The following Fedora EPEL 7 Security updates need testing: Age URL 0 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-fd36857b5e seamonkey-2.53.18-1.el7

The following builds have been pushed to Fedora EPEL 7 updates-testing

chromium-120.0.6099.71-1.el7 guacamole-server-1.5.4-1.el7 unrealircd-6.1.3-1.el7

Details about builds:

================================================================================ chromium-120.0.6099.71-1.el7 (FEDORA-EPEL-2023-3782f9a3bf) A WebKit (Blink) powered web browser that Google doesn't want you to use -------------------------------------------------------------------------------- Update Information:

Update to 120.0.6099.71 ---- Update to 120.0.6099.62, upstream release fixes follow security issues: * High CVE-2023-6508: Use after free in Media Stream * High CVE-2023-6509: Use after free in Side Panel Search * Medium CVE-2023-6510: Use after free in Media Capture * Low CVE-2023-6511: Inappropriate implementation in Autofill * Low CVE-2023-6512: Inappropriate implementation in Web Browser UI ---- update to 119.0.6045.199, upstream security release * High CVE-2023-6348: Type Confusion in Spellcheck * High CVE-2023-6347: Use after free in Mojo * High CVE-2023-6346: Use after free in WebAudio * High CVE-2023-6350: Out of bounds memory access in libavif * High CVE-2023-6351: Use after free in libavif * High CVE-2023-6345: Integer overflow in Skia -------------------------------------------------------------------------------- ChangeLog:

* Fri Dec 8 2023 Than Ngo than@redhat.com - 120.0.6099.71-1 - update to 120.0.6099.71 * Wed Dec 6 2023 Than Ngo than@redhat.com - 120.0.6099.62-2 - drop unsupported ldflag which caused build failure * Tue Dec 5 2023 Than Ngo than@redhat.com - 120.0.6099.62-1 - update to 120.0.6099.62 - fixed bz#2252874, built with control flow integrity (CFI) support * Sat Dec 2 2023 Than Ngo than@redhat.com - 120.0.6099.56-1 - update to 120.0.6099.56 - enable qt6 UI backend * Sat Dec 2 2023 Than Ngo than@redhat.com - 119.0.6045.199-2 - fixed bz#2242271, built with bundleminizip in fedora > 39 - fixed bz#2251884, built with fstack-protector-strong for improved security * Wed Nov 29 2023 Than Ngo than@redhat.com - 119.0.6045.199-1 - update to 119.0.6045.199 * Sun Nov 19 2023 Than Ngo than@redhat.com - 119.0.6045.159-2 - fix ffmpeg conflicts -------------------------------------------------------------------------------- References:

[ 1 ] Bug #2252009 - CVE-2023-6346 CVE-2023-6347 CVE-2023-6350 CVE-2023-6351 chromium: various flaws [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2252009 [ 2 ] Bug #2252188 - CVE-2023-6345 chromium: chromium-browser: Integer overflow [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2252188 [ 3 ] Bug #2252191 - CVE-2023-6348 chromium: chromium-browser: Type Confusion in Spellcheck [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2252191 [ 4 ] Bug #2253151 - CVE-2023-6508 chromium: Use after free in Media Stream [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2253151 [ 5 ] Bug #2253154 - CVE-2023-6509 chromium: Use after free in Side Panel Search [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2253154 [ 6 ] Bug #2253157 - CVE-2023-6510 chromium: Use after free in Media Capture [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2253157 [ 7 ] Bug #2253161 - CVE-2023-6511 chromium: Inappropriate implementation in Autofill [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2253161 [ 8 ] Bug #2253164 - CVE-2023-6512 chromium: Inappropriate implementation in Web Browser UI [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2253164 --------------------------------------------------------------------------------

================================================================================ guacamole-server-1.5.4-1.el7 (FEDORA-EPEL-2023-e5cd593804) Server-side native components that form the Guacamole proxy -------------------------------------------------------------------------------- Update Information:

# Apache Guacamole 1.5.4 ## User interface / platform - History Recording Player should show controls when mouse is moved (GUACAMOLE-1872) - Bug: Control bar doesn���t auto-hide on history recording player (GUACAMOLE-1873) ## Authentication, integration, and storage - Bug: Regression in JSON module causes loading to fail (GUACAMOLE-1851) - Bug: Permission check for creating user groups is incorrect (GUACAMOLE-1856) ## Protocol support / guacd - Bug: Race condition can cause the first user for a connection to miss updates (GUACAMOLE-1846) - Bug: Parser reparses same instructions multiple times in some cases (GUACAMOLE-1849) - Bug: `guac_common_cursor_dup()` may segfault if cursor is being modified (GUACAMOLE-1850) - Add libguac convenience functions for memory management (GUACAMOLE-1867) ## Internationalization - Updates and corrections to Catalan translation (GUACAMOLE-1880) ## Documentation - TOTP Authentication - Add documentation relating to usage with docker (GUACAMOLE-1878) ## General housekeeping and cleanup - Update webapp dependencies to latest stable and compatible versions (GUACAMOLE-1859) - Bump version numbers to 1.5.4 (GUACAMOLE-1886) -------------------------------------------------------------------------------- ChangeLog:

* Sat Dec 9 2023 Robert Scheck robert@fedoraproject.org - 1:1.5.4-1 - Update to 1.5.4 (#2223510) -------------------------------------------------------------------------------- References:

[ 1 ] Bug #2223510 - guacamole-server-1.5.4 is available https://bugzilla.redhat.com/show_bug.cgi?id=2223510 --------------------------------------------------------------------------------

================================================================================ unrealircd-6.1.3-1.el7 (FEDORA-EPEL-2023-991fb571f9) Open Source IRC server -------------------------------------------------------------------------------- Update Information:

# UnrealIRCd 6.1.3 The main focus of this release is adding countermeasures against large scale spam/drones. Upstream does this by offering a central API which can be used for accessing Central Blocklist, Central Spamreport and Central Spamfilter. ## Enhancements * Central anti-spam services: * The services from below require a central-api key, which you can [request here](https://www.unrealircd.org/central-api/). * [Central Blocklist](https://www.unrealircd.org/docs/Central_Blocklist) is an attempt to detect and block spammers. It works similar to DNS Blacklists but the central blocklist receives many more details about the user that is trying to connect and therefore can make a better decision on whether a user is likely a spammer. * [Central Spamreport](https://www.unrealircd.org/docs/Central_spamreport) allows you to send spam reports (user details, last sent lines) via the `SPAMREPORT` command. This information may then be used to improve [Central Blocklist](https://www.unrealircd.org/docs/Central_Blocklist) and/or [Central Spamfilter](https://www.unrealircd.org/docs/Central_Spamfilter). * The [Central Spamfilter](https://www.unrealircd.org/docs/Central_Spamfilter), which provides `spamfilter { }` blocks that are centrally managed, is now fetched from a different URL if you have an Central API key set. This way, upstream can later provide `spamfilter { }` blocks that build on central blocklist scoring functionality, and also so upstream doesn't have to reveal all the central spamfilter blocks to the world. * New option `auto` for [set::hide-ban- reason](https://www.unrealircd.org/docs/Set_block#set::hide-ban-reason), which is now the default. This will hide the *LINE reason to other users if the *LINE reason contains the IP of the user, for example when it contains a DroneBL URL which has `lookup?ip=XXX`. This to protect the privacy of the user. Other possible settings are `no` (never hide, the previous default) and `yes` to always hide the *LINE reason. In all cases the user affected by the server ban can still see the reason and IRCOps too. * Make [Deny channel](https://www.unrealircd.org/docs/Deny_channel_block) support escaped sequences like `channel "#xyz*";` so you can match a literal `*` or `?` via `*` and `?`. * New option [listen::options::websocket::allow- origin](https://www.unrealircd.org/docs/Listen_block#options_block_(optional)): this allows to restrict websocket connections to a list of websites (the sites hosting the HTML/JS page that makes the websocket connection). It doesn't *securely* restrict it though, non-browsers will bypass this restriction, but it can still be useful to restrict regular webchat users. * The [Proxy block](https://www.unrealircd.org/docs/Proxy_block) already had support for reverse proxying with the `Forwarded` header. Now it also properly supports `X-Forwarded-For`. If you previously used a proxy block with type `web`, then you now need to choose one of the new types explicitly. Note that using a reverse proxy for IRC traffic is rare (see the proxy block docs for details), but upstream offers the option. ## Changes * Reserve more file descriptors for internal use. For example, when there are 10,000 fd's are available upstream now reserves 250, and when 2048 are available upstream reserves 32. This so upstream has more fds available to handle things like log files, do HTTPS callbacks to blacklists, etc. * Make `$client.details` in logs follow the ident rules for users in the handshake too, so use the `~` prefix if ident lookups are enabled and identd fails etc. * More validation for operclass names (`a-zA-Z0-9_-`) * Hits for central-blocklist are now broadcasted globally instead of staying on the same server. ## Fixes * When using a trusted reverse proxy with the [Proxy block](https://www.unrealircd.org/docs/Proxy_block), under some circumstances it was possible for end-users to spoof IPs. * Crash issue when a module is reloaded (not unloaded) and that module no longer provides a particular moddata object, e.g. because it was renamed or no longer needed. This is rare, but did happen for one third party module recently. * Fix memory leak when unloading a module for good and that module provided ModData objects for "unknown users" (users still in the handshake). * Don't ask to generate TLS certificate if one already exists (issue introduced in 6.1.2). ## Developers and protocol * New hooks: `HOOKTYPE_WATCH_ADD`, `HOOKTYPE_WATCH_DEL`, `HOOKTYPE_MONITOR_NOTIFICATION`. * The hook `HOOKTYPE_IS_HANDSHAKE_FINISHED` is now properly called at all places. * A new [URL API](https://www.unrealircd.org/docs/Dev:URL_API) to easily fetch URLs from modules. -------------------------------------------------------------------------------- ChangeLog:

* Sat Dec 9 2023 Robert Scheck robert@fedoraproject.org 6.1.3-1 - Upgrade to 6.1.3 (#2252372) -------------------------------------------------------------------------------- References:

[ 1 ] Bug #2252372 - unrealircd-6.1.3 is available https://bugzilla.redhat.com/show_bug.cgi?id=2252372 --------------------------------------------------------------------------------