 fastd: UDP traffic amplification via fastd's fast reconnect feature [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2342338
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-b895b18cfe' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
[SECURITY] Fedora 41 Update: ovn-24.09.2-4.fc41
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-46e6440101
2025-02-04 01:14:03.352818+00:00
--------------------------------------------------------------------------------
Name : ovn
Product : Fedora 41
Version : 24.09.2
Release : 4.fc41
URL : http://www.openvswitch.org/
Summary : Open Virtual Network support
Description :
OVN, the Open Virtual Network, is a system to support virtual network
abstraction. OVN complements the existing capabilities of OVS to add
native support for virtual network abstractions, such as virtual L2 and L3
overlays and security groups.
--------------------------------------------------------------------------------
Update Information:
Update the OVN sources to upstream release v24.09.2
--------------------------------------------------------------------------------
ChangeLog:
* Sat Jan 25 2025 Numan Siddique [numans@ovn.org] - 24.09.2-04
- Update the OVN sources to upstream release v24.09.2
with the base OVN commit df4f80a60d4cd712870aa73d32d5677448c11c78
and OVS commit 9e07a69bbb2a7d3eb35f9b487161c50cfa5bd65e
The below commits are also synced:
- Prepare for 24.09.3.
[Upstream: 0a899586b9ec222b335a956021971de1c2dd2312]
- ic: Fix NULL ptr deref on log of duplicate routes.
[Upstream: 5a19ae8fa2965e4bf6864f84dfd1adef85ba4b13]
- controller: Fix IPv6 dp flow explosion by setting flow table prefixes.
[Upstream: 8d64f2b7dcef24d175151ba5e0732281cdeb6d54]
- tests: Fix flaky "ovn-controller: Multiple OVS interfaces ...".
[Upstream: c09c714a6beb413c479983d2a301411e81d89f71]
* Fri Jan 17 2025 Fedora Release Engineering [releng@fedoraproject.org] - 24.09.1-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2267396 - ovn-24.09.2 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2267396
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-46e6440101' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
--