
The Fedora Project has released a series of security updates, including glibc-2.40-14.fc41, golang-github-task-3.40.1-1.fc41, golang-github-chainguard-dev-git-urls-1.0.2-1.fc41, python3.14-3.14.0~a2-2.fc41, icecat-115.18.0-2.rh2.fc41, python-nbdime-4.0.2-2.fc40, and ColPack-1.0.10-25.fc40:

Fedora 41 Update: glibc-2.40-14.fc41
Fedora 41 Update: golang-github-task-3.40.1-1.fc41
Fedora 41 Update: golang-github-chainguard-dev-git-urls-1.0.2-1.fc41
Fedora 41 Update: python3.14-3.14.0~a2-2.fc41
Fedora 41 Update: icecat-115.18.0-2.rh2.fc41
Fedora 41 Update: python-nbdime-4.0.2-2.fc41
Fedora 41 Update: ColPack-1.0.10-25.fc41
Fedora 40 Update: icecat-115.18.0-2.rh2.fc40
Fedora 40 Update: python-nbdime-4.0.2-2.fc40
Fedora 40 Update: ColPack-1.0.10-25.fc40
Fedora 40 Update: python3.13-3.13.1-2.fc40




[SECURITY] Fedora 41 Update: glibc-2.40-14.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-846e191001
2024-12-19 04:06:20.748341+00:00
--------------------------------------------------------------------------------

Name : glibc
Product : Fedora 41
Version : 2.40
Release : 14.fc41
URL : http://www.gnu.org/software/glibc/
Summary : The GNU libc libraries
Description :
The glibc package contains standard libraries which are used by
multiple programs on the system. In order to save disk space and
memory, as well as to make upgrading easier, common system code is
kept in one place and shared between programs. This particular package
contains the most important sets of shared libraries: the standard C
library and the standard math library. Without these two libraries, a
Linux system will not function.

--------------------------------------------------------------------------------
Update Information:

This update addresses a security vulnerability in the getrandom and arc4random
implementation (CVE-2024-12455) on POWER systems (ppc64le). Other architectures
are not affected.
--------------------------------------------------------------------------------
ChangeLog:

* Sun Dec 15 2024 Florian Weimer [fweimer@redhat.com] - 2.40-14
- Minor update to getrandom vDSO handshake
* Wed Dec 11 2024 Florian Weimer [fweimer@redhat.com] - 2.40-13
- CVE-2024-12455: Incorrect getrandom return value on ppc64le
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2332112 - CVE-2024-12455 glibc: glibc in Fedora 41 ships a broken getrandom/arc4random for ppc64le platform [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2332112
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-846e191001' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: golang-github-task-3.40.1-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-40d4ab1c94
2024-12-19 04:06:20.748258+00:00
--------------------------------------------------------------------------------

Name : golang-github-task
Product : Fedora 41
Version : 3.40.1
Release : 1.fc41
URL : https://github.com/go-task/task
Summary : A task runner / simpler Make alternative written in Go
Description :

A task runner / simpler Make alternative written in Go.

--------------------------------------------------------------------------------
Update Information:

Bugfix to mitigate CVE-2023-46402
--------------------------------------------------------------------------------
ChangeLog:

* Sat Dec 7 2024 Mark E. Fuller [mark.e.fuller@gmx.de] - 3.40.1-1
- update to v3.40.1 to address CVE-2023-46402, close rhbz#2330797
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-40d4ab1c94' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: golang-github-chainguard-dev-git-urls-1.0.2-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-40d4ab1c94
2024-12-19 04:06:20.748258+00:00
--------------------------------------------------------------------------------

Name : golang-github-chainguard-dev-git-urls
Product : Fedora 41
Version : 1.0.2
Release : 1.fc41
URL : https://github.com/chainguard-dev/git-urls
Summary : Git-urls parses git URLs
Description :
Git-urls parses git URLs.

--------------------------------------------------------------------------------
Update Information:

Bugfix to mitigate CVE-2023-46402
--------------------------------------------------------------------------------
ChangeLog:

* Sat Dec 7 2024 Mark E. Fuller [mark.e.fuller@gmx.de] - 1.0.2-1
- initial import, close rhbz#2330941
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-40d4ab1c94' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: python3.14-3.14.0~a2-2.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-54aa5fc4b2
2024-12-19 04:06:20.748238+00:00
--------------------------------------------------------------------------------

Name : python3.14
Product : Fedora 41
Version : 3.14.0~a2
Release : 2.fc41
URL : https://www.python.org/
Summary : Version 3.14 of the Python interpreter
Description :
Python 3.14 is an accessible, high-level, dynamically typed, interpreted
programming language, designed with an emphasis on code readability.
It includes an extensive standard library, and has a vast ecosystem of
third-party libraries.

The python3.14 package provides the "python3.14" executable: the reference
interpreter for the Python language, version 3.
The majority of its standard library is provided in the python3.14-libs package,
which should be installed automatically along with python3.14.
The remaining parts of the Python standard library are broken out into the
python3.14-tkinter and python3.14-test packages, which may need to be installed
separately.

Documentation for Python is provided in the python3.14-docs package.

Packages containing additional libraries for Python are generally named with
the "python3.14-" prefix.

--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2024-12254
--------------------------------------------------------------------------------
ChangeLog:

* Sun Dec 8 2024 Charalampos Stratakis [cstratak@redhat.com] - 3.14.0~a2-2
- Security fix for CVE-2024-12254
- Fixes: rhbz#2330928
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2330928 - CVE-2024-12254 python3.14: Unbounded memory buffering in SelectorSocketTransport.writelines() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2330928
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-54aa5fc4b2' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: icecat-115.18.0-2.rh2.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-ff0115e6ac
2024-12-19 04:06:20.748106+00:00
--------------------------------------------------------------------------------

Name : icecat
Product : Fedora 41
Version : 115.18.0
Release : 2.rh2.fc41
URL : http://www.gnu.org/software/gnuzilla/
Summary : GNU version of Firefox browser
Description :
GNU IceCat is the GNU version of the Firefox ESR browser.
Extensions included in this version of IceCat:

* LibreJS
GNU LibreJS aims to address the JavaScript problem described in the article
"The JavaScript Trap" of Richard Stallman.

* JShelter: Mitigates potential threats from JavaScript, including fingerprinting,
tracking, and data collection. Slightly modifies the results of API calls,
differently on different domains, so that the cross-site fingerprint is not
stable. Applies security counter-measures that are likely not to break web pages.
Allows fine-grained control over the restrictions and counter-measures applied
to each domain.

* A set of companion extensions for LibreJS by Nathan Nichols
are pre-installed, and provide workarounds to use some services at USPS,
RSF.org, SumOfUs.org, pay.gov, McDonalds, goteo.org and Google Docs
without using nonfree JavaScript.

* A series of configuration changes and tweaks were applied to ensure that
IceCat does not initiate network connections that the user has not explicitly
requested. This implies not downloading feeds, updates, blacklists or any
other similar data needed during startup.

--------------------------------------------------------------------------------
Update Information:

Fix CVE-2024-11693 CVE-2024-11697 CVE-2024-11692
--------------------------------------------------------------------------------
ChangeLog:

* Sun Dec 8 2024 Antonio Trande [sagitter@fedoraproject.org] - 2:115.18.0-2.rh2
- Fix CVE-2024-11693 CVE-2024-11697 CVE-2024-11692
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-ff0115e6ac' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: python-nbdime-4.0.2-2.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-01e170c1ac
2024-12-19 04:06:20.748085+00:00
--------------------------------------------------------------------------------

Name : python-nbdime
Product : Fedora 41
Version : 4.0.2
Release : 2.fc41
URL : https://nbdime.readthedocs.io/
Summary : Diff and merge of Jupyter notebooks
Description :
Nbdime provides tools for diffing and merging of Jupyter notebooks.

- nbdiff: compare notebooks in a terminal-friendly way
- nbmerge: three-way merge of notebooks with automatic conflict resolution
- nbdiff-web: shows you a rich rendered diff of notebooks
- nbmerge-web: gives you a web-based three-way merge tool for notebooks
- nbshow: present a single notebook in a terminal-friendly way

--------------------------------------------------------------------------------
Update Information:

This update fixes CVE-2024-55565 by updating the vendored JavaScript to include
a version of nanoid without the security issue.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Dec 9 2024 Jerry James [loganjerry@gmail.com] - 4.0.2-2
- CVE-2024-55565: update vendored nanoid
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2331111 - CVE-2024-55565 python-nbdime: nanoid mishandles non-integer values [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2331111
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-01e170c1ac' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: ColPack-1.0.10-25.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-d6b79ab292
2024-12-19 04:06:20.748012+00:00
--------------------------------------------------------------------------------

Name : ColPack
Product : Fedora 41
Version : 1.0.10
Release : 25.fc41
URL : http://cscapes.cs.purdue.edu
Summary : Algorithms for specialized vertex coloring problems
Description :
ColPack is a package comprising implementations of algorithms for
specialized vertex coloring problems that arise in sparse derivative
computation. It is written in an object-oriented fashion heavily using
the Standard Template Library (STL). It is designed to be simple,
modular, extendable and efficient.

--------------------------------------------------------------------------------
Update Information:

Fix for CVE-2024-55566.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Dec 9 2024 Björn Esser - 1.0.10-25
- Fix CVE-2024-55566
Fixes: rhbz#2331064
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2331064 - CVE-2024-55566 colpack: predictable /tmp file due to unseeded RNG usage in displayGraph()
https://bugzilla.redhat.com/show_bug.cgi?id=2331064
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-d6b79ab292' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------



[SECURITY] Fedora 40 Update: icecat-115.18.0-2.rh2.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-7f67755963
2024-12-19 03:59:44.539063+00:00
--------------------------------------------------------------------------------

Name : icecat
Product : Fedora 40
Version : 115.18.0
Release : 2.rh2.fc40
URL : http://www.gnu.org/software/gnuzilla/
Summary : GNU version of Firefox browser
Description :
GNU IceCat is the GNU version of the Firefox ESR browser.
Extensions included in this version of IceCat:

* LibreJS
GNU LibreJS aims to address the JavaScript problem described in the article
"The JavaScript Trap" of Richard Stallman.

* JShelter: Mitigates potential threats from JavaScript, including fingerprinting,
tracking, and data collection. Slightly modifies the results of API calls,
differently on different domains, so that the cross-site fingerprint is not
stable. Applies security counter-measures that are likely not to break web pages.
Allows fine-grained control over the restrictions and counter-measures applied
to each domain.

* A set of companion extensions for LibreJS by Nathan Nichols
are pre-installed, and provide workarounds to use some services at USPS,
RSF.org, SumOfUs.org, pay.gov, McDonalds, goteo.org and Google Docs
without using nonfree JavaScript.

* A series of configuration changes and tweaks were applied to ensure that
IceCat does not initiate network connections that the user has not explicitly
requested. This implies not downloading feeds, updates, blacklists or any
other similar data needed during startup.

--------------------------------------------------------------------------------
Update Information:

Fix CVE-2024-11693 CVE-2024-11697 CVE-2024-11692
--------------------------------------------------------------------------------
ChangeLog:

* Sun Dec 8 2024 Antonio Trande [sagitter@fedoraproject.org] - 2:115.18.0-2.rh2
- Fix CVE-2024-11693 CVE-2024-11697 CVE-2024-11692
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-7f67755963' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 40 Update: python-nbdime-4.0.2-2.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-d32fd0e2d1
2024-12-19 03:59:44.539051+00:00
--------------------------------------------------------------------------------

Name : python-nbdime
Product : Fedora 40
Version : 4.0.2
Release : 2.fc40
URL : https://nbdime.readthedocs.io/
Summary : Diff and merge of Jupyter notebooks
Description :
Nbdime provides tools for diffing and merging of Jupyter notebooks.

- nbdiff: compare notebooks in a terminal-friendly way
- nbmerge: three-way merge of notebooks with automatic conflict resolution
- nbdiff-web: shows you a rich rendered diff of notebooks
- nbmerge-web: gives you a web-based three-way merge tool for notebooks
- nbshow: present a single notebook in a terminal-friendly way

--------------------------------------------------------------------------------
Update Information:

This update fixes CVE-2024-55565 by updating the vendored JavaScript to include
a version of nanoid without the security issue.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Dec 9 2024 Jerry James [loganjerry@gmail.com] - 4.0.2-2
- CVE-2024-55565: update vendored nanoid
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2331102 - CVE-2024-55565 python-nbdime: nanoid mishandles non-integer values [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2331102
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-d32fd0e2d1' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 40 Update: ColPack-1.0.10-25.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-dd633679a9
2024-12-19 03:59:44.538975+00:00
--------------------------------------------------------------------------------

Name : ColPack
Product : Fedora 40
Version : 1.0.10
Release : 25.fc40
URL : http://cscapes.cs.purdue.edu
Summary : Algorithms for specialized vertex coloring problems
Description :
ColPack is a package comprising implementations of algorithms for
specialized vertex coloring problems that arise in sparse derivative
computation. It is written in an object-oriented fashion heavily using
the Standard Template Library (STL). It is designed to be simple,
modular, extendable and efficient.

--------------------------------------------------------------------------------
Update Information:

Fix for CVE-2024-55566.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Dec 9 2024 Björn Esser - 1.0.10-25
- Fix CVE-2024-55566
Fixes: rhbz#2331064
* Wed Jul 17 2024 Fedora Release Engineering - 1.0.10-24
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Wed Jul 17 2024 Miroslav Suchý - 1.0.10-23
- convert license to SPDX
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2331064 - CVE-2024-55566 colpack: predictable /tmp file due to unseeded RNG usage in displayGraph()
https://bugzilla.redhat.com/show_bug.cgi?id=2331064
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-dd633679a9' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------



[SECURITY] Fedora 40 Update: python3.13-3.13.1-2.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-be6ea1ce44
2024-12-19 03:59:44.538953+00:00
--------------------------------------------------------------------------------

Name : python3.13
Product : Fedora 40
Version : 3.13.1
Release : 2.fc40
URL : https://www.python.org/
Summary : Version 3.13 of the Python interpreter
Description :
Python 3.13 is an accessible, high-level, dynamically typed, interpreted
programming language, designed with an emphasis on code readability.
It includes an extensive standard library, and has a vast ecosystem of
third-party libraries.

The python3.13 package provides the "python3.13" executable: the reference
interpreter for the Python language, version 3.
The majority of its standard library is provided in the python3.13-libs package,
which should be installed automatically along with python3.13.
The remaining parts of the Python standard library are broken out into the
python3.13-tkinter and python3.13-test packages, which may need to be installed
separately.

Documentation for Python is provided in the python3.13-docs package.

Packages containing additional libraries for Python are generally named with
the "python3.13-" prefix.

--------------------------------------------------------------------------------
Update Information:

This is the first maintenance release of Python 3.13.

Python 3.13 is the newest major release of the Python programming language, and
it contains many new features and optimizations compared to Python 3.12. 3.13.1
is the latest maintenance release, containing almost 400 bugfixes, build
improvements and documentation changes since 3.13.0.

Security content in this release:

- gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to consistently use the
  mapped IPv4 address value for deciding properties. Properties which have their
  behavior fixed are is_multicast, is_reserved, is_link_local, is_global, and
  is_unspecified.
- CVE-2024-9287: gh-124651: Properly quote template strings in venv activation
  scripts.
- gh-125140: Remove the current directory from sys.path when using PyREPL.
- CVE-2024-12254: Unbounded memory buffering in
  SelectorSocketTransport.writelines() fixed.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Dec 9 2024 Miro Hrončok - 3.13.1-2
- Security fix for CVE-2024-12254
- Fixes: rhbz#2330927
* Tue Dec 3 2024 Charalampos Stratakis - 3.13.1-1
- Update to 3.13.1
- Security fix for CVE-2024-9287
- Fixes: rhbz#2321657
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2321657 - CVE-2024-9287 python3.13: Virtual environment (venv) activation scripts don't quote paths [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2321657
[ 2 ] Bug #2330927 - CVE-2024-12254 python3.13: Unbounded memory buffering in SelectorSocketTransport.writelines() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2330927
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-be6ea1ce44' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------