Fedora Linux 8801 Published by

The following security updates are available for Fedora Linux:

[SECURITY] Fedora 39 Update: roundcubemail-1.6.8-1.fc39
[SECURITY] Fedora 39 Update: dotnet8.0-8.0.107-1.fc39
[SECURITY] Fedora 39 Update: 389-ds-base-2.4.6-1.fc39
[SECURITY] Fedora 40 Update: roundcubemail-1.6.8-1.fc40
[SECURITY] Fedora 40 Update: 389-ds-base-3.0.4-2.fc40
[SECURITY] Fedora 40 Update: dotnet8.0-8.0.107-1.fc40




[SECURITY] Fedora 39 Update: roundcubemail-1.6.8-1.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-b60eb661a4
2024-08-15 14:22:26.297565
--------------------------------------------------------------------------------

Name : roundcubemail
Product : Fedora 39
Version : 1.6.8
Release : 1.fc39
URL : http://www.roundcube.net
Summary : Round Cube Webmail is a browser-based multilingual IMAP client
Description :
RoundCube Webmail is a browser-based multilingual IMAP client
with an application-like user interface. It provides full
functionality you expect from an e-mail client, including MIME
support, address book, folder manipulation, message searching
and spell checking. RoundCube Webmail is written in PHP and
requires a database: MySQL, PostgreSQL and SQLite are known to
work. The user interface is fully skinnable using XHTML and
CSS 2.

--------------------------------------------------------------------------------
Update Information:

Version 1.6.8
Managesieve: Protect special scripts in managesieve_kolab_master mode
Fix newmail_notifier notification focus in Chrome (#9467)
Fix fatal error when parsing some TNEF attachments (#9462)
Fix double scrollbar when composing a mail with many plain text lines (#7760)
Fix decoding mail parts with multiple base64-encoded text blocks (#9290)
Fix bug where some messages could get malformed in an import from a MBOX file
(#9510)
Fix invalid line break characters in multi-line text in Sieve scripts (#9543)
Fix bug where "with attachment" filter could fail on some fts engines (#9514)
Fix bug where an unhandled exception was caused by an invalid image attachment
(#9475)
Fix bug where a long subject title could not be displayed in some cases (#9416)
Fix infinite loop when parsing malformed Sieve script (#9562)
Fix bug where imap_conn_option's 'socket' was ignored (#9566)
Fix XSS vulnerability in post-processing of sanitized HTML content
CVE-2024-42009
Fix XSS vulnerability in serving of attachments other than HTML or SVG
CVE-2024-42008
Fix information leak (access to remote content) via insufficient CSS filtering
CVE-2024-42010
--------------------------------------------------------------------------------
ChangeLog:

* Mon Aug 5 2024 Remi Collet [remi@remirepo.net] - 1.6.8-1
- update to 1.6.8
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2303070 - CVE-2024-42008 roundcubemail: A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2303070
[ 2 ] Bug #2303075 - CVE-2024-42009 roundcubemail: A Cross-Site Scripting vulnerability in Roundcube [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2303075
[ 3 ] Bug #2303095 - CVE-2024-42010 roundcubemail: information leak due to insufficient CSS filtering [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2303095
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-b60eb661a4' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 39 Update: dotnet8.0-8.0.107-1.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-70741fe21f
2024-08-15 14:22:26.297521
--------------------------------------------------------------------------------

Name : dotnet8.0
Product : Fedora 39
Version : 8.0.107
Release : 1.fc39
URL : https://github.com/dotnet/
Summary : .NET Runtime and SDK
Description :
.NET is a fast, lightweight and modular platform for creating
cross platform applications that work on Linux, macOS and Windows.

It particularly focuses on creating console applications, web
applications and micro-services.

.NET contains a runtime conforming to .NET Standards a set of
framework libraries, an SDK containing compilers and a 'dotnet'
application to drive everything.

--------------------------------------------------------------------------------
Update Information:

This is the July 2024 security updates for .NET 8.
Release Notes:
SDK: https://github.com/dotnet/core/blob/main/release-notes/8.0/8.0.7/8.0.107.md
Runtime: https://github.com/dotnet/core/blob/main/release-
notes/8.0/8.0.7/8.0.7.md
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jul 9 2024 Omair Majid [omajid@redhat.com] - 8.0.107-1
- Update to .NET SDK 8.0.107 and Runtime 8.0.7
* Wed Jul 3 2024 Omair Majid [omajid@redhat.com] - 8.0.105-1
- Fix ownership of some missed directories
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-70741fe21f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 39 Update: 389-ds-base-2.4.6-1.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-c8290315df
2024-08-15 14:22:26.297556
--------------------------------------------------------------------------------

Name : 389-ds-base
Product : Fedora 39
Version : 2.4.6
Release : 1.fc39
URL : https://www.port389.org
Summary : 389 Directory Server (base)
Description :
389 Directory Server is an LDAPv3 compliant server. The base package includes
the LDAP server and command line utilities for server administration.

--------------------------------------------------------------------------------
Update Information:

Changelog
* Tue Jul 30 2024 Viktor Ashirov [vashirov@redhat.com] - 2.4.6-1
- Update to 2.4.6
- Resolves: CVE-2024-1062 (rhbz#2261884)
- Resolves: CVE-2024-2199 (rhbz#2283632)
- Resolves: CVE-2024-3657 (rhbz#2283631)
- Resolves: CVE-2024-5953 (rhbz#2292109)
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jul 30 2024 Viktor Ashirov [vashirov@redhat.com] - 2.4.6-1
- Update to 2.4.6
- Resolves: CVE-2024-1062 (rhbz#2261884)
- Resolves: CVE-2024-2199 (rhbz#2283632)
- Resolves: CVE-2024-3657 (rhbz#2283631)
- Resolves: CVE-2024-5953 (rhbz#2292109)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2261879 - CVE-2024-1062 389-ds-base: a heap overflow leading to denail-of-servce while writing a value larger than 256 chars (in log_entry_attr)
https://bugzilla.redhat.com/show_bug.cgi?id=2261879
[ 2 ] Bug #2267976 - CVE-2024-2199 389-ds-base: Malformed userPassword may cause crash at do_modify in slapd/modify.c
https://bugzilla.redhat.com/show_bug.cgi?id=2267976
[ 3 ] Bug #2274401 - CVE-2024-3657 389-ds-base: potential denial of service via specially crafted kerberos AS-REQ request
https://bugzilla.redhat.com/show_bug.cgi?id=2274401
[ 4 ] Bug #2292104 - CVE-2024-5953 389-ds-base: Malformed userPassword hash may cause Denial of Service
https://bugzilla.redhat.com/show_bug.cgi?id=2292104
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-c8290315df' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 40 Update: roundcubemail-1.6.8-1.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-2e908e829a
2024-08-15 02:33:16.252055
--------------------------------------------------------------------------------

Name : roundcubemail
Product : Fedora 40
Version : 1.6.8
Release : 1.fc40
URL : http://www.roundcube.net
Summary : Round Cube Webmail is a browser-based multilingual IMAP client
Description :
RoundCube Webmail is a browser-based multilingual IMAP client
with an application-like user interface. It provides full
functionality you expect from an e-mail client, including MIME
support, address book, folder manipulation, message searching
and spell checking. RoundCube Webmail is written in PHP and
requires a database: MySQL, PostgreSQL and SQLite are known to
work. The user interface is fully skinnable using XHTML and
CSS 2.

--------------------------------------------------------------------------------
Update Information:

Version 1.6.8
Managesieve: Protect special scripts in managesieve_kolab_master mode
Fix newmail_notifier notification focus in Chrome (#9467)
Fix fatal error when parsing some TNEF attachments (#9462)
Fix double scrollbar when composing a mail with many plain text lines (#7760)
Fix decoding mail parts with multiple base64-encoded text blocks (#9290)
Fix bug where some messages could get malformed in an import from a MBOX file
(#9510)
Fix invalid line break characters in multi-line text in Sieve scripts (#9543)
Fix bug where "with attachment" filter could fail on some fts engines (#9514)
Fix bug where an unhandled exception was caused by an invalid image attachment
(#9475)
Fix bug where a long subject title could not be displayed in some cases (#9416)
Fix infinite loop when parsing malformed Sieve script (#9562)
Fix bug where imap_conn_option's 'socket' was ignored (#9566)
Fix XSS vulnerability in post-processing of sanitized HTML content
CVE-2024-42009
Fix XSS vulnerability in serving of attachments other than HTML or SVG
CVE-2024-42008
Fix information leak (access to remote content) via insufficient CSS filtering
CVE-2024-42010
--------------------------------------------------------------------------------
ChangeLog:

* Mon Aug 5 2024 Remi Collet [remi@remirepo.net] - 1.6.8-1
- update to 1.6.8
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2303071 - CVE-2024-42008 roundcubemail: A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2303071
[ 2 ] Bug #2303076 - CVE-2024-42009 roundcubemail: A Cross-Site Scripting vulnerability in Roundcube [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2303076
[ 3 ] Bug #2303096 - CVE-2024-42010 roundcubemail: information leak due to insufficient CSS filtering [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2303096
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-2e908e829a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 40 Update: 389-ds-base-3.0.4-2.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-ac07913be8
2024-08-15 02:33:16.252041
--------------------------------------------------------------------------------

Name : 389-ds-base
Product : Fedora 40
Version : 3.0.4
Release : 2.fc40
URL : https://www.port389.org
Summary : 389 Directory Server (base)
Description :
389 Directory Server is an LDAPv3 compliant server. The base package includes
the LDAP server and command line utilities for server administration.

--------------------------------------------------------------------------------
Update Information:

Changelog
* Tue Jul 30 2024 Viktor Ashirov [vashirov@redhat.com] - 3.0.4-2
- Replace lmdb with lmdb-libs in Requires
* Tue Jul 30 2024 Viktor Ashirov [vashirov@redhat.com] - 3.0.4-1
- Update to 3.0.4
- Resolves: CVE-2024-1062 (rhbz#2261884)
- Resolves: CVE-2024-2199 (rhbz#2283632)
- Resolves: CVE-2024-3657 (rhbz#2283631)
- Resolves: CVE-2024-5953 (rhbz#2292109)
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jul 30 2024 Viktor Ashirov [vashirov@redhat.com] - 3.0.4-2
- Replace lmdb with lmdb-libs in Requires
* Tue Jul 30 2024 Viktor Ashirov [vashirov@redhat.com] - 3.0.4-1
- Update to 3.0.4
- Resolves: CVE-2024-1062 (rhbz#2261884)
- Resolves: CVE-2024-2199 (rhbz#2283632)
- Resolves: CVE-2024-3657 (rhbz#2283631)
- Resolves: CVE-2024-5953 (rhbz#2292109)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2261879 - CVE-2024-1062 389-ds-base: a heap overflow leading to denail-of-servce while writing a value larger than 256 chars (in log_entry_attr)
https://bugzilla.redhat.com/show_bug.cgi?id=2261879
[ 2 ] Bug #2267976 - CVE-2024-2199 389-ds-base: Malformed userPassword may cause crash at do_modify in slapd/modify.c
https://bugzilla.redhat.com/show_bug.cgi?id=2267976
[ 3 ] Bug #2274401 - CVE-2024-3657 389-ds-base: potential denial of service via specially crafted kerberos AS-REQ request
https://bugzilla.redhat.com/show_bug.cgi?id=2274401
[ 4 ] Bug #2292104 - CVE-2024-5953 389-ds-base: Malformed userPassword hash may cause Denial of Service
https://bugzilla.redhat.com/show_bug.cgi?id=2292104
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-ac07913be8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 40 Update: dotnet8.0-8.0.107-1.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-04cb0f92bc
2024-08-15 02:33:16.251993
--------------------------------------------------------------------------------

Name : dotnet8.0
Product : Fedora 40
Version : 8.0.107
Release : 1.fc40
URL : https://github.com/dotnet/
Summary : .NET Runtime and SDK
Description :
.NET is a fast, lightweight and modular platform for creating
cross platform applications that work on Linux, macOS and Windows.

It particularly focuses on creating console applications, web
applications and micro-services.

.NET contains a runtime conforming to .NET Standards a set of
framework libraries, an SDK containing compilers and a 'dotnet'
application to drive everything.

--------------------------------------------------------------------------------
Update Information:

This is the July 2024 security updates for .NET 8.
Release Notes:
SDK: https://github.com/dotnet/core/blob/main/release-notes/8.0/8.0.7/8.0.107.md
Runtime: https://github.com/dotnet/core/blob/main/release-
notes/8.0/8.0.7/8.0.7.md
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jul 9 2024 Omair Majid [omajid@redhat.com] - 8.0.107-1
- Update to .NET SDK 8.0.107 and Runtime 8.0.7
* Wed Jul 3 2024 Omair Majid [omajid@redhat.com] - 8.0.105-1
- Fix ownership of some missed directories
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-04cb0f92bc' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--