The following Fedora 35 Security updates need testing:
Age  URL                                                              Build
292  https://bodhi.fedoraproject.org/updates/FEDORA-2022-dfc6924a11   mysql-connector-java-8.0.28-1.fc35
 13  https://bodhi.fedoraproject.org/updates/FEDORA-2022-003403ec6b   samba-4.15.12-0.fc35
 13  https://bodhi.fedoraproject.org/updates/FEDORA-2022-14f11bfc73   ntfs-3g-2022.10.3-1.fc35
 13  https://bodhi.fedoraproject.org/updates/FEDORA-2022-927df621df   thunderbird-102.5.0-1.fc35
 13  https://bodhi.fedoraproject.org/updates/FEDORA-2022-53a4a5dd11   xen-4.15.4-1.fc35
  6  https://bodhi.fedoraproject.org/updates/FEDORA-2022-df2f4923ea   libetpan-1.9.4-9.fc35
  6  https://bodhi.fedoraproject.org/updates/FEDORA-2022-99c00af79f   advancecomp-2.4-1.fc35
  5  https://bodhi.fedoraproject.org/updates/FEDORA-2022-0ff8149aad   qpress-20220819-1.fc35
  2  https://bodhi.fedoraproject.org/updates/FEDORA-2022-cb7084ae1c   moodle-3.11.11-1.fc35

The following Fedora 35 Critical Path updates have yet to be approved:
Age  URL                                                              Build
111  https://bodhi.fedoraproject.org/updates/FEDORA-2022-bca7996d14   annobin-10.81-1.fc35
 75  https://bodhi.fedoraproject.org/updates/FEDORA-2022-97f6c4fd2a   libblockdev-2.28-2.fc35
 17  https://bodhi.fedoraproject.org/updates/FEDORA-2022-43fa48ce4e   python-rpmautospec-0.3.1-1.fc35
 13  https://bodhi.fedoraproject.org/updates/FEDORA-2022-53a4a5dd11   xen-4.15.4-1.fc35
 13  https://bodhi.fedoraproject.org/updates/FEDORA-2022-927df621df   thunderbird-102.5.0-1.fc35
 13  https://bodhi.fedoraproject.org/updates/FEDORA-2022-14f11bfc73   ntfs-3g-2022.10.3-1.fc35
 13  https://bodhi.fedoraproject.org/updates/FEDORA-2022-003403ec6b   samba-4.15.12-0.fc35
  9  https://bodhi.fedoraproject.org/updates/FEDORA-2022-7184211fc4   koji-1.31.0-1.fc35
  9  https://bodhi.fedoraproject.org/updates/FEDORA-2022-1b29661d86   vim-9.0.915-1.fc35
  6  https://bodhi.fedoraproject.org/updates/FEDORA-2022-32e69d01a9   libbsd-0.11.7-1.fc35
  6  https://bodhi.fedoraproject.org/updates/FEDORA-2022-9fde12c816   gcc-11.3.1-4.fc35
  2  https://bodhi.fedoraproject.org/updates/FEDORA-2022-ae162c4397   libxcrypt-4.4.33-3.fc35
  2  https://bodhi.fedoraproject.org/updates/FEDORA-2022-a644404329   appstream-data-35-9.fc35
  2  https://bodhi.fedoraproject.org/updates/FEDORA-2022-6299256f20   langtable-0.0.61-2.fc35

The following builds have been pushed to Fedora 35 updates-testing
fedora-upgrade-37.2-1.fc35
freerdp-2.9.0-1.fc35
mame-0.250-1.fc35
menulibre-2.3.0-1.fc35
mutter-41.9-2.fc35
nextcloud-25.0.1-1.fc35
osbuild-composer-69-1.fc35
python-glymur-0.12.1-1.fc35
python-specfile-0.10.0-1.fc35
ruby-3.0.5-155.fc35
setzer-0.4.8-1.fc35
sfnt2woff-zopfli-1.3.1-3.fc35
woff-0.20091126-33.fc35
Details about builds:
================================================================================
fedora-upgrade-37.2-1.fc35 (FEDORA-2022-cd31b3e759)
Upgrade Fedora to next version using dnf upgrade (unofficial tool)
--------------------------------------------------------------------------------
Update Information:
do not check if Fedora 37 is preupgrade
--------------------------------------------------------------------------------
ChangeLog:
* Wed Nov 30 2022 Miroslav Suchý <msuchy(a)redhat.com> 37.2-1
- do not check if f37 is prerelease
- use spdx license
- 2142229 - reference for log what executed /usr/bin/true
- report reason of the retirement
--------------------------------------------------------------------------------
================================================================================
freerdp-2.9.0-1.fc35 (FEDORA-2022-a0a27f63ce)
Free implementation of the Remote Desktop Protocol (RDP)
--------------------------------------------------------------------------------
Update Information:
Update to 2.9.0 (CVE-2022-39316, CVE-2022-39317, CVE-2022-39318, CVE-2022-39319,
CVE-2022-39320, CVE-2022-41877 and CVE-2022-39347).
--------------------------------------------------------------------------------
ChangeLog:
* Wed Nov 30 2022 Ondrej Holy <oholy(a)redhat.com> - 2:2.9.0-1
- Update to 2.9.0 (CVE-2022-39316, CVE-2022-39317, CVE-2022-39318,
CVE-2022-39319, CVE-2022-39320, CVE-2022-41877, CVE-2022-39347).
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2143642 - CVE-2022-39316 freerdp: out of bounds read in zgfx decoder
https://bugzilla.redhat.com/show_bug.cgi?id=2143642
[ 2 ] Bug #2143643 - CVE-2022-39317 freerdp: undefined behaviour in zgfx decoder
https://bugzilla.redhat.com/show_bug.cgi?id=2143643
[ 3 ] Bug #2143644 - CVE-2022-39318 freerdp: division by zero in urbdrc channel
https://bugzilla.redhat.com/show_bug.cgi?id=2143644
[ 4 ] Bug #2143645 - CVE-2022-39319 freerdp: missing length validation in urbdrc channel
https://bugzilla.redhat.com/show_bug.cgi?id=2143645
[ 5 ] Bug #2143646 - CVE-2022-39320 freerdp: heap buffer overflow in urbdrc channel
https://bugzilla.redhat.com/show_bug.cgi?id=2143646
[ 6 ] Bug #2143647 - CVE-2022-39347 freerdp: missing path sanitation with `drive` channel
https://bugzilla.redhat.com/show_bug.cgi?id=2143647
[ 7 ] Bug #2143648 - CVE-2022-41877 freerdp: missing input length validation in `drive` channel
https://bugzilla.redhat.com/show_bug.cgi?id=2143648
--------------------------------------------------------------------------------
================================================================================
mame-0.250-1.fc35 (FEDORA-2022-479e121d48)
Multiple Arcade Machine Emulator
--------------------------------------------------------------------------------
Update Information:
Update to the latest upstream release:
* https://www.mamedev.org/?p=519
--------------------------------------------------------------------------------
ChangeLog:
* Tue Nov 29 2022 Julian Sikorski <belegdol(a)fedoraproject.org> 0.250-1
- Update to 0.250 and enable system asio on F37
--------------------------------------------------------------------------------
================================================================================
menulibre-2.3.0-1.fc35 (FEDORA-2022-0c3b725110)
FreeDesktop.org compliant menu editor
--------------------------------------------------------------------------------
Update Information:
Updating to 2.3.0 (fix #2096289)
--------------------------------------------------------------------------------
ChangeLog:
* Tue Nov 29 2022 Lyes Saadi <lyessaadi(a)fedoraproject.org> 2.3.0-1
- Updating to 2.3.0 (fix #2096289)
* Thu Jul 21 2022 Fedora Release Engineering <releng(a)fedoraproject.org> 2.2.3-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Mon Jun 13 2022 Python Maint <python-maint(a)redhat.com> 2.2.3-4
- Rebuilt for Python 3.11
* Thu Jan 20 2022 Fedora Release Engineering <releng(a)fedoraproject.org> 2.2.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2096289 - menulibre-2.3.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2096289
--------------------------------------------------------------------------------
================================================================================
mutter-41.9-2.fc35 (FEDORA-2022-6a61088a67)
Window and compositing manager based on Clutter
--------------------------------------------------------------------------------
Update Information:
This update backports a fix for an occasional crash on logout.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Nov 30 2022 Adam Williamson <awilliam(a)redhat.com> - 41.9-2
- Backport MR #2609 to fix #2036604
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2036604 - [abrt] gnome-shell: meta_context_terminate(): gnome-shell killed by SIGSEGV
https://bugzilla.redhat.com/show_bug.cgi?id=2036604
--------------------------------------------------------------------------------
================================================================================
nextcloud-25.0.1-1.fc35 (FEDORA-2022-49b20342c0)
Private file sync and share server
--------------------------------------------------------------------------------
Update Information:
Security fix for CVE-2022-39346
--------------------------------------------------------------------------------
ChangeLog:
* Mon Nov 28 2022 Iván Chavero <ichavero(a)chavero.com.mx> 25.0.1-1
- Update for 25.0.1
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2148815 - CVE-2022-39346 nextcloud: Missing length validation of user displayname allows to generate an SQL error
https://bugzilla.redhat.com/show_bug.cgi?id=2148815
--------------------------------------------------------------------------------
================================================================================
osbuild-composer-69-1.fc35 (FEDORA-2022-3dd30710bd)
An image building service based on osbuild
--------------------------------------------------------------------------------
Update Information:
Automatic update for osbuild-composer-69-1.fc35.

##### **Changelog for osbuild-composer**

```
* Wed Nov 30 2022 Packit <hello(a)packit.dev> - 69-1
Changes with 69
----------------
  * Add /blueprints/change/NAME/COMMIT route and save blueprint changes in the store (#3121)
  * CloudAPI: add description for `Repository` definition (#3158)
  * Rewrite RHEL 9 and CS9 image definitions using the new framework (#3120)
  * SPEC: run the %preun commands in worker package only on removal (#3149)
  * Update snapshots to 20221115 (#3136)
  * azure-sap image (#3074)
  * ci: update Fedora 37 runners to GA (#3157)
  * cloudapi/v2: pass rhsm requirement to ostree resolve job (#3142)
  * disk: align LVM2 volumes to the extent size (#3137)
  * image: create image-installer image type for fedora (#3077)
  * tools: silence version comparison in get_build_info() (#3150)
Contributions from: Achilleas Koutsou, Antonio Murdaca, Brian C. Lane, Christian Kellner,
Ondřej Budai, Sanne Raymaekers, Sarita Mahajan, Simon de Vlieger, Tomáš Hozza, Xiaofeng
Wang, fkolwa, schutzbot
-- Somewhere on the Internet, 2022-11-30
```
--------------------------------------------------------------------------------
ChangeLog:
* Wed Nov 30 2022 Packit <hello(a)packit.dev> - 69-1
Changes with 69
----------------
* Add /blueprints/change/NAME/COMMIT route and save blueprint changes in the store
(#3121)
* CloudAPI: add description for `Repository` definition (#3158)
* Rewrite RHEL 9 and CS9 image definitions using the new framework (#3120)
* SPEC: run the %preun commands in worker package only on removal (#3149)
* Update snapshots to 20221115 (#3136)
* azure-sap image (#3074)
* ci: update Fedora 37 runners to GA (#3157)
* cloudapi/v2: pass rhsm requirement to ostree resolve job (#3142)
* disk: align LVM2 volumes to the extent size (#3137)
* image: create image-installer image type for fedora (#3077)
* tools: silence version comparison in get_build_info() (#3150)
Contributions from: Achilleas Koutsou, Antonio Murdaca, Brian C. Lane, Christian Kellner,
Ondřej Budai, Sanne Raymaekers, Sarita Mahajan, Simon de Vlieger, Tomáš Hozza, Xiaofeng
Wang, fkolwa, schutzbot
-- Somewhere on the Internet, 2022-11-30
--------------------------------------------------------------------------------
================================================================================
python-glymur-0.12.1-1.fc35 (FEDORA-2022-20580c24df)
Interface to the OpenJPEG library for working with JPEG 2000 files
--------------------------------------------------------------------------------
Update Information:
### November 28, 2022 - v0.12.1
- Do not error out for JP2 files with multiple codestreams.
- Relax validation for invalid JP2 files with multiple jp2h boxes.
- Drop support for python 3.7.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Nov 30 2022 Benjamin A. Beasley <code(a)musicinmybrain.net> 0.12.1-1
- Update to 0.12.1 (close RHBZ#2148803)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2148803 - python-glymur-0.12.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2148803
--------------------------------------------------------------------------------
================================================================================
python-specfile-0.10.0-1.fc35 (FEDORA-2022-3ededc36cf)
A library for parsing and manipulating RPM spec files
--------------------------------------------------------------------------------
Update Information:
Automatic update for python-specfile-0.10.0-1.fc35.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Nov 30 2022 Packit <hello(a)packit.dev> - 0.10.0-1
- Fixed an issue that caused empty lines originally inside changelog entries to appear at
the end. (#140)
- Renamed the `ignore_missing_includes` option to a more general `force_parse`. If
specified, it allows to attempt to parse the spec file even if one or more sources
required to be present at parsing time are not available. Such sources include sources
referenced from shell expansions in tag values and sources included using the `%include`
directive. (#137)
--------------------------------------------------------------------------------
================================================================================
ruby-3.0.5-155.fc35 (FEDORA-2022-b9b710f199)
An interpreter of object-oriented scripting language
--------------------------------------------------------------------------------
Update Information:
Upgrade to Ruby 3.0.5.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Nov 30 2022 Vít Ondruch <vondruch(a)redhat.com> - 3.0.4-155
- Upgrade to Ruby 3.0.5.
* Fri Nov 4 2022 Jun Aruga <jaruga(a)redhat.com> - 3.0.4-154
- Fix tests with Europe/Amsterdam pre-1970 time on tzdata version 2022b.
Resolves: rhbz#2120354
- Bypass git submodule test failure on Git >= 2.38.1.
--------------------------------------------------------------------------------
================================================================================
setzer-0.4.8-1.fc35 (FEDORA-2022-2df17e2d23)
LaTeX editor written in Python with Gtk
--------------------------------------------------------------------------------
Update Information:
Updating to 0.4.8 (fix #2112453)
--------------------------------------------------------------------------------
ChangeLog:
* Tue Nov 29 2022 Lyes Saadi <fedora(a)lyes.eu> - 0.4.8-1
- Updating to 0.4.8 (fix #2112453)
* Sat Jul 23 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 0.4.7-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Tue Jun 14 2022 Python Maint <python-maint(a)redhat.com> - 0.4.7-2
- Rebuilt for Python 3.11
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2112453 - setzer-0.4.8 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2112453
--------------------------------------------------------------------------------
================================================================================
sfnt2woff-zopfli-1.3.1-3.fc35 (FEDORA-2022-458378be7a)
Create WOFF files with Zopfli compression
--------------------------------------------------------------------------------
Update Information:
Fix a possible double free in woffEncode()
--------------------------------------------------------------------------------
ChangeLog:
* Tue Nov 29 2022 Benjamin A. Beasley <code(a)musicinmybrain.net> 1.3.1-3
- Fix a possible double free in woffEncode()
--------------------------------------------------------------------------------
================================================================================
woff-0.20091126-33.fc35 (FEDORA-2022-d50ded078e)
Encoding and decoding for Web Open Font Format (WOFF)
--------------------------------------------------------------------------------
Update Information:
Fix a possible double free in `woffEncode()`.
- Update License to SPDX
- improved summary and description
- Add hand-written man pages
- Install HTML format description as documentation
--------------------------------------------------------------------------------
ChangeLog:
* Tue Nov 29 2022 Benjamin A. Beasley <code(a)musicinmybrain.net> 0.20091126-33
- Improved summary and description
* Tue Nov 29 2022 Benjamin A. Beasley <code(a)musicinmybrain.net> 0.20091126-32
- Update License to SPDX
* Tue Nov 29 2022 Benjamin A. Beasley <code(a)musicinmybrain.net> - 0.20091126-26
- Clarify URL/Source situation, and do not claim to have a working source
archive URL
- General tidying of spec file; use modern macros and install HTML format
description as documentation
- Add hand-written man pages
* Sun Jun 5 2022 Benson Muite <benson_muite(a)emailplus.org> - 0.20091126-25
- Source URL update
--------------------------------------------------------------------------------