Fedora Linux 8492 Published by

The following security updates are available for Fedora Linux:

Fedora 38 Update: libebml-1.4.5-1.fc38
Fedora 38 Update: chromium-121.0.6167.139-1.fc38
Fedora 38 Update: mingw-python-pygments-2.15.1-1.fc38
Fedora 38 Update: grub2-2.06-114.fc38
Fedora 39 Update: libebml-1.4.5-1.fc39
Fedora 39 Update: python-aiohttp-3.9.3-1.fc39
Fedora 39 Update: mingw-libidn2-2.3.7-1.fc39
Fedora 39 Update: grub2-2.06-116.fc39



Fedora 38 Update: libebml-1.4.5-1.fc38


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-7261a9f668
2024-02-05 01:45:31.502972
--------------------------------------------------------------------------------

Name : libebml
Product : Fedora 38
Version : 1.4.5
Release : 1.fc38
URL : https://www.matroska.org/
Summary : Extensible Binary Meta Language library
Description :
Extensible Binary Meta Language access library A library for reading
and writing files with the Extensible Binary Meta Language, a binary
pendant to XML.

--------------------------------------------------------------------------------
Update Information:

Fixes CVE-2023-52339. No API or ABI changes.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Feb 2 2024 Dominik Mierzejewski [dominik@greysector.net] - 1.4.5-1
- update to 1.4.5 (#2254413)
- fixes CVE-2023-52339 (#2258046, #2258047)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2258046 - CVE-2023-52339 libebml: integer overflow in MemIOCallback::read
https://bugzilla.redhat.com/show_bug.cgi?id=2258046
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-7261a9f668' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--



Fedora 38 Update: chromium-121.0.6167.139-1.fc38


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-ca36dcc1d3
2024-02-05 01:45:31.502954
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 38
Version : 121.0.6167.139
Release : 1.fc38
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

update to 121.0.6167.139 * High CVE-2024-1060: Use after free in Canvas *
High CVE-2024-1059: Use after free in WebRTC * High CVE-2024-1077: Use after
free in Network
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jan 31 2024 Than Ngo [than@redhat.com] - 121.0.6167.139-1
- update to 121.0.6167.139
* High CVE-2024-1060: Use after free in Canvas
* High CVE-2024-1059: Use after free in WebRTC
* High CVE-2024-1077: Use after free in Network
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-ca36dcc1d3' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--



Fedora 38 Update: mingw-python-pygments-2.15.1-1.fc38


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-db87ce2a47
2024-02-05 01:45:31.502909
--------------------------------------------------------------------------------

Name : mingw-python-pygments
Product : Fedora 38
Version : 2.15.1
Release : 1.fc38
URL : https://pygments.org/
Summary : MinGW Windows Python Pygments library
Description :
MinGW Windows Python Pygments library.

--------------------------------------------------------------------------------
Update Information:

Update to 2.15.1.
--------------------------------------------------------------------------------
ChangeLog:

* Wed May 10 2023 Sandro Mani [manisandro@gmail.com] - 2.15.1-1
- Update to 2.15.1
* Fri Feb 17 2023 Sandro Mani [manisandro@gmail.com] - 2.14.0-1
- Update to 2.14.0
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2259081 - TRIAGE CVE-2022-40896 mingw-python-pygments: pygments: ReDoS in pygments [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2259081
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-db87ce2a47' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--



Fedora 38 Update: grub2-2.06-114.fc38


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-633dc7e183
2024-02-05 01:45:31.502538
--------------------------------------------------------------------------------

Name : grub2
Product : Fedora 38
Version : 2.06
Release : 114.fc38
URL : http://www.gnu.org/software/grub/
Summary : Bootloader with support for Linux, Multiboot and more
Description :

The GRand Unified Bootloader (GRUB) is a highly configurable and
customizable bootloader with modular architecture. It supports a rich
variety of kernel formats, file systems, computer architectures and
hardware devices.

--------------------------------------------------------------------------------
Update Information:

Combined update for several fixes as well as security fix for CVE-2023-4001 ```
Mon Jan 15 2024 Nicolas Frayer [nfrayer@redhat.com] - 2.06-114 grub-
core/commands: add flag to only search root dev Resolves: #2223437 Resolves:
#2224951 Resolves: #2258096 Resolves: CVE-2023-4001 Sat Jan 13 2024 Hector
Martin [marcan@fedoraproject.org] - 2.06-113 Switch memdisk compression to lzop
Thu Jan 11 2024 Daan De Meyer [daan.j.demeyer@gmail.com] - 2.06-112 Don't
obsolete the tools package with minimal Mon Jan 8 2024 Nicolas Frayer
[nfrayer@redhat.com] - 2.06-111 xfs: some bios systems with /boot partition
created with xfsprog < 6.5.0 can't boot with one of the xfs upstream patches
Resolves: #2254370 Tue Dec 19 2023 Nicolas Frayer [nfrayer@redhat.com] -
2.06-110 normal: fix prefix when loading modules Resolves: #2209435 Resolves:
#2173015 Tue Dec 12 2023 leo sandoval [lsandova@redhat.com] - 2.06-109
chainloader: remove device path debug message ```
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan 15 2024 Nicolas Frayer [nfrayer@redhat.com] - 2.06-114
- grub-core/commands: add flag to only search root dev
- Resolves: #2223437
- Resolves: #2224951
- Resolves: #2258096
- Resolves: CVE-2023-4001
* Sat Jan 13 2024 Hector Martin [marcan@fedoraproject.org] - 2.06-113
- Switch memdisk compression to lzop
* Thu Jan 11 2024 Daan De Meyer [daan.j.demeyer@gmail.com] - 2.06-112
- Don't obsolete the tools package with minimal
* Mon Jan 8 2024 Nicolas Frayer [nfrayer@redhat.com] - 2.06-111
- xfs: some bios systems with /boot partition created with
xfsprog < 6.5.0 can't boot with one of the xfs upstream patches
- Resolves: #2254370
* Tue Dec 19 2023 Nicolas Frayer [nfrayer@redhat.com] - 2.06-110
- normal: fix prefix when loading modules
- Resolves: #2209435
- Resolves: #2173015
* Tue Dec 12 2023 leo sandoval [lsandova@redhat.com] - 2.06-109
- chainloader: remove device path debug message
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2224951 - CVE-2023-4001 grub2: bypass the GRUB password protection feature
https://bugzilla.redhat.com/show_bug.cgi?id=2224951
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-633dc7e183' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--



Fedora 39 Update: libebml-1.4.5-1.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-ab879eeed1
2024-02-05 01:23:58.727183
--------------------------------------------------------------------------------

Name : libebml
Product : Fedora 39
Version : 1.4.5
Release : 1.fc39
URL : https://www.matroska.org/
Summary : Extensible Binary Meta Language library
Description :
Extensible Binary Meta Language access library A library for reading
and writing files with the Extensible Binary Meta Language, a binary
pendant to XML.

--------------------------------------------------------------------------------
Update Information:

Fixes CVE-2023-52339. No API or ABI changes.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Feb 2 2024 Dominik Mierzejewski [dominik@greysector.net] - 1.4.5-1
- update to 1.4.5 (#2254413)
- fixes CVE-2023-52339 (#2258046, #2258047)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2258046 - CVE-2023-52339 libebml: integer overflow in MemIOCallback::read
https://bugzilla.redhat.com/show_bug.cgi?id=2258046
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-ab879eeed1' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--



Fedora 39 Update: python-aiohttp-3.9.3-1.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-f249b74f03
2024-02-05 01:23:58.727147
--------------------------------------------------------------------------------

Name : python-aiohttp
Product : Fedora 39
Version : 3.9.3
Release : 1.fc39
URL : https://github.com/aio-libs/aiohttp
Summary : Python HTTP client/server for asyncio
Description :
Python HTTP client/server for asyncio which supports both the client and the
server side of the HTTP protocol, client and server websocket, and webservers
with middlewares and pluggable routing.

--------------------------------------------------------------------------------
Update Information:

Security update for CVE-2024-23334 and CVE-2024-23829 https://github.com/aio-
libs/aiohttp/releases/tag/v3.9.2 https://github.com/aio-
libs/aiohttp/releases/tag/v3.9.3
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 30 2024 Benjamin A. Beasley [code@musicinmybrain.net] - 3.9.3-1
- Update to 3.9.3, security update for CVE-2024-23334 and CVE-2024-23829 (fix
RHBZ#2261891, fix RHBZ#2261910)
* Tue Jan 30 2024 Benjamin A. Beasley [code@musicinmybrain.net] - 3.9.1-4
- Skip a couple of spurious or insignificant test failures (close RHBZ#2261544)
* Fri Jan 26 2024 Fedora Release Engineering [releng@fedoraproject.org] - 3.9.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering [releng@fedoraproject.org] - 3.9.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2261887 - CVE-2024-23334 aiohttp: follow_symlinks directory traversal vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=2261887
[ 2 ] Bug #2261909 - CVE-2024-23829 python-aiohttp: http request smuggling
https://bugzilla.redhat.com/show_bug.cgi?id=2261909
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-f249b74f03' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--



Fedora 39 Update: mingw-libidn2-2.3.7-1.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-bbd29ed36a
2024-02-05 01:23:58.727069
--------------------------------------------------------------------------------

Name : mingw-libidn2
Product : Fedora 39
Version : 2.3.7
Release : 1.fc39
URL : https://www.gnu.org/software/libidn/#libidn2
Summary : MinGW Windows Internationalized Domain Name 2008 support library
Description :
Libidn2 is an implementation of the IDNA2008 specifications in RFC
5890, 5891, 5892, 5893 and TR46 for internationalized domain names
(IDN). It is a standalone library, without any dependency on libidn.

--------------------------------------------------------------------------------
Update Information:

# libidn2 2.3.7 (2024-01-27) - Really include `tests/standalone.sh` in
tarball. # libidn2 2.3.6 (2024-01-27) - Bump libtool version numbers to
reflect API/ABI addition. - Include `tests/standalone.sh` in tarball. #
libidn2 2.3.5 (2024-01-27) - Declaration of future API/ABI backwards
compatibility stability. GNU libc `dlopen` libidn2 and use the name
`libidn2.so.0` for this. Upstream believes that it will be too challenging to
ever do hard ABI break that for normal libraries is justified to remove
deprecated APIs. Thus upstream decided that they will support the current ABI
for a long time. Of course, if really convincing arguments for doing a ABI
break appears in the future upstream may re-consider, but take this as a
declaration of intent of will and that future ABI breaks should be discussed and
co-ordinated with the glibc team first. - Add public APIs for raw Punycode
encoding/decoding. Normal applications rarely need this, but it cleans up
the code and allow for external testing of the APIs, and resolve
https://gitlab.com/libidn/libidn2/-/issues/80 due to earlier use of weak symbols
for internal symbols `_idn2_punycode_encode` and `_idn2_punycode_decode`.
Upstream will support these internal symbols for backwards compatibility. This
allows a clean migration path for code that is still using the internal names.
- Bump required gettext version to 0.19.8 for musl-libc. - Un-deprecate
`idn2_to_ascii_4i` and make it `NUL` terminate output. The API
`idn2_to_ascii_4i` was deprecated in version 2.1.1 released in 2019-02-08. In
that release, the API was also modified to not `NUL`-terminate the output. That
is contrary to the old libidn2 behaviour, the behaviour of libidn's API
`idna_to_ascii_4i`, and the API documentation for the function. Since upstream
is not likely to ever break backwards API/ABI compatibility in libidn2, and the
deprecated gaurds leads to some trouble (see report in
https://gitlab.com/libidn/libidn2/-/merge_requests/93 upstream decided to un-
deprecate this function, as supporting it is not costly and the majority of code
that cares about conformance has likely been modified. This will fix the error
code and `NUL` termination report in
https://gitlab.com/libidn/libidn2/-/issues/100. Upstream still encourage you to
use the replacement API/ABI idn2_to_ascii_4i2 instead, when appropriate. -
Compiler warning improvements. As before, compiler warnings are enabled by
default. You may disable them using `./configure --disable-gcc-warnings` or
turn them into fatal errors using `./configure --enable-gcc-warnings=error` to
add `-Werror` and sensible `-Wno-error='s`. Based on gnulib's manywarnings, see
https://www.gnu.org/software/gnulib//manual/html_node/manywarnings.html. -
tests: Added script `tests/standalone.sh` suitable for integrators. The
main purpose is to test a system-installed libidn2 library and `idn2` tool,
suitable for distributor checking (a'la Debian's autopkgtest/debci). It may
also be used to test a newly built libidn2 outside the usual `make check`
infrastructure. To check that your system libidn2 library and `idn2` tool is
working, invoke the script with `srcdir` as an environment variable indicating
where it can be find the source code for libidn2's `tests/` directory (it will
use the directory name where the script is by default): `tests/standalone.sh`
If your system libidn2 is too old to pass certain tests, disable them using
`STANDALONE_DISABLE` like this: `STANDALONE_DISABLE='*punycode*'
tests/standalone.sh` See the script for more parameters. If the libidn2
under testing is too old and has known bugs, that should cause tests to fail,
which is intentional. - Various minor build fixes and translation updates.
- API and ABI is backwards compatible with the previous version.
`idn2_punycode_decode`: Add. `idn2_punycode_encode`: Add.
--------------------------------------------------------------------------------
ChangeLog:

* Sat Jan 27 2024 Robert Scheck [robert@fedoraproject.org] 2.3.7-1
- Upgrade to 2.3.7 (#2260624)
* Thu Jan 25 2024 Fedora Release Engineering [releng@fedoraproject.org] - 2.3.4-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering [releng@fedoraproject.org] - 2.3.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2260624 - mingw-libidn2-2.3.7 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2260624
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-bbd29ed36a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--



Fedora 39 Update: grub2-2.06-116.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-53d986312e
2024-02-05 01:23:58.726586
--------------------------------------------------------------------------------

Name : grub2
Product : Fedora 39
Version : 2.06
Release : 116.fc39
URL : http://www.gnu.org/software/grub/
Summary : Bootloader with support for Linux, Multiboot and more
Description :

The GRand Unified Bootloader (GRUB) is a highly configurable and
customizable bootloader with modular architecture. It supports a rich
variety of kernel formats, file systems, computer architectures and
hardware devices.

--------------------------------------------------------------------------------
Update Information:

Combined update for several fixes as well as security fix for CVE-2023-4001 ```
Mon Jan 15 2024 Nicolas Frayer nfrayer@redhat.com - 2.06-116 grub-core/commands:
add flag to only search root dev Resolves: #2223437 Resolves: #2224951 Resolves:
#2258096 Resolves: CVE-2023-4001 Sat Jan 13 2024 Hector Martin
marcan@fedoraproject.org - 2.06-115 Switch memdisk compression to lzop Thu Jan
11 2024 Daan De Meyer daan.j.demeyer@gmail.com - 2.06-114 Don't obsolete the
tools package with minimal Mon Jan 8 2024 Nicolas Frayer [nfrayer@redhat.com] -
2.06-113 xfs: some bios systems with /boot partition created with xfsprog <
6.5.0 can't boot with one of the xfs upstream patches Resolves: #2254370 Tue
Dec 19 2023 Nicolas Frayer [nfrayer@redhat.com] - 2.06-112 normal: fix prefix
when loading modules Resolves: #2209435 Resolves: #2173015 Tue Dec 12 2023 leo
sandoval [lsandova@redhat.com] - 2.06-111 chainloader: remove device path debug
message ```
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan 15 2024 Nicolas Frayer [nfrayer@redhat.com] - 2.06-116
- grub-core/commands: add flag to only search root dev
- Resolves: #2223437
- Resolves: #2224951
- Resolves: #2258096
- Resolves: CVE-2023-4001
* Sat Jan 13 2024 Hector Martin [marcan@fedoraproject.org] - 2.06-115
- Switch memdisk compression to lzop
* Thu Jan 11 2024 Daan De Meyer [daan.j.demeyer@gmail.com] - 2.06-114
- Don't obsolete the tools package with minimal
* Mon Jan 8 2024 Nicolas Frayer [nfrayer@redhat.com] - 2.06-113
- xfs: some bios systems with /boot partition created with
xfsprog < 6.5.0 can't boot with one of the xfs upstream patches
- Resolves: #2254370
* Tue Dec 19 2023 Nicolas Frayer [nfrayer@redhat.com] - 2.06-112
- normal: fix prefix when loading modules
- Resolves: #2209435
- Resolves: #2173015
* Tue Dec 12 2023 leo sandoval [lsandova@redhat.com] - 2.06-111
- chainloader: remove device path debug message
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2224951 - CVE-2023-4001 grub2: bypass the GRUB password protection feature
https://bugzilla.redhat.com/show_bug.cgi?id=2224951
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-53d986312e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--