https://bugzilla.redhat.com/show_bug.cgi?id=2246633
Bug ID: 2246633
Summary: CVE-2023-46234 yarnpkg: browserify-sign: upper bound check issue in dsaVerify leads to a signature forgery attack [fedora-all]
Product: Fedora
Version: 38
Status: NEW
Component: yarnpkg
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: zsvetlik(a)redhat.com
Reporter: pdelbell(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: epel-packagers-sig(a)lists.fedoraproject.org,
manisandro(a)gmail.com, ngompa13(a)gmail.com,
zsvetlik(a)redhat.com
Target Milestone: ---
Classification: Fedora
More information about this security flaw is available in the following bug:
http://bugzilla.redhat.com/show_bug.cgi?id=2246470
Disclaimer: Community trackers are created by Red Hat Product Security team on
a best effort basis. Package maintainers are required to ascertain if the flaw
indeed affects their package, before starting the update process.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2246633
https://bugzilla.redhat.com/show_bug.cgi?id=2220682
Bug ID: 2220682
Summary: CVE-2023-26136 yarnpkg: tough-cookie: prototype pollution in cookie memstore [fedora-all]
Product: Fedora
Version: 38
Status: NEW
Component: yarnpkg
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: zsvetlik(a)redhat.com
Reporter: ahanwate(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: epel-packagers-sig(a)lists.fedoraproject.org,
manisandro(a)gmail.com, ngompa13(a)gmail.com,
zsvetlik(a)redhat.com
Target Milestone: ---
Classification: Fedora
More information about this security flaw is available in the following bug:
http://bugzilla.redhat.com/show_bug.cgi?id=2219310
Disclaimer: Community trackers are created by Red Hat Product Security team on
a best effort basis. Package maintainers are required to ascertain if the flaw
indeed affects their package, before starting the update process.
https://bugzilla.redhat.com/show_bug.cgi?id=2209317
Bug ID: 2209317
Summary: CVE-2022-37599 yarnpkg: loader-utils: regular expression denial of service in interpolateName.js [fedora-all]
Product: Fedora
Version: 38
Status: NEW
Component: yarnpkg
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: zsvetlik(a)redhat.com
Reporter: ahanwate(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: epel-packagers-sig(a)lists.fedoraproject.org,
manisandro(a)gmail.com, ngompa13(a)gmail.com,
zsvetlik(a)redhat.com
Target Milestone: ---
Classification: Fedora
More information about this security flaw is available in the following bug:
http://bugzilla.redhat.com/show_bug.cgi?id=2134872
Disclaimer: Community trackers are created by Red Hat Product Security team on
a best effort basis. Package maintainers are required to ascertain if the flaw
indeed affects their package, before starting the update process.
https://bugzilla.redhat.com/show_bug.cgi?id=2251792
Bug ID: 2251792
Summary: python-bcrypt-4.1.0 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: python-bcrypt
Keywords: FutureFeature, Triaged
Assignee: pingou(a)pingoured.fr
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: epel-packagers-sig(a)lists.fedoraproject.org,
infra-sig(a)lists.fedoraproject.org, mhayden(a)redhat.com,
pingou(a)pingoured.fr,
python-packagers-sig(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Releases retrieved: 4.1.0
Upstream release that is considered latest: 4.1.0
Current version/release in rawhide: 4.0.1-6.fc40
URL: http://pypi.python.org/pypi/bcrypt
Please consult the package updates policy before you issue an update to a
stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/
More information about the service that created this bug can be found at:
https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_M…
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from Anitya:
https://release-monitoring.org/project/9047/
To change the monitoring settings for the project, please visit:
https://src.fedoraproject.org/rpms/python-bcrypt
https://bugzilla.redhat.com/show_bug.cgi?id=2179146
Bug ID: 2179146
Summary: python-pandas-2.0.0rc1 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: python-pandas
Keywords: FutureFeature, Triaged
Assignee: jonathan(a)almalinux.org
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: epel-packagers-sig(a)lists.fedoraproject.org,
jonathan(a)almalinux.org, mail(a)kushaldas.in,
neuro-sig(a)lists.fedoraproject.org, orion(a)nwra.com,
python-packagers-sig(a)lists.fedoraproject.org,
sergio.pasra(a)gmail.com, tomspur(a)fedoraproject.org,
wfp5p(a)worldbroken.com
Target Milestone: ---
Classification: Fedora
Releases retrieved: 2.0.0rc1
Upstream release that is considered latest: 2.0.0rc1
Current version/release in rawhide: 1.5.3-1.fc39
URL: http://pandas.pydata.org/
Please consult the package updates policy before you issue an update to a
stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/
More information about the service that created this bug can be found at:
https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_M…
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from Anitya:
https://release-monitoring.org/project/7578/
To change the monitoring settings for the project, please visit:
https://src.fedoraproject.org/rpms/python-pandas
https://bugzilla.redhat.com/show_bug.cgi?id=2249694
Bug ID: 2249694
Summary: yarnpkg-1.22.21 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: yarnpkg
Keywords: FutureFeature, Triaged
Assignee: zsvetlik(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: epel-packagers-sig(a)lists.fedoraproject.org,
manisandro(a)gmail.com, ngompa13(a)gmail.com,
zsvetlik(a)redhat.com
Target Milestone: ---
Classification: Fedora
Releases retrieved: 1.22.20, 1.22.21
Upstream release that is considered latest: 1.22.21
Current version/release in rawhide: 1.22.19-7.fc39
URL: https://yarnpkg.com
Please consult the package updates policy before you issue an update to a
stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/
More information about the service that created this bug can be found at:
https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_M…
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from Anitya:
https://release-monitoring.org/project/13363/
To change the monitoring settings for the project, please visit:
https://src.fedoraproject.org/rpms/yarnpkg
https://bugzilla.redhat.com/show_bug.cgi?id=2183119
Bug ID: 2183119
Summary: FTBFS with autoconf 2.72/2.73
Product: Fedora
Version: rawhide
OS: All
Status: NEW
Component: ImageMagick
Assignee: luya_tfz(a)thefinalzone.net
Reporter: fberat(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: blaise(a)gmail.com, davide(a)cavalca.name,
epel-packagers-sig(a)lists.fedoraproject.org,
fedora(a)famillecollet.com, luya_tfz(a)thefinalzone.net,
michel(a)michel-slm.name, ngompa13(a)gmail.com,
pampelmuse(a)gmx.at, sergio(a)serjux.com
Target Milestone: ---
Classification: Fedora
Autoconf 2.72 (or 2.73) seems to be under preparation upstream; I therefore
started to build dependent components against the pre-release [1] to verify
that they can be built once it lands in Fedora.
Your component fails to build with the new version of autoconf, due to the
following error:
configure:4837: error: possibly undefined macro: _AC_SYS_LARGEFILE_TEST_INCLUDES
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
autoreconf: error: /usr/bin/autoconf failed with exit status: 1
Unfortunately, this can't be fixed with an autoreconf; an update of the files
provided by gnulib is necessary.
These files are usually added during the bootstrap of the source code, which is
done to generate the release tarball.
Please forward this to the community, and update the component accordingly.
[1] https://lists.gnu.org/archive/html/autoconf/2023-03/msg00020.html
https://bugzilla.redhat.com/show_bug.cgi?id=2247262
Bug ID: 2247262
Summary: nemo-extensions fails to build with Python 3.13: error: implicit declaration of function PySys_SetArgv
Product: Fedora
Version: rawhide
Status: NEW
Component: nemo-extensions
Assignee: leigh123linux(a)googlemail.com
Reporter: ksurma(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: epel-packagers-sig(a)lists.fedoraproject.org,
ksurma(a)redhat.com, leigh123linux(a)googlemail.com,
mhroncok(a)redhat.com, riehecky(a)fnal.gov
Blocks: 2244836 (PYTHON3.13)
Target Milestone: ---
Classification: Fedora
nemo-extensions fails to build with Python 3.13.0a1.
../src/nemo-python.c: In function ‘nemo_python_init_python’:
../src/nemo-python.c:192:9: error: implicit declaration of function ‘PySys_SetArgv’ [-Werror=implicit-function-declaration]
192 | PySys_SetArgv(1, argv);
| ^~~~~~~~~~~~~
According to https://docs.python.org/3.13/whatsnew/3.13.html:
Remove the following old functions to configure the Python initialization,
deprecated in Python 3.11:
PySys_AddWarnOptionUnicode(): use PyConfig.warnoptions instead.
PySys_AddWarnOption(): use PyConfig.warnoptions instead.
PySys_AddXOption(): use PyConfig.xoptions instead.
PySys_HasWarnOptions(): use PyConfig.xoptions instead.
PySys_SetArgvEx(): set PyConfig.argv instead.
PySys_SetArgv(): set PyConfig.argv instead.
PySys_SetPath(): set PyConfig.module_search_paths instead.
Py_SetPath(): set PyConfig.module_search_paths instead.
Py_SetProgramName(): set PyConfig.program_name instead.
Py_SetPythonHome(): set PyConfig.home instead.
Py_SetStandardStreamEncoding(): set PyConfig.stdio_encoding instead, and
set also maybe PyConfig.legacy_windows_stdio (on Windows).
_Py_SetProgramFullPath(): set PyConfig.executable instead.
https://docs.python.org/3.13/whatsnew/3.13.html
For the build logs, see:
https://copr-be.cloud.fedoraproject.org/results/@python/python3.13/fedora-r…
For all our attempts to build nemo-extensions with Python 3.13, see:
https://copr.fedorainfracloud.org/coprs/g/python/python3.13/package/nemo-ex…
Testing and mass rebuild of packages is happening in copr.
You can follow these instructions to test locally in mock if your package
builds with Python 3.13:
https://copr.fedorainfracloud.org/coprs/g/python/python3.13/
Let us know here if you have any questions.
Python 3.13 is planned to be included in Fedora 41.
To make that update smoother, we're building Fedora packages with all
pre-releases of Python 3.13.
A build failure prevents us from testing all dependent packages (transitive
[Build]Requires),
so if this package is required a lot, it's important for us to get it fixed
soon.
We'd appreciate help from the people who know this package best,
but if you don't want to work on this now, let us know so we can try to work
around it on our side.
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2244836
[Bug 2244836] Python 3.13
https://bugzilla.redhat.com/show_bug.cgi?id=2172727
Bug ID: 2172727
Summary: F38FailsToInstall: python3-cle
Product: Fedora
Version: 38
Status: NEW
Component: python-cle
Assignee: redhat(a)flyn.org
Reporter: fti-bugs(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: epel-packagers-sig(a)lists.fedoraproject.org,
mail(a)fabian-affolter.ch, redhat(a)flyn.org
Blocks: 2117177 (F38FailsToInstall)
Target Milestone: ---
Classification: Fedora
Hello,
Please note that this comment was generated automatically by
https://pagure.io/releng/blob/main/f/scripts/ftbfs-fti/follow-policy.py
If you feel that this output has mistakes, please open an issue at
https://pagure.io/releng/
Your package (python-cle) Fails To Install in Fedora 38:
can't install python3-cle:
- nothing provides python3.11dist(pyvex) = 9.0.9572 needed by
python3-cle-9.0.9572-4.fc37.noarch
If you know about this problem and are planning on fixing it, please
acknowledge so by setting the bug status to ASSIGNED. If you don't have time to
maintain this package, consider orphaning it, so maintainers of dependent
packages realize the problem.
If you don't react accordingly to the policy for FTBFS/FTI bugs
(https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fails…),
your package may be orphaned in 8+ weeks.
P.S. The data was generated solely from koji buildroot, so it might be newer
than the latest compose or the content on mirrors. To reproduce, use the
koji/local repo only, e.g. in mock:
$ mock -r fedora-38-x86_64 --config-opts mirrored=False install python3-cle
P.P.S. If this bug has been reported in the middle of upgrading multiple
dependent packages, please consider using side tags:
https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/#updating-inter-d…
Thanks!
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2117177
[Bug 2117177] Fedora 38 Fails To install Tracker
https://bugzilla.redhat.com/show_bug.cgi?id=2172728
Bug ID: 2172728
Summary: F38FailsToInstall: python3-pyvex
Product: Fedora
Version: 38
Status: NEW
Component: python-pyvex
Assignee: redhat(a)flyn.org
Reporter: fti-bugs(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: epel-packagers-sig(a)lists.fedoraproject.org,
mail(a)fabian-affolter.ch, redhat(a)flyn.org
Blocks: 2117177 (F38FailsToInstall)
Target Milestone: ---
Classification: Fedora
Hello,
Please note that this comment was generated automatically by
https://pagure.io/releng/blob/main/f/scripts/ftbfs-fti/follow-policy.py
If you feel that this output has mistakes, please open an issue at
https://pagure.io/releng/
Your package (python-pyvex) Fails To Install in Fedora 38:
can't install python3-pyvex:
- nothing provides python3.11dist(archinfo) = 9.2.32 needed by
python3-pyvex-9.2.32-2.fc38.x86_64
If you know about this problem and are planning on fixing it, please
acknowledge so by setting the bug status to ASSIGNED. If you don't have time to
maintain this package, consider orphaning it, so maintainers of dependent
packages realize the problem.
If you don't react accordingly to the policy for FTBFS/FTI bugs
(https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fails…),
your package may be orphaned in 8+ weeks.
P.S. The data was generated solely from koji buildroot, so it might be newer
than the latest compose or the content on mirrors. To reproduce, use the
koji/local repo only, e.g. in mock:
$ mock -r fedora-38-x86_64 --config-opts mirrored=False install python3-pyvex
P.P.S. If this bug has been reported in the middle of upgrading multiple
dependent packages, please consider using side tags:
https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/#updating-inter-d…
Thanks!
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2117177
[Bug 2117177] Fedora 38 Fails To install Tracker