Fedora Linux 8797 Published by

A bunch of security updates has been rolled out for Fedora Linux 41 Beta (RC), featuring the likes of firefox, mbedtls, libcoap, chromium, vim, ruby, clamav, python-django, haproxy, osc, mbedtls, nextcloud, and wolfssl:

[SECURITY] Fedora 41 Update: firefox-130.0-5.fc41
[SECURITY] Fedora 41 Update: mbedtls3.6-3.6.1-1.fc41
[SECURITY] Fedora 41 Update: libcoap-4.3.5-6.fc41
[SECURITY] Fedora 41 Update: chromium-128.0.6613.119-1.fc41
[SECURITY] Fedora 41 Update: vim-9.1.719-1.fc41
[SECURITY] Fedora 41 Update: ruby-3.3.5-14.fc41
[SECURITY] Fedora 41 Update: mingw-python3-3.11.9-2.fc41
[SECURITY] Fedora 41 Update: thunderbird-128.2.0-1.fc41
[SECURITY] Fedora 41 Update: mingw-expat-2.6.3-1.fc41
[SECURITY] Fedora 41 Update: clamav-1.0.7-1.fc41
[SECURITY] Fedora 41 Update: python-django-4.2.16-1.fc41
[SECURITY] Fedora 41 Update: haproxy-3.0.4-1.fc41
[SECURITY] Fedora 41 Update: python-django4.2-4.2.16-1.fc41
[SECURITY] Fedora 41 Update: osc-1.9.1-420.1.1.fc41
[SECURITY] Fedora 41 Update: mbedtls-2.28.9-1.fc41
[SECURITY] Fedora 41 Update: nextcloud-29.0.6-1.fc41
[SECURITY] Fedora 41 Update: wolfssl-5.7.2-2.fc41




[SECURITY] Fedora 41 Update: firefox-130.0-5.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-55a5adeec4
2024-09-13 20:43:08.473995
--------------------------------------------------------------------------------

Name : firefox
Product : Fedora 41
Version : 130.0
Release : 5.fc41
URL : https://www.mozilla.org/firefox/
Summary : Mozilla Firefox Web browser
Description :
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance and portability.

--------------------------------------------------------------------------------
Update Information:

PipeWire camera support: backport set of upstream patches
New upstream update (130.0)
--------------------------------------------------------------------------------
ChangeLog:

* Sun Sep 8 2024 Jan Grulich - 130.0-5
- PipeWire camera support: backport set of upstream patches
* Fri Sep 6 2024 Martin Stransky - 130.0-4
- Added fix for mzbz#1916038
* Thu Sep 5 2024 Martin Stransky - 130.0-3
- Downgrade libyuv to fix AVIF image rendering
* Fri Aug 30 2024 Martin Stransky - 130.0-2
- Updated to 130.0 build 2
* Wed Aug 28 2024 Martin Stransky - 130.0-1
- Update to 130.0
* Wed Aug 28 2024 Miroslav Suchý - 129.0.2-2
- convert license to SPDX
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-55a5adeec4' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 41 Update: mbedtls3.6-3.6.1-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-9a87127dd0
2024-09-13 20:43:08.473761
--------------------------------------------------------------------------------

Name : mbedtls3.6
Product : Fedora 41
Version : 3.6.1
Release : 1.fc41
URL : https://www.trustedfirmware.org/projects/mbed-tls
Summary : Light-weight cryptographic and SSL/TLS library
Description :
Mbed TLS is a light-weight open source cryptographic and SSL/TLS
library written in C. Mbed TLS makes it easy for developers to include
cryptographic and SSL/TLS capabilities in their (embedded)
applications with as little hassle as possible.

--------------------------------------------------------------------------------
Update Information:

Update to 3.6.1
Release notes: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.1
Update to 3.6.0
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep 6 2024 Bill Roberts [bill.roberts@arm.com] - 3.6.1-1
- Update to 3.6.1
- Notably Fixes CVE-2024-45157
* Tue Apr 2 2024 Bill Roberts [bill.roberts@arm.com] - 3.6.0-1
- Update to 3.6.0
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2282603 - Review Request: mbedtls3.6 - Light-weight cryptographic and SSL/TLS library
https://bugzilla.redhat.com/show_bug.cgi?id=2282603
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-9a87127dd0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: libcoap-4.3.5-6.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-9c7bbee0f0
2024-09-13 20:43:08.473243
--------------------------------------------------------------------------------

Name : libcoap
Product : Fedora 41
Version : 4.3.5
Release : 6.fc41
URL : https://libcoap.net/
Summary : C library implementation of CoAP
Description :
The Constrained Application Protocol (CoAP) is a specialized web transfer
protocol for use with constrained nodes and constrained networks in the Internet
of Things. The protocol is designed for machine-to-machine (M2M) applications
such as smart energy and building automation.

libcoap implements a lightweight application-protocol for devices with
constrained resources such as computing power, RF range, memory, bandwidth,
or network packet sizes. This protocol, CoAP, was standardized in the IETF
working group "CoRE" as RFC 7252.

--------------------------------------------------------------------------------
Update Information:

Update to 4.3.5 GA
--------------------------------------------------------------------------------
ChangeLog:

* Sat Sep 7 2024 Peter Robinson - 4.3.5-6
- Update to 4.3.5 GA
* Mon Sep 2 2024 Miroslav Suchý - 4.3.5-0.4.rc1
- convert license to SPDX
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2290846 - CVE-2023-51847 libcoap: remote attacker to cause a denial of service via thecoap_context_t [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2290846
--------------------------------------------------------------------------------



[SECURITY] Fedora 41 Update: chromium-128.0.6613.119-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-e109b67926
2024-09-13 20:43:08.473182
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 41
Version : 128.0.6613.119
Release : 1.fc41
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

update to 128.0.6613.119
High CVE-2024-8362: Use after free in WebAudio
High CVE-2024-7970: Out of bounds write in V8
--------------------------------------------------------------------------------
ChangeLog:

* Thu Sep 5 2024 Than Ngo [than@redhat.com] - 128.0.6613.119-1
- update to 128.0.6613.119
* High CVE-2024-8362: Use after free in WebAudio
* High CVE-2024-7970: Out of bounds write in V8
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2303360 - CVE-2024-7536 chromium: Use after free in WebAudio [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2303360
[ 2 ] Bug #2303361 - CVE-2024-6994 chromium: Heap buffer overflow in Layout [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2303361
[ 3 ] Bug #2303362 - CVE-2024-6994 chromium: Heap buffer overflow in Layout [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2303362
[ 4 ] Bug #2303363 - CVE-2024-7003 chromium: Inappropriate implementation in FedCM [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2303363
[ 5 ] Bug #2303364 - CVE-2024-7000 chromium: Use after free in CSS [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2303364
[ 6 ] Bug #2303365 - CVE-2024-7003 chromium: Inappropriate implementation in FedCM [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2303365
[ 7 ] Bug #2303366 - CVE-2024-6999 chromium: Inappropriate implementation in FedCM [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2303366
[ 8 ] Bug #2303367 - CVE-2024-6998 chromium: Use after free in User Education [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2303367
[ 9 ] Bug #2303368 - CVE-2024-6997 chromium: Use after free in Tabs [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2303368
[ 10 ] Bug #2303369 - CVE-2024-7000 chromium: Use after free in CSS [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2303369
[ 11 ] Bug #2303370 - CVE-2024-6999 chromium: Inappropriate implementation in FedCM [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2303370
[ 12 ] Bug #2303371 - CVE-2024-6996 chromium: Race in Frames [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2303371
[ 13 ] Bug #2303372 - CVE-2024-6995 chromium: Inappropriate implementation in Fullscreen [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2303372
[ 14 ] Bug #2303373 - CVE-2024-6998 chromium: Use after free in User Education [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2303373
[ 15 ] Bug #2303374 - CVE-2024-6997 chromium: Use after free in Tabs [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2303374
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-e109b67926' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: vim-9.1.719-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-48e080c52f
2024-09-13 20:43:08.473161
--------------------------------------------------------------------------------

Name : vim
Product : Fedora 41
Version : 9.1.719
Release : 1.fc41
URL : http://www.vim.org/
Summary : The VIM editor
Description :
VIM (VIsual editor iMproved) is an updated and improved version of the
vi editor. Vi was the first real screen-based editor for UNIX, and is
still very popular. VIM improves on vi by adding new features:
multiple windows, multi-level undo, block highlighting and more.

--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2024-45306
patchlevel 703
Security fixes for CVE-2024-43374, CVE-2024-43802
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep 6 2024 Zdenek Dohnal [zdohnal@redhat.com] - 2:9.1.719-1
- patchlevel 719
* Fri Aug 30 2024 Zdenek Dohnal [zdohnal@redhat.com] - 2:9.1.703-1
- patchlevel 703
* Mon Aug 12 2024 Zdenek Dohnal [zdohnal@redhat.com] - 2:9.1.672-1
- patchlevel 672
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2305311 - CVE-2024-43374 vim: use-after-free in alist_add() in src/arglist.c [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2305311
[ 2 ] Bug #2308491 - CVE-2024-43802 vim: Heap Buffer Overflow in Vim's Typeahead Buffer Handling [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2308491
[ 3 ] Bug #2309344 - CVE-2024-45306 vim: heap-buffer-overflow in Vim [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2309344
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-48e080c52f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: ruby-3.3.5-14.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-cfcd6258fa
2024-09-13 20:43:08.473040
--------------------------------------------------------------------------------

Name : ruby
Product : Fedora 41
Version : 3.3.5
Release : 14.fc41
URL : https://www.ruby-lang.org/
Summary : An interpreter of object-oriented scripting language
Description :
Ruby is the interpreted scripting language for quick and easy
object-oriented programming. It has many features to process text
files and to do system management tasks (as in Perl). It is simple,
straight-forward, and extensible.

--------------------------------------------------------------------------------
Update Information:

Upgrade to Ruby 3.3.5.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 3 2024 Vít Ondruch - 3.3.5-14
- Upgrade to Ruby 3.3.5.
Resolves: rhbz#2309364
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2298243 - CVE-2024-39908 rexml: DoS vulnerability in REXML
https://bugzilla.redhat.com/show_bug.cgi?id=2298243
[ 2 ] Bug #2307297 - CVE-2024-43398 rexml: DoS vulnerability in REXML
https://bugzilla.redhat.com/show_bug.cgi?id=2307297
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-cfcd6258fa' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 41 Update: mingw-python3-3.11.9-2.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-48fd84da22
2024-09-13 20:43:08.472806
--------------------------------------------------------------------------------

Name : mingw-python3
Product : Fedora 41
Version : 3.11.9
Release : 2.fc41
URL : https://www.python.org/
Summary : MinGW Windows python3
Description :
MinGW Windows python3

--------------------------------------------------------------------------------
Update Information:

Backport patch for CVE-2024-8088
--------------------------------------------------------------------------------
ChangeLog:

* Wed Aug 28 2024 Sandro Mani [manisandro@gmail.com] - 3.11.9-2
- Backport patch for CVE-2024-8088
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2307457 - CVE-2024-8088 mingw-python3: From NVD collector [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2307457
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-48fd84da22' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: thunderbird-128.2.0-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-194cb0840b
2024-09-13 20:43:08.472773
--------------------------------------------------------------------------------

Name : thunderbird
Product : Fedora 41
Version : 128.2.0
Release : 1.fc41
URL : http://www.mozilla.org/projects/thunderbird/
Summary : Mozilla Thunderbird mail/newsgroup client
Description :
Mozilla Thunderbird is a standalone mail and newsgroup client.

--------------------------------------------------------------------------------
Update Information:

Update to 128.2.0
https://www.thunderbird.net/en-US/thunderbird/128.2.0esr/releasenotes/
--------------------------------------------------------------------------------
ChangeLog:

* Thu Sep 5 2024 Eike Rathke [erack@redhat.com] - 128.2.0-1
- Update to 128.2.0
* Tue Aug 6 2024 Eike Rathke [erack@redhat.com] - 128.1.0-1
- Update to 128.1.0
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-194cb0840b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: mingw-expat-2.6.3-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-c5d55d5845
2024-09-13 20:43:08.472730
--------------------------------------------------------------------------------

Name : mingw-expat
Product : Fedora 41
Version : 2.6.3
Release : 1.fc41
URL : http://www.libexpat.org/
Summary : MinGW Windows port of expat XML parser library
Description :
This is expat, the C library for parsing XML, written by James Clark. Expat
is a stream oriented XML parser. This means that you register handlers with
the parser prior to starting the parse. These handlers are called when the
parser discovers the associated structures in the document being parsed. A
start tag is an example of the kind of structures for which you may
register handlers.

--------------------------------------------------------------------------------
Update Information:

Update to expat-2.6.3.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Sep 5 2024 Sandro Mani [manisandro@gmail.com] - 2.6.3-1
- Update to 2.6.3
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2308682 - CVE-2024-45490 mingw-expat: Negative Length Parsing Vulnerability in libexpat [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2308682
[ 2 ] Bug #2308684 - CVE-2024-45490 mingw-expat: Negative Length Parsing Vulnerability in libexpat [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2308684
[ 3 ] Bug #2310142 - CVE-2024-45491 mingw-expat: Integer Overflow or Wraparound [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2310142
[ 4 ] Bug #2310145 - CVE-2024-45491 mingw-expat: Integer Overflow or Wraparound [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2310145
[ 5 ] Bug #2310148 - CVE-2024-45492 mingw-expat: integer overflow [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2310148
[ 6 ] Bug #2310151 - CVE-2024-45492 mingw-expat: integer overflow [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2310151
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-c5d55d5845' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: clamav-1.0.7-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-0d7eb64d90
2024-09-13 20:43:08.472713
--------------------------------------------------------------------------------

Name : clamav
Product : Fedora 41
Version : 1.0.7
Release : 1.fc41
URL : https://www.clamav.net/
Summary : End-user tools for the Clam Antivirus scanner
Description :
Clam AntiVirus is an anti-virus toolkit for UNIX. The main purpose of this
software is the integration with mail servers (attachment scanning). The
package provides a flexible and scalable multi-threaded daemon, a command
line scanner, and a tool for automatic updating via Internet. The programs
are based on a shared library distributed with the Clam AntiVirus package,
which you can use with your own software. The virus database is based on
the virus database from OpenAntiVirus, but contains additional signatures
(including signatures for popular polymorphic viruses, too) and is KEPT UP
TO DATE.

--------------------------------------------------------------------------------
Update Information:

Update to 1.0.7
CVE-2024-20506: Changed the logging module to disable following symlinks on
Linux and Unix systems so as to prevent an attacker with existing access to the
'clamd' or 'freshclam' services from using a symlink to corrupt system files.
CVE-2024-20505: Fixed a possible out-of-bounds read bug in the PDF file parser
that could cause a denial-of-service (DoS) condition.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Sep 5 2024 Yaakov Selkowitz [yselkowi@redhat.com] - 1.0.7-1
- Update to 1.0.7
* Wed Jul 17 2024 Fedora Release Engineering [releng@fedoraproject.org] - 1.0.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2300593 - clamav: FTBFS in Fedora rawhide/f41
https://bugzilla.redhat.com/show_bug.cgi?id=2300593
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-0d7eb64d90' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: python-django-4.2.16-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-396c94f0a3
2024-09-13 20:43:08.472565
--------------------------------------------------------------------------------

Name : python-django
Product : Fedora 41
Version : 4.2.16
Release : 1.fc41
URL : https://www.djangoproject.com/
Summary : A high-level Python Web framework
Description :
Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as
much as possible and adhering to the DRY (Don't Repeat Yourself)
principle.

--------------------------------------------------------------------------------
Update Information:

urlize and urlizetrunc were subject to a potential denial-of-service attack via
very large inputs with a specific sequence of characters.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Sep 4 2024 Michel Lind [salimma@fedoraproject.org] - 4.2.16-1
- Update to version 4.2.16
- Fixes: CVE-2024-45230, RHBZ#2309746
- Sync spec improvements from python-django4.2
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2309746 - CVE-2024-45230: Potential denial-of-service vulnerability in django.utils.html.urlize()
https://bugzilla.redhat.com/show_bug.cgi?id=2309746
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-396c94f0a3' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: haproxy-3.0.4-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-bd2368f66a
2024-09-13 20:43:08.472492
--------------------------------------------------------------------------------

Name : haproxy
Product : Fedora 41
Version : 3.0.4
Release : 1.fc41
URL : http://www.haproxy.org/
Summary : HAProxy reverse proxy for high availability environments
Description :
HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high
availability environments. Indeed, it can:
- route HTTP requests depending on statically assigned cookies
- spread load among several servers while assuring server persistence
through the use of HTTP cookies
- switch to backup servers in the event a main one fails
- accept connections to special ports dedicated to service monitoring
- stop accepting connections without breaking existing ones
- add, modify, and delete HTTP headers in both directions
- block requests matching particular patterns
- report detailed status to authenticated users from a URI
intercepted from the application

--------------------------------------------------------------------------------
Update Information:

Update to 3.0.4 (CVE-2024-45506, #2309472)
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 3 2024 Ryan O'Hara [rohara@redhat.com] - 3.0.4-1
- Update to 3.0.4 (CVE-2024-45506, #2309472)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2309472 - haproxy-3.0.4 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2309472
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-bd2368f66a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: python-django4.2-4.2.16-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-b08735561c
2024-09-13 20:43:08.472457
--------------------------------------------------------------------------------

Name : python-django4.2
Product : Fedora 41
Version : 4.2.16
Release : 1.fc41
URL : https://www.djangoproject.com/
Summary : A high-level Python Web framework
Description :
Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as
much as possible and adhering to the DRY (Don't Repeat Yourself)
principle.

--------------------------------------------------------------------------------
Update Information:

urlize and urlizetrunc were subject to a potential denial-of-service attack via
very large inputs with a specific sequence of characters.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Sep 4 2024 Michel Lind [salimma@fedoraproject.org] - 4.2.16-1
- Update to version 4.2.16
- Fixes: CVE-2024-45230, RHBZ#2309747
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2309747 - CVE-2024-45230: Potential denial-of-service vulnerability in django.utils.html.urlize()
https://bugzilla.redhat.com/show_bug.cgi?id=2309747
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-b08735561c' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: osc-1.9.1-420.1.1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-3d2a146701
2024-09-13 20:43:08.472069
--------------------------------------------------------------------------------

Name : osc
Product : Fedora 41
Version : 1.9.1
Release : 420.1.1.fc41
URL : https://github.com/openSUSE/osc
Summary : Open Build Service Commander
Description :
Commandline client for the Open Build Service.

See http://en.opensuse.org/openSUSE:OSC , as well as
http://en.opensuse.org/openSUSE:Build_Service_Tutorial for a general
introduction.

--------------------------------------------------------------------------------
Update Information:

New upstream release 1.9.1, fixes CVE-2024-22034
--------------------------------------------------------------------------------
ChangeLog:

* Wed Sep 4 2024 Dan Čermák - 1.9.1-415.1.1
- New upstream release 1.9.1, fixes CVE-2024-22034 and rhbz#2309529
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2309529 - osc-1.9.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2309529
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-3d2a146701' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 41 Update: mbedtls-2.28.9-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-d4bcb0da46
2024-09-13 20:43:08.471899
--------------------------------------------------------------------------------

Name : mbedtls
Product : Fedora 41
Version : 2.28.9
Release : 1.fc41
URL : https://www.trustedfirmware.org/projects/mbed-tls
Summary : Light-weight cryptographic and SSL/TLS library
Description :
Mbed TLS is a light-weight open source cryptographic and SSL/TLS
library written in C. Mbed TLS makes it easy for developers to include
cryptographic and SSL/TLS capabilities in their (embedded)
applications with as little hassle as possible.

--------------------------------------------------------------------------------
Update Information:

Update to 2.28.9
Release notes: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.28.9
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 3 2024 Morten Stevens [mstevens@fedoraproject.org] - 2.28.9-1
- Revert to 2.28.x branch for F41
* Thu Jul 18 2024 Fedora Release Engineering [releng@fedoraproject.org] - 3.6.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Tue May 14 2024 Morten Stevens [mstevens@fedoraproject.org] - 3.6.0-1
- Update to 3.6.0
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2310290 - CVE-2024-45157 mbedtls: From NVD collector [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2310290
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-d4bcb0da46' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: nextcloud-29.0.6-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-19e63ed69e
2024-09-13 20:43:08.471872
--------------------------------------------------------------------------------

Name : nextcloud
Product : Fedora 41
Version : 29.0.6
Release : 1.fc41
URL : http://nextcloud.com
Summary : Private file sync and share server
Description :
NextCloud gives you universal access to your files through a web interface or
WebDAV. It also provides a platform to easily view & sync your contacts,
calendars and bookmarks across all your devices and enables basic editing right
on the web. NextCloud is extendable via a simple but powerful API for
applications and plugins.

--------------------------------------------------------------------------------
Update Information:

29.0.6 release RHBZ#2305125 RHBZ#2309499 fixes CVE-2024-39338
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 3 2024 Andrew Bauer - 29.0.6-1
- 29.0.6 release RHBZ#2305125 RHBZ#2309499 fixes CVE-2024-39338
* Tue Sep 3 2024 Andrew Bauer - 29.0.5-5
- 29.0.6 release RHBZ#2305125 RHBZ#2309499 fixes CVE-2024-39338
* Tue Sep 3 2024 Andrew Bauer - 29.0.5-4
- 29.0.6 release RHBZ#2305125 RHBZ#2309499 fixes CVE-2024-39338
* Tue Sep 3 2024 Andrew Bauer - 29.0.5-3
- 29.0.6 release RHBZ#2305125 RHBZ# 2309499 fixes CVE-2024-39338
* Mon Sep 2 2024 Miroslav Suchý - 29.0.5-2
- convert license to SPDX
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2305125 - CVE-2024-39338 nextcloud: axios: Server-Side Request Forgery [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2305125
[ 2 ] Bug #2309499 - nextcloud-30.0.0rc3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2309499
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-19e63ed69e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 41 Update: wolfssl-5.7.2-2.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-e089551039
2024-09-13 20:43:08.471854
--------------------------------------------------------------------------------

Name : wolfssl
Product : Fedora 41
Version : 5.7.2
Release : 2.fc41
URL : https://github.com/wolfSSL/wolfssl
Summary : Lightweight SSL/TLS library written in ANSI C
Description :
The wolfSSL embedded SSL library (formerly CyaSSL) is a lightweight SSL/TLS
library written in ANSI C and targeted for embedded, RTOS, and
resource-constrained environments - primarily because of its small size,
speed, and feature set. It is commonly used in standard operating environments
as well because of its royalty-free pricing and excellent cross platform
support. wolfSSL supports industry standards up to the current TLS 1.3 and
DTLS 1.3, is up to 20 times smaller than OpenSSL, and offers progressive
ciphers such as ChaCha20, Curve25519, Blake2b and Post-Quantum TLS 1.3 groups.
User bench-marking and feedback reports dramatically better performance when
using wolfSSL over OpenSSL.

wolfSSL is powered by the wolfCrypt cryptography library. Two versions of
wolfCrypt have been FIPS 140-2 validated (Certificate #2425 and certificate

visit the wolfCrypt FIPS FAQ or contact fips@wolfssl.com.

--------------------------------------------------------------------------------
Update Information:

RHBZ#2308628 RHBZ#2308629 RHBZ#2308630 RHBZ#2308631 fixed in 5.7.2 release
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 3 2024 Andrew Bauer [zonexpertconsulting@outlook.com] - 5.7.2-2
- RHBZ#2308628 RHBZ#2308629 RHBZ#2308630 RHBZ#2308631 fixed in 5.7.2 release
- fips macro patch no longer needed
* Sun Aug 25 2024 Andrew Bauer [zonexpertconsulting@outlook.com] - 5.7.2-1
- 5.7.2 release
- patch FIPS_VERSION3_GE macro issue
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2308628 - CVE-2024-1543 wolfssl: The side-channel protected T-Table implementation in wolfSSL [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2308628
[ 2 ] Bug #2308629 - CVE-2024-1543 wolfssl: The side-channel protected T-Table implementation in wolfSSL [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2308629
[ 3 ] Bug #2308630 - CVE-2024-1545 wolfssl: Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2308630
[ 4 ] Bug #2308631 - CVE-2024-1545 wolfssl: Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2308631
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-e089551039' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--