The following Fedora EPEL 7 Security updates need testing:
 Age  URL
   6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-1388277bf4   chromium-113.0.5672.126-1.el7
   3  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-2455ae47ae   godot-3.1.2-2.el7
The following builds have been pushed to Fedora EPEL 7 updates-testing
golang-1.19.9-1.el7
radsecproxy-1.10.0-1.el7
Details about builds:
================================================================================
golang-1.19.9-1.el7 (FEDORA-EPEL-2023-efd9bbf67e)
The Go Programming Language
--------------------------------------------------------------------------------
Update Information:
Security fix for CVE-2023-24538, CVE-2023-24536, CVE-2023-24537,
CVE-2023-24534, CVE-2023-24539, CVE-2023-29400, and CVE-2023-24540
--------------------------------------------------------------------------------
ChangeLog:
* Fri May 26 2023 Dave Dykstra <dwd(a)fedoraproject.org> - 1.19.9-1
- Update to 1.19.9 by doing the equivalent changes as centos8-stream.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2184481 - CVE-2023-24538 golang: html/template: backticks not treated as
string delimiters
https://bugzilla.redhat.com/show_bug.cgi?id=2184481
[ 2 ] Bug #2184482 - CVE-2023-24536 golang: net/http, net/textproto, mime/multipart:
denial of service from excessive resource consumption
https://bugzilla.redhat.com/show_bug.cgi?id=2184482
[ 3 ] Bug #2184483 - CVE-2023-24534 golang: net/http, net/textproto: denial of service
from excessive memory allocation
https://bugzilla.redhat.com/show_bug.cgi?id=2184483
[ 4 ] Bug #2184484 - CVE-2023-24537 golang: go/parser: Infinite loop in parsing
https://bugzilla.redhat.com/show_bug.cgi?id=2184484
[ 5 ] Bug #2196026 - CVE-2023-24539 golang: html/template: improper sanitization of CSS
values
https://bugzilla.redhat.com/show_bug.cgi?id=2196026
[ 6 ] Bug #2196027 - CVE-2023-24540 golang: html/template: improper handling of
JavaScript whitespace
https://bugzilla.redhat.com/show_bug.cgi?id=2196027
[ 7 ] Bug #2196029 - CVE-2023-29400 golang: html/template: improper handling of empty
HTML attributes
https://bugzilla.redhat.com/show_bug.cgi?id=2196029
--------------------------------------------------------------------------------
================================================================================
radsecproxy-1.10.0-1.el7 (FEDORA-EPEL-2023-3c32763fc0)
Generic RADIUS proxy with RadSec support
--------------------------------------------------------------------------------
Update Information:
# radsecproxy 1.10.0 (2023-05-26)

## New features
- Native dynamic discovery for NAPTR and SRV records
- Optionally log accounting requests when responding directly
- SNI support for outgoing connections
- Optionally specify server name for certificate name check
- Manual MTU setting for DTLS on non-linux platforms

## Misc
- Don't require server type to be set by dyndisc scripts
- Improve locating openssl lib using pkg-config

## Bug Fixes
- Fix radius message length handling
--------------------------------------------------------------------------------
ChangeLog:
* Fri May 26 2023 Robert Scheck <robert(a)fedoraproject.org> 1.10.0-1
- Upgrade to 1.10.0 (#2207652)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2207652 - radsecproxy-1.10.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2207652
--------------------------------------------------------------------------------