
The following security updates have been released for Fedora Linux:

Fedora 38 Update: libfilezilla-0.47.0-1.fc38
Fedora 38 Update: filezilla-3.67.0-1.fc38
Fedora 39 Update: thunderbird-115.10.1-4.fc39
Fedora 39 Update: flatpak-1.15.8-1.fc39
Fedora 39 Update: kubernetes-1.27.13-1.fc39
Fedora 39 Update: curl-8.2.1-5.fc39
Fedora 39 Update: xen-4.17.4-1.fc39
Fedora 40 Update: kubernetes-1.29.4-1.fc40
Fedora 40 Update: xen-4.18.2-1.fc40




Fedora 38 Update: libfilezilla-0.47.0-1.fc38


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-0489e7ba1e
2024-04-25 01:36:14.911592
--------------------------------------------------------------------------------

Name : libfilezilla
Product : Fedora 38
Version : 0.47.0
Release : 1.fc38
URL : https://lib.filezilla-project.org/
Summary : C++ Library for FileZilla
Description :
libfilezilla is a small and modern C++ library, offering some basic
functionality to build high-performing, platform-independent programs.

--------------------------------------------------------------------------------
Update Information:

Fix for CVE-2024-31497
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr 15 2024 Gwyn Ciesla [gwync@protonmail.com] - 0.47.0-1
- 0.47.0
* Tue Feb 6 2024 Gwyn Ciesla [gwync@protonmail.com] - 0.46.0-1
- 0.46.0
* Thu Jan 25 2024 Fedora Release Engineering [releng@fedoraproject.org] - 0.45.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering [releng@fedoraproject.org] - 0.45.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2275187 - CVE-2024-31497 filezilla: putty: secret key recovery of NIST P-521 private keys Through Biased ECDSA Nonces in PuTTY Client [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2275187
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-0489e7ba1e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--



Fedora 38 Update: filezilla-3.67.0-1.fc38


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-0489e7ba1e
2024-04-25 01:36:14.911592
--------------------------------------------------------------------------------

Name : filezilla
Product : Fedora 38
Version : 3.67.0
Release : 1.fc38
URL : https://filezilla-project.org/
Summary : FTP, FTPS and SFTP client
Description :
FileZilla is an FTP, FTPS and SFTP client for Linux with a lot of features.
- Supports FTP, FTP over SSL/TLS (FTPS) and SSH File Transfer Protocol (SFTP)
- Cross-platform
- Available in many languages
- Supports resume and transfer of large files greater than 4GB
- Easy to use Site Manager and transfer queue
- Drag & drop support
- Speed limits
- Filename filters
- Network configuration wizard

--------------------------------------------------------------------------------
Update Information:

Fix for CVE-2024-31497
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr 15 2024 Gwyn Ciesla [gwync@protonmail.com] - 3.67.0-1
- 3.67.0
* Mon Apr 15 2024 Gwyn Ciesla [gwync@protonmail.com] - 3.66.5-2
- libfilezilla rebuild
* Wed Feb 7 2024 Gwyn Ciesla [gwync@protonmail.com] - 3.66.5-1
- 3.66.5
* Wed Jan 24 2024 Fedora Release Engineering [releng@fedoraproject.org] - 3.66.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering [releng@fedoraproject.org] - 3.66.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2275187 - CVE-2024-31497 filezilla: putty: secret key recovery of NIST P-521 private keys Through Biased ECDSA Nonces in PuTTY Client [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2275187
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-0489e7ba1e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------
--



Fedora 39 Update: thunderbird-115.10.1-4.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-81c9a3fe50
2024-04-25 01:19:12.575148
--------------------------------------------------------------------------------

Name : thunderbird
Product : Fedora 39
Version : 115.10.1
Release : 4.fc39
URL : http://www.mozilla.org/projects/thunderbird/
Summary : Mozilla Thunderbird mail/newsgroup client
Description :
Mozilla Thunderbird is a standalone mail and newsgroup client.

--------------------------------------------------------------------------------
Update Information:

Update to 115.10.1
https://www.thunderbird.net/en-US/thunderbird/115.10.1/releasenotes/
Fix https://bugzilla.redhat.com/show_bug.cgi?id=2276078
Including security update to 115.10.0
https://www.mozilla.org/en-US/security/advisories/mfsa2024-20/
https://www.thunderbird.net/en-US/thunderbird/115.10.0/releasenotes/
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 23 2024 Jan Horak [jhorak@redhat.com] - 115.10.1-4
- Move the MOZ_APP_REMOTINGNAME from the startup script to the build options.
* Tue Apr 23 2024 Jan Horak [jhorak@redhat.com] - 115.10.1-3
- Fixed startup script
* Mon Apr 22 2024 Eike Rathke [erack@redhat.com] - 115.10.1-2
- Resolves: rhbz#2276078 Set MOZ_APP_REMOTINGNAME to firefox
* Mon Apr 22 2024 Eike Rathke [erack@redhat.com] - 115.10.1-1
- Update to 115.10.1
* Tue Apr 16 2024 Eike Rathke [erack@redhat.com] - 115.10.0-1
- Update to 115.10.0
- Revert expat CVE-2023-52425 fix
* Fri Mar 22 2024 Jan Horak [jhorak@redhat.com] - 115.9.0-2
- Use wayland backend on Fedora 40+
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2276078 - Opening links in emails with Firefox fails if FF is already running
https://bugzilla.redhat.com/show_bug.cgi?id=2276078
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-81c9a3fe50' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------
--



Fedora 39 Update: flatpak-1.15.8-1.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-c8d21fe399
2024-04-25 01:19:12.575114
--------------------------------------------------------------------------------

Name : flatpak
Product : Fedora 39
Version : 1.15.8
Release : 1.fc39
URL : https://flatpak.org/
Summary : Application deployment framework for desktop apps
Description :
flatpak is a system for building, distributing and running sandboxed desktop
applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for
more information.

--------------------------------------------------------------------------------
Update Information:

Update to 1.15.8
Fix CVE-2024-32462
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 19 2024 David King [amigadave@amigadave.com] - 1.15.8-1
- Update to 1.15.8 (#2275983)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2271979 - flatpak-1.15.8 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2271979
[ 2 ] Bug #2275983 - CVE-2024-32462 flatpak: sandbox escape via RequestBackground portal [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2275983
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-c8d21fe399' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------
--



Fedora 39 Update: kubernetes-1.27.13-1.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-662a8b6005
2024-04-25 01:19:12.575022
--------------------------------------------------------------------------------

Name : kubernetes
Product : Fedora 39
Version : 1.27.13
Release : 1.fc39
URL : https://kubernetes.io/
Summary : Open Source Production-Grade Container Scheduling And Management Platform
Description :
Open Source Production-Grade Container Scheduling And Management Platform

--------------------------------------------------------------------------------
Update Information:

Updates Fedora 30 to Kubernetes 1.27.13.
Resolves CVE-2024-3177: Bypassing mountable secrets policy imposed by the
ServiceAccount admission plugin.
In addition, a few bug and regression fixes.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 16 2024 Bradley G Smith [bradley.g.smith@gmail.com] - 1.27.13-1
- Update to v1.27.13.
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-662a8b6005' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------
--



Fedora 39 Update: curl-8.2.1-5.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-6dab59bd47
2024-04-25 01:19:12.574803
--------------------------------------------------------------------------------

Name : curl
Product : Fedora 39
Version : 8.2.1
Release : 5.fc39
URL : https://curl.se/
Summary : A utility for getting files from remote servers (FTP, HTTP, and others)
Description :
curl is a command line tool for transferring data with URL syntax, supporting
FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,
SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP
uploading, HTTP form based upload, proxies, cookies, user+password
authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer
resume, proxy tunneling and a busload of other useful tricks.

--------------------------------------------------------------------------------
Update Information:

fix Usage of disabled protocol (CVE-2024-2004)
fix HTTP/2 push headers memory-leak (CVE-2024-2398)
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 3 2024 Jan Macku [jamacku@redhat.com] - 8.2.1-5
- fix Usage of disabled protocol (CVE-2024-2004)
- fix HTTP/2 push headers memory-leak (CVE-2024-2398)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2270498 - CVE-2024-2398 curl: HTTP/2 push headers memory-leak
https://bugzilla.redhat.com/show_bug.cgi?id=2270498
[ 2 ] Bug #2270500 - CVE-2024-2004 curl: Usage of disabled protocol
https://bugzilla.redhat.com/show_bug.cgi?id=2270500
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-6dab59bd47' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------
--



Fedora 39 Update: xen-4.17.4-1.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-4357ec611d
2024-04-25 01:19:12.574795
--------------------------------------------------------------------------------

Name : xen
Product : Fedora 39
Version : 4.17.4
Release : 1.fc39
URL : http://xen.org/
Summary : Xen is a virtual machine monitor
Description :
This package contains the XenD daemon and xm command line
tools, needed to manage virtual machines running under the
Xen hypervisor

--------------------------------------------------------------------------------
Update Information:

x86: Native Branch History Injection [XSA-456, CVE-2024-2201]
update to xen 4.17.4, remove patches now included upstream
rebase xen.gcc12.fixes.patch
x86 HVM hypercalls may trigger Xen bug check [XSA-454, CVE-2023-46842]
x86: Incorrect logic for BTC/SRSO mitigations [XSA-455, CVE-2024-31142]
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 9 2024 Michael Young [m.a.young@durham.ac.uk] - 4.17.4-1
- x86: Native Branch History Injection [XSA-456, CVE-2024-2201]
- update to xen 4.17.4, remove patches now included upstream
rebase xen.gcc12.fixes.patch
- x86 HVM hypercalls may trigger Xen bug check [XSA-454, CVE-2023-46842]
- x86: Incorrect logic for BTC/SRSO mitigations [XSA-455, CVE-2024-31142]
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-4357ec611d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------
--



Fedora 40 Update: kubernetes-1.29.4-1.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-ce2eefc399
2024-04-25 00:59:19.184672
--------------------------------------------------------------------------------

Name : kubernetes
Product : Fedora 40
Version : 1.29.4
Release : 1.fc40
URL : https://kubernetes.io/
Summary : Open Source Production-Grade Container Scheduling And Management Platform
Description :
Open Source Production-Grade Container Scheduling And Management Platform
Installs kubelet, the kubernetes agent on each machine in a
cluster. The kubernetes-client sub-package,
containing kubectl, is recommended but not strictly required.
The kubernetes-client sub-package should be installed on
control plane machines.

--------------------------------------------------------------------------------
Update Information:

Update Kubernetes to v1.29.4 for Fedora 40. Resolves CVE-2024-3177: Bypassing
mountable secrets policy imposed by the ServiceAccount admission plugin.
Additional bug and regression fixes include a bump to Golang.org/x/net to
v0.23.0 to address CVE-2023-45288.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 16 2024 Bradley G Smith [bradley.g.smith@gmail.com] - 1.29.4-1
- Update to v1.29.4
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-ce2eefc399' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------
--



Fedora 40 Update: xen-4.18.2-1.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-a46df5ba2f
2024-04-25 00:59:19.184421
--------------------------------------------------------------------------------

Name : xen
Product : Fedora 40
Version : 4.18.2
Release : 1.fc40
URL : http://xen.org/
Summary : Xen is a virtual machine monitor
Description :
This package contains the XenD daemon and xm command line
tools, needed to manage virtual machines running under the
Xen hypervisor

--------------------------------------------------------------------------------
Update Information:

x86: Native Branch History Injection [XSA-456, CVE-2024-2201]
update to xen 4.18.2, remove patches now included upstream
x86 HVM hypercalls may trigger Xen bug check [XSA-454, CVE-2023-46842]
x86: Incorrect logic for BTC/SRSO mitigations [XSA-455, CVE-2024-31142]
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 9 2024 Michael Young [m.a.young@durham.ac.uk] - 4.18.2-1
- x86: Native Branch History Injection [XSA-456, CVE-2024-2201]
- update to xen 4.18.2, remove patches now included upstream
* Tue Apr 9 2024 Michael Young [m.a.young@durham.ac.uk] - 4.18.1-2
- x86 HVM hypercalls may trigger Xen bug check [XSA-454, CVE-2023-46842]
- x86: Incorrect logic for BTC/SRSO mitigations [XSA-455, CVE-2024-31142]
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-a46df5ba2f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------
--