https://bugzilla.redhat.com/show_bug.cgi?id=2135229
Bug ID: 2135229
Summary: CVE-2021-36369 <net-misc/dropbear-2022.82: forwarded
agent abuse
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: mrehak(a)redhat.com
CC: buytenh(a)wantstofly.org, cickumqt(a)gmail.com,
daniellarasouza(a)yahoo.com.br,
epel-packagers-sig(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Other
Due to a non-RFC-compliant check of the available authentication methods in the
client-side SSH code, it is possible for an SSH server to change the login
process in its favor. This attack can bypass additional security measures such
as FIDO2 tokens or SSH-Askpass. Thus, it allows an attacker to abuse a
forwarded agent for logging on to another server unnoticed.
Reference:
https://github.com/mkj/dropbear/pull/128https://github.com/mkj/dropbear/releases/tag/DROPBEAR_2022.82https://github.com/mkj/dropbear/releases
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2135229
https://bugzilla.redhat.com/show_bug.cgi?id=2140613
Bug ID: 2140613
Summary: CVE-2022-37603 yarnpkg: loader-utils:Regular
expression denial of service [fedora-all]
Product: Fedora
Version: 36
Status: NEW
Component: yarnpkg
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: zsvetlik(a)redhat.com
Reporter: vinair(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: epel-packagers-sig(a)lists.fedoraproject.org,
ngompa13(a)gmail.com, zsvetlik(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2140613
https://bugzilla.redhat.com/show_bug.cgi?id=2032607
Bug ID: 2032607
Summary: F36FailsToInstall: hyperkitty
Product: Fedora
Version: rawhide
Status: NEW
Component: python-hyperkitty
Assignee: michel(a)michel-slm.name
Reporter: mhroncok(a)redhat.com
CC: epel-packagers-sig(a)lists.fedoraproject.org,
infra-sig(a)lists.fedoraproject.org,
michel(a)michel-slm.name, ngompa13(a)gmail.com,
python-sig(a)lists.fedoraproject.org
Blocks: 1992487 (F36FailsToInstall,RAWHIDEFailsToInstall)
Target Milestone: ---
Classification: Fedora
Hello,
Please note that this comment was generated automatically. If you feel that
this output has mistakes, please contact me via email (mhroncok(a)redhat.com)
Your package (python-hyperkitty) Fails To Install in Fedora 36:
can't install hyperkitty:
- nothing provides python3.10dist(flufl-lock) >= 4 needed by
hyperkitty-1.3.5-1.fc36.noarch
- nothing provides python3.10dist(mistune) >= 2~rc1 needed by
hyperkitty-1.3.5-1.fc36.noarch
If you know about this problem and are planning on fixing it, please
acknowledge so by setting the bug status to ASSIGNED. If you don't have time to
maintain this package, consider orphaning it, so maintainers of dependent
packages realize the problem.
If you don't react accordingly to the policy for FTBFS/FTI bugs
(https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fails…)
your package may be orphaned in 8+ weeks.
P.S. The data was generated solely from koji buildroot, so it might be newer
than the latest compose or the content on mirrors.
P.P.S. If this bug has been reported in the middle of upgrading multiple
dependent packages, please consider using side tags:
https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/#updating-inter-d…
Thanks!
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1992487
[Bug 1992487] Fedora 36 Fails To install Tracker
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2032607
https://bugzilla.redhat.com/show_bug.cgi?id=2162389
Bug ID: 2162389
Summary: CVE-2022-46175 yarnpkg: json5: Prototype Pollution in
JSON5 via Parse Method [fedora-36]
Product: Fedora
Version: 36
Status: NEW
Component: yarnpkg
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: zsvetlik(a)redhat.com
Reporter: ahanwate(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: epel-packagers-sig(a)lists.fedoraproject.org,
manisandro(a)gmail.com, ngompa13(a)gmail.com,
zsvetlik(a)redhat.com
Target Milestone: ---
Classification: Fedora
More information about this security flaw is available in the following bug:
http://bugzilla.redhat.com/show_bug.cgi?id=2156263
Disclaimer: Community trackers are created by Red Hat Product Security team on
a best effort basis. Package maintainers are required to ascertain if the flaw
indeed affects their package, before starting the update process.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2162389
https://bugzilla.redhat.com/show_bug.cgi?id=2162186
Bug ID: 2162186
Summary: CVE-2022-41721 golang-x-net: x/net/http2/h2c: request
smuggling [fedora-36]
Product: Fedora
Version: 36
Status: NEW
Component: golang-x-net
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: zebob.m(a)gmail.com
Reporter: askrabec(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: epel-packagers-sig(a)lists.fedoraproject.org,
go-sig(a)lists.fedoraproject.org, zebob.m(a)gmail.com
Target Milestone: ---
Classification: Fedora
More information about this security flaw is available in the following bug:
http://bugzilla.redhat.com/show_bug.cgi?id=2162182
Disclaimer: Community trackers are created by Red Hat Product Security team on
a best effort basis. Package maintainers are required to ascertain if the flaw
indeed affects their package, before starting the update process.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2162186
https://bugzilla.redhat.com/show_bug.cgi?id=2063508
Bug ID: 2063508
Summary: authentication recquired The password you use does not
match
Product: Fedora
Version: 36
OS: Linux
Status: NEW
Component: keyrings-filesystem
Severity: high
Assignee: manisandro(a)gmail.com
Reporter: jjb(a)xs4all.nl
QA Contact: extras-qa(a)fedoraproject.org
CC: epel-packagers-sig(a)lists.fedoraproject.org,
manisandro(a)gmail.com, sergio(a)serjux.com
Target Milestone: ---
Classification: Fedora
Description of problem:
Keyring is locked. (in Passwords and Keys, Seahorse)
try to solve error message "authentication required, the password you use to
log in to your computer no longer match that of your login keyring"
The known password is not accepted.
Version-Release number of selected component (if applicable):
How reproducible:
try to Get Geary (email program) at work.
At login to the computer the password is working all right.
Steps to Reproduce:
1.
2.
3.
Actual results:
cannot authenticate password.
Expected results:
no question of authentication
Additional info:
do not know how to solve this problem.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2063508
https://bugzilla.redhat.com/show_bug.cgi?id=2107574
Bug ID: 2107574
Summary: fortune(6) man page indentation is messed up for -o
and -s options
Product: Fedora
Version: 36
Status: NEW
Component: fortune-mod
Severity: low
Assignee: sheltren(a)fedoraproject.org
Reporter: rhbugs(a)n-dimensional.de
QA Contact: extras-qa(a)fedoraproject.org
CC: epel-packagers-sig(a)lists.fedoraproject.org,
sergio(a)serjux.com, sheltren(a)fedoraproject.org,
shlomif(a)shlomifish.org
Target Milestone: ---
Classification: Fedora
Created attachment 1897376
--> https://bugzilla.redhat.com/attachment.cgi?id=1897376&action=edit
Quick fix patch to the fortune.6 file, copying the formatting -i and -n
Description of problem:
In the fortune(6) man page, the indentation for the description
of the options -o and -s is wrong.
Version-Release number of selected component (if applicable):
fortune-mod-3.12.0-2.fc36.x86_64
How reproducible:
100%
Steps to Reproduce:
1. man fortune
2. type /record or scroll down
Actual results:
filename-record will precede the records from the file it names.
-n length
Set the longest fortune length (in characters) considered to be
“short” (the default is 160). All fortunes longer than this are
considered “long”. Be careful! If you set the length too short and
ask for short fortunes, or too long and ask for long ones, fortune
goes into a never-ending thrash loop.
-o Choose only from potentially offensive aphorisms. The -o option
is ignored if a fortune directory is specified.
Please, please, please request a potentially offensive fortune if
and only if you believe, deep in your heart, that you are willing
to be offended. (And that you'll just quit using -o rather than
give us grief about it, okay?)
... let us keep in mind the basic governing philosophy of The
Brotherhood, as handsomely summarized in these words: we believe in
healthy, hearty laughter -- at the expense of the whole human race,
if needs be. Needs be.
--H. Allen Smith, "Rude Jokes"
-s Short apothegms only. See -n on which fortunes are considered
“short”.
-i
Ignore case for -m patterns.
Expected results:
filename-record will precede the records from the file it names.
-n length
Set the longest fortune length (in characters) considered to be
“short” (the default is 160). All fortunes longer than this are
considered “long”. Be careful! If you set the length too short and
ask for short fortunes, or too long and ask for long ones, fortune
goes into a never-ending thrash loop.
-o
Choose only from potentially offensive aphorisms. The -o option is
ignored if a fortune directory is specified.
Please, please, please request a potentially offensive fortune if
and only if you believe, deep in your heart, that you are willing
to be offended. (And that you'll just quit using -o rather than
give us grief about it, okay?)
... let us keep in mind the basic governing philosophy of The
Brotherhood, as handsomely summarized in these words: we believe in
healthy, hearty laughter -- at the expense of the whole human race,
if needs be. Needs be.
--H. Allen Smith, "Rude Jokes"
-s
Short apothegms only. See -n on which fortunes are considered
“short”.
-i
Ignore case for -m patterns.
Additional info:
The attached patch only fixes the symptoms, not the root cause.
This should probably be fixed somewhere upstream deep inside the mass of perl
scripts building the man pages.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2107574
https://bugzilla.redhat.com/show_bug.cgi?id=2126075
Bug ID: 2126075
Summary: CVE-2021-40648 sys-apps/man2html: multiple
vulnerabilities
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: ybuenos(a)redhat.com
CC: epel-packagers-sig(a)lists.fedoraproject.org,
orion(a)nwra.com, sergio(a)serjux.com,
tchollingsworth(a)gmail.com, viktor.vix.jancik(a)gmail.com
Target Milestone: ---
Classification: Other
CVE-2021-40648:
In man2html 1.6g, a filename can be created to overwrite the previous size
parameter of the next chunk and the fd, bk, fd_nextsize, bk_nextsize of the
current chunk. The next chunk is then freed later on, causing a freeing of an
arbitrary amount of memory.
https://gist.github.com/untaman/cb58123fe89fc65e3984165db5d40933
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2126075
https://bugzilla.redhat.com/show_bug.cgi?id=2126816
Bug ID: 2126816
Summary: CVE-2021-40648 man2html: sys-apps/man2html: multiple
vulnerabilities [fedora-all]
Product: Fedora
Version: 36
Status: NEW
Component: man2html
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: sergio(a)serjux.com
Reporter: ybuenos(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: epel-packagers-sig(a)lists.fedoraproject.org,
orion(a)nwra.com, sergio(a)serjux.com,
tchollingsworth(a)gmail.com, viktor.vix.jancik(a)gmail.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2126816