May 2023 - Epel-packagers-sig - Fedora mailing-lists

[Bug 2127008] New: CVE-2021-43138 yarnpkg: async: Prototype Pollution in async [fedora-all]
by bugzilla＠redhat.com 05 Jun '23

05 Jun '23

https://bugzilla.redhat.com/show_bug.cgi?id=2127008 Bug ID: 2127008 Summary: CVE-2021-43138 yarnpkg: async: Prototype Pollution in async [fedora-all] Product: Fedora Version: 36 Status: NEW Component: yarnpkg Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: zsvetlik(a)redhat.com Reporter: ahanwate(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, ngompa13(a)gmail.com, zsvetlik(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2127008

1 10

[Bug 2167289] New: CVE-2018-25079 yarnpkg: is-url: inefficient regular expression complexity [epel-8]
by bugzilla＠redhat.com 05 Jun '23

05 Jun '23

https://bugzilla.redhat.com/show_bug.cgi?id=2167289 Bug ID: 2167289 Summary: CVE-2018-25079 yarnpkg: is-url: inefficient regular expression complexity [epel-8] Product: Fedora EPEL Version: epel8 Status: NEW Component: yarnpkg Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: zsvetlik(a)redhat.com Reporter: ahanwate(a)redhat.com CC: epel-packagers-sig(a)lists.fedoraproject.org, manisandro(a)gmail.com, ngompa13(a)gmail.com, zsvetlik(a)redhat.com Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2167268 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2167289

1 3

[Bug 2209211] New: rb_libtorrent-2.0.9 is available
by bugzilla＠redhat.com 04 Jun '23

04 Jun '23

https://bugzilla.redhat.com/show_bug.cgi?id=2209211 Bug ID: 2209211 Summary: rb_libtorrent-2.0.9 is available Product: Fedora Version: rawhide Status: NEW Component: rb_libtorrent Keywords: FutureFeature, Triaged Assignee: mike(a)cchtml.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, me(a)fale.io, mike(a)cchtml.com Target Milestone: --- Classification: Fedora Releases retrieved: 1.2.19, 2.0.9 Upstream release that is considered latest: 2.0.9 Current version/release in rawhide: 2.0.8-3.fc39 URL: http://libtorrent.org Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_M… Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from Anitya: https://release-monitoring.org/project/4166/ To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/rb_libtorrent -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2209211

1 8

[Bug 2210875] New: ImageMagick-7.1.1.11 is available
by bugzilla＠redhat.com 03 Jun '23

03 Jun '23

https://bugzilla.redhat.com/show_bug.cgi?id=2210875 Bug ID: 2210875 Summary: ImageMagick-7.1.1.11 is available Product: Fedora Version: rawhide Status: NEW Component: ImageMagick Keywords: FutureFeature, Triaged Assignee: luya_tfz(a)thefinalzone.net Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: blaise(a)gmail.com, davide(a)cavalca.name, epel-packagers-sig(a)lists.fedoraproject.org, fedora(a)famillecollet.com, luya_tfz(a)thefinalzone.net, michel(a)michel-slm.name, ngompa13(a)gmail.com, pampelmuse(a)gmx.at, sergio(a)serjux.com Target Milestone: --- Classification: Fedora Releases retrieved: 7.1.1.11 Upstream release that is considered latest: 7.1.1.11 Current version/release in rawhide: 7.1.1.10-1.fc39 URL: https://imagemagick.org Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_M… Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from Anitya: https://release-monitoring.org/project/328484/ To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/ImageMagick -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2210875

1 5

[Bug 2210669] New: CVE-2023-34151 ImageMagick: Undefined behaviors of casting double to size_t in svg, mvg and other coders [fedora-38]
by bugzilla＠redhat.com 03 Jun '23

03 Jun '23

https://bugzilla.redhat.com/show_bug.cgi?id=2210669 Bug ID: 2210669 Summary: CVE-2023-34151 ImageMagick: Undefined behaviors of casting double to size_t in svg, mvg and other coders [fedora-38] Product: Fedora Version: 38 Status: NEW Component: ImageMagick Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: luya_tfz(a)thefinalzone.net Reporter: saroy(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: blaise(a)gmail.com, davide(a)cavalca.name, epel-packagers-sig(a)lists.fedoraproject.org, fedora(a)famillecollet.com, luya_tfz(a)thefinalzone.net, michel(a)michel-slm.name, ngompa13(a)gmail.com, pampelmuse(a)gmx.at, sergio(a)serjux.com Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2210657 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2210669

1 6

[Bug 2210666] New: CVE-2023-34152 ImageMagick: RCE (shell command injection) vulnerability in OpenBlob with --enable-pipes configured [fedora-38]
by bugzilla＠redhat.com 03 Jun '23

03 Jun '23

https://bugzilla.redhat.com/show_bug.cgi?id=2210666 Bug ID: 2210666 Summary: CVE-2023-34152 ImageMagick: RCE (shell command injection) vulnerability in OpenBlob with --enable-pipes configured [fedora-38] Product: Fedora Version: 38 Status: NEW Component: ImageMagick Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: luya_tfz(a)thefinalzone.net Reporter: saroy(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: blaise(a)gmail.com, davide(a)cavalca.name, epel-packagers-sig(a)lists.fedoraproject.org, fedora(a)famillecollet.com, luya_tfz(a)thefinalzone.net, michel(a)michel-slm.name, ngompa13(a)gmail.com, pampelmuse(a)gmx.at, sergio(a)serjux.com Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2210659 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2210666

1 6

[Bug 2210663] New: CVE-2023-34153 ImageMagick: Shell command injection vulnerability via video:vsync or video:pixel-format options in VIDEO encoding/decoding [fedora-38]
by bugzilla＠redhat.com 03 Jun '23

03 Jun '23

https://bugzilla.redhat.com/show_bug.cgi?id=2210663 Bug ID: 2210663 Summary: CVE-2023-34153 ImageMagick: Shell command injection vulnerability via video:vsync or video:pixel-format options in VIDEO encoding/decoding [fedora-38] Product: Fedora Version: 38 Status: NEW Component: ImageMagick Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: luya_tfz(a)thefinalzone.net Reporter: saroy(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: blaise(a)gmail.com, davide(a)cavalca.name, epel-packagers-sig(a)lists.fedoraproject.org, fedora(a)famillecollet.com, luya_tfz(a)thefinalzone.net, michel(a)michel-slm.name, ngompa13(a)gmail.com, pampelmuse(a)gmx.at, sergio(a)serjux.com Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2210660 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2210663

1 6

[Bug 2207788] New: ImageMagick-7.1.1.9 is available
by bugzilla＠redhat.com 03 Jun '23

03 Jun '23

https://bugzilla.redhat.com/show_bug.cgi?id=2207788 Bug ID: 2207788 Summary: ImageMagick-7.1.1.9 is available Product: Fedora Version: rawhide Status: NEW Component: ImageMagick Keywords: FutureFeature, Triaged Assignee: luya_tfz(a)thefinalzone.net Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: blaise(a)gmail.com, davide(a)cavalca.name, epel-packagers-sig(a)lists.fedoraproject.org, fedora(a)famillecollet.com, luya_tfz(a)thefinalzone.net, michel(a)michel-slm.name, ngompa13(a)gmail.com, pampelmuse(a)gmx.at, sergio(a)serjux.com Target Milestone: --- Classification: Fedora Releases retrieved: 7.1.1.9 Upstream release that is considered latest: 7.1.1.9 Current version/release in rawhide: 7.1.1.8-1.fc39 URL: https://imagemagick.org Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_M… Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from Anitya: https://release-monitoring.org/project/328484/ To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/ImageMagick -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2207788

1 9

[Bug 2209158] New: python-rasterio-1.3.7 is available
by bugzilla＠redhat.com 01 Jun '23

01 Jun '23

https://bugzilla.redhat.com/show_bug.cgi?id=2209158 Bug ID: 2209158 Summary: python-rasterio-1.3.7 is available Product: Fedora Version: rawhide Status: NEW Component: python-rasterio Keywords: FutureFeature, Triaged Assignee: quantum.analyst(a)gmail.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, jonathan(a)almalinux.org, python-packagers-sig(a)lists.fedoraproject.org, quantum.analyst(a)gmail.com Target Milestone: --- Classification: Fedora Releases retrieved: 1.3.7 Upstream release that is considered latest: 1.3.7 Current version/release in rawhide: 1.3.6-4.fc39 URL: https://github.com/mapbox/rasterio Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_M… Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from Anitya: https://release-monitoring.org/project/17437/ To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/python-rasterio -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2209158

1 6

[Bug 2140597] CVE-2022-37603 loader-utils:Regular expression denial of service
by bugzilla＠redhat.com 31 May '23

31 May '23

https://bugzilla.redhat.com/show_bug.cgi?id=2140597 errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2023:3374 -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2140597

1 0

2024

2023

2022

2021

Epel-packagers-sig May 2023