The following Fedora EPEL 9 Security updates need testing:
 Age  URL
   6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-75d8605b8c   stb-0^20241002git31707d1-4.el9
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-90c1787ffb   vaultwarden-1.32.7-2.el9
The following builds have been pushed to Fedora EPEL 9 updates-testing
baresip-3.19.0-1.el9
chromium-132.0.6834.83-1.el9
distribution-gpg-keys-1.107-1.el9
ipv6calc-4.2.2-1.el9
k2hash-1.0.97-1.el9
libre-3.19.0-1.el9
minisign-0.12-1.el9
mock-core-configs-42.1-1.el9
pam-u2f-1.3.2-1.el9
rust-libz-ng-sys-1.1.21-1.el9
Details about builds:
================================================================================
baresip-3.19.0-1.el9 (FEDORA-EPEL-2025-e349f6243b)
Modular SIP user-agent with audio and video support
--------------------------------------------------------------------------------
Update Information:
Baresip v3.19.0 (2025-01-15)
ua: hide credentials in CREATE event
menu: add scode and reason arguments to hangup command
ua prevent double call accept
bevent: fix encode bevent without display name
ua: fix logging copy paste mistake
misc: Static code analysis fixes
menu/dynamic_menu: add argument to mute command
ci,misc: add clang-analyze and fix warnings
audio: use au_calc_nsamp() with au_ prefix
ci: add selftest to build
ci/fedora: synchronize packages with spec file from Fedora 42
copyright: happy new year 2025
debian: replace with CPack DEB generator
config: use designated initializers
menu/static_menu: fix hangup SEGV
cmake: update min requirement and use range
video: initialize vidframe properly
ci/coverage: use ubuntu-22.04
vidinfo: avoid use of floating numbers
in_band_dtmf: avoid floating point in calculation
test: call - print info if call bundle test fails
libre v3.19.0 (2025-01-15)
fmt: fix pl trim methods and add tests
sipsess: add sipsess_msg getter function
rtp/sess: fix missing srate_tx locking
rtcp: use rtcp_rtpfb_gnack_encode() function
net/linux: add net_netlink_addrs
tcp,udp: set TOS (TCLASS) for IPv6 sockets
sys/fs: fix fs_fopen return null check
test: remove mock tcp-server (unused)
rtp: remove rtcp_psfb_sli_encode() (unused)
ci/clang: bump clang-18 and use ubuntu 24.04
net/linux/addrs: fix point-to-point peer address bug
ci/coverage: bump min_cov
ci/sanitizers: bump clang and ubuntu
net/linux/addrs: fix netlink kernel warnings
rem: add au_ prefix to calc_nsamp()
rem/vidconv: add vidconv_center and x and y source offsets
test: add testcode for rem au-module
mem: remove peak from memstat
debian: replace with CPack DEB Generator
copyright: happy new year 2025
test/vidconv: remove static struct test
net/linux/addrs: use list instead of fixed array for interface up
test: optional IPv6 for tcp/udp tos test
cmake: update min requirement and use range
rem/vid/frame: fix vidframe init
atomic: fix compilation for C++ and Windows-ARM64
test: add test for C++ applications
ci: use ubuntu-22.04 were needed
cmake: enable compiler warnings for C only
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jan 16 2025 Robert Scheck <[email protected]> 3.19.0-1
- Upgrade to 3.19.0 (#2338145)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2338145 - baresip-3.19.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2338145
[ 2 ] Bug #2338170 - libre-3.19.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2338170
--------------------------------------------------------------------------------
================================================================================
chromium-132.0.6834.83-1.el9 (FEDORA-EPEL-2025-a5fa82b9fd)
A WebKit (Blink) powered web browser that Google doesn't want you to use
--------------------------------------------------------------------------------
Update Information:
Update to 132.0.6834.83
* High CVE-2025-0434: Out of bounds memory access in V8
* High CVE-2025-0435: Inappropriate implementation in Navigation
* High CVE-2025-0436: Integer overflow in Skia
* High CVE-2025-0437: Out of bounds read in Metrics
* High CVE-2025-0438: Stack buffer overflow in Tracing
* Medium CVE-2025-0439: Race in Frames
* Medium CVE-2025-0440: Inappropriate implementation in Fullscreen
* Medium CVE-2025-0441: Inappropriate implementation in Fenced
* Medium CVE-2025-0442: Inappropriate implementation in Payments
* Medium CVE-2025-0443: Insufficient data validation in Extensions
* Low CVE-2025-0446: Inappropriate implementation in Extensions
* Low CVE-2025-0447: Inappropriate implementation in Navigation
* Low CVE-2025-0448: Inappropriate implementation in Compositing
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jan 15 2025 Than Ngo <[email protected]> - 132.0.6834.83-1
- Update to 132.0.6834.83
* High CVE-2025-0434: Out of bounds memory access in V8
* High CVE-2025-0435: Inappropriate implementation in Navigation
* High CVE-2025-0436: Integer overflow in Skia
* High CVE-2025-0437: Out of bounds read in Metrics
* High CVE-2025-0438: Stack buffer overflow in Tracing
* Medium CVE-2025-0439: Race in Frames
* Medium CVE-2025-0440: Inappropriate implementation in Fullscreen
* Medium CVE-2025-0441: Inappropriate implementation in Fenced
* Medium CVE-2025-0442: Inappropriate implementation in Payments
* Medium CVE-2025-0443: Insufficient data validation in Extensions
* Low CVE-2025-0446: Inappropriate implementation in Extensions
* Low CVE-2025-0447: Inappropriate implementation in Navigation
* Low CVE-2025-0448: Inappropriate implementation in Compositing
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2336836 - CVE-2025-0291 chromium: Type Confusion in V8 [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2336836
[ 2 ] Bug #2336837 - CVE-2025-0291 chromium: Type Confusion in V8 [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2336837
[ 3 ] Bug #2338180 - CVE-2025-0437 chromium: Out of bounds read in Metrics [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2338180
[ 4 ] Bug #2338181 - CVE-2025-0437 chromium: Out of bounds read in Metrics [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2338181
[ 5 ] Bug #2338200 - CVE-2025-0438 chromium: Stack buffer overflow in Tracing [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2338200
[ 6 ] Bug #2338218 - CVE-2025-0434 chromium: Out of bounds memory access in V8 [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2338218
[ 7 ] Bug #2338230 - CVE-2025-0436 chromium: From CVEorg collector [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2338230
[ 8 ] Bug #2338231 - CVE-2025-0436 chromium: From CVEorg collector [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2338231
--------------------------------------------------------------------------------
================================================================================
distribution-gpg-keys-1.107-1.el9 (FEDORA-EPEL-2025-6e3e716be9)
GPG keys of various Linux distributions
--------------------------------------------------------------------------------
Update Information:
mock
https://rpm-software-management.github.io/mock/Release-Notes-Configs-42.1
distribution-gpg-keys
new Fedora 43 key
Update Mageia gpg key
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jan 15 2025 Miroslav Suchý <[email protected]> 1.107-1
- Add Fedora 44 key
- Update Mageia gpg key
--------------------------------------------------------------------------------
================================================================================
ipv6calc-4.2.2-1.el9 (FEDORA-EPEL-2025-9993dabfe7)
IPv6 address format change and calculation utility
--------------------------------------------------------------------------------
Update Information:
include databases/registries/lisp/site-db as no longer reachable for download
add additional Perl requirements
Final release 4.2.2
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jan 14 2025 Peter Bieringer <[email protected]> - 4.2.2-1
- include databases/registries/lisp/site-db as no longer reachable for download
- add additional Perl requirements
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2338122 - ipv6calc-4.2.2 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2338122
--------------------------------------------------------------------------------
================================================================================
k2hash-1.0.97-1.el9 (FEDORA-EPEL-2025-7ad2ab54a3)
NoSQL Key Value Store(KVS) tools and library
--------------------------------------------------------------------------------
Update Information:
Initial import (fedora#2330726).
--------------------------------------------------------------------------------
ChangeLog:
* Fri Dec 20 2024 Hirotaka Wakabayashi <[email protected]> - 1.0.97-1
- Initial import (fedora#2330726).
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2330726 - Review Request: k2hash - NoSQL Key Value Store(KVS) tools and library
https://bugzilla.redhat.com/show_bug.cgi?id=2330726
--------------------------------------------------------------------------------
================================================================================
libre-3.19.0-1.el9 (FEDORA-EPEL-2025-e349f6243b)
Generic library for real-time communications
--------------------------------------------------------------------------------
Update Information:
Baresip v3.19.0 (2025-01-15)
ua: hide credentials in CREATE event
menu: add scode and reason arguments to hangup command
ua prevent double call accept
bevent: fix encode bevent without display name
ua: fix logging copy paste mistake
misc: Static code analysis fixes
menu/dynamic_menu: add argument to mute command
ci,misc: add clang-analyze and fix warnings
audio: use au_calc_nsamp() with au_ prefix
ci: add selftest to build
ci/fedora: synchronize packages with spec file from Fedora 42
copyright: happy new year 2025
debian: replace with CPack DEB generator
config: use designated initializers
menu/static_menu: fix hangup SEGV
cmake: update min requirement and use range
video: initialize vidframe properly
ci/coverage: use ubuntu-22.04
vidinfo: avoid use of floating numbers
in_band_dtmf: avoid floating point in calculation
test: call - print info if call bundle test fails
libre v3.19.0 (2025-01-15)
fmt: fix pl trim methods and add tests
sipsess: add sipsess_msg getter function
rtp/sess: fix missing srate_tx locking
rtcp: use rtcp_rtpfb_gnack_encode() function
net/linux: add net_netlink_addrs
tcp,udp: set TOS (TCLASS) for IPv6 sockets
sys/fs: fix fs_fopen return null check
test: remove mock tcp-server (unused)
rtp: remove rtcp_psfb_sli_encode() (unused)
ci/clang: bump clang-18 and use ubuntu 24.04
net/linux/addrs: fix point-to-point peer address bug
ci/coverage: bump min_cov
ci/sanitizers: bump clang and ubuntu
net/linux/addrs: fix netlink kernel warnings
rem: add au_ prefix to calc_nsamp()
rem/vidconv: add vidconv_center and x and y source offsets
test: add testcode for rem au-module
mem: remove peak from memstat
debian: replace with CPack DEB Generator
copyright: happy new year 2025
test/vidconv: remove static struct test
net/linux/addrs: use list instead of fixed array for interface up
test: optional IPv6 for tcp/udp tos test
cmake: update min requirement and use range
rem/vid/frame: fix vidframe init
atomic: fix compilation for C++ and Windows-ARM64
test: add test for C++ applications
ci: use ubuntu-22.04 were needed
cmake: enable compiler warnings for C only
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jan 16 2025 Robert Scheck <[email protected]> 3.19.0-1
- Upgrade to 3.19.0 (#2338170)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2338145 - baresip-3.19.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2338145
[ 2 ] Bug #2338170 - libre-3.19.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2338170
--------------------------------------------------------------------------------
================================================================================
minisign-0.12-1.el9 (FEDORA-EPEL-2025-e00659d555)
A dead simple tool to sign files and verify digital signatures
--------------------------------------------------------------------------------
Update Information:
update to 0.12
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jan 16 2025 François Kooman <[email protected]> - 0.12-1
- update to 0.12
* Thu Jul 18 2024 Fedora Release Engineering <[email protected]> - 0.11-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Thu Jan 25 2024 Fedora Release Engineering <[email protected]> - 0.11-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering <[email protected]> - 0.11-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Oct 5 2023 Remi Collet <[email protected]> - 0.11-5
- rebuild for new libsodium
* Thu Jul 20 2023 Fedora Release Engineering <[email protected]> - 0.11-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Thu Jan 19 2023 Fedora Release Engineering <[email protected]> - 0.11-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2338382 - minisign-0.12 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2338382
--------------------------------------------------------------------------------
================================================================================
mock-core-configs-42.1-1.el9 (FEDORA-EPEL-2025-6e3e716be9)
Mock core config files basic chroots
--------------------------------------------------------------------------------
Update Information:
mock
https://rpm-software-management.github.io/mock/Release-Notes-Configs-42.1
distribution-gpg-keys
new Fedora 43 key
Update Mageia gpg key
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jan 16 2025 Pavel Raiskup <[email protected]> 42.1-1
- branch fedora-42 configs, move rawhide to releasever=43
--------------------------------------------------------------------------------
================================================================================
pam-u2f-1.3.2-1.el9 (FEDORA-EPEL-2025-e177aa0ddf)
Implements PAM authentication over U2F
--------------------------------------------------------------------------------
Update Information:
pam-u2f 1.3.1 includes a fix to resolve CVE-2025-23013 (Partial Authentication
Bypass). CVSS score 7.3. 1.3.2 is a fix for a regression that could impact
existing use cases.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jan 16 2025 Gary Buhrmaster <[email protected]> - 1.3.2-1
- Update to 1.3.2 - resolves rhbz#2338418
1.3.2 fixes a potentially breaking issue with tightened authfile checking with 1.3.1
* Tue Jan 14 2025 Gary Buhrmaster <[email protected]> - 1.3.1-1
- Update to 1.3.1 - resolves rhbz#2337634
* Thu Jul 18 2024 Fedora Release Engineering <[email protected]> - 1.3.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Thu Jan 25 2024 Fedora Release Engineering <[email protected]> - 1.3.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering <[email protected]> - 1.3.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Mon Oct 30 2023 Gary Buhrmaster <[email protected]> - 1.3.0-3
- Perform deglobing of files per packaging guidelines
* Thu Jul 20 2023 Fedora Release Engineering <[email protected]> - 1.3.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2338113 - CVE-2025-23013 pam-u2f: Partial Authentication Bypass in pam-u2f Software Package [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2338113
--------------------------------------------------------------------------------
================================================================================
rust-libz-ng-sys-1.1.21-1.el9 (FEDORA-EPEL-2025-823fdc8ce3)
Low-level bindings to zlib-ng
--------------------------------------------------------------------------------
Update Information:
Update to 1.1.21 (no significant changes since we use the system zlib-ng)
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jan 16 2025 Benjamin A. Beasley <[email protected]> - 1.1.21-1
- Update to 1.1.21 (close RHBZ#2336137)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2336137 - rust-libz-ng-sys-1.1.21 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2336137
--------------------------------------------------------------------------------