[EPEL-devel] Fedora EPEL 9 updates-testing report

The following Fedora EPEL 9 Security updates need testing:
 Age  URL
   6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-1dbf6380d2   java-latest-openjdk-24.0.2.0.12-1.rolling.el9
   4  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-11ee8c8dc3   chromium-138.0.7204.168-1.el9
   2  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-ab0fae74f1   opentofu-1.10.3-1.el9
   1  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-72356603ed   node-exporter-1.9.1-2.el9


The following builds have been pushed to Fedora EPEL 9 updates-testing

    osc-1.19.0-457.2.1.el9
    perl-Crypt-CBC-3.07-1.el9
    rclone-1.70.3-1.el9

Details about builds:


================================================================================
 osc-1.19.0-457.2.1.el9 (FEDORA-EPEL-2025-79f9b46fba)
 Open Build Service Commander
--------------------------------------------------------------------------------
Update Information:

New upstream release 1.19.0, fixes rhbz#2383995
New upstream release 1.18.0, fixes rhbz#2382633
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jul 28 2025 Dan Čermák <dan.cermak@xxxxxxxxxx> - 1.19.0-457.2.1
- New upstream release 1.19.0, fixes rhbz#2383995
* Thu Jul 24 2025 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 1.18.0-453.4.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Wed Jul 23 2025 Dan Čermák <dan.cermak@xxxxxxxxxx> - 1.18.0-453.4.1
- New upstream release 1.18.0, fixes rhbz#2382633
* Tue Jun 24 2025 Dan Čermák <dan.cermak@xxxxxxxxxx> - 1.17.0-451.2.1
- New upstream release 1.17.0, fixes rhbz#2374601
* Tue Jun  3 2025 Python Maint <python-maint@xxxxxxxxxx> - 1.16.0-448.1.2
- Rebuilt for Python 3.14
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2382633 - osc-1.18.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2382633
  [ 2 ] Bug #2383995 - osc-1.19.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2383995
--------------------------------------------------------------------------------


================================================================================
 perl-Crypt-CBC-3.07-1.el9 (FEDORA-EPEL-2025-e0c2088c0b)
 Encrypt Data with Cipher Block Chaining Mode
--------------------------------------------------------------------------------
Update Information:

This update, to the current upstream release version, includes a fix to source
random numbers using the Crypt::URandom module rather than trying to read
/dev/urandom and falling back to Perl's insecure rand() function if /dev/urandom
is not usable (CVE-2025-2814).
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jul 28 2025 Paul Howarth <paul@xxxxxxxxxxxx> - 3.07-1
- Update to 3.07 (rhbz#2383870)
  - New upstream maintainer
  - Fix CVE-2025-2814 by using Crypt::URandom
  - Fix decryption of ciphertext created with 'header' => 'randomiv'
  - Fixed bug in which manually-specified key and -pkdf=>"none" was not having
    any effect
  - Converted build process to Dist::Zilla
  - Miscellaneous minor Dist::Zilla related changes
- Switch upstream source URL from cpan.metacpan.org to www.cpan.org to skip a
  redirect
- Package new LICENSE, SECURITY.md and vulnerabilities.txt files
* Fri Jul 25 2025 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 3.04-18
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Sat Jan 18 2025 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 3.04-17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Thu Jul 18 2024 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 3.04-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Thu Jan 25 2024 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 3.04-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 3.04-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2359383 - CVE-2025-2814 perl-Crypt-CBC: Crypt::CBC versions between 1.21 and 3.04 for Perl may use insecure rand() function for cryptographic functions [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2359383
--------------------------------------------------------------------------------


================================================================================
 rclone-1.70.3-1.el9 (FEDORA-EPEL-2025-3ad6d2fe5c)
 Rsync for cloud storage
--------------------------------------------------------------------------------
Update Information:

Update to 1.70.3 and adopt go-vendor-tools
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jul 28 2025 Mikel Olasagasti Uranga <mikel@xxxxxxxxxxxxxxx> - 1.70.3-1
- Update to 1.70.3 - Closes rhbz#2379085
* Mon Jul 28 2025 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 1.70.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Mon Jul 28 2025 Mikel Olasagasti Uranga <mikel@xxxxxxxxxxxxxxx> - 1.70.2-1
- Update to 1.70.2 - Closes rhbz#2254045 rhbz#2336979 rhbz#2337234
  rhbz#2341265 rhbz#2348838 rhbz#2350844 rhbz#2352327 rhbz#2354433
  rhbz#2360615 rhbz#2360653
* Mon Jul 28 2025 Yaakov Selkowitz <yselkowi@xxxxxxxxxx> - 1.68.2-5
- Fix build with golang 1.24
* Mon Jul 28 2025 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 1.68.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Mon Jul 28 2025 Mikel Olasagasti Uranga <mikel@xxxxxxxxxxxxxxx> - 1.68.2-3
- Restore previous version
* Mon Jul 28 2025 Robert-André Mauchin <zebob.m@xxxxxxxxx> - 1.68.2-2
- Update to 1.68.2
- Move to bundling with gotmax23 tool
- Bump golang.org/x/net/html to v0.33.0 to fix CVE-2024-45338
- Bump golang.org/x/crypto/ssh to v0.31.0 to fix CVE-2024-45337
- Bump github.com/quic-go/quic-go to 0.48.2 to fix CVE-2024-53259 and
  CVE-2024-22189
- s390x is temporarily disabled until a workaround to
  https://github.com/cronokirby/saferith/issues/52 is found
* Mon Jul 28 2025 Mikel Olasagasti Uranga <mikel@xxxxxxxxxxxxxxx> - 1.68.2-1
- Update to 1.68.2 - Closes rhbz#2311287 rhbz#2326578 rhbz#2333262
  rhbz#2333238 rhbz#2331989 rhbz#2331961
* Mon Jul 28 2025 Mikel Olasagasti Uranga <mikel@xxxxxxxxxxxxxxx> - 1.67.0-2
- Fix version ldflag - Closes rhbz#2315855
* Mon Jul 28 2025 Mikel Olasagasti Uranga <mikel@xxxxxxxxxxxxxxx> - 1.67.0-1
- Update to 1.67.0 - Closes rhbz#2251762 rhbz#2292717 rhbz#2301235
  rhbz#2255106
* Mon Jul 28 2025 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 1.64.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Mon Jul 28 2025 Maxwell G <maxwell@xxxxxxx> - 1.64.2-4
- Rebuild for golang 1.22.0
* Mon Jul 28 2025 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 1.64.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Mon Jul 28 2025 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 1.64.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Mon Jul 28 2025 Mikel Olasagasti Uranga <mikel@xxxxxxxxxxxxxxx> - 1.64.2-1
- Update to 1.64.2 - Closes rhbz#2244697
* Mon Jul 28 2025 Jonathan Steffan <jsteffan@xxxxxxxxxxxxxxxxx> - 1.64.0-2
- Add mount.rclone for systemd.mount support
- Create symlink for utilization in systemd units
- Create optional rclonefs symlink, per documentation
* Mon Jul 28 2025 Mikel Olasagasti Uranga <mikel@xxxxxxxxxxxxxxx> - 1.64.0-1
- Update to 1.64.0 - Closes rhbz#2238581 rhbz#2229610 rhbz#2229606
* Mon Jul 28 2025 Mikel Olasagasti Uranga <mikel@xxxxxxxxxxxxxxx> - 1.63.1-1
- Update to 1.63.1 - Closes rhbz#2155701 rhbz#2163286 rhbz#2171700
  rhbz#2178480 rhbz#2226392
- Don't build storj backend by default
- Use shell completion macros
* Mon Jul 28 2025 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 1.60.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Mon Jul 28 2025 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 1.60.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Mon Jul 28 2025 Mikel Olasagasti Uranga <mikel@xxxxxxxxxxxxxxx> - 1.60.1-1
- Update to 1.60.1 - Closes rhbz#2144108
* Mon Jul 28 2025 Mikel Olasagasti Uranga <mikel@xxxxxxxxxxxxxxx> - 1.60.0-1
- Update to 1.60.0
* Mon Jul 28 2025 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 1.57.0-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Mon Jul 28 2025 Maxwell G <gotmax@e.email> - 1.57.0-8
- Rebuild for
  CVE-2022-{1705,32148,30631,30633,28131,30635,30632,30630,1962} in golang
* Mon Jul 28 2025 Maxwell G <gotmax@e.email> - 1.57.0-7
- Rebuild for CVE-2022-{24675,28327,29526 in golang}
* Mon Jul 28 2025 Maxwell G <gotmax@e.email> - 1.57.0-6
- Rebuild for CVE-2022-{24675,28327,29526} in golang
* Mon Jul 28 2025 Robert-André Mauchin <zebob.m@xxxxxxxxx> - 1.57.0-5
- Rebuilt for CVE-2022-1996, CVE-2022-24675, CVE-2022-28327,
  CVE-2022-27191, CVE-2022-29526, CVE-2022-30629
* Mon Jul 28 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx> - 1.57.0-4
- Disable package notes because gold linker is used
* Mon Jul 28 2025 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 1.57.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2067349 - CVE-2022-21698 rclone: prometheus/client_golang: Denial of service using InstrumentHandlerCounter [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2067349
  [ 2 ] Bug #2074250 - CVE-2022-27191 rclone: golang: crash in a golang.org/x/crypto/ssh server [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2074250
  [ 3 ] Bug #2141826 - EPEL9 update from 1.57 to at least 1.58?
        https://bugzilla.redhat.com/show_bug.cgi?id=2141826
  [ 4 ] Bug #2163049 - CVE-2022-41717 rclone: golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2163049
  [ 5 ] Bug #2178405 - CVE-2022-41723 rclone: golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2178405
  [ 6 ] Bug #2229581 - CVE-2023-3978 rclone: golang.org/x/net/html: Cross site scripting [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2229581
  [ 7 ] Bug #2248231 - rclone: golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-39325) [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2248231
  [ 8 ] Bug #2255068 - CVE-2023-48795 rclone: ssh: Prefix truncation attack on Binary Packet Protocol (BPP) [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2255068
  [ 9 ] Bug #2292673 - CVE-2024-24789 rclone: golang: archive/zip: Incorrect handling of certain ZIP files [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2292673
  [ 10 ] Bug #2326579 - CVE-2024-52522 rclone: improper permission and ownership handling on symlink targets with --links and --metadata [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2326579
  [ 11 ] Bug #2331935 - CVE-2024-45337 rclone: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2331935
  [ 12 ] Bug #2333216 - CVE-2024-45338 rclone: Non-linear parsing of case-insensitive content in golang.org/x/net/html [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2333216
  [ 13 ] Bug #2339076 - Update to match F42 version 1.68.2
        https://bugzilla.redhat.com/show_bug.cgi?id=2339076
  [ 14 ] Bug #2348790 - CVE-2025-22868 rclone: Unexpected memory consumption during token parsing in golang.org/x/oauth2 [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2348790
--------------------------------------------------------------------------------


-- 
_______________________________________________
epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
