Fedora Linux 8487 Published by

The following security updates are available for Fedora Linux:

Fedora 38 Update: python-paramiko-3.4.0-1.fc38
Fedora 38 Update: xorg-x11-server-1.20.14-28.fc38
Fedora 38 Update: tigervnc-1.13.1-9.fc38
Fedora 39 Update: chromium-120.0.6099.216-1.fc39




Fedora 38 Update: python-paramiko-3.4.0-1.fc38


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-39a8c72ea9
2024-01-11 02:15:43.703845
--------------------------------------------------------------------------------

Name : python-paramiko
Product : Fedora 38
Version : 3.4.0
Release : 1.fc38
URL : https://github.com/paramiko/paramiko
Summary : SSH2 protocol library for python
Description :

Paramiko (a combination of the Esperanto words for "paranoid" and "friend") is
a module for python 2.3 or greater that implements the SSH2 protocol for secure
(encrypted and authenticated) connections to remote machines. Unlike SSL (aka
TLS), the SSH2 protocol does not require hierarchical certificates signed by a
powerful central authority. You may know SSH2 as the protocol that replaced
telnet and rsh for secure access to remote shells, but the protocol also
includes the ability to open arbitrary channels to remote services across an
encrypted tunnel (this is how sftp works, for example).

--------------------------------------------------------------------------------
Update Information:

Terrapin fix
--------------------------------------------------------------------------------
ChangeLog:

* Tue Dec 19 2023 Gwyn Ciesla [gwync@protonmail.com] - 3.4.0-1
- 3.4.0
* Sun Jul 30 2023 Paul Howarth - 3.3.1-1
- Update to 3.3.1 (rhbz#2227478)
- Cleaned up some very old root level files, mostly just to exercise some of
our doc build and release machinery
* Fri Jul 28 2023 Gwyn Ciesla [gwync@protonmail.com] - 3.3.0-1
- 3.3.0
- Add support and tests for 'Match final ..' (frequently used in ProxyJump
configurations to exclude the jump host) to our SSH config parser (GH#1907,
GH#1992)
- Add an explicit 'max_concurrent_prefetch_requests' argument to
'paramiko.client.SSHClient.get' and 'paramiko.client.SSHClient.getfo',
allowing users to limit the number of concurrent requests used during
prefetch (GH#1587, GH#2058)
* Fri Jul 21 2023 Fedora Release Engineering [releng@fedoraproject.org] - 3.2.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Thu Jun 15 2023 Python Maint - 3.2.0-2
- Rebuilt for Python 3.12
* Sat May 27 2023 Paul Howarth - 3.2.0-1
- Update to 3.2.0 (rhbz#2210398)
- Fixed a very sneaky bug found at the apparently rarely-traveled
intersection of RSA-SHA2 keys, certificates, SSH agents, and
stricter-than-OpenSSH server targets, which manifested as yet another
"well, if we turn off SHA2 at one end or another, everything works again"
problem, for example with version 12 of the Teleport server endpoint
- The 'server-sig-algs' and 'RSA-SHA2' features added around Paramiko 2.9 or
so, had the annoying side effect of not working with servers that don't
support *either* of those feature sets, requiring use of
'disabled_algorithms' to forcibly disable the SHA2 algorithms on Paramiko's
end (GH#1961, GH#2012 and countless others)
- The *experimental* '~paramiko.transport.ServiceRequestingTransport' (noted
in its own entry in this changelog) includes a fix for this issue,
specifically by falling back to the same algorithm as the in-use pubkey if
it's in the algorithm list (leaving the "first algorithm in said list" as
an absolute final fallback)
- Implement '_fields()' on '~paramiko.agent.AgentKey' so that it may be
compared (via '==') with other '~paramiko.pkey.PKey' instances
- Since its inception, Paramiko has (for reasons lost to time) implemented
authentication as a side effect of handling affirmative replies to
'MSG_SERVICE_REQUEST' protocol messages; what this means is Paramiko makes
one such request before every 'MSG_USERAUTH_REQUEST', i.e. every auth
attempt (GH#23)
- OpenSSH doesn't care if clients send multiple service requests, but other
server implementations are often stricter in what they accept after an
initial service request (due to the RFCs not being clear), which can
result in odd behavior when a user doesn't authenticate successfully on
the very first try (for example, when the right key for a target host is
the third in one's ssh-agent)
- This version of Paramiko now contains an opt-in
'~paramiko.transport.Transport' subclass,
'~paramiko.transport.ServiceRequestingTransport', which more-correctly
implements service request handling in the Transport, and uses an
auth-handler subclass internally that has been similarly adapted; users
wanting to try this new experimental code path may hand this class to
'SSHClient.connect` as its 'transport_factory' kwarg
- This feature is *EXPERIMENTAL* and its code may be subject to change
- Minor backwards incompatible changes exist in the new code paths, most
notably the removal of the (inconsistently applied and rarely used)
'event' arguments to the 'auth_xxx' methods
- GSSAPI support has only been partially implemented, and is untested
- Some minor backwards-*compatible* changes were made to the *existing*
Transport and AuthHandler classes to facilitate the new code; for
example, 'Transport._handler_table' and
'AuthHandler._client_handler_table' are now properties instead of raw
attributes
- Users of '~paramiko.client.SSHClient' can now configure the authentication
logic Paramiko uses when connecting to servers; this functionality is
intended for advanced users and higher-level libraries such as 'Fabric'
( https://fabfile.org/); see '~paramiko.auth_strategy' for details (GH#387)
- Fabric's co-temporal release includes a proof-of-concept use of this
feature, implementing an auth flow much closer to that of the OpenSSH
client (versus Paramiko's legacy behavior); it is *strongly recommended*
that if this interests you, investigate replacing any direct use of
'SSHClient' with Fabric's 'Connection'
- This feature is **EXPERIMENTAL**; please see its docs for details
- Enhanced '~paramiko.agent.AgentKey' with new attributes, such as:
- Added a 'comment' attribute (and constructor argument);
'Agent.get_keys()' now uses this kwarg to store any comment field sent
over by the agent; the original version of the agent feature inexplicably
did not store the comment anywhere
- Agent-derived keys now attempt to instantiate a copy of the appropriate
key class for access to other algorithm-specific members (e.g. key size);
this is available as the '.inner_key' attribute
- This functionality is now in use in Fabric's new '--list-agent-keys'
feature, as well as in Paramiko's debug logging
- '~paramiko.pkey.PKey' now offers convenience "meta-constructors", static
methods that simplify the process of instantiating the correct subclass for
a given key input
- For example, 'PKey.from_path' can load a file path without knowing
*a priori* what type of key it is (thanks to some handy methods within
our cryptography dependency); going forwards, we expect this to be the
primary method of loading keys by user code that runs on "human time"
(i.e. where some minor efficiencies are worth the convenience)
- In addition, 'PKey.from_type_string' now exists, and is being used in
some internals to load ssh-agent keys
- As part of these changes, '~paramiko.pkey.PKey' and friends grew a
'~paramiko.pkey.PKey.identifiers' classmethod; this is inspired by the
'~paramiko.ecdsakey.ECDSAKey.supported_key_format_identifiers' classmethod
(which now refers to the new method); this also includes adding a '.name'
attribute to most key classes (which will eventually replace
'.get_name()')
- '~paramiko.pkey.PKey' grew a new '.algorithm_name' property that displays
the key algorithm; this is typically derived from the value of
'~paramiko.pkey.PKey.get_name'; for example, ED25519 keys have a 'get_name'
of 'ssh-ed25519' (the SSH protocol key type field value), and now have a
'algorithm_name' of 'ED25519'
- '~paramiko.pkey.PKey' grew a new '.fingerprint' property that emits a
fingerprint string matching the SHA256+Base64 values printed by various
OpenSSH tooling (e.g. 'ssh-add -l', 'ssh -v'); this is intended to help
troubleshoot Paramiko-vs-OpenSSH behavior and will eventually replace the
venerable 'get_fingerprint' method
- '~paramiko.agent.AgentKey' had a dangling Python 3 incompatible '__str__'
method returning bytes; this method has been removed, allowing the
superclass' ('~paramiko.pkey.PKey') method to run instead
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2255908 - TRIAGE CVE-2023-48795 python-paramiko: ssh: Prefix truncation attack on Binary Packet Protocol (BPP) [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2255908
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-39a8c72ea9' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--



Fedora 38 Update: xorg-x11-server-1.20.14-28.fc38


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2023-ec02e360af
2024-01-11 02:15:43.703651
--------------------------------------------------------------------------------

Name : xorg-x11-server
Product : Fedora 38
Version : 1.20.14
Release : 28.fc38
URL : http://www.x.org
Summary : X.Org X11 X server
Description :
X.Org X11 X server

--------------------------------------------------------------------------------
Update Information:

CVE fix for: CVE-2023-6377, CVE-2023-6478
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 13 2023 Peter Hutterer [peter.hutterer@redhat.com] - 1.20.14-28
- CVE fix for: CVE-2023-6377, CVE-2023-6478
* Fri Nov 10 2023 Peter Hutterer [peter.hutterer@redhat.com] - 1.20.14-27
- Update with full SPDX license list
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2023-ec02e360af' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--



Fedora 38 Update: tigervnc-1.13.1-9.fc38


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2023-ec02e360af
2024-01-11 02:15:43.703651
--------------------------------------------------------------------------------

Name : tigervnc
Product : Fedora 38
Version : 1.13.1
Release : 9.fc38
URL : http://www.tigervnc.com
Summary : A TigerVNC remote display system
Description :
Virtual Network Computing (VNC) is a remote display system which
allows you to view a computing 'desktop' environment not only on the
machine where it is running, but from anywhere on the Internet and
from a wide variety of machine architectures. This package contains a
client which will allow you to connect to other desktops running a VNC
server.

--------------------------------------------------------------------------------
Update Information:

CVE fix for: CVE-2023-6377, CVE-2023-6478
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 13 2023 Jan Grulich [jgrulich@redhat.com] - 1.13.1-9
- Rebuild for Xorg CVEs
Fixes: CVE-2023-6377, CVE-2023-6478
* Wed Nov 22 2023 Florian Weimer [fweimer@redhat.com] - 1.13.1-8
- Drop incorrect tigervnc-c99-2.patch.
* Wed Nov 22 2023 Florian Weimer [fweimer@redhat.com] - 1.13.1-7
- C compatibility fixes
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2023-ec02e360af' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--



Fedora 39 Update: chromium-120.0.6099.216-1.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-01607ac0ae
2024-01-11 01:15:19.066744
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 39
Version : 120.0.6099.216
Release : 1.fc39
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

update to 120.0.6099.216 - High CVE-2024-0333: Insufficient data validation in
Extensions
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jan 10 2024 Than Ngo [than@redhat.com] - 120.0.6099.216-1
- update to 120.0.6099.216
* High CVE-2024-0333: Insufficient data validation in Extensions
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2257630 - CVE-2024-0333 chromium: chromium-browser: Insufficient data validation in Extensions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2257630
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-01607ac0ae' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--