
Fedora Linux just released a series of security updates, which include rust-rustls-0.23.17-1.fc40, rust-zlib-rs-0.4.0-1.fc40, xen-4.18.3, thunderbird-128.5.0-1.fc41, tuned-2.24.1-1.fc41, nss-3.106.0-1.fc41, firefox-133.0-1.fc41, pam-1.6.1-7.fc41, and rust-rustls-0.23.17-1.fc41:

Fedora 40 Update: rust-rustls-0.23.17-1.fc40
Fedora 40 Update: rust-zlib-rs-0.4.0-1.fc40
Fedora 40 Update: xen-4.18.3-3.fc40
Fedora 41 Update: thunderbird-128.5.0-1.fc41
Fedora 41 Update: tuned-2.24.1-1.fc41
Fedora 41 Update: nss-3.106.0-1.fc41
Fedora 41 Update: firefox-133.0-1.fc41
Fedora 41 Update: pam-1.6.1-7.fc41
Fedora 41 Update: rust-zlib-rs-0.4.0-1.fc41
Fedora 41 Update: rust-rustls-0.23.17-1.fc41



[SECURITY] Fedora 40 Update: rust-rustls-0.23.17-1.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-632b468c59
2024-11-29 03:47:35.523146+00:00
--------------------------------------------------------------------------------

Name : rust-rustls
Product : Fedora 40
Version : 0.23.17
Release : 1.fc40
URL : https://crates.io/crates/rustls
Summary : Modern TLS library written in Rust
Description :
Rustls is a modern TLS library written in Rust.

--------------------------------------------------------------------------------
Update Information:

Update the rustls crate to version 0.23.17.
Update the zlib-rs crate to version 0.4.0.
The update to zlib-rs v0.4.0 also addresses CVE-2024-11249 (stack overflow
during decompression with malicious input). This issue had no actual impact in
Fedora, because no applications yet use the zlib-rs feature of rustls and
rustls is the only dependent package of zlib-rs.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Nov 20 2024 Benjamin A. Beasley [code@musicinmybrain.net] - 0.23.17-1
- Update to version 0.23.17; Fixes RHBZ#2326682
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2326413 - CVE-2024-11249 rust-zlib-rs: zlib-rs stack overflow during decompression with malicious input [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2326413
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-632b468c59' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 40 Update: rust-zlib-rs-0.4.0-1.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-632b468c59
2024-11-29 03:47:35.523146+00:00
--------------------------------------------------------------------------------

Name : rust-zlib-rs
Product : Fedora 40
Version : 0.4.0
Release : 1.fc40
URL : https://crates.io/crates/zlib-rs
Summary : Memory-safe zlib implementation written in rust
Description :
A memory-safe zlib implementation written in rust.

--------------------------------------------------------------------------------
Update Information:

Update the rustls crate to version 0.23.17.
Update the zlib-rs crate to version 0.4.0.
The update to zlib-rs v0.4.0 also addresses CVE-2024-11249 (stack overflow
during decompression with malicious input). This issue had no actual impact in
Fedora, because no applications yet use the zlib-rs feature of rustls and
rustls is the only dependent package of zlib-rs.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Nov 20 2024 Benjamin A. Beasley [code@musicinmybrain.net] - 0.4.0-1
- Update to version 0.4.0
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2326413 - CVE-2024-11249 rust-zlib-rs: zlib-rs stack overflow during decompression with malicious input [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2326413
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-632b468c59' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 40 Update: xen-4.18.3-3.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-7c2cfa2fe5
2024-11-29 03:47:35.523115+00:00
--------------------------------------------------------------------------------

Name : xen
Product : Fedora 40
Version : 4.18.3
Release : 3.fc40
URL : http://xen.org/
Summary : Xen is a virtual machine monitor
Description :
This package contains the XenD daemon and xm command line
tools, needed to manage virtual machines running under the
Xen hypervisor

--------------------------------------------------------------------------------
Update Information:

Deadlock in x86 HVM standard VGA handling [XSA-463, CVE-2024-45818]
libxl leaks data to PVH guests via ACPI tables [XSA-464, CVE-2024-45819]
--------------------------------------------------------------------------------
ChangeLog:

* Wed Nov 13 2024 Michael Young [m.a.young@durham.ac.uk] - 4.18.3-3
- Deadlock in x86 HVM standard VGA handling [XSA-463, CVE-2024-45818]
- libxl leaks data to PVH guests via ACPI tables [XSA-464, CVE-2024-45819]
- additional patches so above applies cleanly
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-7c2cfa2fe5' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: thunderbird-128.5.0-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-07f6b6766c
2024-11-29 03:29:16.748049+00:00
--------------------------------------------------------------------------------

Name : thunderbird
Product : Fedora 41
Version : 128.5.0
Release : 1.fc41
URL : http://www.mozilla.org/projects/thunderbird/
Summary : Mozilla Thunderbird mail/newsgroup client
Description :
Mozilla Thunderbird is a standalone mail and newsgroup client.

--------------------------------------------------------------------------------
Update Information:

Update to 128.5.0
https://www.thunderbird.net/en-US/thunderbird/128.5.0esr/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2024-68/
--------------------------------------------------------------------------------
ChangeLog:

* Wed Nov 27 2024 Eike Rathke [erack@redhat.com] - 128.5.0-1
- Update to 128.5.0
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-07f6b6766c' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: tuned-2.24.1-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-e457d67157
2024-11-29 03:29:16.748036+00:00
--------------------------------------------------------------------------------

Name : tuned
Product : Fedora 41
Version : 2.24.1
Release : 1.fc41
URL : http://www.tuned-project.org/
Summary : A dynamic adaptive system tuning daemon
Description :
The tuned package contains a daemon that tunes system settings dynamically.
It does so by monitoring the usage of several system components periodically.
Based on that information components will then be put into lower or higher
power saving modes to adapt to the current usage. Currently only ethernet
network and ATA harddisk devices are implemented.

--------------------------------------------------------------------------------
Update Information:

This is a new version that fixes CVE-2024-52336 and CVE-2024-52337, which allowed
privileged execution by a non-privileged active local user and log injection.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Nov 26 2024 Jaroslav Škarvada - 2.24.1-1
- new release
- fixed privileged execution of arbitrary scripts by active local user
  resolves: CVE-2024-52336
- added sanity checks for API methods parameters
  resolves: CVE-2024-52337
- tuned-ppd: fixed controller init to correctly set _on_battery
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-e457d67157' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------



[SECURITY] Fedora 41 Update: nss-3.106.0-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-b266d38c44
2024-11-29 03:29:16.748004+00:00
--------------------------------------------------------------------------------

Name : nss
Product : Fedora 41
Version : 3.106.0
Release : 1.fc41
URL : http://www.mozilla.org/projects/security/pki/nss/
Summary : Network Security Services
Description :
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and
server applications. Applications built with NSS can support SSL v2
and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
v3 certificates, and other security standards.

--------------------------------------------------------------------------------
Update Information:

Update NSS to 3.106.0
Update to Firefox 133.0
--------------------------------------------------------------------------------
ChangeLog:

* Tue Nov 19 2024 Bojan Smojver [bojan@rexursive.com] - 3.106.0-1
- Update NSS to 3.106.0
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-b266d38c44' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: firefox-133.0-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-b266d38c44
2024-11-29 03:29:16.748004+00:00
--------------------------------------------------------------------------------

Name : firefox
Product : Fedora 41
Version : 133.0
Release : 1.fc41
URL : https://www.mozilla.org/firefox/
Summary : Mozilla Firefox Web browser
Description :
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance and portability.

--------------------------------------------------------------------------------
Update Information:

Update NSS to 3.106.0
Update to Firefox 133.0
--------------------------------------------------------------------------------
ChangeLog:

* Fri Nov 22 2024 Martin Stransky [stransky@redhat.com] - 133.0-1
- Updated to latest upstream (133.0)
* Mon Nov 18 2024 Martin Stransky [stransky@redhat.com] - 132.0.2-2
- Added memory saving flags to x86_64
* Fri Nov 15 2024 Martin Stransky [stransky@redhat.com] - 132.0.2-1
- Updated to 132.0.2
- Try to reduce build mem usage on ppc64le
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-b266d38c44' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: pam-1.6.1-7.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-4d4d946073
2024-11-29 03:29:16.747998+00:00
--------------------------------------------------------------------------------

Name : pam
Product : Fedora 41
Version : 1.6.1
Release : 7.fc41
URL : http://www.linux-pam.org/
Summary : An extensible library which provides authentication for applications
Description :
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policy without
having to recompile programs that handle authentication.

--------------------------------------------------------------------------------
Update Information:

pam_access: rework resolving of tokens as hostname.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Nov 25 2024 Iker Pedrosa [ipedrosa@redhat.com] - 1.6.1-7
- pam_access: rework resolving of tokens as hostname.
  Resolves: CVE-2024-10963 and #2324300
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2324300 - CVE-2024-10963 pam: Improper Hostname Interpretation in pam_access Leads to Access Control Bypass [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2324300
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-4d4d946073' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: rust-zlib-rs-0.4.0-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-41e6e2fc74
2024-11-29 03:29:16.747934+00:00
--------------------------------------------------------------------------------

Name : rust-zlib-rs
Product : Fedora 41
Version : 0.4.0
Release : 1.fc41
URL : https://crates.io/crates/zlib-rs
Summary : Memory-safe zlib implementation written in rust
Description :
A memory-safe zlib implementation written in rust.

--------------------------------------------------------------------------------
Update Information:

Update the rustls crate to version 0.23.17.
Update the zlib-rs crate to version 0.4.0.
The update to zlib-rs v0.4.0 also addresses CVE-2024-11249 (stack overflow
during decompression with malicious input). This issue had no actual impact in
Fedora, because no applications yet use the zlib-rs feature of rustls and
rustls is the only dependent package of zlib-rs.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Nov 20 2024 Benjamin A. Beasley [code@musicinmybrain.net] - 0.4.0-1
- Update to version 0.4.0
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2326414 - CVE-2024-11249 rust-zlib-rs: zlib-rs stack overflow during decompression with malicious input [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2326414
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-41e6e2fc74' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 41 Update: rust-rustls-0.23.17-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-41e6e2fc74
2024-11-29 03:29:16.747934+00:00
--------------------------------------------------------------------------------

Name : rust-rustls
Product : Fedora 41
Version : 0.23.17
Release : 1.fc41
URL : https://crates.io/crates/rustls
Summary : Modern TLS library written in Rust
Description :
Rustls is a modern TLS library written in Rust.

--------------------------------------------------------------------------------
Update Information:

Update the rustls crate to version 0.23.17.
Update the zlib-rs crate to version 0.4.0.
The update to zlib-rs v0.4.0 also addresses CVE-2024-11249 (stack overflow
during decompression with malicious input). This issue had no actual impact in
Fedora, because no applications yet use the zlib-rs feature of rustls and
rustls is the only dependent package of zlib-rs.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Nov 20 2024 Benjamin A. Beasley [code@musicinmybrain.net] - 0.23.17-1
- Update to version 0.23.17; Fixes RHBZ#2326682
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2326414 - CVE-2024-11249 rust-zlib-rs: zlib-rs stack overflow during decompression with malicious input [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2326414
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-41e6e2fc74' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--