Fedora Linux 8801 Published by

The following security updates have been released for Fedora Linux:

[SECURITY] Fedora 39 Update: vim-9.1.719-1.fc39
[SECURITY] Fedora 39 Update: nextcloud-29.0.6-2.fc39
[SECURITY] Fedora 39 Update: wolfssl-5.7.2-2.fc39
[SECURITY] Fedora 40 Update: python3.6-3.6.15-37.fc40
[SECURITY] Fedora 40 Update: python3.10-3.10.15-1.fc40
[SECURITY] Fedora 40 Update: python3.13-3.13.0~rc2-1.fc40
[SECURITY] Fedora 40 Update: nextcloud-29.0.6-2.fc40
[SECURITY] Fedora 40 Update: wolfssl-5.7.2-2.fc40




[SECURITY] Fedora 39 Update: vim-9.1.719-1.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-055adf8e6f
2024-09-12 01:34:06.829580
--------------------------------------------------------------------------------

Name : vim
Product : Fedora 39
Version : 9.1.719
Release : 1.fc39
URL : http://www.vim.org/
Summary : The VIM editor
Description :
VIM (VIsual editor iMproved) is an updated and improved version of the
vi editor. Vi was the first real screen-based editor for UNIX, and is
still very popular. VIM improves on vi by adding new features:
multiple windows, multi-level undo, block highlighting and more.

--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2024-45306
patchlevel 703
Security fixes for CVE-2024-43374, CVE-2024-43802
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep 6 2024 Zdenek Dohnal [zdohnal@redhat.com] - 2:9.1.719-1
- patchlevel 719
* Fri Aug 30 2024 Zdenek Dohnal [zdohnal@redhat.com] - 2:9.1.703-1
- patchlevel 703
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2305311 - CVE-2024-43374 vim: use-after-free in alist_add() in src/arglist.c [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2305311
[ 2 ] Bug #2308490 - CVE-2024-43802 vim: Heap Buffer Overflow in Vim's Typeahead Buffer Handling [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2308490
[ 3 ] Bug #2309343 - CVE-2024-45306 vim: heap-buffer-overflow in Vim [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2309343
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-055adf8e6f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 39 Update: nextcloud-29.0.6-2.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-bdac6de5ee
2024-09-12 01:34:06.829566
--------------------------------------------------------------------------------

Name : nextcloud
Product : Fedora 39
Version : 29.0.6
Release : 2.fc39
URL : http://nextcloud.com
Summary : Private file sync and share server
Description :
NextCloud gives you universal access to your files through a web interface or
WebDAV. It also provides a platform to easily view & sync your contacts,
calendars and bookmarks across all your devices and enables basic editing right
on the web. NextCloud is extendable via a simple but powerful API for
applications and plugins.

--------------------------------------------------------------------------------
Update Information:

29.0.6 release RHBZ#2305125 RHBZ#2309499 fixes CVE-2024-39338
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 3 2024 Andrew Bauer - 29.0.6-1
- 29.0.6 release RHBZ#2305125 RHBZ#2309499 fixes CVE-2024-39338
* Tue Sep 3 2024 Andrew Bauer - 29.0.5-5
- 29.0.6 release RHBZ#2305125 RHBZ#2309499 fixes CVE-2024-39338
* Tue Sep 3 2024 Andrew Bauer - 29.0.5-4
- 29.0.6 release RHBZ#2305125 RHBZ#2309499 fixes CVE-2024-39338
* Tue Sep 3 2024 Andrew Bauer - 29.0.5-3
- 29.0.6 release RHBZ#2305125 RHBZ# 2309499 fixes CVE-2024-39338
* Mon Sep 2 2024 Miroslav Suchý - 29.0.5-2
- convert license to SPDX
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2305125 - CVE-2024-39338 nextcloud: axios: Server-Side Request Forgery [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2305125
[ 2 ] Bug #2309499 - nextcloud-30.0.0rc3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2309499
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-bdac6de5ee' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 39 Update: wolfssl-5.7.2-2.fc39


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-b73e44fe9d
2024-09-12 01:34:06.829560
--------------------------------------------------------------------------------

Name : wolfssl
Product : Fedora 39
Version : 5.7.2
Release : 2.fc39
URL : https://github.com/wolfSSL/wolfssl
Summary : Lightweight SSL/TLS library written in ANSI C
Description :
The wolfSSL embedded SSL library (formerly CyaSSL) is a lightweight SSL/TLS
library written in ANSI C and targeted for embedded, RTOS, and
resource-constrained environments - primarily because of its small size,
speed, and feature set. It is commonly used in standard operating environments
as well because of its royalty-free pricing and excellent cross platform
support. wolfSSL supports industry standards up to the current TLS 1.3 and
DTLS 1.3, is up to 20 times smaller than OpenSSL, and offers progressive
ciphers such as ChaCha20, Curve25519, Blake2b and Post-Quantum TLS 1.3 groups.
User bench-marking and feedback reports dramatically better performance when
using wolfSSL over OpenSSL.

wolfSSL is powered by the wolfCrypt cryptography library. Two versions of
wolfCrypt have been FIPS 140-2 validated (Certificate #2425 and certificate

visit the wolfCrypt FIPS FAQ or contact fips@wolfssl.com.

--------------------------------------------------------------------------------
Update Information:

RHBZ#2308628 RHBZ#2308629 RHBZ#2308630 RHBZ#2308631 fixed in 5.7.2 release
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 3 2024 Andrew Bauer [zonexpertconsulting@outlook.com] - 5.7.2-2
- RHBZ#2308628 RHBZ#2308629 RHBZ#2308630 RHBZ#2308631 fixed in 5.7.2 release
- fips macro patch no longer needed
* Sun Aug 25 2024 Andrew Bauer [zonexpertconsulting@outlook.com] - 5.7.2-1
- 5.7.2 release
- patch FIPS_VERSION3_GE macro issue
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2308628 - CVE-2024-1543 wolfssl: The side-channel protected T-Table implementation in wolfSSL [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2308628
[ 2 ] Bug #2308629 - CVE-2024-1543 wolfssl: The side-channel protected T-Table implementation in wolfSSL [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2308629
[ 3 ] Bug #2308630 - CVE-2024-1545 wolfssl: Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2308630
[ 4 ] Bug #2308631 - CVE-2024-1545 wolfssl: Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2308631
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-b73e44fe9d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 40 Update: python3.6-3.6.15-37.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-02027448d8
2024-09-12 01:26:59.749330
--------------------------------------------------------------------------------

Name : python3.6
Product : Fedora 40
Version : 3.6.15
Release : 37.fc40
URL : https://www.python.org/
Summary : Version 3.6 of the Python interpreter
Description :
Python 3.6 package for developers.

This package exists to allow developers to test their code against an older
version of Python. This is not a full Python stack and if you wish to run
your applications with Python 3.6, see other distributions
that support it, such as CentOS or RHEL with Software Collections
or older Fedora releases.

--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2024-6232 (rhbz#2310092)
--------------------------------------------------------------------------------
ChangeLog:

* Thu Sep 5 2024 Lumír Balhar - 3.6.15-37
- Security fix for CVE-2024-6232 (rhbz#2310092)
* Wed Sep 4 2024 Miroslav Suchý - 3.6.15-36
- convert license to SPDX
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2310092 - CVE-2024-6232 python3.6: tarfile: ReDos via excessive backtracking while parsing header values [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2310092
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-02027448d8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 40 Update: python3.10-3.10.15-1.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-f750328c3b
2024-09-12 01:26:59.749323
--------------------------------------------------------------------------------

Name : python3.10
Product : Fedora 40
Version : 3.10.15
Release : 1.fc40
URL : https://www.python.org/
Summary : Version 3.10 of the Python interpreter
Description :
Python 3.10 is an accessible, high-level, dynamically typed, interpreted
programming language, designed with an emphasis on code readability.
It includes an extensive standard library, and has a vast ecosystem of
third-party libraries.

The python3.10 package provides the "python3.10" executable: the reference
interpreter for the Python language, version 3.
The majority of its standard library is provided in the python3.10-libs package,
which should be installed automatically along with python3.10.
The remaining parts of the Python standard library are broken out into the
python3.10-tkinter and python3.10-test packages, which may need to be installed
separately.

Documentation for Python is provided in the python3.10-docs package.

Packages containing additional libraries for Python are generally named with
the "python3.10-" prefix.

--------------------------------------------------------------------------------
Update Information:

This is a security release of Python 3.10
Note: The release you're looking at is Python 3.10.15, a security bugfix release
for the legacy 3.10 series. Python 3.12 is now the latest feature release series
of Python 3.
Security content in this release
gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with
backslashes by http.cookies. Fixes CVE-2024-7592.
gh-113171: Fixed various false positives and false negatives in
IPv4Address.is_private, IPv4Address.is_global, IPv6Address.is_private,
IPv6Address.is_global. Fixes CVE-2024-4032.
gh-67693: Fix urllib.parse.urlunparse() and urllib.parse.urlunsplit() for URIs
with path starting with multiple slashes and no authority. Fixes CVE-2015-2104.
gh-121957: Fixed missing audit events around interactive use of Python, now also
properly firing for python -i, as well as for python -m asyncio. The event in
question is cpython.run_stdin.
gh-122133: Authenticate the socket connection for the socket.socketpair()
fallback on platforms where AF_UNIX is not available like Windows.
gh-121285: Remove backtracking from tarfile header parsing for hdrcharset, PAX,
and GNU sparse headers. That's CVE-2024-6232.
gh-114572: ssl.SSLContext.cert_store_stats() and ssl.SSLContext.get_ca_certs()
now correctly lock access to the certificate store, when the ssl.SSLContext is
shared across multiple threads.
gh-102988: email.utils.getaddresses() and email.utils.parseaddr() now return
('', '') 2-tuples in more situations where invalid email addresses are
encountered instead of potentially inaccurate values. Add optional strict
parameter to these two functions: use strict=False to get the old behavior,
accept malformed inputs. getattr(email.utils, 'supports_strict_parsing', False)
can be use to check if the strict paramater is available. This improves the
CVE-2023-27043 fix.
gh-123270: Sanitize names in zipfile.Path to avoid infinite loops (gh-122905)
without breaking contents using legitimate characters. That's CVE-2024-8088.
gh-121650: email headers with embedded newlines are now quoted on output. The
generator will now refuse to serialize (write) headers that are unsafely folded
or delimited; see verify_generated_headers. That's CVE-2024-6923.
gh-119690: Fixes data type confusion in audit events raised by
_winapi.CreateFile and _winapi.CreateNamedPipe.
gh-116773: Fix instances of still has
pending operation at deallocation, the process may crash.
gh-112275: A deadlock involving pystate.c's HEAD_LOCK in posixmodule.c at fork
is now fixed.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Sep 9 2024 Tomáš Hrnčiar - 3.10.15-1
- Update to 3.10.15
* Tue Jul 23 2024 Lumír Balhar - 3.10.14-4
- Require systemtap-sdt-devel for sys/sdt.h
* Fri Jul 19 2024 Fedora Release Engineering - 3.10.14-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2293390 - CVE-2024-4032 python3.10: python: incorrect IPv4 and IPv6 private ranges [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2293390
[ 2 ] Bug #2303157 - CVE-2024-6923 python3.10: email module doesn't properly quotes newlines in email headers, allowing header injection [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2303157
[ 3 ] Bug #2307459 - CVE-2024-8088 python3.10: From NVD collector [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2307459
[ 4 ] Bug #2310088 - CVE-2024-6232 python3.10: tarfile: ReDos via excessive backtracking while parsing header values [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2310088
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-f750328c3b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
---------------------------------------------------------------------------------



[SECURITY] Fedora 40 Update: python3.13-3.13.0~rc2-1.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-e887a10dee
2024-09-12 01:26:59.749302
--------------------------------------------------------------------------------

Name : python3.13
Product : Fedora 40
Version : 3.13.0~rc2
Release : 1.fc40
URL : https://www.python.org/
Summary : Version 3.13 of the Python interpreter
Description :
Python 3.13 is an accessible, high-level, dynamically typed, interpreted
programming language, designed with an emphasis on code readability.
It includes an extensive standard library, and has a vast ecosystem of
third-party libraries.

The python3.13 package provides the "python3.13" executable: the reference
interpreter for the Python language, version 3.
The majority of its standard library is provided in the python3.13-libs package,
which should be installed automatically along with python3.13.
The remaining parts of the Python standard library are broken out into the
python3.13-tkinter and python3.13-test packages, which may need to be installed
separately.

Documentation for Python is provided in the python3.13-docs package.

Packages containing additional libraries for Python are generally named with
the "python3.13-" prefix.

--------------------------------------------------------------------------------
Update Information:

Python 3.13.0rc2
--------------------------------------------------------------------------------
ChangeLog:

* Sat Sep 7 2024 Karolina Surma [ksurma@redhat.com] - 3.13.0~rc2-1
- Update to Python 3.13.0rc2
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2307370 - CVE-2024-8088 python: cpython: Iterating over a malicious ZIP file may lead to Denial of Service
https://bugzilla.redhat.com/show_bug.cgi?id=2307370
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-e887a10dee' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 40 Update: nextcloud-29.0.6-2.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-296a0db958
2024-09-12 01:26:59.749275
--------------------------------------------------------------------------------

Name : nextcloud
Product : Fedora 40
Version : 29.0.6
Release : 2.fc40
URL : http://nextcloud.com
Summary : Private file sync and share server
Description :
NextCloud gives you universal access to your files through a web interface or
WebDAV. It also provides a platform to easily view & sync your contacts,
calendars and bookmarks across all your devices and enables basic editing right
on the web. NextCloud is extendable via a simple but powerful API for
applications and plugins.

--------------------------------------------------------------------------------
Update Information:

29.0.6 release RHBZ#2305125 RHBZ#2309499 fixes CVE-2024-39338
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 3 2024 Andrew Bauer - 29.0.6-1
- 29.0.6 release RHBZ#2305125 RHBZ#2309499 fixes CVE-2024-39338
* Tue Sep 3 2024 Andrew Bauer - 29.0.5-5
- 29.0.6 release RHBZ#2305125 RHBZ#2309499 fixes CVE-2024-39338
* Tue Sep 3 2024 Andrew Bauer - 29.0.5-4
- 29.0.6 release RHBZ#2305125 RHBZ#2309499 fixes CVE-2024-39338
* Tue Sep 3 2024 Andrew Bauer - 29.0.5-3
- 29.0.6 release RHBZ#2305125 RHBZ# 2309499 fixes CVE-2024-39338
* Mon Sep 2 2024 Miroslav Suchý - 29.0.5-2
- convert license to SPDX
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2305125 - CVE-2024-39338 nextcloud: axios: Server-Side Request Forgery [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2305125
[ 2 ] Bug #2309499 - nextcloud-30.0.0rc3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2309499
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-296a0db958' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
---------------------------------------------------------------------------------



[SECURITY] Fedora 40 Update: wolfssl-5.7.2-2.fc40


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-ed1a50aa61
2024-09-12 01:26:59.749261
--------------------------------------------------------------------------------

Name : wolfssl
Product : Fedora 40
Version : 5.7.2
Release : 2.fc40
URL : https://github.com/wolfSSL/wolfssl
Summary : Lightweight SSL/TLS library written in ANSI C
Description :
The wolfSSL embedded SSL library (formerly CyaSSL) is a lightweight SSL/TLS
library written in ANSI C and targeted for embedded, RTOS, and
resource-constrained environments - primarily because of its small size,
speed, and feature set. It is commonly used in standard operating environments
as well because of its royalty-free pricing and excellent cross platform
support. wolfSSL supports industry standards up to the current TLS 1.3 and
DTLS 1.3, is up to 20 times smaller than OpenSSL, and offers progressive
ciphers such as ChaCha20, Curve25519, Blake2b and Post-Quantum TLS 1.3 groups.
User bench-marking and feedback reports dramatically better performance when
using wolfSSL over OpenSSL.

wolfSSL is powered by the wolfCrypt cryptography library. Two versions of
wolfCrypt have been FIPS 140-2 validated (Certificate #2425 and certificate

visit the wolfCrypt FIPS FAQ or contact fips@wolfssl.com.

--------------------------------------------------------------------------------
Update Information:

RHBZ#2308628 RHBZ#2308629 RHBZ#2308630 RHBZ#2308631 fixed in 5.7.2 release
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 3 2024 Andrew Bauer [zonexpertconsulting@outlook.com] - 5.7.2-2
- RHBZ#2308628 RHBZ#2308629 RHBZ#2308630 RHBZ#2308631 fixed in 5.7.2 release
- fips macro patch no longer needed
* Sun Aug 25 2024 Andrew Bauer [zonexpertconsulting@outlook.com] - 5.7.2-1
- 5.7.2 release
- patch FIPS_VERSION3_GE macro issue
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2308628 - CVE-2024-1543 wolfssl: The side-channel protected T-Table implementation in wolfSSL [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2308628
[ 2 ] Bug #2308629 - CVE-2024-1543 wolfssl: The side-channel protected T-Table implementation in wolfSSL [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2308629
[ 3 ] Bug #2308630 - CVE-2024-1545 wolfssl: Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2308630
[ 4 ] Bug #2308631 - CVE-2024-1545 wolfssl: Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2308631
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-ed1a50aa61' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--