The following Fedora EPEL 9 Security updates need testing:
Age  URL                                                                  Package
 12  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-9a55de96db  xpdf-4.06-1.el9
  6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-6495526449  restic-0.18.1-1.el9
  6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-054eae36ef  openbao-2.4.4-1.el9
  6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-a91b94e5c1  stb-0^20251025gitf1c79c0-2.el9
  5  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-16dc0220ef  fcgi-2.4.7-1.el9
The following builds have been pushed to Fedora EPEL 9 updates-testing
baresip-4.3.0-1.el9
imhex-1.37.4-3.el9
libre-4.3.0-1.el9
libwebsockets-4.3.7-2.el9
lunasvg-3.5.0-1.el9
partclone-0.3.40-1.el9
plutovg-1.3.2-1.el9
rust-sequoia-gpg-agent-0.6.2-1.el9
rust-sequoia-keystore-0.7.1-1.el9
rust-sequoia-keystore-softkeys-0.7.1-1.el9
suricata-7.0.13-1.el9
Details about builds:
================================================================================
baresip-4.3.0-1.el9 (FEDORA-EPEL-2025-b27a155fa9)
Modular SIP user-agent with audio and video support
--------------------------------------------------------------------------------
Update Information:
Baresip v4.3.0 (2025-11-19)
video: find new encoder if not available
video: null pointer checks for codec functions
test/ccheck: ignore reversed list_unlink
g722: add libg722 module as alternative to avoid spandsp dependency
pulse: return err if unsupported stream
jbuf: update copyright
jbuf: remove unused jbuf_frames() in API
rtprecv, aureceiver: fix ssrc re-invite
test: remove include to menu.h
play: warnings for failed audio devices
account: added account_set_pubint API function
Baresip v4.2.0 (2025-10-15)
menu: check return value from str_dup()
ctrl_dbus: check return value of str_dup()
core: set bundle rtpext before aulevel
ice: use icem_rcand_ready
mpa: move MPA audio codec to baresip-apps
webrtc_aecm: removed module
ci-windows: bump choco openssl version to 3.5.3
audiounit: remove unused member int fmt
audiounit: remove int ch already present in struct ausrc_prm
call,bevent: add call contacturi
test/ua: add test_ua_cuser
ua: rename setting to sip_cuser_random
menu: fix some typos
call: send local SDP event not too early
call: call_modify() - local SDP event before SDP encode
test: add test_uag_find_msg()
video: better sendrate and burst_bits defaults
webrtc_aec: update module to Debian Trixie compatibility
call: add missing input argument checking (struct call pointer)
ci,windows: bump Choco to OpenSSL version 3.5.4
modules: fix minor typos
config: remove mpa module from template
avfilter: fix av_opt_set_int_list deprecation warning
ci/macos: use default ffmpeg (currently 8.0)
cmake: fix usage of SPANDSP_HINTS
ci/coverage: increase min. coverage
bump version number to 4.2.0
libre v4.3.0 (2025-11-19)
cmake: remove macOS include path
test: sort testcases in alphabetical order
test: increase coverage of websock test with protocol on/off
sdp/media: fix sdp_media_align_formats pt handling
dns: fix AAAA address comparison in getaddr_dup()
test: add support for IPv6 DNS testing
ci: add clang-21
sys/fs: improve fs_fread error handling
test: compare DNS RR records data in order to increase test-coverage
dns: correct comment in dnsc_query_srv()
h265: Fix NAL Decode nuh_layer_id
auframe: avoid auframe_bytes_to_ms division by zero
aumix: add aumix_latency and new defaults
dns: remove get_android_dns()
test: add testing of DNS nameservers
cmake/re-config: fix HAVE_THREADS discovery
libre v4.2.0 (2025-10-15)
test: add testcode for btrace module
types: add ETIME fallback
test: add testing of conf_get_bool()
test/btrace: skip thread test
Revert "dtls: remove dtls_set_handlers() -- unused"
ice/icem: add icem_rcand_ready helper
ice/sdp: remove mDNS AI_V4MAPPED and log late candidate
tls: minor improvements to SNI and Common-name comparison
tls: revert wrong match-checking in SNI function
ci-windows: bump choco openssl version to 3.5.3
tls: sni - a null pointer check
test: fix some minor typos
dbg: remove dbg_close() -- unused
ci,windows: bump choco openssl to 3.5.4
misc: fix some minor typos
test: test both fragmented and non-fragmented H.265 packets
test: add negative AES testcases
test: add test for conf_apply()
ci/android: Upgrade to API-level 29 (Android 10.0)
ci/android: remove AVD cache
ci/android: revert to android api level 26
bump version number to 4.2.0
--------------------------------------------------------------------------------
ChangeLog:
* Sat Nov 29 2025 Robert Scheck <[email protected]> 4.3.0-1
- Upgrade to 4.3.0 (#2404130)
* Tue Nov 11 2025 Adam Williamson <[email protected]> - 4.1.0-3
- rebuild against libre with fixed thread detection
* Mon Nov 10 2025 Adam Williamson <[email protected]> - 4.1.0-2
- rebuild for FFmpeg 8
- build with -DHAVE_THREADS=1 to fix build failure with recent glibc
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2404092 - libre-4.3.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2404092
[ 2 ] Bug #2404130 - baresip-4.3.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2404130
--------------------------------------------------------------------------------
================================================================================
imhex-1.37.4-3.el9 (FEDORA-EPEL-2025-51d4080725)
A hex editor for reverse engineers and programmers
--------------------------------------------------------------------------------
Update Information:
Unbundle plutovg from lunasvg, this avoids shipping a duplicate library with
conflicting files.
Update lunasvg to consume the plutovg version already available in the
repositories and to fix various CVEs.
Rebuild imhex for the updated lunasvg.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Dec 1 2025 Simone Caronni <[email protected]> - 1.37.4-3
- Rebuild for updated build requirements.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2295891 - lunasvg-3.5.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2295891
[ 2 ] Bug #2341675 - CVE-2024-57719 CVE-2024-57720 CVE-2024-57721
CVE-2024-57722 CVE-2024-57723 CVE-2024-57724 lunasvg: various flaws [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2341675
[ 3 ] Bug #2343567 - CVE-2024-55456 lunasvg: From CVEorg collector [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2343567
[ 4 ] Bug #2400407 - file conflict between plutovg-devel and lunasvg-devel
https://bugzilla.redhat.com/show_bug.cgi?id=2400407
--------------------------------------------------------------------------------
================================================================================
libre-4.3.0-1.el9 (FEDORA-EPEL-2025-b27a155fa9)
Generic library for real-time communications
--------------------------------------------------------------------------------
Update Information:
Baresip v4.3.0 (2025-11-19)
video: find new encoder if not available
video: null pointer checks for codec functions
test/ccheck: ignore reversed list_unlink
g722: add libg722 module as alternative to avoid spandsp dependency
pulse: return err if unsupported stream
jbuf: update copyright
jbuf: remove unused jbuf_frames() in API
rtprecv, aureceiver: fix ssrc re-invite
test: remove include to menu.h
play: warnings for failed audio devices
account: added account_set_pubint API function
Baresip v4.2.0 (2025-10-15)
menu: check return value from str_dup()
ctrl_dbus: check return value of str_dup()
core: set bundle rtpext before aulevel
ice: use icem_rcand_ready
mpa: move MPA audio codec to baresip-apps
webrtc_aecm: removed module
ci-windows: bump choco openssl version to 3.5.3
audiounit: remove unused member int fmt
audiounit: remove int ch already present in struct ausrc_prm
call,bevent: add call contacturi
test/ua: add test_ua_cuser
ua: rename setting to sip_cuser_random
menu: fix some typos
call: send local SDP event not too early
call: call_modify() - local SDP event before SDP encode
test: add test_uag_find_msg()
video: better sendrate and burst_bits defaults
webrtc_aec: update module to Debian Trixie compatibility
call: add missing input argument checking (struct call pointer)
ci,windows: bump Choco to OpenSSL version 3.5.4
modules: fix minor typos
config: remove mpa module from template
avfilter: fix av_opt_set_int_list deprecation warning
ci/macos: use default ffmpeg (currently 8.0)
cmake: fix usage of SPANDSP_HINTS
ci/coverage: increase min. coverage
bump version number to 4.2.0
libre v4.3.0 (2025-11-19)
cmake: remove macOS include path
test: sort testcases in alphabetical order
test: increase coverage of websock test with protocol on/off
sdp/media: fix sdp_media_align_formats pt handling
dns: fix AAAA address comparison in getaddr_dup()
test: add support for IPv6 DNS testing
ci: add clang-21
sys/fs: improve fs_fread error handling
test: compare DNS RR records data in order to increase test-coverage
dns: correct comment in dnsc_query_srv()
h265: Fix NAL Decode nuh_layer_id
auframe: avoid auframe_bytes_to_ms division by zero
aumix: add aumix_latency and new defaults
dns: remove get_android_dns()
test: add testing of DNS nameservers
cmake/re-config: fix HAVE_THREADS discovery
libre v4.2.0 (2025-10-15)
test: add testcode for btrace module
types: add ETIME fallback
test: add testing of conf_get_bool()
test/btrace: skip thread test
Revert "dtls: remove dtls_set_handlers() -- unused"
ice/icem: add icem_rcand_ready helper
ice/sdp: remove mDNS AI_V4MAPPED and log late candidate
tls: minor improvements to SNI and Common-name comparison
tls: revert wrong match-checking in SNI function
ci-windows: bump choco openssl version to 3.5.3
tls: sni - a null pointer check
test: fix some minor typos
dbg: remove dbg_close() -- unused
ci,windows: bump choco openssl to 3.5.4
misc: fix some minor typos
test: test both fragmented and non-fragmented H.265 packets
test: add negative AES testcases
test: add test for conf_apply()
ci/android: Upgrade to API-level 29 (Android 10.0)
ci/android: remove AVD cache
ci/android: revert to android api level 26
bump version number to 4.2.0
--------------------------------------------------------------------------------
ChangeLog:
* Sat Nov 29 2025 Robert Scheck <[email protected]> 4.3.0-1
- Upgrade to 4.3.0 (#2404092)
* Tue Nov 11 2025 Adam Williamson <[email protected]> - 4.1.0-2
- Backport PR #1466 to fix threading detection
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2404092 - libre-4.3.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2404092
[ 2 ] Bug #2404130 - baresip-4.3.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2404130
--------------------------------------------------------------------------------
================================================================================
libwebsockets-4.3.7-2.el9 (FEDORA-EPEL-2025-02dd502cb2)
Lightweight C library for Websockets
--------------------------------------------------------------------------------
Update Information:
Update to 4.3.7, enable glib event loop
--------------------------------------------------------------------------------
ChangeLog:
* Mon Dec 1 2025 Peter Robinson <[email protected]> - 4.3.7-2
- Enable glib event loop support
* Sun Nov 30 2025 Peter Robinson <[email protected]> - 4.3.7-1
- Update to 4.3.7
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2405213 - CVE-2025-11679 libwebsockets: Out-of-bounds Read in
libwebsockets PNG parsing [epel-10]
https://bugzilla.redhat.com/show_bug.cgi?id=2405213
[ 2 ] Bug #2405215 - CVE-2025-11679 libwebsockets: Out-of-bounds Read in
libwebsockets PNG parsing [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2405215
[ 3 ] Bug #2405217 - CVE-2025-11679 libwebsockets: Out-of-bounds Read in
libwebsockets PNG parsing [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2405217
[ 4 ] Bug #2405247 - CVE-2025-11677 libwebsockets: Use After Free in
libwebsockets WebSocket server [epel-10]
https://bugzilla.redhat.com/show_bug.cgi?id=2405247
[ 5 ] Bug #2405249 - CVE-2025-11677 libwebsockets: Use After Free in
libwebsockets WebSocket server [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2405249
[ 6 ] Bug #2405251 - CVE-2025-11677 libwebsockets: Use After Free in
libwebsockets WebSocket server [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2405251
[ 7 ] Bug #2405258 - CVE-2025-11680 libwebsockets: Out-of-bounds Write in
libwebsockets PNG parsing [epel-10]
https://bugzilla.redhat.com/show_bug.cgi?id=2405258
[ 8 ] Bug #2405260 - CVE-2025-11680 libwebsockets: Out-of-bounds Write in
libwebsockets PNG parsing [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2405260
[ 9 ] Bug #2405262 - CVE-2025-11680 libwebsockets: Out-of-bounds Write in
libwebsockets PNG parsing [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2405262
[ 10 ] Bug #2405566 - CVE-2025-11678 libwebsockets: Stack-based Buffer
Overflow in libwebsockets [epel-10]
https://bugzilla.redhat.com/show_bug.cgi?id=2405566
[ 11 ] Bug #2405569 - CVE-2025-11678 libwebsockets: Stack-based Buffer
Overflow in libwebsockets [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2405569
--------------------------------------------------------------------------------
================================================================================
lunasvg-3.5.0-1.el9 (FEDORA-EPEL-2025-51d4080725)
Standalone SVG rendering library in C++
--------------------------------------------------------------------------------
Update Information:
Unbundle plutovg from lunasvg, this avoids shipping a duplicate library with
conflicting files.
Update lunasvg to consume the plutovg version already available in the
repositories and to fix various CVEs.
Rebuild imhex for the updated lunasvg.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Dec 1 2025 Simone Caronni <[email protected]> - 3.5.0-1
- Update to 3.5.0, remove bundled plutovg (#2400407)
* Thu Jul 24 2025 Fedora Release Engineering <[email protected]> -
3.1.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Fri Jan 17 2025 Fedora Release Engineering <[email protected]> -
3.1.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2295891 - lunasvg-3.5.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2295891
[ 2 ] Bug #2341675 - CVE-2024-57719 CVE-2024-57720 CVE-2024-57721
CVE-2024-57722 CVE-2024-57723 CVE-2024-57724 lunasvg: various flaws [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2341675
[ 3 ] Bug #2343567 - CVE-2024-55456 lunasvg: From CVEorg collector [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2343567
[ 4 ] Bug #2400407 - file conflict between plutovg-devel and lunasvg-devel
https://bugzilla.redhat.com/show_bug.cgi?id=2400407
--------------------------------------------------------------------------------
================================================================================
partclone-0.3.40-1.el9 (FEDORA-EPEL-2025-569533f1e8)
Utility to clone and restore a partition
--------------------------------------------------------------------------------
Update Information:
partclone v0.3.40
xfsclone: prevent startblock truncation to support filesystems larger than 16 TB
Localization: Updated PO files, removed \r escape sequences from gettext
messages
Documentation: Updated logs, docs, and formatting
Miscellaneous: Minor test updates, merges, and configure.ac changes
--------------------------------------------------------------------------------
ChangeLog:
* Sat Nov 29 2025 Robert Scheck <[email protected]> 0.3.40-1
- Upgrade to 0.3.40 (#2416946)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2416946 - partclone-0.3.40 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2416946
--------------------------------------------------------------------------------
================================================================================
plutovg-1.3.2-1.el9 (FEDORA-EPEL-2025-d6c9d570df)
Tiny 2D vector graphics library in C
--------------------------------------------------------------------------------
Update Information:
Update to 1.3.2.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Nov 27 2025 Simone Caronni <[email protected]> - 1.3.2-1
- Update to 1.3.2
--------------------------------------------------------------------------------
================================================================================
rust-sequoia-gpg-agent-0.6.2-1.el9 (FEDORA-EPEL-2025-41a112be68)
Library for interacting with GnuPG's gpg-agent
--------------------------------------------------------------------------------
Update Information:
Update to version 0.6.2.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Dec 1 2025 Fabio Valentini <[email protected]> - 0.6.2-1
- Update to version 0.6.2
* Fri Jul 25 2025 Fedora Release Engineering <[email protected]> -
0.6.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
--------------------------------------------------------------------------------
================================================================================
rust-sequoia-keystore-0.7.1-1.el9 (FEDORA-EPEL-2025-6b1fa5e022)
Sequoia's private key store server
--------------------------------------------------------------------------------
Update Information:
Update the sequoia-keystore and sequoia-keystore-softkeys crates to version
0.7.1.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Dec 1 2025 Fabio Valentini <[email protected]> - 0.7.1-1
- Update to version 0.7.1
--------------------------------------------------------------------------------
================================================================================
rust-sequoia-keystore-softkeys-0.7.1-1.el9 (FEDORA-EPEL-2025-6b1fa5e022)
Soft key (in-memory key) backend for Sequoia's private key store
--------------------------------------------------------------------------------
Update Information:
Update the sequoia-keystore and sequoia-keystore-softkeys crates to version
0.7.1.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Dec 1 2025 Fabio Valentini <[email protected]> - 0.7.1-1
- Update to version 0.7.1
--------------------------------------------------------------------------------
================================================================================
suricata-7.0.13-1.el9 (FEDORA-EPEL-2025-fbab8bc83a)
Intrusion Detection System
--------------------------------------------------------------------------------
Update Information:
Upstream security/bugfix release.
--------------------------------------------------------------------------------
ChangeLog:
* Sun Nov 30 2025 Jason Taylor <[email protected]> 7.0.13-1
- Upstream bugfix/security release
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2382739 - CVE-2025-53538 suricata: Suricata resource starvation
[epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2382739
[ 2 ] Bug #2400922 - CVE-2025-59148 suricata: Suricata NULL pointer
dereference [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2400922
[ 3 ] Bug #2400926 - CVE-2025-59147 suricata: Suricata is Vulnerable to
Detection Bypass via Crafted Multiple SYN Packets [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2400926
[ 4 ] Bug #2401753 - CVE-2025-59149 suricata: Suricata: Stack buffer overflow
in rule parser when processing long keywords with transforms [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2401753
[ 5 ] Bug #2417514 - CVE-2025-64330 suricata: Suricata: Single byte read heap
overflow leads to denial of service [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2417514
--------------------------------------------------------------------------------