January 2023 - Epel-packagers-sig - Fedora Mailing-Lists

[Bug 2127008] New: CVE-2021-43138 yarnpkg: async: Prototype Pollution in async [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2127008 Bug ID: 2127008 Summary: CVE-2021-43138 yarnpkg: async: Prototype Pollution in async [fedora-all] Product: Fedora Version: 36 Status: NEW Component: yarnpkg Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: zsvetlik(a)redhat.com Reporter: ahanwate(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, ngompa13(a)gmail.com, zsvetlik(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2127008

11 months, 2 weeks

1
10
0 / 0

[Bug 2152006] New: luarocks-3.9.2 is available

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2152006 Bug ID: 2152006 Summary: luarocks-3.9.2 is available Product: Fedora Version: rawhide Status: NEW Component: luarocks Keywords: FutureFeature, Triaged Assignee: michel(a)michel-slm.name Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, ktdreyer(a)ktdreyer.com, lua-packagers-sig(a)lists.fedoraproject.org, michel(a)michel-slm.name Target Milestone: --- Classification: Fedora Releases retrieved: 3.9.2 Upstream release that is considered latest: 3.9.2 Current version/release in rawhide: 3.9.1-1.fc38 URL: https://luarocks.org/ Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release... Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from Anitya: https://release-monitoring.org/project/1856/ To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/luarocks -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2152006

11 months, 3 weeks

1
11
0 / 0

[Bug 2135231] New: CVE-2021-36369 dropbear: <net-misc/dropbear-2022.82: forwarded agent abuse [epel-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2135231 Bug ID: 2135231 Summary: CVE-2021-36369 dropbear: <net-misc/dropbear-2022.82: forwarded agent abuse [epel-all] Product: Fedora EPEL Version: epel8 Status: NEW Component: dropbear Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: buytenh(a)wantstofly.org Reporter: mrehak(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: buytenh(a)wantstofly.org, cickumqt(a)gmail.com, daniellarasouza(a)yahoo.com.br, epel-packagers-sig(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora EPEL. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2135231

11 months, 4 weeks

1
11
0 / 0

[Bug 2135229] New: CVE-2021-36369 <net-misc/dropbear-2022.82: forwarded agent abuse

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2135229 Bug ID: 2135229 Summary: CVE-2021-36369 <net-misc/dropbear-2022.82: forwarded agent abuse Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: mrehak(a)redhat.com CC: buytenh(a)wantstofly.org, cickumqt(a)gmail.com, daniellarasouza(a)yahoo.com.br, epel-packagers-sig(a)lists.fedoraproject.org Target Milestone: --- Classification: Other Due to a non-RFC-compliant check of the available authentication methods in the client-side SSH code, it is possible for an SSH server to change the login process in its favor. This attack can bypass additional security measures such as FIDO2 tokens or SSH-Askpass. Thus, it allows an attacker to abuse a forwarded agent for logging on to another server unnoticed. Reference: https://github.com/mkj/dropbear/pull/128 https://github.com/mkj/dropbear/releases/tag/DROPBEAR_2022.82 https://github.com/mkj/dropbear/releases -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2135229

11 months, 4 weeks

1
6
0 / 0

[Bug 2140613] New: CVE-2022-37603 yarnpkg: loader-utils:Regular expression denial of service [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2140613 Bug ID: 2140613 Summary: CVE-2022-37603 yarnpkg: loader-utils:Regular expression denial of service [fedora-all] Product: Fedora Version: 36 Status: NEW Component: yarnpkg Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: zsvetlik(a)redhat.com Reporter: vinair(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, ngompa13(a)gmail.com, zsvetlik(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2140613

11 months, 4 weeks

1
7
0 / 0

[Bug 2032607] New: F36FailsToInstall: hyperkitty

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2032607 Bug ID: 2032607 Summary: F36FailsToInstall: hyperkitty Product: Fedora Version: rawhide Status: NEW Component: python-hyperkitty Assignee: michel(a)michel-slm.name Reporter: mhroncok(a)redhat.com CC: epel-packagers-sig(a)lists.fedoraproject.org, infra-sig(a)lists.fedoraproject.org, michel(a)michel-slm.name, ngompa13(a)gmail.com, python-sig(a)lists.fedoraproject.org Blocks: 1992487 (F36FailsToInstall,RAWHIDEFailsToInstall) Target Milestone: --- Classification: Fedora Hello, Please note that this comment was generated automatically. If you feel that this output has mistakes, please contact me via email (mhroncok(a)redhat.com). Your package (python-hyperkitty) Fails To Install in Fedora 36: can't install hyperkitty: - nothing provides python3.10dist(flufl-lock) >= 4 needed by hyperkitty-1.3.5-1.fc36.noarch - nothing provides python3.10dist(mistune) >= 2~rc1 needed by hyperkitty-1.3.5-1.fc36.noarch If you know about this problem and are planning on fixing it, please acknowledge so by setting the bug status to ASSIGNED. If you don't have time to maintain this package, consider orphaning it, so maintainers of dependent packages realize the problem. If you don't react accordingly to the policy for FTBFS/FTI bugs (https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fai...), your package may be orphaned in 8+ weeks. P.S. The data was generated solely from koji buildroot, so it might be newer than the latest compose or the content on mirrors. P.P.S. If this bug has been reported in the middle of upgrading multiple dependent packages, please consider using side tags: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/#updating-inter... Thanks! Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1992487 [Bug 1992487] Fedora 36 Fails To install Tracker -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2032607

11 months, 4 weeks

1
19
0 / 0

[Bug 2162389] New: CVE-2022-46175 yarnpkg: json5: Prototype Pollution in JSON5 via Parse Method [fedora-36]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2162389 Bug ID: 2162389 Summary: CVE-2022-46175 yarnpkg: json5: Prototype Pollution in JSON5 via Parse Method [fedora-36] Product: Fedora Version: 36 Status: NEW Component: yarnpkg Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: zsvetlik(a)redhat.com Reporter: ahanwate(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, manisandro(a)gmail.com, ngompa13(a)gmail.com, zsvetlik(a)redhat.com Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2156263 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2162389

11 months, 4 weeks

1
4
0 / 0

[Bug 2162186] New: CVE-2022-41721 golang-x-net: x/net/http2/h2c: request smuggling [fedora-36]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2162186 Bug ID: 2162186 Summary: CVE-2022-41721 golang-x-net: x/net/http2/h2c: request smuggling [fedora-36] Product: Fedora Version: 36 Status: NEW Component: golang-x-net Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: zebob.m(a)gmail.com Reporter: askrabec(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, go-sig(a)lists.fedoraproject.org, zebob.m(a)gmail.com Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2162182 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2162186

11 months, 4 weeks

1
4
0 / 0

[Bug 2063508] New: authentication recquired The password you use does not match

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2063508 Bug ID: 2063508 Summary: authentication recquired The password you use does not match Product: Fedora Version: 36 OS: Linux Status: NEW Component: keyrings-filesystem Severity: high Assignee: manisandro(a)gmail.com Reporter: jjb(a)xs4all.nl QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, manisandro(a)gmail.com, sergio(a)serjux.com Target Milestone: --- Classification: Fedora Description of problem: Keyring is locked. (in Passwords and Keys, Seahorse) try to solve error message "authentication required, the password you use to log in to your computer no longer match that of your login keyring" The known password is not accepted. Version-Release number of selected component (if applicable): How reproducible: try to Get Geary (email program) at work. At login to the computer the password is working all right. Steps to Reproduce: 1. 2. 3. Actual results: cannot authenticate password. Expected results: no question of authentication Additional info: do not know how to solve this problem. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2063508

11 months, 4 weeks

1
5
0 / 0

[Bug 2090622] New: [abrt] xmlstarlet: xmlXPathCompUnaryExpr(): xmlstarlet killed by SIGSEGV

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2090622 Bug ID: 2090622 Summary: [abrt] xmlstarlet: xmlXPathCompUnaryExpr(): xmlstarlet killed by SIGSEGV Product: Fedora Version: 36 Hardware: x86_64 Status: NEW Whiteboard: abrt_hash:fae15203a4426ff6ea89539d9cb4c1ae9473b845;VAR IANT_ID=workstation; Component: xmlstarlet Assignee: stickster(a)gmail.com Reporter: mf.flip(a)gmail.com QA Contact: extras-qa(a)fedoraproject.org CC: daltonminer(a)gmail.com, dcavalca(a)fb.com, epel-packagers-sig(a)lists.fedoraproject.org, michel(a)michel-slm.name, ngompa13(a)gmail.com, stickster(a)gmail.com Target Milestone: --- Classification: Fedora Version-Release number of selected component: xmlstarlet-1.6.1-18.fc36 Additional info: reporter: libreport-2.17.1 backtrace_rating: 4 cgroup: 0::/user.slice/user-1000.slice/user@1000.service/app.slice/vte-spawn-b6417f15-9599-4249-82d4-24ff704344e1.scope cmdline: xmlstarlet ed --without-comments activemq.xml crash_function: xmlXPathCompUnaryExpr executable: /usr/bin/xmlstarlet journald_cursor: s=952f321409164e31aecdcfe29dabfc09;i=2c2dd8;b=d8a42405eec240a19c823e14d4731d5c;m=7ac1a3fe9;t=5dfd855906ebd;x=1c1ad98bbbf498bf kernel: 5.17.9-300.fc36.x86_64 rootdir: / runlevel: N 5 type: CCpp uid: 1000 Truncated backtrace: Thread no. 1 (10 frames) #0 xmlXPathCompUnaryExpr at /usr/src/debug/libxml2-2.9.14-1.fc36.x86_64/xpath.c:10736 #1 xmlXPathCompMultiplicativeExpr at /usr/src/debug/libxml2-2.9.14-1.fc36.x86_64/xpath.c:10769 #2 xmlXPathCompAdditiveExpr at /usr/src/debug/libxml2-2.9.14-1.fc36.x86_64/xpath.c:10810 #3 xmlXPathCompRelationalExpr at /usr/src/debug/libxml2-2.9.14-1.fc36.x86_64/xpath.c:10848 #4 xmlXPathCompEqualityExpr at /usr/src/debug/libxml2-2.9.14-1.fc36.x86_64/xpath.c:10887 #5 xmlXPathCompAndExpr at /usr/src/debug/libxml2-2.9.14-1.fc36.x86_64/xpath.c:10918 #6 xmlXPathCompileExpr at /usr/src/debug/libxml2-2.9.14-1.fc36.x86_64/xpath.c:10956 #7 xmlXPathEvalExpr__internal_alias at /usr/src/debug/libxml2-2.9.14-1.fc36.x86_64/xpath.c:14426 #9 xmlXPathEval__internal_alias at /usr/src/debug/libxml2-2.9.14-1.fc36.x86_64/xpath.c:14466 #10 xmlXPathEvalExpression__internal_alias at /usr/src/debug/libxml2-2.9.14-1.fc36.x86_64/xpath.c:14541 -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2090622

11 months, 4 weeks

1
2
0 / 0

2024

2023

2022

2021

Epel-packagers-sig January 2023