
Fedora Linux has received security updates, including updates for cloud-init and Chromium:

Fedora 41 Update: cloud-init-24.2-4.fc41
Fedora 42 Update: chromium-138.0.7204.168-1.fc42
Fedora 42 Update: cloud-init-24.2-5.fc42




[SECURITY] Fedora 41 Update: cloud-init-24.2-4.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-58f05c43ae
2025-07-30 01:28:52.274692+00:00
--------------------------------------------------------------------------------

Name : cloud-init
Product : Fedora 41
Version : 24.2
Release : 4.fc41
URL : https://github.com/canonical/cloud-init
Summary : Cloud instance init scripts
Description :
Cloud-init is a set of init scripts for cloud instances. Cloud instances
need special scripts to run during initialization to retrieve and install
ssh keys and to let the user run various scripts.

--------------------------------------------------------------------------------
Update Information:

Backport fixes for CVE-2024-6174 and CVE-2024-11584.

cloud-init included the systemd socket unit cloud-init-hotplugd.socket with the
default SocketMode, which grants 0666 permissions and makes the socket
world-writable. An unprivileged user could trigger hotplug-hook commands
(CVE-2024-11584).

When a non-x86 platform is detected, cloud-init granted root access to a
hardcoded URL with a local IP address. To prevent this, cloud-init default
configurations disable platform enumeration (CVE-2024-6174).

Note that the fix for CVE-2024-6174 includes a change that may break non-x86
OpenStack Nova users. Affected users may wish to use ConfigDrive as a workaround.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jul 21 2025 Jeremy Cline [jeremycline@linux.microsoft.com] - 24.2-4
- Backport fixes for CVE-2024-6174 and CVE-2024-11584
- cloud-init included the systemd socket unit cloud-init-hotplugd.socket
  with default SocketMode that grants 0666 permissions, making it
  world-writable. An unprivileged user could trigger hotplug-hook commands
  (CVE-2024-11584)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2375012 - CVE-2024-6174 cloud-init: From CVEorg collector [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2375012
[ 2 ] Bug #2375013 - CVE-2024-6174 cloud-init: From CVEorg collector [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2375013
[ 3 ] Bug #2375025 - CVE-2024-11584 cloud-init: From CVEorg collector [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2375025
[ 4 ] Bug #2375026 - CVE-2024-11584 cloud-init: From CVEorg collector [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2375026
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-58f05c43ae' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 42 Update: chromium-138.0.7204.168-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-0069214e9f
2025-07-30 01:21:50.253440+00:00
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 42
Version : 138.0.7204.168
Release : 1.fc42
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

Update to 138.0.7204.168
CVE-2025-8010: Type Confusion in V8
CVE-2025-8011: Type Confusion in V8
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jul 23 2025 Than Ngo [than@redhat.com] - 138.0.7204.168-1
- Update to 138.0.7204.168
* CVE-2025-8010: Type Confusion in V8
* CVE-2025-8011: Type Confusion in V8
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2361244 - Localizations for new window/private window action don't work for certain locales on plasma
https://bugzilla.redhat.com/show_bug.cgi?id=2361244
[ 2 ] Bug #2382742 - CVE-2025-8010 chromium: Chromium type confusion [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2382742
[ 3 ] Bug #2382743 - CVE-2025-8011 chromium: Chromium type confusion [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2382743
[ 4 ] Bug #2382744 - CVE-2025-8010 chromium: Chromium type confusion [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2382744
[ 5 ] Bug #2382745 - CVE-2025-8011 chromium: Chromium type confusion [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2382745
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-0069214e9f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 42 Update: cloud-init-24.2-5.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-b93ee7b368
2025-07-30 01:21:50.253416+00:00
--------------------------------------------------------------------------------

Name : cloud-init
Product : Fedora 42
Version : 24.2
Release : 5.fc42
URL : https://github.com/canonical/cloud-init
Summary : Cloud instance init scripts
Description :
Cloud-init is a set of init scripts for cloud instances. Cloud instances
need special scripts to run during initialization to retrieve and install
ssh keys and to let the user run various scripts.

--------------------------------------------------------------------------------
Update Information:

Backport fixes for CVE-2024-6174 and CVE-2024-11584.

cloud-init included the systemd socket unit cloud-init-hotplugd.socket with the
default SocketMode, which grants 0666 permissions and makes the socket
world-writable. An unprivileged user could trigger hotplug-hook commands
(CVE-2024-11584).

When a non-x86 platform is detected, cloud-init granted root access to a
hardcoded URL with a local IP address. To prevent this, cloud-init default
configurations disable platform enumeration (CVE-2024-6174).

Note that the fix for CVE-2024-6174 includes a change that may break non-x86
OpenStack Nova users. Affected users may wish to use ConfigDrive as a workaround.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jul 21 2025 Jeremy Cline [jeremycline@linux.microsoft.com] - 24.2-5
- Backport fixes for CVE-2024-6174 and CVE-2024-11584
- cloud-init included the systemd socket unit cloud-init-hotplugd.socket
  with default SocketMode that grants 0666 permissions, making it
  world-writable. An unprivileged user could trigger hotplug-hook commands
  (CVE-2024-11584)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2375012 - CVE-2024-6174 cloud-init: From CVEorg collector [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2375012
[ 2 ] Bug #2375013 - CVE-2024-6174 cloud-init: From CVEorg collector [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2375013
[ 3 ] Bug #2375025 - CVE-2024-11584 cloud-init: From CVEorg collector [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2375025
[ 4 ] Bug #2375026 - CVE-2024-11584 cloud-init: From CVEorg collector [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2375026
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-b93ee7b368' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--
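
Added example, not part of the Fedora advisories or of cloud-init: a shell check for the condition both cloud-init advisories above describe under CVE-2024-11584, a socket unit left on the default SocketMode of 0666. The function names, the sample unit contents, the /run/example path and the 0600 value are constructed for illustration.

```shell
#!/bin/sh
# Audit a systemd .socket unit for a world-writable SocketMode.

# effective_socket_mode FILE...
# Prints the SocketMode that applies after reading the unit file and any
# drop-ins, in the order given. systemd uses 0666 when SocketMode= is not
# set, and a later assignment overrides an earlier one.
effective_socket_mode() {
    mode=0666
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Last uncommented SocketMode=<octal> line in this file, if any.
        m=$(sed -n 's/^[[:space:]]*SocketMode[[:space:]]*=[[:space:]]*\([0-7]\{3,4\}\)[[:space:]]*$/\1/p' "$f" | tail -n 1)
        if [ -n "$m" ]; then mode=$m; fi
    done
    printf '%s\n' "$mode"
}

# is_world_writable MODE
# Succeeds when the "other" write bit is set, i.e. the last octal digit
# is 2, 3, 6 or 7.
is_world_writable() {
    case "$1" in
        *[2367]) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_socket_unit FILE...
# Prints a one-line verdict for the unit and its drop-ins.
audit_socket_unit() {
    mode=$(effective_socket_mode "$@")
    if is_world_writable "$mode"; then
        echo "VULNERABLE mode=$mode"
    else
        echo "OK mode=$mode"
    fi
}

# Constructed sample units (not copied from the cloud-init package).
tmp=$(mktemp -d)
printf '[Socket]\nListenFIFO=/run/example/hotplug.fifo\n' > "$tmp/unset.socket"
printf '[Socket]\nListenFIFO=/run/example/hotplug.fifo\nSocketMode=0600\n' > "$tmp/restricted.socket"
audit_socket_unit "$tmp/unset.socket"
audit_socket_unit "$tmp/restricted.socket"
rm -rf "$tmp"
```

On a real host, pass the installed cloud-init-hotplugd.socket unit file followed by any drop-in files, in the order systemd applies them.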