The following Fedora EPEL 8 Security updates need testing:
 Age  URL
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-76db503610   seamonkey-2.53.18-1.el8
The following builds have been pushed to Fedora EPEL 8 updates-testing
chromium-120.0.6099.71-1.el8
expected-1.1.0-1.el8
guacamole-server-1.5.4-1.el8
unrealircd-6.1.3-1.el8
Details about builds:
================================================================================
chromium-120.0.6099.71-1.el8 (FEDORA-EPEL-2023-d1b0df83e0)
A WebKit (Blink) powered web browser that Google doesn't want you to use
--------------------------------------------------------------------------------
Update Information:
Update to 120.0.6099.71

----

Update to 120.0.6099.62; the upstream release fixes the following security issues:

* High CVE-2023-6508: Use after free in Media Stream
* High CVE-2023-6509: Use after free in Side Panel Search
* Medium CVE-2023-6510: Use after free in Media Capture
* Low CVE-2023-6511: Inappropriate implementation in Autofill
* Low CVE-2023-6512: Inappropriate implementation in Web Browser UI

----

Update to 119.0.6045.199, upstream security release:

* High CVE-2023-6348: Type Confusion in Spellcheck
* High CVE-2023-6347: Use after free in Mojo
* High CVE-2023-6346: Use after free in WebAudio
* High CVE-2023-6350: Out of bounds memory access in libavif
* High CVE-2023-6351: Use after free in libavif
* High CVE-2023-6345: Integer overflow in Skia
--------------------------------------------------------------------------------
ChangeLog:
* Fri Dec 8 2023 Than Ngo <than(a)redhat.com> - 120.0.6099.71-1
- update to 120.0.6099.71
* Wed Dec 6 2023 Than Ngo <than(a)redhat.com> - 120.0.6099.62-2
- drop unsupported ldflag which caused build failure
* Tue Dec 5 2023 Than Ngo <than(a)redhat.com> - 120.0.6099.62-1
- update to 120.0.6099.62
- fixed bz#2252874, built with control flow integrity (CFI) support
* Sat Dec 2 2023 Than Ngo <than(a)redhat.com> - 120.0.6099.56-1
- update to 120.0.6099.56
- enable qt6 UI backend
* Sat Dec 2 2023 Than Ngo <than(a)redhat.com> - 119.0.6045.199-2
- fixed bz#2242271, built with bundleminizip in fedora > 39
- fixed bz#2251884, built with fstack-protector-strong for improved security
* Wed Nov 29 2023 Than Ngo <than(a)redhat.com> - 119.0.6045.199-1
- update to 119.0.6045.199
* Sun Nov 19 2023 Than Ngo <than(a)redhat.com> - 119.0.6045.159-2
- fix ffmpeg conflicts
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2252009 - CVE-2023-6346 CVE-2023-6347 CVE-2023-6350 CVE-2023-6351 chromium: various flaws [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2252009
[ 2 ] Bug #2252188 - CVE-2023-6345 chromium: chromium-browser: Integer overflow [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2252188
[ 3 ] Bug #2252191 - CVE-2023-6348 chromium: chromium-browser: Type Confusion in Spellcheck [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2252191
[ 4 ] Bug #2253151 - CVE-2023-6508 chromium: Use after free in Media Stream [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2253151
[ 5 ] Bug #2253154 - CVE-2023-6509 chromium: Use after free in Side Panel Search [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2253154
[ 6 ] Bug #2253157 - CVE-2023-6510 chromium: Use after free in Media Capture [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2253157
[ 7 ] Bug #2253161 - CVE-2023-6511 chromium: Inappropriate implementation in Autofill [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2253161
[ 8 ] Bug #2253164 - CVE-2023-6512 chromium: Inappropriate implementation in Web Browser UI [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2253164
--------------------------------------------------------------------------------
================================================================================
expected-1.1.0-1.el8 (FEDORA-EPEL-2023-ddda2b79e7)
C++11/14/17 std::expected with functional-style extensions
--------------------------------------------------------------------------------
Update Information:
Build for EPEL8/9
--------------------------------------------------------------------------------
ChangeLog:
* Thu Mar 16 2023 Vitaly Zaitsev <vitaly(a)easycoding.org> - 1.1.0-1
- Updated to version 1.1.0.
* Thu Jan 19 2023 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.0.0-8
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Thu Jul 21 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.0.0-7
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Jan 20 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.0.0-6
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Wed Jul 21 2021 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.0.0-5
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue Jan 26 2021 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.0.0-4
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Jul 27 2020 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.0.0-3
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jan 28 2020 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.0.0-2
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Jan 6 2020 Vitaly Zaitsev <vitaly(a)easycoding.org> - 1.0.0-1
- Initial SPEC release.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2252323 - Please branch and build expected for EPEL8 and EPEL9
https://bugzilla.redhat.com/show_bug.cgi?id=2252323
--------------------------------------------------------------------------------
================================================================================
guacamole-server-1.5.4-1.el8 (FEDORA-EPEL-2023-eb17d13fbd)
Server-side native components that form the Guacamole proxy
--------------------------------------------------------------------------------
Update Information:
# Apache Guacamole 1.5.4

## User interface / platform
- History Recording Player should show controls when mouse is moved (GUACAMOLE-1872)
- Bug: Control bar doesn't auto-hide on history recording player (GUACAMOLE-1873)

## Authentication, integration, and storage
- Bug: Regression in JSON module causes loading to fail (GUACAMOLE-1851)
- Bug: Permission check for creating user groups is incorrect (GUACAMOLE-1856)

## Protocol support / guacd
- Bug: Race condition can cause the first user for a connection to miss updates (GUACAMOLE-1846)
- Bug: Parser reparses same instructions multiple times in some cases (GUACAMOLE-1849)
- Bug: `guac_common_cursor_dup()` may segfault if cursor is being modified (GUACAMOLE-1850)
- Add libguac convenience functions for memory management (GUACAMOLE-1867)

## Internationalization
- Updates and corrections to Catalan translation (GUACAMOLE-1880)

## Documentation
- TOTP Authentication - Add documentation relating to usage with docker (GUACAMOLE-1878)

## General housekeeping and cleanup
- Update webapp dependencies to latest stable and compatible versions (GUACAMOLE-1859)
- Bump version numbers to 1.5.4 (GUACAMOLE-1886)
--------------------------------------------------------------------------------
ChangeLog:
* Sat Dec 9 2023 Robert Scheck <robert(a)fedoraproject.org> - 1.5.4-1
- Update to 1.5.4 (#2223510)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2223510 - guacamole-server-1.5.4 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2223510
--------------------------------------------------------------------------------
================================================================================
unrealircd-6.1.3-1.el8 (FEDORA-EPEL-2023-a1267e32b9)
Open Source IRC server
--------------------------------------------------------------------------------
Update Information:
# UnrealIRCd 6.1.3

The main focus of this release is adding countermeasures against large scale spam/drones. Upstream does this by offering a central API which can be used for accessing Central Blocklist, Central Spamreport and Central Spamfilter.

## Enhancements

* Central anti-spam services:
  * The services below require a central-api key, which you can [request here](https://www.unrealircd.org/central-api/).
  * [Central Blocklist](https://www.unrealircd.org/docs/Central_Blocklist) is an attempt to detect and block spammers. It works similar to DNS Blacklists, but the central blocklist receives many more details about the user that is trying to connect and can therefore make a better decision on whether a user is likely a spammer.
  * [Central Spamreport](https://www.unrealircd.org/docs/Central_spamreport) allows you to send spam reports (user details, last sent lines) via the `SPAMREPORT` command. This information may then be used to improve [Central Blocklist](https://www.unrealircd.org/docs/Central_Blocklist) and/or [Central Spamfilter](https://www.unrealircd.org/docs/Central_Spamfilter).
  * The [Central Spamfilter](https://www.unrealircd.org/docs/Central_Spamfilter), which provides `spamfilter { }` blocks that are centrally managed, is now fetched from a different URL if you have a Central API key set. This way, upstream can later provide `spamfilter { }` blocks that build on central blocklist scoring functionality, and upstream doesn't have to reveal all the central spamfilter blocks to the world.
* New option `auto` for [set::hide-ban-reason](https://www.unrealircd.org/docs/Set_block#set::hide-ban-reason), which is now the default. This hides the \*LINE reason from other users if the reason contains the IP of the user, for example when it contains a DroneBL URL with `lookup?ip=XXX`. This protects the privacy of the user. Other possible settings are `no` (never hide, the previous default) and `yes` (always hide the \*LINE reason). In all cases the user affected by the server ban can still see the reason, and so can IRCOps.
* Make [Deny channel](https://www.unrealircd.org/docs/Deny_channel_block) support escape sequences like `channel "#xyz\*";` so you can match a literal `*` or `?` via `\*` and `\?`.
* New option [listen::options::websocket::allow-origin](https://www.unrealircd.org/docs/Listen_block#options_block_(optio...: this restricts websocket connections to a list of websites (the sites hosting the HTML/JS page that makes the websocket connection). It does not *securely* restrict them, since non-browser clients will bypass this check, but it can still be useful to restrict regular webchat users.
* The [Proxy block](https://www.unrealircd.org/docs/Proxy_block) already had support for reverse proxying with the `Forwarded` header. Now it also properly supports `X-Forwarded-For`. If you previously used a proxy block with type `web`, you now need to choose one of the new types explicitly. Note that using a reverse proxy for IRC traffic is rare (see the proxy block docs for details), but upstream offers the option.

## Changes

* Reserve more file descriptors for internal use. For example, when 10,000 fds are available upstream now reserves 250, and when 2048 are available upstream reserves 32. This is so upstream has more fds available for things like log files, HTTPS callbacks to blacklists, etc.
* Make `$client.details` in logs follow the ident rules for users in the handshake too, so the `~` prefix is used if ident lookups are enabled and identd fails, etc.
* More validation for operclass names (`a-zA-Z0-9_-`).
* Hits for central-blocklist are now broadcast globally instead of staying on the same server.

## Fixes

* When using a trusted reverse proxy with the [Proxy block](https://www.unrealircd.org/docs/Proxy_block), under some circumstances it was possible for end-users to spoof IPs.
* Crash when a module is reloaded (not unloaded) and that module no longer provides a particular moddata object, e.g. because it was renamed or no longer needed. This is rare, but did happen for one third-party module recently.
* Fix memory leak when unloading a module for good when that module provided ModData objects for "unknown users" (users still in the handshake).
* Don't ask to generate a TLS certificate if one already exists (issue introduced in 6.1.2).

## Developers and protocol

* New hooks: `HOOKTYPE_WATCH_ADD`, `HOOKTYPE_WATCH_DEL`, `HOOKTYPE_MONITOR_NOTIFICATION`.
* The hook `HOOKTYPE_IS_HANDSHAKE_FINISHED` is now properly called at all places.
* A new [URL API](https://www.unrealircd.org/docs/Dev:URL_API) to easily fetch URLs from modules.
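The deny channel escape rule above (`\*` and `\?` match a literal `*` or `?`) as a worked example. This is an added illustration, not UnrealIRCd's own matcher: a small backtracking wildcard matcher in C where `*` matches any run, `?` matches one character, and a backslash before `*` or `?` makes it literal. Assumptions: ASCII, case-sensitive comparison (UnrealIRCd applies IRC case folding, which is left out here), and constructed sample channel names in `main`.

```c
#include <stdio.h>

/*
 * Added example, not UnrealIRCd code.  Wildcard match with the escape rule
 * from the 6.1.3 notes: '*' matches any run of characters, '?' matches
 * exactly one character, and "\*" / "\?" match those characters literally.
 * Assumption: plain byte-wise, case-sensitive comparison.
 */
int wild_match(const char *pat, const char *str)
{
    const char *star_pat = NULL;   /* pattern position just after the last '*' */
    const char *star_str = NULL;   /* text position where that '*' started matching */

    while (*str) {
        if (*pat == '*') {
            /* Remember this point so a later mismatch can retry with '*' eating more. */
            star_pat = ++pat;
            star_str = str;
            continue;
        }

        /* A backslash followed by '*' or '?' means "that character, literally". */
        const char *p = pat;
        int literal = 0;
        if (*p == '\\' && (p[1] == '*' || p[1] == '?')) {
            p++;
            literal = 1;
        }

        if (*p != '\0' && ((*p == '?' && !literal) || *p == *str)) {
            pat = p + 1;
            str++;
            continue;
        }

        /* Mismatch: backtrack to the last '*' and let it absorb one more character. */
        if (star_pat != NULL) {
            pat = star_pat;
            str = ++star_str;
            continue;
        }
        return 0;
    }

    /* Text exhausted: only trailing '*'s may remain in the pattern. */
    while (*pat == '*')
        pat++;
    return *pat == '\0';
}

int main(void)
{
    /* Constructed sample data, not taken from the original page. */
    const char *pats[]  = { "#xyz\\*", "#xyz*", "#xyz\\?" };
    const char *names[] = { "#xyz*", "#xyzabc", "#xyz", "#xyz?" };

    for (size_t i = 0; i < sizeof pats / sizeof pats[0]; i++)
        for (size_t j = 0; j < sizeof names / sizeof names[0]; j++)
            printf("deny channel \"%s\" vs %-8s -> %s\n", pats[i], names[j],
                   wild_match(pats[i], names[j]) ? "match" : "no match");
    return 0;
}
```

With the escape, `"#xyz\*"` denies only the channel literally named `#xyz*`; without it, `"#xyz*"` would also deny `#xyzabc` and `#xyz` itself.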
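The proxy block enhancement (`X-Forwarded-For` support) and the fix for IP spoofing through a trusted reverse proxy both come down to one rule: a forwarding header may only be believed when the TCP peer is a proxy you trust, and even then only the right-most address that a trusted proxy did not itself append. The following is an added example written for this page, not UnrealIRCd's proxy block implementation. It assumes a hypothetical trusted-proxy list of exact IPv4 strings (the real proxy block takes masks) and constructed header values in `main`.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed configuration for the example: addresses of reverse proxies we
 * trust to set X-Forwarded-For honestly.  Hypothetical values. */
static const char *TRUSTED_PROXIES[] = { "10.0.0.5", "10.0.0.6" };
#define N_TRUSTED (sizeof TRUSTED_PROXIES / sizeof TRUSTED_PROXIES[0])

static int is_trusted_proxy(const char *ip)
{
    for (size_t i = 0; i < N_TRUSTED; i++)
        if (strcmp(ip, TRUSTED_PROXIES[i]) == 0)
            return 1;
    return 0;
}

/* Copy [start, end) into out with surrounding whitespace removed. */
static void copy_trim(const char *start, const char *end, char *out, size_t outsz)
{
    while (start < end && isspace((unsigned char)*start)) start++;
    while (end > start && isspace((unsigned char)end[-1])) end--;
    size_t n = (size_t)(end - start);
    if (n >= outsz) n = outsz - 1;
    memcpy(out, start, n);
    out[n] = '\0';
}

/*
 * Decide which IP to treat as the client's.  peer_ip is the address of the
 * TCP peer as reported by the kernel; xff is the X-Forwarded-For value or
 * NULL if absent.  Writes the result into out and returns it.
 */
const char *resolve_client_ip(const char *peer_ip, const char *xff,
                              char *out, size_t outsz)
{
    /* Rule 1: only a trusted proxy's header counts.  A client connecting
     * directly can put anything it likes in X-Forwarded-For. */
    if (xff == NULL || !is_trusted_proxy(peer_ip)) {
        snprintf(out, outsz, "%s", peer_ip);
        return out;
    }

    /* Rule 2: walk the comma-separated chain from the right.  Each trusted
     * proxy appended the address it saw, so the first entry from the right
     * that is not itself a trusted proxy is what the outermost trusted
     * proxy observed.  Anything left of that came from the client or from
     * proxies we do not control and must not be believed. */
    const char *end = xff + strlen(xff);
    const char *p = end;
    while (p > xff) {
        const char *elem = p;
        while (elem > xff && elem[-1] != ',')
            elem--;
        copy_trim(elem, p, out, outsz);
        if (out[0] != '\0' && !is_trusted_proxy(out))
            return out;
        p = (elem > xff) ? elem - 1 : xff;   /* step over the comma */
    }

    /* Every hop was a trusted proxy (or the header was empty): fall back
     * to the peer rather than trusting a header with no client address. */
    snprintf(out, outsz, "%s", peer_ip);
    return out;
}

int main(void)
{
    /* Constructed scenarios, not from the original page. */
    char buf[64];
    printf("direct client, forged header  -> %s\n",
           resolve_client_ip("203.0.113.9", "1.2.3.4", buf, sizeof buf));
    printf("via trusted proxy             -> %s\n",
           resolve_client_ip("10.0.0.5", "198.51.100.7", buf, sizeof buf));
    printf("two proxies, client-forged hop -> %s\n",
           resolve_client_ip("10.0.0.5", "1.2.3.4, 198.51.100.7, 10.0.0.6", buf, sizeof buf));
    return 0;
}
```

The spoofing failure mode is the first rule: if the header is honoured regardless of who the TCP peer is, any direct client can claim an arbitrary address and evade IP-based bans or blocklist lookups. The second rule matters once more than one proxy is chained; taking the left-most entry would again hand the client control of its recorded IP.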
--------------------------------------------------------------------------------
ChangeLog:
* Sat Dec 9 2023 Robert Scheck <robert(a)fedoraproject.org> 6.1.3-1
- Upgrade to 6.1.3 (#2252372)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2252372 - unrealircd-6.1.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2252372
--------------------------------------------------------------------------------