Fedora EPEL 7 updates-testing report

The following Fedora EPEL 7 Security updates need testing:
 Age  URL
   6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-36e0ca3184   netatalk-3.1.18-1.el7
   5  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-0d68b0d3aa   chromium-117.0.5938.149-1.el7


The following builds have been pushed to Fedora EPEL 7 updates-testing

    apptainer-1.2.4-1.el7
    libcue-2.2.1-13.el7
    stb-0-0.27.20231009gitc4bbb6e.el7
    trafficserver-9.2.3-1.el7

Details about builds:


================================================================================
 apptainer-1.2.4-1.el7 (FEDORA-EPEL-2023-9351dc66e0)
 Application and environment virtualization formerly known as Singularity
--------------------------------------------------------------------------------
Update Information:

Update to upstream 1.2.4
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 11 2023 Dave Dykstra <dwd@xxxxxxxx> - 1.2.4
- Update to upstream 1.2.4
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2243304 - apptainer-1.2.4 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2243304
--------------------------------------------------------------------------------


================================================================================
 libcue-2.2.1-13.el7 (FEDORA-EPEL-2023-b5d558ab14)
 Cue sheet parser library
--------------------------------------------------------------------------------
Update Information:

This update backports the fix for a serious security issue that could cause
arbitrary code execution, tracked as CVE-2023-43641. See
[this write-up by Kevin Backhouse](https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/)
for details. Thanks to Kevin for discovering the issue and writing the fix.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Oct 10 2023 Adam Williamson <awilliam@xxxxxxxxxx> - 2.2.1-13
- Fix CVE-2023-43641 (Kevin Backhouse)
* Thu Jul 20 2023 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 2.2.1-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Thu Jan 19 2023 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 2.2.1-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Thu Jul 21 2022 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 2.2.1-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Jan 20 2022 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 2.2.1-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Thu Jul 22 2021 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 2.2.1-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue Jan 26 2021 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 2.2.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Aug  4 2020 Robert Scheck <robert@xxxxxxxxxxxxxxxxx> - 2.2.1-6
- Work around CMake out-of-source builds on all branches (#1863986)
* Tue Jul 28 2020 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 2.2.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jul 13 2020 Tom Stellard <tstellar@xxxxxxxxxx> - 2.2.1-4
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Wed Jan 29 2020 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 2.2.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jul 25 2019 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 2.2.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2243168 - CVE-2023-43641 libcue: a out-of-bounds array access leads to RCE [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2243168
--------------------------------------------------------------------------------


================================================================================
 stb-0-0.27.20231009gitc4bbb6e.el7 (FEDORA-EPEL-2023-c43dcce45f)
 Single-file public domain libraries for C/C++
--------------------------------------------------------------------------------
Update Information:

A new parallel-installable stb_image_resize2 library is added
(stb_image_resize2-devel). It should provide significantly better performance;
the API is similar but not compatible. The original stb_image_resize library is
deprecated by the author, but will continue to be packaged as
stb_image_resize-devel for the foreseeable future.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Oct 10 2023 Benjamin A. Beasley <code@xxxxxxxxxxxxxxxxxx> - 0-0.27.20231009gitc4bbb6e
- Update to 0^20231009gitc4bbb6e
- A new stb_image_resize2 library is introduced
- Upstream has deprecated stb_image_resize, but we still package it
--------------------------------------------------------------------------------


================================================================================
 trafficserver-9.2.3-1.el7 (FEDORA-EPEL-2023-d499e96867)
 Fast, scalable and extensible HTTP/1.1 and HTTP/2 caching proxy server
--------------------------------------------------------------------------------
Update Information:

Update to upstream 9.2.3
Resolves CVE-2023-44487, CVE-2023-41752, CVE-2023-39456

----

Use OpenSSL 1.1.x from EPEL on EL7 to enable TLSv1.3 and enable Chrome 117+
workaround
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 11 2023 Jered Floyd <jered@xxxxxxxxxx> 9.2.3-1
- Update to upstream 9.2.3
- Resolves CVE-2023-44487, CVE-2023-41752, CVE-2023-39456
* Wed Oct  4 2023 Jered Floyd <jered@xxxxxxxxxx> 9.2.2-2
- Use OpenSSL 1.1.x from EPEL on RHEL 7 to fix Chrome 117+ bugs
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2242988 - trafficserver-9.2.3-rc0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2242988
  [ 2 ] Bug #2243251 - [Major Incident] CVE-2023-44487 trafficserver: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2243251
  [ 3 ] Bug #2243252 - [Major Incident] CVE-2023-44487 trafficserver: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2243252
--------------------------------------------------------------------------------

_______________________________________________
epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue