The following Fedora EPEL 9 Security updates need testing:
 Age  URL
   6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-1dbf6380d2   java-latest-openjdk-24.0.2.0.12-1.rolling.el9
   4  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-11ee8c8dc3   chromium-138.0.7204.168-1.el9
   2  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-ab0fae74f1   opentofu-1.10.3-1.el9
   1  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-72356603ed   node-exporter-1.9.1-2.el9

The following builds have been pushed to Fedora EPEL 9 updates-testing

    osc-1.19.0-457.2.1.el9
    perl-Crypt-CBC-3.07-1.el9
    rclone-1.70.3-1.el9

Details about builds:

================================================================================
 osc-1.19.0-457.2.1.el9 (FEDORA-EPEL-2025-79f9b46fba)
 Open Build Service Commander
--------------------------------------------------------------------------------
Update Information:

New upstream release 1.19.0, fixes rhbz#2383995
New upstream release 1.18.0, fixes rhbz#2382633
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jul 28 2025 Dan Čermák <dan.cer...@posteo.net> - 1.19.0-457.2.1
- New upstream release 1.19.0, fixes rhbz#2383995
* Thu Jul 24 2025 Fedora Release Engineering <rel...@fedoraproject.org> - 1.18.0-453.4.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Wed Jul 23 2025 Dan Čermák <dan.cer...@posteo.net> - 1.18.0-453.4.1
- New upstream release 1.18.0, fixes rhbz#2382633
* Tue Jun 24 2025 Dan Čermák <dan.cer...@posteo.net> - 1.17.0-451.2.1
- New upstream release 1.17.0, fixes rhbz#2374601
* Tue Jun 3 2025 Python Maint <python-ma...@redhat.com> - 1.16.0-448.1.2
- Rebuilt for Python 3.14
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2382633 - osc-1.18.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2382633
  [ 2 ] Bug #2383995 - osc-1.19.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2383995
--------------------------------------------------------------------------------

================================================================================
 perl-Crypt-CBC-3.07-1.el9 (FEDORA-EPEL-2025-e0c2088c0b)
 Encrypt Data with Cipher Block Chaining Mode
--------------------------------------------------------------------------------
Update Information:

This update, to the current upstream release version, includes a fix to source
random numbers using the Crypt::URandom module rather than trying to read
/dev/urandom and falling back to Perl's insecure rand() function if /dev/urandom
is not usable (CVE-2025-2814).
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jul 28 2025 Paul Howarth <p...@city-fan.org> - 3.07-1
- Update to 3.07 (rhbz#2383870)
- New upstream maintainer
- Fix CVE-2025-2814 by using Crypt::URandom
- Fix decryption of ciphertext created with 'header' => 'randomiv'
- Fixed bug in which manually-specified key and -pkdf=>"none" was not having any effect
- Converted build process to Dist::Zilla
- Miscellaneous minor Dist::Zilla related changes
- Switch upstream source URL from cpan.metacpan.org to www.cpan.org to skip a redirect
- Package new LICENSE, SECURITY.md and vulnerabilities.txt files
* Fri Jul 25 2025 Fedora Release Engineering <rel...@fedoraproject.org> - 3.04-18
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Sat Jan 18 2025 Fedora Release Engineering <rel...@fedoraproject.org> - 3.04-17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Thu Jul 18 2024 Fedora Release Engineering <rel...@fedoraproject.org> - 3.04-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Thu Jan 25 2024 Fedora Release Engineering <rel...@fedoraproject.org> - 3.04-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering <rel...@fedoraproject.org> - 3.04-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2359383 - CVE-2025-2814 perl-Crypt-CBC: Crypt::CBC versions between 1.21 and 3.04 for Perl may use insecure rand() function for cryptographic functions [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2359383
--------------------------------------------------------------------------------

================================================================================
 rclone-1.70.3-1.el9 (FEDORA-EPEL-2025-3ad6d2fe5c)
 Rsync for cloud storage
--------------------------------------------------------------------------------
Update Information:

Update to 1.70.3 and adopt go-vendor-tools
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jul 28 2025 Mikel Olasagasti Uranga <mi...@olasagasti.info> - 1.70.3-1
- Update to 1.70.3
- Closes rhbz#2379085
* Mon Jul 28 2025 Fedora Release Engineering <rel...@fedoraproject.org> - 1.70.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Mon Jul 28 2025 Mikel Olasagasti Uranga <mi...@olasagasti.info> - 1.70.2-1
- Update to 1.70.2
- Closes rhbz#2254045 rhbz#2336979 rhbz#2337234 rhbz#2341265 rhbz#2348838 rhbz#2350844 rhbz#2352327 rhbz#2354433 rhbz#2360615 rhbz#2360653
* Mon Jul 28 2025 Yaakov Selkowitz <yselk...@redhat.com> - 1.68.2-5
- Fix build with golang 1.24
* Mon Jul 28 2025 Fedora Release Engineering <rel...@fedoraproject.org> - 1.68.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Mon Jul 28 2025 Mikel Olasagasti Uranga <mi...@olasagasti.info> - 1.68.2-3
- Restore previous version
* Mon Jul 28 2025 Robert-André Mauchin <zebo...@gmail.com> - 1.68.2-2
- Update to 1.68.2
- Move to bundling with gotmax23 tool
- Bump golang.org/x/net/html to v0.33.0 to fix CVE-2024-45338
- Bump golang.org/x/crypto/ssh to v0.31.0 to fix CVE-2024-45337
- Bump github.com/quic-go/quic-go to 0.48.2 to fix CVE-2024-53259 and CVE-2024-22189
- s390x is temporarily disabled until a workaround to https://github.com/cronokirby/saferith/issues/52 is found
* Mon Jul 28 2025 Mikel Olasagasti Uranga <mi...@olasagasti.info> - 1.68.2-1
- Update to 1.68.2
- Closes rhbz#2311287 rhbz#2326578 rhbz#2333262 rhbz#2333238 rhbz#2331989 rhbz#2331961
* Mon Jul 28 2025 Mikel Olasagasti Uranga <mi...@olasagasti.info> - 1.67.0-2
- Fix version ldflag
- Closes rhbz#2315855
* Mon Jul 28 2025 Mikel Olasagasti Uranga <mi...@olasagasti.info> - 1.67.0-1
- Update to 1.67.0
- Closes rhbz#2251762 rhbz#2292717 rhbz#2301235 rhbz#2255106
* Mon Jul 28 2025 Fedora Release Engineering <rel...@fedoraproject.org> - 1.64.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Mon Jul 28 2025 Maxwell G <maxw...@gtmx.me> - 1.64.2-4
- Rebuild for golang 1.22.0
* Mon Jul 28 2025 Fedora Release Engineering <rel...@fedoraproject.org> - 1.64.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Mon Jul 28 2025 Fedora Release Engineering <rel...@fedoraproject.org> - 1.64.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Mon Jul 28 2025 Mikel Olasagasti Uranga <mi...@olasagasti.info> - 1.64.2-1
- Update to 1.64.2
- Closes rhbz#2244697
* Mon Jul 28 2025 Jonathan Steffan <jstef...@fedoraproject.org> - 1.64.0-2
- Add mount.rclone for systemd.mount support
- Create symlink for utilization in systemd units
- Create optional rclonefs symlink, per documentation
* Mon Jul 28 2025 Mikel Olasagasti Uranga <mi...@olasagasti.info> - 1.64.0-1
- Update to 1.64.0
- Closes rhbz#2238581 rhbz#2229610 rhbz#2229606
* Mon Jul 28 2025 Mikel Olasagasti Uranga <mi...@olasagasti.info> - 1.63.1-1
- Update to 1.63.1
- Closes rhbz#2155701 rhbz#2163286 rhbz#2171700 rhbz#2178480 rhbz#2226392
- Don't build storj backend by default
- Use shell completion macros
* Mon Jul 28 2025 Fedora Release Engineering <rel...@fedoraproject.org> - 1.60.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Mon Jul 28 2025 Fedora Release Engineering <rel...@fedoraproject.org> - 1.60.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Mon Jul 28 2025 Mikel Olasagasti Uranga <mi...@olasagasti.info> - 1.60.1-1
- Update to 1.60.1
- Closes rhbz#2144108
* Mon Jul 28 2025 Mikel Olasagasti Uranga <mi...@olasagasti.info> - 1.60.0-1
- Update to 1.60.0
* Mon Jul 28 2025 Fedora Release Engineering <rel...@fedoraproject.org> - 1.57.0-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Mon Jul 28 2025 Maxwell G <gotmax@e.email> - 1.57.0-8
- Rebuild for CVE-2022-{1705,32148,30631,30633,28131,30635,30632,30630,1962} in golang
* Mon Jul 28 2025 Maxwell G <gotmax@e.email> - 1.57.0-7
- Rebuild for CVE-2022-{24675,28327,29526 in golang}
* Mon Jul 28 2025 Maxwell G <gotmax@e.email> - 1.57.0-6
- Rebuild for CVE-2022-{24675,28327,29526} in golang
* Mon Jul 28 2025 Robert-André Mauchin <zebo...@gmail.com> - 1.57.0-5
- Rebuilt for CVE-2022-1996, CVE-2022-24675, CVE-2022-28327, CVE-2022-27191, CVE-2022-29526, CVE-2022-30629
* Mon Jul 28 2025 Zbigniew Jędrzejewski-Szmek <zbys...@in.waw.pl> - 1.57.0-4
- Disable package notes because gold linker is used
* Mon Jul 28 2025 Fedora Release Engineering <rel...@fedoraproject.org> - 1.57.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2067349 - CVE-2022-21698 rclone: prometheus/client_golang: Denial of service using InstrumentHandlerCounter [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2067349
  [ 2 ] Bug #2074250 - CVE-2022-27191 rclone: golang: crash in a golang.org/x/crypto/ssh server [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2074250
  [ 3 ] Bug #2141826 - EPEL9 update from 1.57 to at least 1.58?
        https://bugzilla.redhat.com/show_bug.cgi?id=2141826
  [ 4 ] Bug #2163049 - CVE-2022-41717 rclone: golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2163049
  [ 5 ] Bug #2178405 - CVE-2022-41723 rclone: golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2178405
  [ 6 ] Bug #2229581 - CVE-2023-3978 rclone: golang.org/x/net/html: Cross site scripting [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2229581
  [ 7 ] Bug #2248231 - rclone: golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-39325) [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2248231
  [ 8 ] Bug #2255068 - CVE-2023-48795 rclone: ssh: Prefix truncation attack on Binary Packet Protocol (BPP) [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2255068
  [ 9 ] Bug #2292673 - CVE-2024-24789 rclone: golang: archive/zip: Incorrect handling of certain ZIP files [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2292673
  [ 10 ] Bug #2326579 - CVE-2024-52522 rclone: improper permission and ownership handling on symlink targets with --links and --metadata [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2326579
  [ 11 ] Bug #2331935 - CVE-2024-45337 rclone: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2331935
  [ 12 ] Bug #2333216 - CVE-2024-45338 rclone: Non-linear parsing of case-insensitive content in golang.org/x/net/html [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2333216
  [ 13 ] Bug #2339076 - Update to match F42 version 1.68.2
        https://bugzilla.redhat.com/show_bug.cgi?id=2339076
  [ 14 ] Bug #2348790 - CVE-2025-22868 rclone: Unexpected memory consumption during token parsing in golang.org/x/oauth2 [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2348790
--------------------------------------------------------------------------------