November 2023 - Epel-packagers-sig - Fedora mailing-lists

[Bug 2246633] New: CVE-2023-46234 yarnpkg: browserify-sign: upper bound check issue in dsaVerify leads to a signature forgery attack [fedora-all]
by bugzilla＠redhat.com 27 Feb '24

27 Feb '24

https://bugzilla.redhat.com/show_bug.cgi?id=2246633 Bug ID: 2246633 Summary: CVE-2023-46234 yarnpkg: browserify-sign: upper bound check issue in dsaVerify leads to a signature forgery attack [fedora-all] Product: Fedora Version: 38 Status: NEW Component: yarnpkg Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: zsvetlik(a)redhat.com Reporter: pdelbell(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, manisandro(a)gmail.com, ngompa13(a)gmail.com, zsvetlik(a)redhat.com Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2246470 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2246633 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-sp…

1 8

[Bug 2220682] New: CVE-2023-26136 yarnpkg: tough-cookie: prototype pollution in cookie memstore [fedora-all]
by bugzilla＠redhat.com 27 Feb '24

27 Feb '24

https://bugzilla.redhat.com/show_bug.cgi?id=2220682 Bug ID: 2220682 Summary: CVE-2023-26136 yarnpkg: tough-cookie: prototype pollution in cookie memstore [fedora-all] Product: Fedora Version: 38 Status: NEW Component: yarnpkg Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: zsvetlik(a)redhat.com Reporter: ahanwate(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, manisandro(a)gmail.com, ngompa13(a)gmail.com, zsvetlik(a)redhat.com Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2219310 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2220682 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-sp…

1 8

[Bug 2209317] New: CVE-2022-37599 yarnpkg: loader-utils: regular expression denial of service in interpolateName.js [fedora-all]
by bugzilla＠redhat.com 27 Feb '24

27 Feb '24

https://bugzilla.redhat.com/show_bug.cgi?id=2209317 Bug ID: 2209317 Summary: CVE-2022-37599 yarnpkg: loader-utils: regular expression denial of service in interpolateName.js [fedora-all] Product: Fedora Version: 38 Status: NEW Component: yarnpkg Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: zsvetlik(a)redhat.com Reporter: ahanwate(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, manisandro(a)gmail.com, ngompa13(a)gmail.com, zsvetlik(a)redhat.com Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2134872 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2209317

1 8

[Bug 2251792] New: python-bcrypt-4.1.0 is available
by bugzilla＠redhat.com 24 Feb '24

24 Feb '24

https://bugzilla.redhat.com/show_bug.cgi?id=2251792 Bug ID: 2251792 Summary: python-bcrypt-4.1.0 is available Product: Fedora Version: rawhide Status: NEW Component: python-bcrypt Keywords: FutureFeature, Triaged Assignee: pingou(a)pingoured.fr Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, infra-sig(a)lists.fedoraproject.org, mhayden(a)redhat.com, pingou(a)pingoured.fr, python-packagers-sig(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Releases retrieved: 4.1.0 Upstream release that is considered latest: 4.1.0 Current version/release in rawhide: 4.0.1-6.fc40 URL: http://pypi.python.org/pypi/bcrypt Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_M… Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from Anitya: https://release-monitoring.org/project/9047/ To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/python-bcrypt -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2251792 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-sp…

1 10

[Bug 2179146] New: python-pandas-2.0.0rc1 is available
by bugzilla＠redhat.com 20 Feb '24

20 Feb '24

https://bugzilla.redhat.com/show_bug.cgi?id=2179146 Bug ID: 2179146 Summary: python-pandas-2.0.0rc1 is available Product: Fedora Version: rawhide Status: NEW Component: python-pandas Keywords: FutureFeature, Triaged Assignee: jonathan(a)almalinux.org Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, jonathan(a)almalinux.org, mail(a)kushaldas.in, neuro-sig(a)lists.fedoraproject.org, orion(a)nwra.com, python-packagers-sig(a)lists.fedoraproject.org, sergio.pasra(a)gmail.com, tomspur(a)fedoraproject.org, wfp5p(a)worldbroken.com Target Milestone: --- Classification: Fedora Releases retrieved: 2.0.0rc1 Upstream release that is considered latest: 2.0.0rc1 Current version/release in rawhide: 1.5.3-1.fc39 URL: http://pandas.pydata.org/ Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_M… Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from Anitya: https://release-monitoring.org/project/7578/ To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/python-pandas -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2179146

1 18

[Bug 2249694] New: yarnpkg-1.22.21 is available
by bugzilla＠redhat.com 16 Feb '24

16 Feb '24

https://bugzilla.redhat.com/show_bug.cgi?id=2249694 Bug ID: 2249694 Summary: yarnpkg-1.22.21 is available Product: Fedora Version: rawhide Status: NEW Component: yarnpkg Keywords: FutureFeature, Triaged Assignee: zsvetlik(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, manisandro(a)gmail.com, ngompa13(a)gmail.com, zsvetlik(a)redhat.com Target Milestone: --- Classification: Fedora Releases retrieved: 1.22.20, 1.22.21 Upstream release that is considered latest: 1.22.21 Current version/release in rawhide: 1.22.19-7.fc39 URL: https://yarnpkg.com Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_M… Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from Anitya: https://release-monitoring.org/project/13363/ To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/yarnpkg -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2249694 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-sp…

1 1

[Bug 2183119] New: FTBFS with autoconf 2.72/2.73
by bugzilla＠redhat.com 15 Feb '24

15 Feb '24

https://bugzilla.redhat.com/show_bug.cgi?id=2183119 Bug ID: 2183119 Summary: FTBFS with autoconf 2.72/2.73 Product: Fedora Version: rawhide OS: All Status: NEW Component: ImageMagick Assignee: luya_tfz(a)thefinalzone.net Reporter: fberat(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: blaise(a)gmail.com, davide(a)cavalca.name, epel-packagers-sig(a)lists.fedoraproject.org, fedora(a)famillecollet.com, luya_tfz(a)thefinalzone.net, michel(a)michel-slm.name, ngompa13(a)gmail.com, pampelmuse(a)gmx.at, sergio(a)serjux.com Target Milestone: --- Classification: Fedora Autoconf 2.72 (or 2.73) seems to be under preparation upstream, I therefore started to build dependent components against the pre-release [1] to verify that they can be built once it lands in Fedora. Your component fails to build with the new version of autoconf, due to the following error: configure:4837: error: possibly undefined macro: _AC_SYS_LARGEFILE_TEST_INCLUDES If this token and others are legitimate, please use m4_pattern_allow. See the Autoconf documentation. autoreconf: error: /usr/bin/autoconf failed with exit status: 1 Unfortunately, this can't be fixed with an autoreconf, an update of the files provided by gnulib are necessary. These files are usually added during the bootstrap of the source code, which is done to generate the release tarball. Please forward this to the community, and update the component accordingly. [1] https://lists.gnu.org/archive/html/autoconf/2023-03/msg00020.html -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2183119

1 2

[Bug 2247262] New: nemo-extensions fails to build with Python 3.13: error: implicit declaration of function PySys_SetArgv
by bugzilla＠redhat.com 15 Feb '24

15 Feb '24

https://bugzilla.redhat.com/show_bug.cgi?id=2247262 Bug ID: 2247262 Summary: nemo-extensions fails to build with Python 3.13: error: implicit declaration of function PySys_SetArgv Product: Fedora Version: rawhide Status: NEW Component: nemo-extensions Assignee: leigh123linux(a)googlemail.com Reporter: ksurma(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, ksurma(a)redhat.com, leigh123linux(a)googlemail.com, mhroncok(a)redhat.com, riehecky(a)fnal.gov Blocks: 2244836 (PYTHON3.13) Target Milestone: --- Classification: Fedora nemo-extensions fails to build with Python 3.13.0a1. ../src/nemo-python.c: In function ‘nemo_python_init_python’: ../src/nemo-python.c:192:9: error: implicit declaration of function ‘PySys_SetArgv’ [-Werror=implicit-function-declaration] 192 | PySys_SetArgv(1, argv); | ^~~~~~~~~~~~~ According to https://docs.python.org/3.13/whatsnew/3.13.html: Remove the following old functions to configure the Python initialization, deprecated in Python 3.11: PySys_AddWarnOptionUnicode(): use PyConfig.warnoptions instead. PySys_AddWarnOption(): use PyConfig.warnoptions instead. PySys_AddXOption(): use PyConfig.xoptions instead. PySys_HasWarnOptions(): use PyConfig.xoptions instead. PySys_SetArgvEx(): set PyConfig.argv instead. PySys_SetArgv(): set PyConfig.argv instead. PySys_SetPath(): set PyConfig.module_search_paths instead. Py_SetPath(): set PyConfig.module_search_paths instead. Py_SetProgramName(): set PyConfig.program_name instead. Py_SetPythonHome(): set PyConfig.home instead. Py_SetStandardStreamEncoding(): set PyConfig.stdio_encoding instead, and set also maybe PyConfig.legacy_windows_stdio (on Windows). _Py_SetProgramFullPath(): set PyConfig.executable instead. https://docs.python.org/3.13/whatsnew/3.13.html For the build logs, see: https://copr-be.cloud.fedoraproject.org/results/@python/python3.13/fedora-r… For all our attempts to build nemo-extensions with Python 3.13, see: https://copr.fedorainfracloud.org/coprs/g/python/python3.13/package/nemo-ex… Testing and mass rebuild of packages is happening in copr. You can follow these instructions to test locally in mock if your package builds with Python 3.13: https://copr.fedorainfracloud.org/coprs/g/python/python3.13/ Let us know here if you have any questions. Python 3.13 is planned to be included in Fedora 41. To make that update smoother, we're building Fedora packages with all pre-releases of Python 3.13. A build failure prevents us from testing all dependent packages (transitive [Build]Requires), so if this package is required a lot, it's important for us to get it fixed soon. We'd appreciate help from the people who know this package best, but if you don't want to work on this now, let us know so we can try to work around it on our side. Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=2244836 [Bug 2244836] Python 3.13 -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2247262 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-sp…

1 1

[Bug 2172727] New: F38FailsToInstall: python3-cle
by bugzilla＠redhat.com 10 Feb '24

10 Feb '24

https://bugzilla.redhat.com/show_bug.cgi?id=2172727 Bug ID: 2172727 Summary: F38FailsToInstall: python3-cle Product: Fedora Version: 38 Status: NEW Component: python-cle Assignee: redhat(a)flyn.org Reporter: fti-bugs(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, mail(a)fabian-affolter.ch, redhat(a)flyn.org Blocks: 2117177 (F38FailsToInstall) Target Milestone: --- Classification: Fedora Hello, Please note that this comment was generated automatically by https://pagure.io/releng/blob/main/f/scripts/ftbfs-fti/follow-policy.py If you feel that this output has mistakes, please open an issue at https://pagure.io/releng/ Your package (python-cle) Fails To Install in Fedora 38: can't install python3-cle: - nothing provides python3.11dist(pyvex) = 9.0.9572 needed by python3-cle-9.0.9572-4.fc37.noarch If you know about this problem and are planning on fixing it, please acknowledge so by setting the bug status to ASSIGNED. If you don't have time to maintain this package, consider orphaning it, so maintainers of dependent packages realize the problem. If you don't react accordingly to the policy for FTBFS/FTI bugs (https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fails…), your package may be orphaned in 8+ weeks. P.S. The data was generated solely from koji buildroot, so it might be newer than the latest compose or the content on mirrors. To reproduce, use the koji/local repo only, e.g. in mock: $ mock -r fedora-38-x86_64 --config-opts mirrored=False install python3-cle P.P.S. If this bug has been reported in the middle of upgrading multiple dependent packages, please consider using side tags: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/#updating-inter-d… Thanks! Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=2117177 [Bug 2117177] Fedora 38 Fails To install Tracker -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2172727

1 14

[Bug 2172728] New: F38FailsToInstall: python3-pyvex
by bugzilla＠redhat.com 10 Feb '24

10 Feb '24

https://bugzilla.redhat.com/show_bug.cgi?id=2172728 Bug ID: 2172728 Summary: F38FailsToInstall: python3-pyvex Product: Fedora Version: 38 Status: NEW Component: python-pyvex Assignee: redhat(a)flyn.org Reporter: fti-bugs(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, mail(a)fabian-affolter.ch, redhat(a)flyn.org Blocks: 2117177 (F38FailsToInstall) Target Milestone: --- Classification: Fedora Hello, Please note that this comment was generated automatically by https://pagure.io/releng/blob/main/f/scripts/ftbfs-fti/follow-policy.py If you feel that this output has mistakes, please open an issue at https://pagure.io/releng/ Your package (python-pyvex) Fails To Install in Fedora 38: can't install python3-pyvex: - nothing provides python3.11dist(archinfo) = 9.2.32 needed by python3-pyvex-9.2.32-2.fc38.x86_64 If you know about this problem and are planning on fixing it, please acknowledge so by setting the bug status to ASSIGNED. If you don't have time to maintain this package, consider orphaning it, so maintainers of dependent packages realize the problem. If you don't react accordingly to the policy for FTBFS/FTI bugs (https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fails…), your package may be orphaned in 8+ weeks. P.S. The data was generated solely from koji buildroot, so it might be newer than the latest compose or the content on mirrors. To reproduce, use the koji/local repo only, e.g. in mock: $ mock -r fedora-38-x86_64 --config-opts mirrored=False install python3-pyvex P.P.S. If this bug has been reported in the middle of upgrading multiple dependent packages, please consider using side tags: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/#updating-inter-d… Thanks! Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=2117177 [Bug 2117177] Fedora 38 Fails To install Tracker -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2172728

1 15

2024

2023

2022

2021

Epel-packagers-sig November 2023