
Fedora Linux 42 and 41 have received security updates for python-django, rust-git-interactive-rebase-tool, python-setuptools and kea:

Fedora 42 Update: python-django4.2-4.2.22-1.fc42
Fedora 42 Update: rust-git-interactive-rebase-tool-2.4.1-9.fc42
Fedora 42 Update: python-setuptools-74.1.3-7.fc42
Fedora 42 Update: kea-2.6.3-1.fc42
Fedora 42 Update: python-django5-5.2.2-1.fc42
Fedora 41 Update: kea-2.6.3-1.fc41
Fedora 41 Update: python-django5-5.1.10-1.fc41




[SECURITY] Fedora 42 Update: python-django4.2-4.2.22-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-6de2ab1d25
2025-06-18 14:42:09.231422+00:00
--------------------------------------------------------------------------------

Name : python-django4.2
Product : Fedora 42
Version : 4.2.22
Release : 1.fc42
URL : https://www.djangoproject.com/
Summary : A high-level Python Web framework
Description :
Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as
much as possible and adhering to the DRY (Don't Repeat Yourself)
principle.

--------------------------------------------------------------------------------
Update Information:

Fixes CVE-2025-32873: Denial-of-service possibility in strip_tags()
Fixes CVE-2025-48432: Potential log injection via unescaped request path
--------------------------------------------------------------------------------
ChangeLog:

* Sun Jun 8 2025 Michel Lind [salimma@fedoraproject.org] - 4.2.22-1
- Update to version 4.2.22
- Fixes CVE-2025-32873: Denial-of-service possibility in strip_tags()
- Fixes CVE-2025-48432: Potential log injection via unescaped request path
- Revert setuptools bump; we don't need it and don't have the needed
version
- Rebase Python 3.13 patch
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2365046 - CVE-2025-32873 python-django4.2: Django StripTags Denial of Service [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2365046
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-6de2ab1d25' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------




[SECURITY] Fedora 42 Update: rust-git-interactive-rebase-tool-2.4.1-9.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-da9b58be96
2025-06-18 14:42:09.231396+00:00
--------------------------------------------------------------------------------

Name : rust-git-interactive-rebase-tool
Product : Fedora 42
Version : 2.4.1
Release : 9.fc42
URL : https://crates.io/crates/git-interactive-rebase-tool
Summary : Full-featured terminal-based sequence editor for Git interactive rebase
Description :
Full-featured terminal-based sequence editor for Git interactive rebase.

--------------------------------------------------------------------------------
Update Information:

Rebuild for CVE-2024-12224, CVE-2025-4574
--------------------------------------------------------------------------------
ChangeLog:

* Sun Jun 8 2025 Benjamin Gilbert [bgilbert@backtick.net] - 2.4.1-9
- Rebuild for CVE-2024-12224, CVE-2025-4574 (rhbz#2370599, rhbz#2366573)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2366573 - CVE-2025-4574 rust-git-interactive-rebase-tool: crossbeam-channel Vulnerable to Double Free on Drop [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2366573
[ 2 ] Bug #2370599 - CVE-2024-12224 rust-git-interactive-rebase-tool: idna accepts Punycode labels that do not produce any non-ASCII when decoded [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2370599
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-da9b58be96' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------




[SECURITY] Fedora 42 Update: python-setuptools-74.1.3-7.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-1c17f3520b
2025-06-19 01:56:35.684304+00:00
--------------------------------------------------------------------------------

Name : python-setuptools
Product : Fedora 42
Version : 74.1.3
Release : 7.fc42
URL : https://pypi.python.org/pypi/setuptools
Summary : Easily build and distribute Python packages
Description :
Setuptools is a collection of enhancements to the Python distutils that allow
you to more easily build and distribute Python packages, especially ones that
have dependencies on other packages.

This package also contains the runtime components of setuptools, necessary to
execute the software that requires pkg_resources.

--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2025-47273
--------------------------------------------------------------------------------
ChangeLog:

* Sun Jun 15 2025 Miro Hrončok [miro@hroncok.cz] - 74.1.3-7
- Security fix for CVE-2025-47273
- Fixes: rhbz#2372615
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2372615 - CVE-2025-47273 python-setuptools: Path Traversal Vulnerability in setuptools PackageIndex [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2372615
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-1c17f3520b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 42 Update: kea-2.6.3-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-dc6ec0a8e2
2025-06-19 01:56:35.684103+00:00
--------------------------------------------------------------------------------

Name : kea
Product : Fedora 42
Version : 2.6.3
Release : 1.fc42
URL : http://kea.isc.org
Summary : DHCPv4, DHCPv6 and DDNS server from ISC
Description :
DHCP implementation from Internet Systems Consortium, Inc. that features fully
functional DHCPv4, DHCPv6 and Dynamic DNS servers.
Both DHCP servers fully support server discovery, address assignment, renewal,
rebinding and release. The DHCPv6 server supports prefix delegation. Both
servers support DNS Update mechanism, using stand-alone DDNS daemon.

--------------------------------------------------------------------------------
Update Information:

New version 2.6.3 (rhbz#2368989)
Fix for: CVE-2025-32801, CVE-2025-32802, CVE-2025-32803
kea.conf: Remove /tmp/ from socket-name for existing configurations
kea.conf: Set pseudo-random password for default config to secure fresh install
and allow CA startup without user intervention
kea.conf: Restrict directory permissions
Sync service files with upstream
Fix leases ownership when switching from root to kea user (rhbz#2324168)
Release Notes:
The new default configuration file, kea-ctrl-agent.conf, introduces an
authentication setting, "password-file", which restricts access to the REST API.
On Fedora, the kea-api-password file is automatically populated with a
pseudo-random password to secure new installations.
For system upgrades, it is strongly recommended to update any custom
configurations to restrict access to the REST API.
For more details, including information on CVE fixes and incompatible changes,
refer to the upstream release notes:
https://downloads.isc.org/isc/kea/2.6.3/Kea-2.6.3-ReleaseNotes.txt
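The release note above (and the identical note in the Fedora 41 kea advisory below) asks administrators to bring custom Control Agent configurations in line with the new default. The following audit script is an added illustration, not Fedora's or ISC's own tooling: it parses a kea-ctrl-agent.conf, checks that the REST API has a basic "authentication" block whose clients use "password-file" instead of an inline "password", that the referenced password file is present and not world-accessible, and that no control socket still lives under /tmp/. Both sample configs, the socket paths and the password directory are constructed for the example; Kea resolves "password-file" relative to its own data directory, which the script takes as an explicit argument instead.

```python
"""Audit a Kea Control Agent config for the REST API hardening described
in the kea 2.6.3 advisory.  Added example; paths and configs are constructed."""
import json
import os
import stat
import tempfile

# Constructed sample: an upgraded system that kept its pre-2.6.3 config.
LEGACY_CONF = """
{ "Control-agent": {
    "http-host": "0.0.0.0", "http-port": 8000,
    "control-sockets": {
      "dhcp4": { "socket-type": "unix", "socket-name": "/tmp/kea4-ctrl-socket" } } } }
"""

# Constructed sample in the shape of the new default: loopback only,
# basic auth backed by a password file, sockets outside /tmp/.
HARDENED_CONF = """
{ "Control-agent": {
    "http-host": "127.0.0.1", "http-port": 8000,
    "authentication": {
      "type": "basic", "realm": "kea-control-agent",
      "clients": [ { "user": "kea-api", "password-file": "kea-api-password" } ] },
    "control-sockets": {
      "dhcp4": { "socket-type": "unix", "socket-name": "/run/kea/kea4-ctrl-socket" } } } }
"""

def audit_ctrl_agent(conf_text, password_dir):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    ca = json.loads(conf_text).get("Control-agent", {})
    if ca.get("http-host") not in ("127.0.0.1", "::1", "localhost"):
        findings.append("REST API bound to a non-loopback address")
    auth = ca.get("authentication")
    if not auth or auth.get("type") != "basic" or not auth.get("clients"):
        findings.append("no basic authentication configured for the REST API")
    else:
        for client in auth["clients"]:
            if "password" in client:
                findings.append(f"client {client.get('user')!r}: inline password in config")
            if "password-file" in client:
                path = os.path.join(password_dir, client["password-file"])
                if not os.path.exists(path):
                    findings.append(f"password file {path} missing")
                elif stat.S_IMODE(os.stat(path).st_mode) & 0o007:
                    findings.append(f"password file {path} is world-accessible")
    for name, sock in ca.get("control-sockets", {}).items():
        if str(sock.get("socket-name", "")).startswith("/tmp/"):
            findings.append(f"{name}: control socket placed under /tmp/")
    return findings

def demo():
    """Audit both samples against a temporary, mode-0640 password file."""
    with tempfile.TemporaryDirectory() as d:
        pw = os.path.join(d, "kea-api-password")
        with open(pw, "w") as fh:
            fh.write("constructed-placeholder-secret\n")  # not a real secret
        os.chmod(pw, 0o640)
        return audit_ctrl_agent(LEGACY_CONF, d), audit_ctrl_agent(HARDENED_CONF, d)

if __name__ == "__main__":
    legacy, hardened = demo()
    print("legacy findings:", legacy)
    print("hardened findings:", hardened)
```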
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jun 9 2025 Martin Osvald [mosvald@redhat.com] - 2.6.3-1
- New version 2.6.3 (rhbz#2368989)
- Fix for: CVE-2025-32801, CVE-2025-32802, CVE-2025-32803
- kea.conf: Remove /tmp/ from socket-name for existing configurations
- kea.conf: Set pseudo-random password for default config to secure fresh
install and allow CA startup without user intervention
- kea.conf: Restrict directory permissions
- Sync service files with upstream
- Fix leases ownership when switching from root to kea user (rhbz#2324168)
* Mon Jun 9 2025 Yaakov Selkowitz [yselkowi@redhat.com] - 2.6.2-5
- Reconditionalize openssl-devel-engine
* Mon Jun 9 2025 Martin Osvald [mosvald@redhat.com] - 2.6.2-4
- kea.spec: remove rhel7 and f40 conditions
* Mon Jun 9 2025 Pavol Sloboda [pavol.sloboda02@gmail.com] - 2.6.2-3
- fix: fixed the BuildRequires of mariadb-devel package the mariadb-
connector-c-devel package is available for all RHEL versions from version
8 and above, as version 7 is quite old this condition is not necessary
and all packages should use the BuildRequires of mariadb-connector-c-
devel instead of mariadb-devel if possible
* Mon Jun 2 2025 František Hrdina [fhrdina@redhat.com] - 2.6.2-2
- Update location of fmf plans
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2324168 - System update from F40 to F41: kea-dhcp unusable
https://bugzilla.redhat.com/show_bug.cgi?id=2324168
[ 2 ] Bug #2368989 - kea-2.6.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2368989
[ 3 ] Bug #2369337 - CVE-2025-32803 kea: Insecure file permissions can result in confidential information leakage [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2369337
[ 4 ] Bug #2369379 - CVE-2025-32801 kea: Loading a malicious hook library can lead to local privilege escalation [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2369379
[ 5 ] Bug #2370279 - CVE-2025-32802 kea: Insecure handling of file paths allows multiple local attacks [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2370279
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-dc6ec0a8e2' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 42 Update: python-django5-5.2.2-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-ad58eb378b
2025-06-19 01:56:35.684098+00:00
--------------------------------------------------------------------------------

Name : python-django5
Product : Fedora 42
Version : 5.2.2
Release : 1.fc42
URL : https://www.djangoproject.com/
Summary : A high-level Python Web framework
Description :
Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as
much as possible and adhering to the DRY (Don't Repeat Yourself)
principle.

--------------------------------------------------------------------------------
Update Information:

Fixes CVE-2025-32873: Denial-of-service possibility in strip_tags()
Fixes CVE-2025-48432: Potential log injection via unescaped request path
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jun 9 2025 Michel Lind [salimma@fedoraproject.org] - 5.2.2-1
- Update to 5.2.2
- Fixes CVE-2025-32873: Denial-of-service possibility in strip_tags()
- Fixes CVE-2025-48432: Potential log injection via unescaped request path
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2365047 - CVE-2025-32873 python-django5: Django StripTags Denial of Service [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2365047
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-ad58eb378b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------




[SECURITY] Fedora 41 Update: kea-2.6.3-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-b870671130
2025-06-19 01:20:13.177267+00:00
--------------------------------------------------------------------------------

Name : kea
Product : Fedora 41
Version : 2.6.3
Release : 1.fc41
URL : http://kea.isc.org
Summary : DHCPv4, DHCPv6 and DDNS server from ISC
Description :
DHCP implementation from Internet Systems Consortium, Inc. that features fully
functional DHCPv4, DHCPv6 and Dynamic DNS servers.
Both DHCP servers fully support server discovery, address assignment, renewal,
rebinding and release. The DHCPv6 server supports prefix delegation. Both
servers support DNS Update mechanism, using stand-alone DDNS daemon.

--------------------------------------------------------------------------------
Update Information:

New version 2.6.3 (rhbz#2368989)
Fix for: CVE-2025-32801, CVE-2025-32802, CVE-2025-32803
kea.conf: Remove /tmp/ from socket-name for existing configurations
kea.conf: Set pseudo-random password for default config to secure fresh
install and allow CA startup without user intervention
kea.conf: Restrict directory permissions
Sync service files with upstream
Fix leases ownership when switching from root to kea user (rhbz#2324168)
Release Notes:
The new default configuration file, kea-ctrl-agent.conf, introduces an
authentication setting, "password-file", which restricts access to the REST API.
On Fedora, the kea-api-password file is automatically populated with a
pseudo-random password to secure new installations.
For system upgrades, it is strongly recommended to update any custom
configurations to restrict access to the REST API.
For more details, including information on CVE fixes and incompatible changes,
refer to the upstream release notes:
https://downloads.isc.org/isc/kea/2.6.3/Kea-2.6.3-ReleaseNotes.txt
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jun 9 2025 Martin Osvald [mosvald@redhat.com] - 2.6.3-1
- New version 2.6.3 (rhbz#2368989)
- Fix for: CVE-2025-32801, CVE-2025-32802, CVE-2025-32803
- kea.conf: Remove /tmp/ from socket-name for existing configurations
- kea.conf: Set pseudo-random password for default config to secure fresh
install and allow CA startup without user intervention
- kea.conf: Restrict directory permissions
- Sync service files with upstream
- Fix leases ownership when switching from root to kea user (rhbz#2324168)
* Mon Jun 9 2025 Yaakov Selkowitz [yselkowi@redhat.com] - 2.6.2-6
- Reconditionalize openssl-devel-engine
* Mon Jun 9 2025 Martin Osvald [mosvald@redhat.com] - 2.6.2-5
- kea.spec: remove rhel7 and f40 conditions
* Mon Jun 9 2025 Pavol Sloboda [pavol.sloboda02@gmail.com] - 2.6.2-4
- fix: fixed the BuildRequires of mariadb-devel package the mariadb-
connector-c-devel package is available for all RHEL versions from version
8 and above, as version 7 is quite old this condition is not necessary
and all packages should use the BuildRequires of mariadb-connector-c-
devel instead of mariadb-devel if possible
* Mon Jun 9 2025 Andrea Bolognani [abologna@redhat.com] - 2.6.2-3
- Use autoreconf more (fixes riscv64 build)
* Mon Jun 2 2025 František Hrdina [fhrdina@redhat.com] - 2.6.2-2
- Update location of fmf plans
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2324168 - System update from F40 to F41: kea-dhcp unusable
https://bugzilla.redhat.com/show_bug.cgi?id=2324168
[ 2 ] Bug #2368989 - kea-2.6.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2368989
[ 3 ] Bug #2369336 - CVE-2025-32803 kea: Insecure file permissions can result in confidential information leakage [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2369336
[ 4 ] Bug #2369380 - CVE-2025-32801 kea: Loading a malicious hook library can lead to local privilege escalation [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2369380
[ 5 ] Bug #2370278 - CVE-2025-32802 kea: Insecure handling of file paths allows multiple local attacks [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2370278
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-b870671130' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 41 Update: python-django5-5.1.10-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-2dff80a8a3
2025-06-19 01:20:13.177257+00:00
--------------------------------------------------------------------------------

Name : python-django5
Product : Fedora 41
Version : 5.1.10
Release : 1.fc41
URL : https://www.djangoproject.com/
Summary : A high-level Python Web framework
Description :
Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as
much as possible and adhering to the DRY (Don't Repeat Yourself)
principle.

--------------------------------------------------------------------------------
Update Information:

Fixes CVE-2025-32873: Denial-of-service possibility in strip_tags()
Fixes CVE-2025-48432: Potential log injection via unescaped request path
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jun 9 2025 Michel Lind [salimma@fedoraproject.org] - 5.1.10-1
- Update to 5.1.10
- Fixes CVE-2025-32873: Denial-of-service possibility in strip_tags()
- Fixes CVE-2025-48432: Potential log injection via unescaped request path
* Fri Apr 4 2025 Michel Lind [salimma@fedoraproject.org] - 5.1.8-1
- Update to 5.1.8
- On Windows, this fixes CVE-2025-27556. Mentioning for completeness
- Fixes a regression in Django 5.1.7 affecting
LogEntryManager.log_actions() - #36234
- Remove legacy symlinks
* Wed Mar 19 2025 Tomáš Hrnčiar [thrnciar@redhat.com] - 5.1.7-2
- Adjust patch to allow setuptools