January 2024 - Epel-packagers-sig - Fedora mailing-lists

[Bug 2255095] New: CVE-2023-48795 golang-x-crypto: ssh: Prefix truncation attack on Binary Packet Protocol (BPP) [fedora-all]
by bugzilla＠redhat.com 17 Jan '24

17 Jan '24

https://bugzilla.redhat.com/show_bug.cgi?id=2255095 Bug ID: 2255095 Summary: CVE-2023-48795 golang-x-crypto: ssh: Prefix truncation attack on Binary Packet Protocol (BPP) [fedora-all] Product: Fedora Version: 39 Status: NEW Component: golang-x-crypto Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: mark.e.fuller(a)gmx.de Reporter: saroy(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, go-sig(a)lists.fedoraproject.org, mark.e.fuller(a)gmx.de Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2254210 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2255095 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-sp…

1 10

[Bug 2257428] New: zbar-0.23.93 is available
by bugzilla＠redhat.com 17 Jan '24

17 Jan '24

https://bugzilla.redhat.com/show_bug.cgi?id=2257428 Bug ID: 2257428 Summary: zbar-0.23.93 is available Product: Fedora Version: rawhide Status: NEW Component: zbar Keywords: FutureFeature, Triaged Assignee: gwync(a)protonmail.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: dougsland(a)redhat.com, epel-packagers-sig(a)lists.fedoraproject.org, gwync(a)protonmail.com, mchehab(a)infradead.org, negativo17(a)gmail.com Target Milestone: --- Classification: Fedora Releases retrieved: 0.23.93 Upstream release that is considered latest: 0.23.93 Current version/release in rawhide: 0.23.90-12.fc40 URL: https://github.com/mchehab/zbar Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_M… Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from Anitya: https://release-monitoring.org/project/13689/ To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/zbar -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2257428 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-sp…

1 8

[Bug 2257396] New: Affect by CVE-2023-40889
by bugzilla＠redhat.com 17 Jan '24

17 Jan '24

https://bugzilla.redhat.com/show_bug.cgi?id=2257396 Bug ID: 2257396 Summary: Affect by CVE-2023-40889 Product: Fedora Version: 38 OS: Linux Status: NEW Component: zbar Keywords: Security Severity: urgent Assignee: gwync(a)protonmail.com Reporter: bugzilla(a)terrortux.de QA Contact: extras-qa(a)fedoraproject.org CC: dougsland(a)redhat.com, epel-packagers-sig(a)lists.fedoraproject.org, gwync(a)protonmail.com, mchehab(a)infradead.org, negativo17(a)gmail.com Target Milestone: --- Classification: Fedora It looks like 0.23.90 needs an update, because it will be affected by the CVE. Reproducible: Always https://github.com/advisories/GHSA-mhp6-jvpx-2p4m -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2257396 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-sp…

1 6

[Bug 2235863] New: CVE-2023-40889 zbar: buffer overflow via crafted qr code [fedora-all]
by bugzilla＠redhat.com 17 Jan '24

17 Jan '24

https://bugzilla.redhat.com/show_bug.cgi?id=2235863 Bug ID: 2235863 Summary: CVE-2023-40889 zbar: buffer overflow via crafted qr code [fedora-all] Product: Fedora Version: 38 Status: NEW Component: zbar Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: gwync(a)protonmail.com Reporter: askrabec(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: dougsland(a)redhat.com, epel-packagers-sig(a)lists.fedoraproject.org, gwync(a)protonmail.com, mchehab(a)infradead.org, negativo17(a)gmail.com Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2235861 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2235863 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-sp…

1 8

[Bug 2235860] New: CVE-2023-40890 zbar: stack overflow caused malicious qr code may lead to information diusclosure or arbitrary code execution. [fedora-all]
by bugzilla＠redhat.com 17 Jan '24

17 Jan '24

https://bugzilla.redhat.com/show_bug.cgi?id=2235860 Bug ID: 2235860 Summary: CVE-2023-40890 zbar: stack overflow caused malicious qr code may lead to information diusclosure or arbitrary code execution. [fedora-all] Product: Fedora Version: 38 Status: NEW Component: zbar Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: gwync(a)protonmail.com Reporter: askrabec(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: dougsland(a)redhat.com, epel-packagers-sig(a)lists.fedoraproject.org, gwync(a)protonmail.com, mchehab(a)infradead.org, negativo17(a)gmail.com Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2235858 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2235860 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-sp…

1 8

[Bug 2248226] New: golang-x-net: golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-39325) [epel-all]
by bugzilla＠redhat.com 17 Jan '24

17 Jan '24

https://bugzilla.redhat.com/show_bug.cgi?id=2248226 Bug ID: 2248226 Summary: golang-x-net: golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-39325) [epel-all] Product: Fedora EPEL Version: epel8 Status: NEW Component: golang-x-net Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: mark.e.fuller(a)gmx.de Reporter: zmiele(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, go-sig(a)lists.fedoraproject.org, mark.e.fuller(a)gmx.de Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2248209 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2248226 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-sp…

1 5

[Bug 2229579] New: CVE-2023-3978 golang-x-net: golang.org/x/net/html: Cross site scripting [epel-all]
by bugzilla＠redhat.com 17 Jan '24

17 Jan '24

https://bugzilla.redhat.com/show_bug.cgi?id=2229579 Bug ID: 2229579 Summary: CVE-2023-3978 golang-x-net: golang.org/x/net/html: Cross site scripting [epel-all] Product: Fedora EPEL Version: epel8 Status: NEW Component: golang-x-net Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: mark.e.fuller(a)gmx.de Reporter: ahanwate(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, go-sig(a)lists.fedoraproject.org, mark.e.fuller(a)gmx.de Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2228689 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2229579 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-sp…

1 5

[Bug 2178403] New: CVE-2022-41723 golang-x-net: golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding [epel-all]
by bugzilla＠redhat.com 17 Jan '24

17 Jan '24

https://bugzilla.redhat.com/show_bug.cgi?id=2178403 Bug ID: 2178403 Summary: CVE-2022-41723 golang-x-net: golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding [epel-all] Product: Fedora EPEL Version: epel8 Status: NEW Component: golang-x-net Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: zebob.m(a)gmail.com Reporter: ahanwate(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, go-sig(a)lists.fedoraproject.org, zebob.m(a)gmail.com Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2178358 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2178403

1 7

[Bug 2258618] New: python-nbconvert-7.14.2 is available
by bugzilla＠redhat.com 17 Jan '24

17 Jan '24

https://bugzilla.redhat.com/show_bug.cgi?id=2258618 Bug ID: 2258618 Summary: python-nbconvert-7.14.2 is available Product: Fedora Version: rawhide Status: NEW Component: python-nbconvert Keywords: FutureFeature, Triaged Assignee: lbalhar(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, jonathan(a)almalinux.org, lbalhar(a)redhat.com, mhroncok(a)redhat.com, python-packagers-sig(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Releases retrieved: 7.14.2 Upstream release that is considered latest: 7.14.2 Current version/release in rawhide: 7.14.1-1.fc40 URL: https://jupyter.org/ Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_M… Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from Anitya: https://release-monitoring.org/project/10522/ To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/python-nbconvert -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2258618 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-sp…

1 2

[Bug 2237821] New: blender core dumps at execution instead of giving sane feedback about unsupported hardware
by bugzilla＠redhat.com 16 Jan '24

16 Jan '24

https://bugzilla.redhat.com/show_bug.cgi?id=2237821 Bug ID: 2237821 Summary: blender core dumps at execution instead of giving sane feedback about unsupported hardware Product: Fedora Version: 38 Hardware: aarch64 OS: Linux Status: NEW Component: blender Severity: medium Assignee: luya_tfz(a)thefinalzone.net Reporter: havealoha+fedoraproject(a)gmail.com QA Contact: extras-qa(a)fedoraproject.org CC: code(a)musicinmybrain.net, design-devel(a)lists.fedoraproject.org, epel-packagers-sig(a)lists.fedoraproject.org, kwizart(a)gmail.com, luya_tfz(a)thefinalzone.net, negativo17(a)gmail.com Target Milestone: --- Classification: Fedora blender core dumps at execution instead of giving sane feedback about unsupported hardware Reproducible: Always Steps to Reproduce: 1. install asahi fedora remix 38 on macbook air m1n1 2. install and launch blender Actual Results: core dump Expected Results: blender should return an error about unsupported hardware and or unsupported OpenGL version https://discussion.fedoraproject.org/t/blender-crashes-on-latest-build-and-… BLT_lang_init: 'locale' data path for translations not found, continuing EGL Error (0x3009): EGL_BAD_MATCH: Arguments are inconsistent (for example, a valid context requires buffers n ot supplied by a valid surface). EGL Error (0x3009): EGL_BAD_MATCH: Arguments are inconsistent (for example, a valid context requires buffers n ot supplied by a valid surface). EGL Error (0x3009): EGL_BAD_MATCH: Arguments are inconsistent (for example, a valid context requires buffers n ot supplied by a valid surface). EGL Error (0x3009): EGL_BAD_MATCH: Arguments are inconsistent (for example, a valid context requires buffers n ot supplied by a valid surface). EGL Error (0x3009): EGL_BAD_MATCH: Arguments are inconsistent (for example, a valid context requires buffers n ot supplied by a valid surface). EGL Error (0x3009): EGL_BAD_MATCH: Arguments are inconsistent (for example, a valid context requires buffers n ot supplied by a valid surface). EGL Error (0x3009): EGL_BAD_MATCH: Arguments are inconsistent (for example, a valid context requires buffers n ot supplied by a valid surface). EGL Error (0x3009): EGL_BAD_MATCH: Arguments are inconsistent (for example, a valid context requires buffers n ot supplied by a valid surface). Warning: No OpenGL vendor detected. blender: ../src/dispatch_common.c:872: epoxy_get_proc_address: Assertion `0 && "Couldn't find current GLX or E GL context.\n"' failed. Aborted (core dumped) # Asahi Linux System Diagnostic Dump Collected at: Wed Sep 6 20:44:45 PDT 2023 (2023-09-06T20:44:45-07:00) Username: Hostname: makukumba ## Device information Model: Apple MacBook Air (M1, 2020) Compatible: apple,j313 apple,t8103 apple,arm-platform ## Firmware versions iBoot1: iBoot-8422.141.2 iBoot2: iBoot-8422.141.2 SFR: 13.5 OS firmware: 13.5 m1n1 stage 2: v1.3.3 U-Boot: 2023.07 ## Boot information ESP UUID: 745b90c8-7d4a-4418-b5ea-74fbcf0d0483 EFI: available ## System information Kernel: 6.4.11-401.asahi.fc38.aarch64+16k Kernel build: #1 SMP PREEMPT_DYNAMIC Mon Aug 21 19:38:10 UTC 2023 Uptime: 20:44:45 up 22:36, 3 users, load average: 0.70, 0.59, 0.46 Kernel cmdline: BOOT_IMAGE=(hd0,gpt5)/boot/vmlinuz-6.4.11-401.asahi.fc38.aarch64+16k rhgb quiet root=UUID=86ad63d7-5618-4548-8ba8-78d68efa4738 rootflags=subvol=root ## Environment COLORTERM=truecolor DISPLAY=:0 LANG=C.UTF-8 LANGUAGE= TERM=xterm-256color WAYLAND_DISPLAY=wayland-0 XDG_SESSION_TYPE=wayland ## Mounts ``` ## PCI devices ``` 00:00.0 PCI bridge: Apple Inc. Apple Silicon PCI Express Root Port (rev 01) 01:00.0 Network controller: Broadcom Inc. and subsidiaries BRCM4378 Wireless Network Adapter (rev 03) 01:00.1 Network controller: Broadcom Inc. and subsidiaries BRCM4378 Bluetooth Controller (rev 03) ``` ## Input devices ``` I: Bus=001c Vendor=05ac Product=0281 Version=0935 N: Name="Apple Internal Keyboard / Trackpad" P: Phys=spi1.0 (2) S: Sysfs=/devices/platform/soc/23510c000.spi/spi_master/spi1/spi1.0/001C:05AC:0281.0002/input/input0 U: Uniq= H: Handlers=mouse0 event0 B: PROP=5 B: EV=1b B: KEY=e520 10000 0 0 0 0 B: ABS=67f800001000003 B: MSC=10 I: Bus=001c Vendor=05ac Product=0281 Version=0935 N: Name="Apple Internal Keyboard / Trackpad" P: Phys=spi1.0 (1) S: Sysfs=/devices/platform/soc/23510c000.spi/spi_master/spi1/spi1.0/001C:05AC:0281.0001/input/input1 U: Uniq= H: Handlers=sysrq kbd leds event1 B: PROP=0 B: EV=120013 B: KEY=10000 0 0 0 101007b02011007 ff9f21fac14057ff ffbeffdfffefffff fffffffffffffffe B: MSC=10 B: LED=1f I: Bus=0000 Vendor=0000 Product=0000 Version=0000 N: Name="Apple SMC power/lid events" P: Phys=macsmc-hid (0) S: Sysfs=/devices/platform/soc/23e400000.smc/macsmc-hid/input/input2 U: Uniq= H: Handlers=kbd event2 B: PROP=0 B: EV=23 B: KEY=10000000000000 0 B: SW=1 I: Bus=0000 Vendor=0000 Product=0000 Version=0000 N: Name="MacBook Air J313 Headphone Jack" P: Phys=ALSA S: Sysfs=/devices/platform/sound/sound/card0/input3 U: Uniq= H: Handlers=event3 B: PROP=0 B: EV=21 B: SW=14 ``` -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2237821 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-sp…

1 13

2025

2024

2023

2022

2021

Epel-packagers-sig January 2024