FEDORA-EPEL-2025-6202015785
Packages in this update:
fluent-bit-3.2.8-1.el10_1
Update description:
Update to 3.2.8 – Closes rhbz#2137000 rhbz#2340164 rhbz#2300673
fluent-bit-3.2.8-1.el10_1
Update to 3.2.8 – Closes rhbz#2137000 rhbz#2340164 rhbz#2300673
fluent-bit-3.2.8-1.el9
Update to 3.2.8 – Closes rhbz#2137000 rhbz#2340164 rhbz#2300673
fluent-bit-3.2.8-1.fc40
Update to 3.2.8 – Closes rhbz#2137000 rhbz#2340164 rhbz#2300673
USN-7343-1 fixed vulnerabilities in Jinja2. The update introduced a
regression when attempting to import Jinja2 on Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Rafal Krupinski discovered that Jinja2 did not properly restrict
the execution of code in situations where templates are used maliciously.
An attacker with control over a template’s filename and content could
potentially use this issue to enable the execution of arbitrary code.
This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
(CVE-2024-56201)
It was discovered that Jinja2 sandboxed environments could be escaped
through a call to a string format method. An attacker could possibly use
this issue to enable the execution of arbitrary code. This issue only
affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2024-56326)
It was discovered that Jinja2 sandboxed environments could be escaped
through the malicious use of certain filters. An attacker could possibly
use this issue to enable the execution of arbitrary code. (CVE-2025-27516)
It was discovered that UnRAR incorrectly handled certain paths. If a user
or automated system were tricked into extracting a specially crafted RAR
archive, a remote attacker could possibly use this issue to write arbitrary
files outside of the targeted directory. (CVE-2022-30333, CVE-2022-48579)
It was discovered that UnRAR incorrectly handled certain recovery volumes.
If a user or automated system were tricked into extracting a specially
crafted RAR archive, a remote attacker could possibly use this issue to
execute arbitrary code. (CVE-2023-40477)
Siddharth Dushantha discovered that UnRAR incorrectly handled ANSI escape
sequences when writing screen output. If a user or automated system were
tricked into processing a specially crafted RAR archive, a remote attacker
could possibly use this issue to spoof screen output or cause a denial of
service. (CVE-2024-33899)
It was discovered that RAR incorrectly handled certain paths. If a user or
automated system were tricked into extracting a specially crafted RAR
archive, a remote attacker could possibly use this issue to write arbitrary
files outside of the targeted directory. (CVE-2022-30333)
It was discovered that RAR incorrectly handled certain recovery volumes. If
a user or automated system were tricked into extracting a specially crafted
RAR archive, a remote attacker could possibly use this issue to execute
arbitrary code. (CVE-2023-40477)
It was discovered that the Python ipaddress module contained incorrect
information about which IP address ranges were considered “private” or
“globally reachable”. This could possibly result in applications applying
incorrect security policies. This issue only affected Ubuntu 14.04 LTS
and Ubuntu 16.04 LTS. (CVE-2024-4032)
It was discovered that Python incorrectly handled quoting path names when
using the venv module. A local attacker able to control virtual
environments could possibly use this issue to execute arbitrary code when
the virtual environment is activated. (CVE-2024-9287)
It was discovered that Python incorrectly handled parsing bracketed hosts.
A remote attacker could possibly use this issue to perform a Server-Side
Request Forgery (SSRF) attack. This issue only affected Ubuntu 14.04 LTS
and Ubuntu 16.04 LTS. (CVE-2024-11168)
It was discovered that Python incorrectly handled parsing domain names that
included square brackets. A remote attacker could possibly use this issue
to perform a Server-Side Request Forgery (SSRF) attack. (CVE-2025-0938)
libssh2-1.11.1-1.el10_0
This update, to the current upstream libssh2 release, addresses a couple of security issues:
CVE-2023-6918 (missing checks for return values for digests)
CVE-2023-48795 (prefix truncation attack on Binary Packet Protocol (BPP) – “Terrapin”)
It also removes support for a number of legacy algorithms that were disabled by default or removed from OpenSSH in the 2015-2018 time period. See the RELEASE_NOTES file for full details.
In addition, there are a large number of bug fixes and enhancements, which again are described in the RELEASE_NOTES file.
libssh2-1.11.1-1.el10_1
This update, to the current upstream libssh2 release, addresses a couple of security issues:
CVE-2023-6918 (missing checks for return values for digests)
CVE-2023-48795 (prefix truncation attack on Binary Packet Protocol (BPP) – “Terrapin”)
It also removes support for a number of legacy algorithms that were disabled by default or removed from OpenSSH in the 2015-2018 time period. See the RELEASE_NOTES file for full details.
In addition, there are a large number of bug fixes and enhancements, which again are described in the RELEASE_NOTES file.
libssh2-1.11.1-1.fc40
This update, to the current upstream libssh2 release, addresses a couple of security issues:
CVE-2023-6918 (missing checks for return values for digests)
CVE-2023-48795 (prefix truncation attack on Binary Packet Protocol (BPP) – “Terrapin”)
It also removes support for a number of legacy algorithms that were disabled by default or removed from OpenSSH in the 2015-2018 time period. See the RELEASE_NOTES file for full details.
In addition, there are a large number of bug fixes and enhancements, which again are described in the RELEASE_NOTES file.