The following Fedora EPEL 8 Security updates need testing:
 Age  URL
   2  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-ac28924f8e   rpki-client-9.5-1.el8


The following builds have been pushed to Fedora EPEL 8 updates-testing

    cacti-1.2.30-1.el8
    cacti-spine-1.2.30-1.el8
    csdiff-3.5.4-1.el8
    csmock-3.8.1-1.el8
    mujs-1.0.9-2.el8
    python-specfile-0.35.0-1.el8
    radicale-3.5.1-3.el8
    tio-3.9-1.el8
    tor-0.4.8.16-1.el8
    trafficserver-9.2.10-1.el8
    whichfont-2.1.0-4.el8

Details about builds:


================================================================================
 cacti-1.2.30-1.el8 (FEDORA-EPEL-2025-ba03a05138)
 An rrd based graphing tool
--------------------------------------------------------------------------------
Update Information:

Update cacti and cacti-spine to version 1.2.30. This includes the upstream fixes
for many CVEs, including several remote code execution bugs.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 10 2025 Diego Herrera <[email protected]> - 1.2.30-1
- Update to version 1.2.30
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2317098 - CVE-2024-43363 cacti: Remote code execution via Log 
Poisoning in Cacti [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2317098
  [ 2 ] Bug #2317101 - CVE-2024-43362 cacti: Stored Cross-site Scripting (XSS) 
when creating external links in Cacti [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2317101
  [ 3 ] Bug #2317105 - CVE-2024-43364 cacti: Stored Cross-site Scripting (XSS) 
when creating external links in Cacti [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2317105
  [ 4 ] Bug #2317108 - CVE-2024-43365 cacti: Stored Cross-site Scripting (XSS) 
when creating external links in Cacti [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2317108
  [ 5 ] Bug #2342333 - CVE-2024-45598 cacti: Cacti has a Local File Inclusion 
(LFI) Vulnerability via Poller Standard Error Log Path [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2342333
  [ 6 ] Bug #2342339 - CVE-2025-24367 cacti: Cacti allows Arbitrary File 
Creation leading to RCE [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2342339
  [ 7 ] Bug #2342354 - CVE-2025-24368 cacti: Cacti has a SQL Injection 
vulnerability when using tree rules through Automation API [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2342354
  [ 8 ] Bug #2342357 - CVE-2025-22604 cacti: Cacti has Authenticated RCE via 
multi-line SNMP responses [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2342357
  [ 9 ] Bug #2342359 - CVE-2024-54146 cacti: Cacti has a SQL Injection 
vulnerability when view host template [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2342359
  [ 10 ] Bug #2342361 - CVE-2024-54145 cacti: Cacti has a SQL Injection 
vulnerability when request automation devices [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2342361
  [ 11 ] Bug #2345160 - CVE-2025-26520 cacti: SQL Injection in Cacti [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2345160
--------------------------------------------------------------------------------


================================================================================
 cacti-spine-1.2.30-1.el8 (FEDORA-EPEL-2025-ba03a05138)
 Threaded poller for Cacti written in C
--------------------------------------------------------------------------------
Update Information:

Update cacti and cacti-spine to version 1.2.30. This includes the upstream fixes
for many CVEs, including several remote code execution bugs.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 11 2025 Diego Herrera <[email protected]> - 1.2.30-1
- Update to version 1.2.30
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2317098 - CVE-2024-43363 cacti: Remote code execution via Log 
Poisoning in Cacti [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2317098
  [ 2 ] Bug #2317101 - CVE-2024-43362 cacti: Stored Cross-site Scripting (XSS) 
when creating external links in Cacti [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2317101
  [ 3 ] Bug #2317105 - CVE-2024-43364 cacti: Stored Cross-site Scripting (XSS) 
when creating external links in Cacti [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2317105
  [ 4 ] Bug #2317108 - CVE-2024-43365 cacti: Stored Cross-site Scripting (XSS) 
when creating external links in Cacti [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2317108
  [ 5 ] Bug #2342333 - CVE-2024-45598 cacti: Cacti has a Local File Inclusion 
(LFI) Vulnerability via Poller Standard Error Log Path [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2342333
  [ 6 ] Bug #2342339 - CVE-2025-24367 cacti: Cacti allows Arbitrary File 
Creation leading to RCE [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2342339
  [ 7 ] Bug #2342354 - CVE-2025-24368 cacti: Cacti has a SQL Injection 
vulnerability when using tree rules through Automation API [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2342354
  [ 8 ] Bug #2342357 - CVE-2025-22604 cacti: Cacti has Authenticated RCE via 
multi-line SNMP responses [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2342357
  [ 9 ] Bug #2342359 - CVE-2024-54146 cacti: Cacti has a SQL Injection 
vulnerability when view host template [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2342359
  [ 10 ] Bug #2342361 - CVE-2024-54145 cacti: Cacti has a SQL Injection 
vulnerability when request automation devices [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2342361
  [ 11 ] Bug #2345160 - CVE-2025-26520 cacti: SQL Injection in Cacti [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2345160
--------------------------------------------------------------------------------


================================================================================
 csdiff-3.5.4-1.el8 (FEDORA-EPEL-2025-e91a42660a)
 Non-interactive tools for processing code scan results in plain-text
--------------------------------------------------------------------------------
Update Information:

update to latest upstream release
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 15 2025 Kamil Dudka <[email protected]> - 3.5.4-1
- update to latest upstream release
--------------------------------------------------------------------------------


================================================================================
 csmock-3.8.1-1.el8 (FEDORA-EPEL-2025-e91a42660a)
 A mock wrapper for Static Analysis tools
--------------------------------------------------------------------------------
Update Information:

update to latest upstream release
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 15 2025 Kamil Dudka <[email protected]> - 3.8.1-1
- update to latest upstream
--------------------------------------------------------------------------------


================================================================================
 mujs-1.0.9-2.el8 (FEDORA-EPEL-2025-141926b526)
 An embeddable Javascript interpreter
--------------------------------------------------------------------------------
Update Information:

Backport upstream fix for CVE-2021-33796.
https://nvd.nist.gov/vuln/detail/CVE-2021-33796
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 11 2025 Carl George <[email protected]> - 1.0.9-2
- Backport upstream fix for CVE-2021-33796 rhbz#2221274
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2221274 - CVE-2021-33796 mujs: Use-after-free in regexp source 
property access [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2221274
--------------------------------------------------------------------------------


================================================================================
 python-specfile-0.35.0-1.el8 (FEDORA-EPEL-2025-213e58e21a)
 A library for parsing and manipulating RPM spec files
--------------------------------------------------------------------------------
Update Information:

Automatic update for python-specfile-0.35.0-1.el8.
Changelog for python-specfile
* Sun Apr 13 2025 Packit <[email protected]> - 0.35.0-1
- Added support for creating Specfile instances from file objects and strings.
(#458)
- The `context_management` type stubs now use `ParamSpec` from
`typing_extensions` to support Python < 3.10. (#466)
--------------------------------------------------------------------------------
ChangeLog:

* Sun Apr 13 2025 Packit <[email protected]> - 0.35.0-1
- Added support for creating Specfile instances from file objects and strings. 
(#458)
- The `context_management` type stubs now use `ParamSpec` from 
`typing_extensions` to support Python < 3.10. (#466)
--------------------------------------------------------------------------------


================================================================================
 radicale-3.5.1-3.el8 (FEDORA-EPEL-2025-bae5025627)
 A simple CalDAV (calendar) and CardDAV (contact) server
--------------------------------------------------------------------------------
Update Information:

Fix conditional dependency of shadow-utils introduced with 3.5.0-1
Fix missing user/group creation introduced with 3.5.0-1 (bz#2358635)
Update to 3.5.1
--------------------------------------------------------------------------------
ChangeLog:

* Sun Apr 13 2025 Peter Bieringer <[email protected]> - 3.5.1-3
- Fix conditional dependency of shadow-utils introduced with 3.5.0-1
* Mon Apr  7 2025 Peter Bieringer <[email protected]> - 3.5.1-2
- Fix missing user/group creation introduced with 3.5.0-1 (bz#2358635)
* Sat Apr  5 2025 Peter Bieringer <[email protected]> - 3.5.1-1
- Update to 3.5.1
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2357589 - radicale-3.5.1 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2357589
  [ 2 ] Bug #2358635 - radicale user is not created when dnf installs the 
package
        https://bugzilla.redhat.com/show_bug.cgi?id=2358635
--------------------------------------------------------------------------------


================================================================================
 tio-3.9-1.el8 (FEDORA-EPEL-2025-59add22d1e)
 Simple TTY terminal I/O application
--------------------------------------------------------------------------------
Update Information:

tio v3.9
Fix parsing of timestamp options
CodeQL: Upgrade to upload-artifact@v4
Update plaintext man page
Add character mapping examples
Fix pattern matching memory corruption
Don't add null characters to the expect buffer
They prevent regexec() from seeing the remainder of the buffer.
Disable stdout buffering globally
This makes it possible to pipe output to other programs cleanly.
Docs: edited the license date
Manpage: Fix backslash encoding
Literal backslash needs to be written as \e.
--------------------------------------------------------------------------------
ChangeLog:

* Sun Apr 13 2025 Robert Scheck <[email protected]> 3.9-1
- Upgrade to 3.9 (#2359218)
* Sun Jan 19 2025 Fedora Release Engineering <[email protected]> - 3.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2359218 - tio-3.9 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2359218
--------------------------------------------------------------------------------


================================================================================
 tor-0.4.8.16-1.el8 (FEDORA-EPEL-2025-dd9b870f88)
 Anonymizing overlay network for TCP
--------------------------------------------------------------------------------
Update Information:

update to latest upstream release
https://forum.torproject.org/t/stable-release-0-4-8-16/18062
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 11 2025 Marcel Härry <[email protected]> - 0.4.8.16-1
- update to latest upstream release 
https://forum.torproject.org/t/stable-release-0-4-8-16/18062
* Sat Mar  1 2025 Marcel Härry <[email protected]> - 0.4.8.14-1
- update to latest upstream release 
https://forum.torproject.org/t/stable-release-0-4-8-14/17242 (bz#2211726)
* Sun Jan 19 2025 Fedora Release Engineering <[email protected]> - 
0.4.8.13-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
--------------------------------------------------------------------------------


================================================================================
 trafficserver-9.2.10-1.el8 (FEDORA-EPEL-2025-36ee2e808c)
 Fast, scalable and extensible HTTP/1.1 and HTTP/2 caching proxy server
--------------------------------------------------------------------------------
Update Information:

Resolves CVE-2024-53868
--------------------------------------------------------------------------------
ChangeLog:

* Sun Apr 13 2025 Jered Floyd <[email protected]> 9.2.10-1
- Update to upstream 9.2.10
- Resolves CVE-2024-53868
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2356761 - trafficserver-10.0.5 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2356761
  [ 2 ] Bug #2357159 - CVE-2024-53868 trafficserver: Apache Traffic Server: 
Malformed chunked message body allows request smuggling [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2357159
  [ 3 ] Bug #2357160 - CVE-2024-53868 trafficserver: Apache Traffic Server: 
Malformed chunked message body allows request smuggling [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2357160
  [ 4 ] Bug #2357161 - CVE-2024-53868 trafficserver: Apache Traffic Server: 
Malformed chunked message body allows request smuggling [fedora-40]
        https://bugzilla.redhat.com/show_bug.cgi?id=2357161
  [ 5 ] Bug #2357162 - CVE-2024-53868 trafficserver: Apache Traffic Server: 
Malformed chunked message body allows request smuggling [fedora-41]
        https://bugzilla.redhat.com/show_bug.cgi?id=2357162
--------------------------------------------------------------------------------


================================================================================
 whichfont-2.1.0-4.el8 (FEDORA-EPEL-2025-ba3cc1d812)
 Querying Fontconfig
--------------------------------------------------------------------------------
Update Information:

Added --language (-l) CLI option to detect the default font for a given language
code, which detects and prints the default font family that supports the
specified language.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 15 2025 Sudip Shil <[email protected]> - 2.1.0-0
- Added --language (-l) CLI option to detect the default font for a given 
language code, which detects and prints the default font family that supports 
the specified language.
- Introduced valid_langs[] array containing known language codes supported by 
fontconfig, Rejects invalid language codes early with a clear error message.
- Checks not only if a font is returned, but whether it actually supports the 
given language.
- Updated --help output to include usage for --language option.
- updated readme with installation, build section.
* Sun Jan 19 2025 Fedora Release Engineering <[email protected]> - 
1.0.9-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Sat Jul 20 2024 Fedora Release Engineering <[email protected]> - 
1.0.9-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Sat Jan 27 2024 Fedora Release Engineering <[email protected]> - 
1.0.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
--------------------------------------------------------------------------------


-- 
_______________________________________________
epel-devel mailing list -- [email protected]