Fedora Linux 8552 Published by

The following updates are available for Fedora Linux:

Fedora 38 Update: kernel-6.7.6-100.fc38
Fedora 38 Update: thunderbird-115.8.0-1.fc38
Fedora 38 Update: yarnpkg-1.22.21-2.fc38
Fedora 39 Update: chromium-122.0.6261.69-1.fc39
Fedora 39 Update: kernel-6.7.6-200.fc39
Fedora 39 Update: yarnpkg-1.22.21-2.fc39



Fedora 38 Update: kernel-6.7.6-100.fc38


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-71f0f16533
2024-02-28 01:40:29.293829
--------------------------------------------------------------------------------

Name : kernel
Product : Fedora 38
Version : 6.7.6
Release : 100.fc38
URL : https://www.kernel.org/
Summary : The Linux kernel
Description :
The kernel meta package

--------------------------------------------------------------------------------
Update Information:

The 6.7.6 stable kernel update contains a number of important fixes across the
tree.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Feb 23 2024 Justin M. Forbes [jforbes@fedoraproject.org] [6.7.6-0]
- Add CVE fix for 6.7.6 (Justin M. Forbes)
- Linux v6.7.6
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2265269 - CVE-2023-52437 kernel: Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"
https://bugzilla.redhat.com/show_bug.cgi?id=2265269
[ 2 ] Bug #2265517 - CVE-2024-26585 kernel: tls: race between tx work scheduling and socket close
https://bugzilla.redhat.com/show_bug.cgi?id=2265517
[ 3 ] Bug #2265518 - CVE-2024-26582 kernel: tls: use-after-free with partial reads and async decrypt
https://bugzilla.redhat.com/show_bug.cgi?id=2265518
[ 4 ] Bug #2265519 - CVE-2024-26584 kernel: tls: handle backlogging of crypto requests
https://bugzilla.redhat.com/show_bug.cgi?id=2265519
[ 5 ] Bug #2265520 - CVE-2024-26583 kernel: tls: race between async notify and socket close
https://bugzilla.redhat.com/show_bug.cgi?id=2265520
[ 6 ] Bug #2265646 - CVE-2024-26593 kernel: i2c: i801: Fix block process call transactions
https://bugzilla.redhat.com/show_bug.cgi?id=2265646
[ 7 ] Bug #2265833 - CVE-2024-26603 kernel: x86/fpu: Stop relying on userspace for info to fault in xsave buffer
https://bugzilla.redhat.com/show_bug.cgi?id=2265833
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-71f0f16533' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--



Fedora 38 Update: thunderbird-115.8.0-1.fc38


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-5361211b10
2024-02-28 01:40:29.293823
--------------------------------------------------------------------------------

Name : thunderbird
Product : Fedora 38
Version : 115.8.0
Release : 1.fc38
URL : http://www.mozilla.org/projects/thunderbird/
Summary : Mozilla Thunderbird mail/newsgroup client
Description :
Mozilla Thunderbird is a standalone mail and newsgroup client.

--------------------------------------------------------------------------------
Update Information:

Update to 115.8.0
https://www.mozilla.org/en-US/security/advisories/mfsa2024-07/
https://www.thunderbird.net/en-US/thunderbird/115.8.0/releasenotes/
--------------------------------------------------------------------------------
ChangeLog:

* Wed Feb 21 2024 Eike Rathke [erack@redhat.com] - 115.8.0-1
- Update to 115.8.0
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-5361211b10' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--



Fedora 38 Update: yarnpkg-1.22.21-2.fc38


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-5ecc250449
2024-02-28 01:40:29.293733
--------------------------------------------------------------------------------

Name : yarnpkg
Product : Fedora 38
Version : 1.22.21
Release : 2.fc38
URL : https://github.com/yarnpkg/yarn
Summary : Fast, reliable, and secure dependency management.
Description :
Fast, reliable, and secure dependency management.

--------------------------------------------------------------------------------
Update Information:

Update to 1.22.21, add fixes for CVE-2022-37599, CVE-2023-26136, CVE-2023-46234.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Feb 19 2024 Sandro Mani [manisandro@gmail.com] - 1.22.21-2
- Backport patches for CVE-2022-37599, CVE-2023-26136, CVE-2023-46234
* Fri Feb 16 2024 Sandro Mani [manisandro@gmail.com] - 1.22.21-1
- Update to 1.22.21
* Sat Jan 27 2024 Fedora Release Engineering [releng@fedoraproject.org] - 1.22.19-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sat Jul 22 2023 Fedora Release Engineering [releng@fedoraproject.org] - 1.22.19-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Wed May 3 2023 Sandro Mani [manisandro@gmail.com] - 1.22.19-6
- Rebuild (nodejs20)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2209317 - CVE-2022-37599 yarnpkg: loader-utils: regular expression denial of service in interpolateName.js [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2209317
[ 2 ] Bug #2220682 - CVE-2023-26136 yarnpkg: tough-cookie: prototype pollution in cookie memstore [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2220682
[ 3 ] Bug #2246633 - CVE-2023-46234 yarnpkg: browserify-sign: upper bound check issue in dsaVerify leads to a signature forgery attack [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2246633
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-5ecc250449' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--



Fedora 39 Update: chromium-122.0.6261.69-1.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-ef56ea86fc
2024-02-28 01:07:06.086838
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 39
Version : 122.0.6261.69
Release : 1.fc39
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

Updated to 122.0.6261.69
--------------------------------------------------------------------------------
ChangeLog:

* Fri Feb 23 2024 Than Ngo [than@redhat.com] - 122.0.6261.69-1
- update to 122.0.6261.69
- fix build error on el8
- bz#2265039, built with -fwrapv for improved memory safety
- bz#2265043, built with -ftrivial-auto-var-init=zero for improved security and preditability
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2265039 - Missing -fwrapv for improved memory safety
https://bugzilla.redhat.com/show_bug.cgi?id=2265039
[ 2 ] Bug #2265043 - Missing -ftrivial-auto-var-init=zero for improved security and preditability
https://bugzilla.redhat.com/show_bug.cgi?id=2265043
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-ef56ea86fc' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--



Fedora 39 Update: kernel-6.7.6-200.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-d16d94b00d
2024-02-28 01:07:06.086832
--------------------------------------------------------------------------------

Name : kernel
Product : Fedora 39
Version : 6.7.6
Release : 200.fc39
URL : https://www.kernel.org/
Summary : The Linux kernel
Description :
The kernel meta package

--------------------------------------------------------------------------------
Update Information:

The 6.7.6 stable kernel update contains a number of important fixes across the
tree.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Feb 23 2024 Justin M. Forbes [jforbes@fedoraproject.org] [6.7.6-0]
- Add CVE fix for 6.7.6 (Justin M. Forbes)
- Linux v6.7.6
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2260044 - CVE-2024-23850 kernel: btrfs_get_root_ref has an assertion failure and crash because a subvolume can be read out too soon after its root item is inserted upon subvolume creation
https://bugzilla.redhat.com/show_bug.cgi?id=2260044
[ 2 ] Bug #2260046 - CVE-2024-23851 kernel: copy_params can attempt to allocate more than INT_MAX bytes and crash
https://bugzilla.redhat.com/show_bug.cgi?id=2260046
[ 3 ] Bug #2265269 - CVE-2023-52437 kernel: Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"
https://bugzilla.redhat.com/show_bug.cgi?id=2265269
[ 4 ] Bug #2265517 - CVE-2024-26585 kernel: tls: race between tx work scheduling and socket close
https://bugzilla.redhat.com/show_bug.cgi?id=2265517
[ 5 ] Bug #2265518 - CVE-2024-26582 kernel: tls: use-after-free with partial reads and async decrypt
https://bugzilla.redhat.com/show_bug.cgi?id=2265518
[ 6 ] Bug #2265519 - CVE-2024-26584 kernel: tls: handle backlogging of crypto requests
https://bugzilla.redhat.com/show_bug.cgi?id=2265519
[ 7 ] Bug #2265520 - CVE-2024-26583 kernel: tls: race between async notify and socket close
https://bugzilla.redhat.com/show_bug.cgi?id=2265520
[ 8 ] Bug #2265646 - CVE-2024-26593 kernel: i2c: i801: Fix block process call transactions
https://bugzilla.redhat.com/show_bug.cgi?id=2265646
[ 9 ] Bug #2265833 - CVE-2024-26603 kernel: x86/fpu: Stop relying on userspace for info to fault in xsave buffer
https://bugzilla.redhat.com/show_bug.cgi?id=2265833
[ 10 ] Bug #2266257 - CVE-2024-26604 kernel: null pointer dereference in kobject
https://bugzilla.redhat.com/show_bug.cgi?id=2266257
[ 11 ] Bug #2266286 - CVE-2024-26606 kernel: signal epoll threads of self-work
https://bugzilla.redhat.com/show_bug.cgi?id=2266286
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-d16d94b00d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--



Fedora 39 Update: yarnpkg-1.22.21-2.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-28fc0c2ef4
2024-02-28 01:07:06.086715
--------------------------------------------------------------------------------

Name : yarnpkg
Product : Fedora 39
Version : 1.22.21
Release : 2.fc39
URL : https://github.com/yarnpkg/yarn
Summary : Fast, reliable, and secure dependency management.
Description :
Fast, reliable, and secure dependency management.

--------------------------------------------------------------------------------
Update Information:

Update to 1.22.21, add fixes for CVE-2022-37599, CVE-2023-26136, CVE-2023-46234.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Feb 19 2024 Sandro Mani [manisandro@gmail.com] - 1.22.21-2
- Backport patches for CVE-2022-37599, CVE-2023-26136, CVE-2023-46234
* Fri Feb 16 2024 Sandro Mani [manisandro@gmail.com] - 1.22.21-1
- Update to 1.22.21
* Sat Jan 27 2024 Fedora Release Engineering [releng@fedoraproject.org] - 1.22.19-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2209317 - CVE-2022-37599 yarnpkg: loader-utils: regular expression denial of service in interpolateName.js [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2209317
[ 2 ] Bug #2220682 - CVE-2023-26136 yarnpkg: tough-cookie: prototype pollution in cookie memstore [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2220682
[ 3 ] Bug #2246633 - CVE-2023-46234 yarnpkg: browserify-sign: upper bound check issue in dsaVerify leads to a signature forgery attack [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2246633
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-28fc0c2ef4' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--