[SECURITY] Fedora 39 Update: python3-docs-3.12.6-1.fc39
[SECURITY] Fedora 39 Update: python3.12-3.12.6-1.fc39
[SECURITY] Fedora 39 Update: expat-2.6.3-1.fc39
[SECURITY] Fedora 39 Update: aardvark-dns-1.12.2-2.fc39
[SECURITY] Fedora 41 Update: openssl-3.2.2-7.fc41
[SECURITY] Fedora 41 Update: expat-2.6.3-1.fc41
[SECURITY] Fedora 41 Update: aardvark-dns-1.12.2-2.fc41
[SECURITY] Fedora 39 Update: python3-docs-3.12.6-1.fc39
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-e453a209e9
2024-09-21 01:27:06.693688
--------------------------------------------------------------------------------
Name : python3-docs
Product : Fedora 39
Version : 3.12.6
Release : 1.fc39
URL : https://www.python.org/
Summary : Documentation for the Python 3 programming language
Description :
The python3-docs package contains documentation on the Python 3
programming language and interpreter.
--------------------------------------------------------------------------------
Update Information:
This is the sixth maintenance release of Python 3.12
Python 3.12 is the newest major release of the Python programming language, and
it contains many new features and optimizations. 3.12.6 is the latest
maintenance release, containing about 90 bugfixes, build improvements and
documentation changes since 3.12.5. This is an expedited release to address the
following security issues:
gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with
backslashes by http.cookies. Fixes CVE-2024-7592.
gh-121285: Remove backtracking from tarfile header parsing for hdrcharset, PAX,
and GNU sparse headers. That's CVE-2024-6232.
gh-102988: email.utils.getaddresses() and email.utils.parseaddr() now return
('', '') 2-tuples in more situations where invalid email addresses are
encountered instead of potentially inaccurate values. Add optional strict
parameter to these two functions: use strict=False to get the old behavior,
accept malformed inputs. getattr(email.utils, 'supports_strict_parsing', False)
can be use to check if the strict paramater is available. This improves the
CVE-2023-27043 fix.
gh-123270: Sanitize names in zipfile.Path to avoid infinite loops (gh-122905)
without breaking contents using legitimate characters. That's CVE-2024-8088.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Sep 9 2024 Tomáš Hrnčiar - 3.12.6-1
- Update to 3.12.6
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2307370 - CVE-2024-8088 python: cpython: Iterating over a malicious ZIP file may lead to Denial of Service
https://bugzilla.redhat.com/show_bug.cgi?id=2307370
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-e453a209e9' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 39 Update: python3.12-3.12.6-1.fc39
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-e453a209e9
2024-09-21 01:27:06.693688
--------------------------------------------------------------------------------
Name : python3.12
Product : Fedora 39
Version : 3.12.6
Release : 1.fc39
URL : https://www.python.org/
Summary : Version 3.12 of the Python interpreter
Description :
Python 3.12 is an accessible, high-level, dynamically typed, interpreted
programming language, designed with an emphasis on code readability.
It includes an extensive standard library, and has a vast ecosystem of
third-party libraries.
--------------------------------------------------------------------------------
Update Information:
This is the sixth maintenance release of Python 3.12
Python 3.12 is the newest major release of the Python programming language, and
it contains many new features and optimizations. 3.12.6 is the latest
maintenance release, containing about 90 bugfixes, build improvements and
documentation changes since 3.12.5. This is an expedited release to address the
following security issues:
gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with
backslashes by http.cookies. Fixes CVE-2024-7592.
gh-121285: Remove backtracking from tarfile header parsing for hdrcharset, PAX,
and GNU sparse headers. That's CVE-2024-6232.
gh-102988: email.utils.getaddresses() and email.utils.parseaddr() now return
('', '') 2-tuples in more situations where invalid email addresses are
encountered instead of potentially inaccurate values. Add optional strict
parameter to these two functions: use strict=False to get the old behavior,
accept malformed inputs. getattr(email.utils, 'supports_strict_parsing', False)
can be use to check if the strict paramater is available. This improves the
CVE-2023-27043 fix.
gh-123270: Sanitize names in zipfile.Path to avoid infinite loops (gh-122905)
without breaking contents using legitimate characters. That's CVE-2024-8088.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Sep 9 2024 Tomáš Hrnčiar - 3.12.6-1
- Update to 3.12.6
- Fixes: rhbz#2310090
* Fri Aug 23 2024 Charalampos Stratakis - 3.12.5-2
- Security fix for CVE-2024-8088
- Fixes: rhbz#2307461
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2307370 - CVE-2024-8088 python: cpython: Iterating over a malicious ZIP file may lead to Denial of Service
https://bugzilla.redhat.com/show_bug.cgi?id=2307370
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-e453a209e9' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 39 Update: expat-2.6.3-1.fc39
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-527052ab76
2024-09-21 01:27:06.693681
--------------------------------------------------------------------------------
Name : expat
Product : Fedora 39
Version : 2.6.3
Release : 1.fc39
URL : https://libexpat.github.io/
Summary : An XML parser library
Description :
This is expat, the C library for parsing XML, written by James Clark. Expat
is a stream oriented XML parser. This means that you register handlers with
the parser prior to starting the parse. These handlers are called when the
parser discovers the associated structures in the document being parsed. A
start tag is an example of the kind of structures for which you may
register handlers.
--------------------------------------------------------------------------------
Update Information:
Rebase to version 2.6.3
--------------------------------------------------------------------------------
ChangeLog:
* Thu Sep 5 2024 Tomas Korbar [tkorbar@redhat.com] - 2.6.3-1
- Rebase to version 2.6.3
- Resolves: rhbz#2309690
- Resolves: CVE-2024-45492
- Resolves: CVE-2024-45491
- Resolves: CVE-2024-45490
* Wed Jul 17 2024 Fedora Release Engineering [releng@fedoraproject.org] - 2.6.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2308681 - CVE-2024-45490 expat: Negative Length Parsing Vulnerability in libexpat [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2308681
[ 2 ] Bug #2310141 - CVE-2024-45491 expat: Integer Overflow or Wraparound [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2310141
[ 3 ] Bug #2310147 - CVE-2024-45492 expat: integer overflow [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2310147
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-527052ab76' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--
[SECURITY] Fedora 39 Update: aardvark-dns-1.12.2-2.fc39
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-0ce77b8571
2024-09-21 01:27:06.693631
--------------------------------------------------------------------------------
Name : aardvark-dns
Product : Fedora 39
Version : 1.12.2
Release : 2.fc39
URL : https://github.com/containers/aardvark-dns
Summary : Authoritative DNS server for A/AAAA container records
Description :
Authoritative DNS server for A/AAAA container records
Forwards other request to configured resolvers.
Read more about configuration in `src/backend/mod.rs`.
--------------------------------------------------------------------------------
Update Information:
Security fix for CVE-2024-8418
--------------------------------------------------------------------------------
ChangeLog:
* Thu Sep 5 2024 Lokesh Mandvekar [lsm5@fedoraproject.org] - 2:1.12.2-2
- install builddeps for tmt tests
* Wed Sep 4 2024 Packit [hello@packit.dev] - 2:1.12.2-1
- Update to 1.12.2 upstream release
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2309683 - CVE-2024-8418 containers/aardvark-dns: TCP Query Handling Flaw in Aardvark-dns Leading to Denial of Service
https://bugzilla.redhat.com/show_bug.cgi?id=2309683
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-0ce77b8571' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--
[SECURITY] Fedora 41 Update: openssl-3.2.2-7.fc41
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-7d5c1bcc78
2024-09-21 00:15:33.562274
--------------------------------------------------------------------------------
Name : openssl
Product : Fedora 41
Version : 3.2.2
Release : 7.fc41
URL : http://www.openssl.org/
Summary : Utilities from the general purpose cryptography library with TLS implementation
Description :
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.
--------------------------------------------------------------------------------
Update Information:
Fix CVE-2024-5535: SSL_select_next_proto buffer overread
--------------------------------------------------------------------------------
ChangeLog:
* Thu Sep 12 2024 Sahana Prasad [sahana@redhat.com] - 1:3.2.2-7
- Fix CVE-2024-5535: SSL_select_next_proto buffer overread
* Fri Sep 6 2024 Sahana Prasad [sahana@redhat.com] - 1:3.2.2-6
- Patch for CVE-2024-6119
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-7d5c1bcc78' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--
[SECURITY] Fedora 41 Update: expat-2.6.3-1.fc41
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-671549e74c
2024-09-21 00:15:33.562077
--------------------------------------------------------------------------------
Name : expat
Product : Fedora 41
Version : 2.6.3
Release : 1.fc41
URL : https://libexpat.github.io/
Summary : An XML parser library
Description :
This is expat, the C library for parsing XML, written by James Clark. Expat
is a stream oriented XML parser. This means that you register handlers with
the parser prior to starting the parse. These handlers are called when the
parser discovers the associated structures in the document being parsed. A
start tag is an example of the kind of structures for which you may
register handlers.
--------------------------------------------------------------------------------
Update Information:
Rebase to version 2.6.3
--------------------------------------------------------------------------------
ChangeLog:
* Thu Sep 5 2024 Tomas Korbar [tkorbar@redhat.com] - 2.6.3-1
- Rebase to version 2.6.3
- Resolves: rhbz#2309690
- Resolves: CVE-2024-45492
- Resolves: CVE-2024-45491
- Resolves: CVE-2024-45490
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2309690 - expat-2.6.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2309690
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-671549e74c' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--
[SECURITY] Fedora 41 Update: aardvark-dns-1.12.2-2.fc41
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-30ed35ba86
2024-09-21 00:15:33.562038
--------------------------------------------------------------------------------
Name : aardvark-dns
Product : Fedora 41
Version : 1.12.2
Release : 2.fc41
URL : https://github.com/containers/aardvark-dns
Summary : Authoritative DNS server for A/AAAA container records
Description :
Authoritative DNS server for A/AAAA container records
Forwards other request to configured resolvers.
Read more about configuration in `src/backend/mod.rs`.
--------------------------------------------------------------------------------
Update Information:
Security fix for CVE-2024-8418
--------------------------------------------------------------------------------
ChangeLog:
* Thu Sep 5 2024 Lokesh Mandvekar [lsm5@fedoraproject.org] - 2:1.12.2-2
- install builddeps for tmt tests
* Wed Sep 4 2024 Packit [hello@packit.dev] - 2:1.12.2-1
- Update to 1.12.2 upstream release
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2309683 - CVE-2024-8418 containers/aardvark-dns: TCP Query Handling Flaw in Aardvark-dns Leading to Denial of Service
https://bugzilla.redhat.com/show_bug.cgi?id=2309683
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-30ed35ba86' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--