The following Fedora EPEL 9 Security updates need testing:
 Age  URL
   6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-9c790c33f7   netatalk-3.1.18-1.el9
   5  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-a0ec47d7c6   composer-2.6.5-1.el9
   5  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-3a968a9e97   chromium-117.0.5938.149-1.el9
   1  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-61870984c8   mbedtls-2.28.5-1.el9
The following builds have been pushed to Fedora EPEL 9 updates-testing
apptainer-1.2.4-1.el9
gaupol-1.13-2.el9
libcue-2.3.0-1.el9
python-ogr-0.47.0-1.el9
python-openslide-1.3.1-3.el9
texlive-extension-20200406-34.el9
tmt-1.28.2-1.el9
trafficserver-9.2.3-1.el9
yt-dlp-2023.10.07-1.el9
Details about builds:
================================================================================
apptainer-1.2.4-1.el9 (FEDORA-EPEL-2023-18afa1ea0d)
Application and environment virtualization formerly known as Singularity
--------------------------------------------------------------------------------
Update Information:
Update to upstream 1.2.4
--------------------------------------------------------------------------------
ChangeLog:
* Wed Oct 11 2023 Dave Dykstra <dwd(a)fnal.gov> - 1.2.4
- Update to upstream 1.2.4
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2243304 - apptainer-1.2.4 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2243304
--------------------------------------------------------------------------------
================================================================================
gaupol-1.13-2.el9 (FEDORA-EPEL-2023-ca38a4f4c4)
Editor for text-based subtitle files
--------------------------------------------------------------------------------
Update Information:
Update Gaupol to 1.13 and add a weak dependency on mpv for media previews.

2023-10-08: Gaupol 1.13
- Fix translations missing for enums
- Fix Python 3.12 compatibility and drop support for Python < 3.4
- Add Chinese (China) translation
--------------------------------------------------------------------------------
ChangeLog:
* Wed Oct 11 2023 Benjamin A. Beasley <code(a)musicinmybrain.net> - 1.13-2
- Fedora, EPEL9: add a weak dependency on mpv
- This is upstream’s preferred media player for previews, and the only
supported one packaged in Fedora and EPEL
* Wed Oct 11 2023 Benjamin A. Beasley <code(a)musicinmybrain.net> - 1.13-1
- Update to 1.13 (close RHBZ#2242996)
* Wed Oct 11 2023 Yaakov Selkowitz <yselkowi(a)redhat.com> - 1.12-6
- Fix flatpak build
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2242996 - gaupol-1.13 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2242996
--------------------------------------------------------------------------------
================================================================================
libcue-2.3.0-1.el9 (FEDORA-EPEL-2023-b4fc9c3fdb)
Cue sheet parser library
--------------------------------------------------------------------------------
Update Information:
This update provides a new release of libcue that includes the fix for a serious
security issue that could cause arbitrary code execution, tracked as
CVE-2023-43641. See [this write-up by Kevin Backhouse](https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/)
for details. Thanks to Kevin for discovering the issue and writing the fix. It
also includes another small bug fix.
--------------------------------------------------------------------------------
ChangeLog:
* Tue Oct 10 2023 Adam Williamson <awilliam(a)redhat.com> - 2.3.0-1
- New release 2.3.0
- Drop merged patch
* Tue Oct 10 2023 Adam Williamson <awilliam(a)redhat.com> - 2.2.1-13
- Fix CVE-2023-43641 (Kevin Backhouse)
* Thu Jul 20 2023 Fedora Release Engineering <releng(a)fedoraproject.org> - 2.2.1-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Thu Jan 19 2023 Fedora Release Engineering <releng(a)fedoraproject.org> - 2.2.1-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Thu Jul 21 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 2.2.1-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Jan 20 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 2.2.1-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2243168 - CVE-2023-43641 libcue: a out-of-bounds array access leads to RCE
[epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2243168
--------------------------------------------------------------------------------
================================================================================
python-ogr-0.47.0-1.el9 (FEDORA-EPEL-2023-01b34367b7)
One API for multiple git forges
--------------------------------------------------------------------------------
Update Information:
Automatic update for python-ogr-0.47.0-1.el9.

Changelog for python-ogr:
* Wed Oct 11 2023 Packit <hello(a)packit.dev> - 0.47.0-1
- Added support for removing users/groups from a project and possibility to check for
groups with permissions to modify a PR. (#815)
- Resolves rhbz#2125279
* Fri Oct 06 2023 Packit <hello(a)packit.dev> - 0.46.2-1
- Added missing README to package metadata.

----

Automatic update for python-ogr-0.46.2-1.el9.

Changelog for python-ogr:
* Fri Oct 06 2023 Packit <hello(a)packit.dev> - 0.46.2-1
- Added missing README to package metadata.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Oct 11 2023 Packit <hello(a)packit.dev> - 0.47.0-1
- Added support for removing users/groups from a project and possibility to check for
groups with permissions to modify a PR. (#815)
- Resolves rhbz#2125279
* Fri Oct 6 2023 Packit <hello(a)packit.dev> - 0.46.2-1
- Added missing README to package metadata.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2125279 - python-ogr-0.47.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2125279
--------------------------------------------------------------------------------
================================================================================
python-openslide-1.3.1-3.el9 (FEDORA-EPEL-2023-12a678ef1d)
Python bindings for the OpenSlide library
--------------------------------------------------------------------------------
Update Information:
- Update docs to transform images to sRGB using the default rendering intent of
  the image’s ICC profile, rather than absolute colorimetric intent.
- Fix SPDX license identifier.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Oct 11 2023 Benjamin Gilbert <bgilbert(a)backtick.net> - 1.3.1-3
- Use correct SPDX license identifier
* Sun Oct 8 2023 Benjamin Gilbert <bgilbert(a)backtick.net> - 1.3.1-2
- Fix tests on EPEL 9
* Sun Oct 8 2023 Benjamin Gilbert <bgilbert(a)backtick.net> - 1.3.1-1
- New release
- Drop obsolete versioned dependency on OpenSlide
- Drop obsolete Provides/Obsoletes
--------------------------------------------------------------------------------
================================================================================
texlive-extension-20200406-34.el9 (FEDORA-EPEL-2023-856c0e7861)
TeX formatting system
--------------------------------------------------------------------------------
Update Information:
added texlive-boondox, texlive-fontaxes, texlive-IEEEtran and texlive-newtx
--------------------------------------------------------------------------------
ChangeLog:
* Wed Oct 11 2023 Than Ngo <than(a)redhat.com> - 20200406-34
- fixed bz#2242153, add support of IEEEtran, boondox, fontaxes, newtx
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2242153 - Please branch and build IEEEtrans in epel9
https://bugzilla.redhat.com/show_bug.cgi?id=2242153
--------------------------------------------------------------------------------
================================================================================
tmt-1.28.2-1.el9 (FEDORA-EPEL-2023-d3ffb2a15b)
Test Management Tool
--------------------------------------------------------------------------------
Update Information:
Automatic update for tmt-1.28.2-1.el9.

Changelog for tmt:
* Wed Oct 11 2023 Petr Šplíchal <psplicha(a)redhat.com> - 1.28.2
- Build man page during the `release` action
* Wed Oct 11 2023 Petr Šplíchal <psplicha(a)redhat.com> - 1.28.1
- Remove the `.dev0` suffix from the spec `Version`
* Fri Oct 06 2023 Petr Šplíchal <psplicha(a)redhat.com> - 1.28.0
- Update the `release` action with `hatch` changes
- Fix the multihost web test to work with container
- Add `skip` as a supported custom result outcome
- Add docs for the new `--update-missing` option
- Remove irrelevant mention of `rhel-8` in the spec
- Record start/end time & duration of test checks
- Add `--update-missing` to update phase fields only when not set by fmf
- Add --skip-prepare-verify-ssh and --post-install-script to artemis plugin (#2347)
- Force tmt-link pre-commit to use fmf 1.3.0 which brings new features (#2376)
- Add logging of applied adjust rules
- Handle all context dimension values case insensitive
- Hide `OPTIONLESS_FIELDS` from `tmt plan show`
- Add context into the `html` report
- Display test check results in `display` report output
- Fix creation of guest data from plugin options
- Allow wider output
- Beaker plugin is negating Beaker operators by default
- Include link to the data directory in the html report
- Teach logging methods to handle common types
- Move the copr repository to the `teemtee` group
- Add a new `cpu` property `stepping` to hardware
- Extract beakerlib phase name to a failure log
- Always show the real beaker job id
- Create a production copr build for each release
- AVC denials check for tests (#2331)
- Add nice & colorfull help to "make" targets
- Include more dependencies in the dev environment
- Stop using the `_version.py` file
- Replace `opt()` for `--dry/--force` with properties
- Update build names for copr/main and pull requests
- Use `hatch` and `pyproject`, refactor `tmt.spec`
- Use dataclass for log record details instead of typed dict
- Refactor html report plugin to use existing template rendering
- Narrow type of hardware constraint variants
- Refactor parameters of `Plan._iter_steps()`
- Use `format_value()` instead of `pprint()`
- Use the minimal plan to test imported plan execution
- Refactor exception rendering to use generators
- Add the `export` callback for fields (#2288)
- Update a verified-by link for the beaker provision
- Multi-string help texts converted to multiline strings
- Make the upload to PyPI working again
- Hide command event debug logs behind a log topic (#2281)
- Replace `pkg_resources` with `importlib.resources`
- Wrap `click.Choice` use with `choices` parameter
- Lower unnecessary verbosity of podman commands
- Move check-related code into `tmt.checks`
- Disable `systemd-resolved` to prevent dns failures
- Adjust test coverage for deep beakerlib libraries
- Document migration from provision.fmf to tmt (#2325)
- Remove TBD of initiator context for Packit
- Fix output indentation of imported plans
- Copr repo with a group owner requires quotes
--------------------------------------------------------------------------------
ChangeLog:
* Wed Oct 11 2023 Petr Šplíchal <psplicha(a)redhat.com> - 1.28.2
- Build man page during the `release` action
* Wed Oct 11 2023 Petr Šplíchal <psplicha(a)redhat.com> - 1.28.1
- Remove the `.dev0` suffix from the spec `Version`
* Fri Oct 6 2023 Petr Šplíchal <psplicha(a)redhat.com> - 1.28.0
- Update the `release` action with `hatch` changes
- Fix the multihost web test to work with container
- Add `skip` as a supported custom result outcome
- Add docs for the new `--update-missing` option
- Remove irrelevant mention of `rhel-8` in the spec
- Record start/end time & duration of test checks
- Add `--update-missing` to update phase fields only when not set by fmf
- Add --skip-prepare-verify-ssh and --post-install-script to artemis plugin (#2347)
- Force tmt-link pre-commit to use fmf 1.3.0 which brings new features (#2376)
- Add logging of applied adjust rules
- Handle all context dimension values case insensitive
- Hide `OPTIONLESS_FIELDS` from `tmt plan show`
- Add context into the `html` report
- Display test check results in `display` report output
- Fix creation of guest data from plugin options
- Allow wider output
- Beaker plugin is negating Beaker operators by default
- Include link to the data directory in the html report
- Teach logging methods to handle common types
- Move the copr repository to the `teemtee` group
- Add a new `cpu` property `stepping` to hardware
- Extract beakerlib phase name to a failure log
- Always show the real beaker job id
- Create a production copr build for each release
- AVC denials check for tests (#2331)
- Add nice & colorfull help to "make" targets
- Include more dependencies in the dev environment
- Stop using the `_version.py` file
- Replace `opt()` for `--dry/--force` with properties
- Update build names for copr/main and pull requests
- Use `hatch` and `pyproject`, refactor `tmt.spec`
- Use dataclass for log record details instead of typed dict
- Refactor html report plugin to use existing template rendering
- Narrow type of hardware constraint variants
- Refactor parameters of `Plan._iter_steps()`
- Use `format_value()` instead of `pprint()`
- Use the minimal plan to test imported plan execution
- Refactor exception rendering to use generators
- Add the `export` callback for fields (#2288)
- Update a verified-by link for the beaker provision
- Multi-string help texts converted to multiline strings
- Make the upload to PyPI working again
- Hide command event debug logs behind a log topic (#2281)
- Replace `pkg_resources` with `importlib.resources`
- Wrap `click.Choice` use with `choices` parameter
- Lower unnecessary verbosity of podman commands
- Move check-related code into `tmt.checks`
- Disable `systemd-resolved` to prevent dns failures
- Adjust test coverage for deep beakerlib libraries
- Document migration from provision.fmf to tmt (#2325)
- Remove TBD of initiator context for Packit
- Fix output indentation of imported plans
- Copr repo with a group owner requires quotes
--------------------------------------------------------------------------------
================================================================================
trafficserver-9.2.3-1.el9 (FEDORA-EPEL-2023-834ef33019)
Fast, scalable and extensible HTTP/1.1 and HTTP/2 caching proxy server
--------------------------------------------------------------------------------
Update Information:
Update to upstream 9.2.3.
Resolves CVE-2023-44487, CVE-2023-41752, CVE-2023-39456.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Oct 11 2023 Jered Floyd <jered(a)redhat.com> 9.2.3-1
- Update to upstream 9.2.3
- Resolves CVE-2023-44487, CVE-2023-41752, CVE-2023-39456
* Wed Oct 4 2023 Jered Floyd <jered(a)redhat.com> 9.2.2-2
- Use OpenSSL 1.1.x from EPEL on RHEL 7 to fix Chrome 117+ bugs
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2242988 - trafficserver-9.2.3-rc0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2242988
[ 2 ] Bug #2243251 - [Major Incident] CVE-2023-44487 trafficserver: HTTP/2: Multiple
HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
[epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2243251
[ 3 ] Bug #2243252 - [Major Incident] CVE-2023-44487 trafficserver: HTTP/2: Multiple
HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
[fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2243252
--------------------------------------------------------------------------------
================================================================================
yt-dlp-2023.10.07-1.el9 (FEDORA-EPEL-2023-f06290bec2)
A command-line program to download videos from online video platforms
--------------------------------------------------------------------------------
Update Information:
Update to 2023.10.07.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Oct 11 2023 Marcus Müller <marcus_fedora(a)baseband.digital> - 2023.10.07-1
- Update to 2023.10.07.
- Fixes rhbz#2243274
- Fixes rhbz#2240465
* Sat Jul 22 2023 Fedora Release Engineering <releng(a)fedoraproject.org> - 2023.07.06-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2240465 - yt-dlp-2023.10.07 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2240465
[ 2 ] Bug #2243274 - yt-dlp 2023.07.06 broken on YouTube Playlist links
https://bugzilla.redhat.com/show_bug.cgi?id=2243274
--------------------------------------------------------------------------------