Wiki - https://fedoraproject.org/wiki/Changes/golang1.23
Discussion Thread -
https://discussion.fedoraproject.org/t/f41-change-proposal-golang-1-23-system-wide/118631
This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.
== Summary ==
Update of Go (golang package) to the upcoming version 1.23 in Fedora 41.
== Owner ==
* Name: [[User:alexsaezm| Alejandro Sáez Morollón]]
* Email: asm@redhat.com
== Detailed Description ==
Update of Go (golang package) to the upcoming version 1.23 in Fedora
41. Go 1.23 is expected to be released in
[https://tip.golang.org/doc/go1.23 August 2024]. A mass rebuild of all
of the dependent packages is required.
== Feedback ==
No feedback yet.
There is an [https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/ZQROWTMARIUS45KIQZIUNAA45K3NWLRW/
ongoing conversation] about removing a patch and reverting a couple of
variables to their defaults.
== Benefit to Fedora ==
The latest, up-to-date Go release will be delivered to Fedora users.
Being close to upstream allows us to avoid security issues and provide
more up-to-date features. Therefore, Fedora will be providing a
reliable development platform for the Go language and projects written
in it.
For a complete list of changes, see upstream change notes at
https://tip.golang.org/doc/go1.23
== Scope ==
* Proposal owners:
Rebase Golang package in Fedora 41, and help resolve possible issues
found during package rebuilds.
* Other developers:
Fix possible issues, with help from Golang maintainers.
* Release engineering: [https://pagure.io/releng/issues #Releng issue number]
Rebuild of dependent packages as part of planned mass-rebuild.
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with the Fedora Strategy:
It doesn't align directly with the current objectives, but it helps
maintain the quality of the project.
== Upgrade/compatibility impact ==
No upgrade or compatibility impact.
== How To Test ==
# Install golang 1.23 from rawhide and use it to build your
application(s)/package(s).
# Perform a scratch build against rawhide.
# Your application/package built using golang 1.23 should work as expected.
== User Experience ==
Users will have a newer version of Go, with new features described in
the release notes and security fixes.
== Dependencies ==
<pre>
dnf repoquery -q --releasever=rawhide --disablerepo='*' \
    --qf='%{name}' --enablerepo=fedora-source --enablerepo=updates-source \
    --enablerepo=updates-testing-source --archlist=src --whatrequires \
    'golang'
dnf repoquery -q --releasever=rawhide --disablerepo='*' \
    --qf='%{name}' --enablerepo=fedora-source --enablerepo=updates-source \
    --enablerepo=updates-testing-source --archlist=src --whatrequires \
    'compiler(go-compiler)'
dnf repoquery -q --releasever=rawhide --disablerepo='*' \
    --qf='%{name}' --enablerepo=fedora-source --enablerepo=updates-source \
    --enablerepo=updates-testing-source --archlist=src --whatrequires \
    'go-rpm-macros'
</pre>
<pre>
Omitted due to the number of packages listed: ~2000.
</pre>
== Contingency Plan ==
* Contingency mechanism: Revert to Go 1.22.X if significant issues are
discovered
* Contingency deadline: Beta freeze
* Blocks release? No
== Documentation ==
https://tip.golang.org/doc/go1.23
== Release Notes ==
--
Aoife Moloney
Fedora Operations Architect
Fedora Project
Matrix: @amoloney:fedora.im
IRC: amoloney
--
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Friday, May 31, 2024
[USN-6804-1] GNU C Library vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6804-1
May 31, 2024
glibc vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in GNU C Library.
Software Description:
- glibc: GNU C Library
Details:
It was discovered that GNU C Library nscd daemon contained a stack-based buffer
overflow. A local attacker could use this to cause a denial of service
(system crash). (CVE-2024-33599)
It was discovered that GNU C Library nscd daemon did not properly check the
cache content, leading to a null pointer dereference vulnerability. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2024-33600)
It was discovered that GNU C Library nscd daemon did not properly validate
memory allocation in certain situations, leading to a null pointer dereference
vulnerability. A local attacker could use this to cause a denial of service
(system crash). (CVE-2024-33601)
It was discovered that GNU C Library nscd daemon did not properly handle memory
allocation, which could lead to memory corruption. A local attacker could use
this to cause a denial of service (system crash). (CVE-2024-33602)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
nscd 2.39-0ubuntu8.2
Ubuntu 23.10
nscd 2.38-1ubuntu6.3
Ubuntu 22.04 LTS
nscd 2.35-0ubuntu3.8
Ubuntu 20.04 LTS
nscd 2.31-0ubuntu9.16
Ubuntu 18.04 LTS
nscd 2.27-3ubuntu1.6+esm3
Available with Ubuntu Pro
Ubuntu 16.04 LTS
nscd 2.23-0ubuntu11.3+esm7
Available with Ubuntu Pro
After a standard system update you need to restart nscd to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6804-1
CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602
Package Information:
https://launchpad.net/ubuntu/+source/glibc/2.39-0ubuntu8.2
https://launchpad.net/ubuntu/+source/glibc/2.38-1ubuntu6.3
https://launchpad.net/ubuntu/+source/glibc/2.35-0ubuntu3.8
https://launchpad.net/ubuntu/+source/glibc/2.31-0ubuntu9.16
F41 Change Proposal: Unprivileged updates for Fedora Atomic Desktops (Self-Contained)
Wiki - https://fedoraproject.org/wiki/Changes/UnprivilegedUpdatesAtomicDesktops
Discussion Thread -
https://discussion.fedoraproject.org/t/f41-change-proposal-unprivileged-updates-for-fedora-atomic-desktops-self-contained/118556
This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.
== Summary ==
We want to update the Polkit rule currently controlling access to the
rpm-ostree daemon on Fedora Atomic Desktops to do the following:
* Enable users to update the system without being an administrator or
typing a password.
* Restrict the current rule for administrators to make more operations
explicitly require a password.
== Owner ==
* [[User:boredsquirrel| Henning]], boredsquirrel@secure.mailbox.org
* [[User:Siosm| Timothée Ravier]], siosm@fedoraproject.org
== Detailed Description ==
This change tries to address two issues:
* Give more users the permission to update their systems as this
should be an entirely safe operation on Fedora Atomic Desktops.
** Silverblue already automatically updates the system and Flatpaks by
default and Kinoite is looking at doing it as well:
https://fedoraproject.org/wiki/Changes/KDEKinoiteAutoUpdateByDefault
** We will thus enable all active and interactive users to update the
system without being an administrator or typing a password.
** Note that this is only about system updates (and repo metadata
updates) and no other operations.
* Reduce access to the most privileged operations of rpm-ostree for
administrators to avoid mistakes.
** The current setup is not directly a security issue as it only
allows those operations for users that are part of the wheel group and
thus assumed to be administrators.
** However, some of those operations can be more dangerous than others
so we should ask the administrator to confirm them or let them do it
via `sudo`.
** Operations such as changing kernel arguments, installing a local
package, rebasing to another image, etc. will thus be removed from the
current Polkit rule and will now require the administrator password,
similarly to calling it via `sudo`.
** Only the install/uninstall packages from the repos, upgrade,
rollback, cancel and cleanup operations will remain password-less, to
match the behavior on package mode Fedora with dnf.
See:
* https://gitlab.com/fedora/ostree/sig/-/issues/7
* https://github.com/rohanssrao/silverblue-privesc/issues/4
* https://bugzilla.redhat.com/show_bug.cgi?id=2203555
Initial work in:
* https://src.fedoraproject.org/rpms/fedora-release/pull-request/324
* https://src.fedoraproject.org/rpms/fedora-release/pull-request/325
== Feedback ==
Nothing here so far beyond comments in the PRs, which have mostly been
addressed.
== Benefit to Fedora ==
This change will make it easier to set up a Fedora system with
non-administrator (unprivileged) users that can still update the
system without administrator intervention. Note that major version
upgrades (rebase operation) will still require privileges (or an
administrator password) for now. This is due to a limit of the current
rpm-ostree interface.
This is also a step towards the goals of the
[https://fedoraproject.org/wiki/SIGs/ConfinedUsers Confined Users
Special Interest Group (SIG)].
== Scope ==
* Proposal owners:
** Implement the change in the polkit rules
** Validate that this change works on all Fedora Atomic Desktops
(notably with GNOME Software and Plasma Discover)
* Other developers:
** Developers depending on the current polkit rules might have to
adapt their software. We don't know of any software impacted right
now.
* Release engineering: N/A (not needed for this Change)
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with the Fedora Strategy: Not specifically
== Upgrade/compatibility impact ==
This change does not remove any interface so it should not have any
impact for users on upgrade. If some of the now "password-full"
operations were used previously, they will now ask for a password.
If administrators previously disabled or overwrote the current polkit
rules, then they might have to update their override for the new
behavior.
== Early Testing (Optional) ==
Do you require 'QA Blueprint' support? No
== How To Test ==
* Write the following file:
`/etc/polkit-1/rules.d/org.projectatomic.rpmostree1.rules`
<pre>
polkit.addRule(function(action, subject) {
    // Any active, local user: refresh repo metadata and upgrade without a password.
    if ((action.id == "org.projectatomic.rpmostree1.repo-refresh" ||
         action.id == "org.projectatomic.rpmostree1.upgrade") &&
        subject.active == true &&
        subject.local == true) {
        return polkit.Result.YES;
    }

    // Active, local members of wheel: these operations stay password-less.
    if ((action.id == "org.projectatomic.rpmostree1.install-uninstall-packages" ||
         action.id == "org.projectatomic.rpmostree1.rollback" ||
         action.id == "org.projectatomic.rpmostree1.reload-daemon" ||
         action.id == "org.projectatomic.rpmostree1.cancel" ||
         action.id == "org.projectatomic.rpmostree1.cleanup" ||
         action.id == "org.projectatomic.rpmostree1.client-management") &&
        subject.active == true &&
        subject.local == true &&
        subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }

    // Active, local members of wheel: these operations require the administrator password.
    // rollback is also listed in the block above, which returns first, so the
    // rollback entry here is never reached.
    if ((action.id == "org.projectatomic.rpmostree1.install-local-packages" ||
         action.id == "org.projectatomic.rpmostree1.override" ||
         action.id == "org.projectatomic.rpmostree1.deploy" ||
         action.id == "org.projectatomic.rpmostree1.rebase" ||
         action.id == "org.projectatomic.rpmostree1.rollback" ||
         action.id == "org.projectatomic.rpmostree1.bootconfig") &&
        subject.active == true &&
        subject.local == true &&
        subject.isInGroup("wheel")) {
        return polkit.Result.AUTH_ADMIN;
    }
});
</pre>
* Test that normal / unprivileged users can '''only do''' the
following operations '''without a password''':
** Update the system: `rpm-ostree update`
** Refresh the metadata: `rpm-ostree refresh-md`
* Test that admin / privileged users can do the following operations
'''without a password''':
** Install a package from the official Fedora repos: `rpm-ostree install strace`
** Cancel an in-progress transaction: `rpm-ostree cancel`
** Rollback to a previous version: `rpm-ostree rollback`
** Reload the daemon: `rpm-ostree reload`
** Cleanup pending or rollback deployments: `rpm-ostree cleanup`
* Test that admin / privileged users are '''asked for a password''' for
the following operations:
** Install a local RPM package: `rpm-ostree install ./foo.rpm`
** Override replace a package: `rpm-ostree override replace vim-x.y.z.rpm`
** Deploy a specific version: `rpm-ostree deploy 40.20240518.1`
** Rebase to any version: `rpm-ostree rebase ...` (try with Kinoite on
Silverblue, etc.)
** Change kernel arguments: `rpm-ostree kargs --append=foo=bar`
== User Experience ==
This change should be mostly transparent for users.
If some of the now "password-full" operations were used previously,
they will now ask for a password.
Unprivileged users will be able to update the system.
== Dependencies ==
The rules are shipped as part of the `fedora-release` RPM. There are
no other dependencies.
== Contingency Plan ==
* Contingency mechanism: (What to do? Who will do it?)
** We can revert the change to the `fedora-release` package at any time.
** Will be done by the change owners.
* Contingency deadline: Beta freeze or final freeze
* Blocks release? No
== Documentation ==
No additional documentation.
== Release Notes ==
To be written once the change is accepted.
--
Aoife Moloney
Fedora Operations Architect
Fedora Project
Matrix: @amoloney:fedora.im
IRC: amoloney
--
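An offline check of the Polkit rule from the "How To Test" section of the proposal above, added here as an example; it is not part of the proposal or of the `fedora-release` package. It loads the rule text into a minimal stand-in for the `polkit` object (an assumption: only `addRule` and the two `Result` values the rule uses are modelled), evaluates every action ID against three constructed subjects, and reports action IDs that the rule lists more than once. A `null` decision means the rule did not decide and the action's default policy applies.

```javascript
// Rule text copied from the proposal's "How To Test" section (whitespace normalised).
const RULE_SOURCE = `
polkit.addRule(function(action, subject) {
    if ((action.id == "org.projectatomic.rpmostree1.repo-refresh" ||
         action.id == "org.projectatomic.rpmostree1.upgrade") &&
        subject.active == true &&
        subject.local == true) {
        return polkit.Result.YES;
    }
    if ((action.id == "org.projectatomic.rpmostree1.install-uninstall-packages" ||
         action.id == "org.projectatomic.rpmostree1.rollback" ||
         action.id == "org.projectatomic.rpmostree1.reload-daemon" ||
         action.id == "org.projectatomic.rpmostree1.cancel" ||
         action.id == "org.projectatomic.rpmostree1.cleanup" ||
         action.id == "org.projectatomic.rpmostree1.client-management") &&
        subject.active == true &&
        subject.local == true &&
        subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
    if ((action.id == "org.projectatomic.rpmostree1.install-local-packages" ||
         action.id == "org.projectatomic.rpmostree1.override" ||
         action.id == "org.projectatomic.rpmostree1.deploy" ||
         action.id == "org.projectatomic.rpmostree1.rebase" ||
         action.id == "org.projectatomic.rpmostree1.rollback" ||
         action.id == "org.projectatomic.rpmostree1.bootconfig") &&
        subject.active == true &&
        subject.local == true &&
        subject.isInGroup("wheel")) {
        return polkit.Result.AUTH_ADMIN;
    }
});
`;

const PREFIX = "org.projectatomic.rpmostree1.";

// Hypothetical stand-in for the object polkitd exposes to rule files.
function makePolkit() {
  const rules = [];
  return {
    Result: { YES: "yes", AUTH_ADMIN: "auth_admin" },
    addRule(fn) { rules.push(fn); },
    // The first rule that returns a value decides; null means "not decided here".
    evaluate(action, subject) {
      for (const fn of rules) {
        const result = fn(action, subject);
        if (result !== undefined && result !== null) return result;
      }
      return null;
    },
  };
}

function makeSubject({ active = true, local = true, groups = [] }) {
  return { active, local, isInGroup: (group) => groups.includes(group) };
}

// Constructed subjects: a regular desktop user, a wheel member at the local
// seat, and a wheel member on a non-local session.
const SUBJECTS = {
  user: makeSubject({}),
  admin: makeSubject({ groups: ["wheel"] }),
  remoteAdmin: makeSubject({ local: false, groups: ["wheel"] }),
};

// Every action ID mentioned in the rule text, in order, duplicates included.
function actionIds(ruleSource) {
  return ruleSource.match(/org\.projectatomic\.rpmostree1\.[a-z-]+/g) || [];
}

// Evaluate each distinct action ID against each constructed subject.
function decisionMatrix(ruleSource) {
  const polkit = makePolkit();
  new Function("polkit", ruleSource)(polkit); // runs the file's addRule() calls
  const matrix = {};
  for (const id of new Set(actionIds(ruleSource))) {
    const row = {};
    for (const [name, subject] of Object.entries(SUBJECTS)) {
      row[name] = polkit.evaluate({ id }, subject);
    }
    matrix[id.slice(PREFIX.length)] = row;
  }
  return matrix;
}

// Action IDs listed more than once; with first-match-wins, later entries for
// the same subject conditions can never take effect.
function duplicatedActions(ruleSource) {
  const counts = {};
  for (const id of actionIds(ruleSource)) counts[id] = (counts[id] || 0) + 1;
  return Object.keys(counts)
    .filter((id) => counts[id] > 1)
    .map((id) => id.slice(PREFIX.length));
}

// Actions a given subject can run without any password prompt.
function passwordless(matrix, who) {
  return Object.keys(matrix).filter((a) => matrix[a][who] === "yes").sort();
}

console.table(decisionMatrix(RULE_SOURCE));
console.log("listed more than once:", duplicatedActions(RULE_SOURCE));
```

The matrix only reflects this one rule file; on a real system other files in the Polkit rules directories and the action's default policy also contribute to the final decision.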
F41 Change Proposal: Make Tuned the Default Power Profile Management Daemon (System-Wide)
Wiki - https://fedoraproject.org/wiki/Changes/TunedAsTheDefaultPowerProfileManagementDaemon
Discussion Thread -
https://discussion.fedoraproject.org/t/f41-change-proposal-make-tuned-the-default-power-profile-management-daemon-system-wide/118554
This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.
== Summary ==
This Change makes 'tuned' the default power profile management daemon
in Fedora Workstation, KDE Plasma, and Budgie instead of
power-profiles-daemon.
* tuned-ppd provides a drop-in replacement for power-profiles-daemon,
which allows it to be used with current desktops
* power users can customize the desktop-exposed power profiles by
editing /etc/tuned/ppd.conf
== Owner ==
* Name: [[User:smallorange| Kate Hsuan]], [[User:jskarvad | Jaroslav Škarvada]]
* Email: <hpa@redhat.com>, <jskarvad@redhat.com>
== Detailed Description ==
<p>
Tuned and power-profiles-daemon provide a similar function: setting and
tuning the power status of a system. Both have similar features; if
they can be integrated into one, Fedora users get more options for the
power settings of their system. In this proposal, we set up tuned as
the default power profile management daemon for GNOME in Fedora
Workstation and the KDE Plasma Spin. Tuned already provides power
profiles for different use cases. Recently, tuned released a
translation API layer called tuned-ppd, which translates the
power-profiles-daemon API to tuned. Applications that use the
power-profiles-daemon API can access tuned without modifying their
code. For now, a Fedora user can immediately switch to tuned by
installing the tuned-ppd package without impacting the user
experience. Therefore, tuned can be the default power profile
management daemon for Fedora.
</p>
<p>
This work would replace power-profiles-daemon with tuned. Since tuned
already provides a wide range of power profiles for different
purposes, this allows the user to have more options for configuring
the system power profile.
Tuned provides many kinds of advanced and basic profiles for different
purposes. Power-profiles-daemon provides the basic power profiles and
the profiles can be set to the system through platform_profiles, Intel
p-state and AMD p-state. That is simple and clever. However, if
users want an advanced profile, they need to install another power
utility, such as tuned, to fine-tune their system. With
tuned as the default power profile management daemon, users have a
wider range of profiles to fine-tune the system.
</p>
<p>
Tuned released a new translation API service called tuned-ppd
<ref>https://github.com/redhat-performance/tuned/tree/master/tuned/ppd</ref>.
tuned-ppd can translate the power-profiles-daemon API to the tuned API
so applications can talk with tuned without modification. Moreover,
the GUI settings, such as gnome-control-center can configure tuned
profiles through tuned-ppd. tuned-ppd also allows the user to override
the basic three power profiles, including power-saver, balanced, and
performance through the config file /etc/tuned/ppd.conf
<ref>https://github.com/redhat-performance/tuned/blob/master/tuned/ppd/ppd.conf</ref>.
If the user wants to use a customized profile, they can edit the
config file and map the custom profile to the basic three
power-profiles-daemon profile names. In this way, gnome-control-center
can keep the original design to configure the customized profile.
</p>
<p>
The work expects tuned to replace power-profiles-daemon to offer
a wider range of power profiles to Fedora users. tuned-ppd resolves
the API translation issue, so applications can access the tuned service
through the power-profiles-daemon API without converting to the tuned
API. Moreover, the three basic profiles can be overridden when the user
needs it for their use case. It also benefits GNOME applications, which
can keep their original design; designing a new GUI tool for custom
profiles is unnecessary. Therefore, tuned can be the default power
setting service for Fedora.
</p>
== Feedback ==
'''From fedora-devel'''
<p>
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/B3UJKFOCRAY3BEEPTHVPW4RY5GFBZWHU/#B3UJKFOCRAY3BEEPTHVPW4RY5GFBZWHU
1. The dependency concern. Since tuned is written in Python, that
causes a dependency impact on Fedora installation.
2. The power-profiles-daemon API should be ported to tuned to provide
the function to the application that uses power-profiles-daemon API,
such as gnome-shell and gnome-control-center.
</p>
'''From the hardware vendor'''
<p>
Moreover, we discussed it with vendors by mail.
1. Tuned covers several kinds of system tuning schemes, which
allows vendors to implement their own power profiles for different
devices or workloads. power-profiles-daemon has only three
profiles to set, and every detailed setting has to be done at the
firmware level. If tuned can replace power-profiles-daemon, they
expect to be able to develop profiles in a much more flexible manner.
</p>
'''The previous discussions'''
<p>
https://discussion.fedoraproject.org/t/f40-change-proposal-tuned-replaces-power-profiles-daemon-self-contained/94995
</p>
== Benefit to Fedora ==
<p>
<ol>
<li>Benefits the user. The user would have more options to tune their
system.</li>
<li>Benefits the maintainer. Integrate similar software into one
software to reduce the maintenance effort.</li>
</ol>
</p>
== Scope ==
* Proposal owners:
** for GNOME: update gnome-control-center weak dependency on
power-profiles-daemon to tuned-ppd
** for KDE: update powerdevil weak dependency on power-profiles-daemon
to tuned-ppd
** for Budgie: update budgie-control-center weak dependency on
power-profiles-daemon to tuned-ppd
* Other developers:
* Release engineering: [https://pagure.io/releng/issues #Releng issue number]
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with the Fedora Strategy:
== Upgrade/compatibility impact ==
<p>
Since tuned-ppd provides the ppd APIs and features, there is no impact
on other applications.
</p>
== Early Testing (Optional) ==
Do you require 'QA Blueprint' support? Y/N
== How To Test ==
<ol>
<li>
Remove power-profiles-daemon.<br>
$ sudo dnf remove power-profiles-daemon
</li>
<li>Install tuned and tuned-ppd through the following command<br>
$ sudo dnf install tuned<br>
$ sudo dnf install tuned-ppd
</li>
<li>
Run gnome-control-center and switch to the power panel and then select
one of the three power profiles.
Click the top-right corner of the screen and you can see the "Power
Mode" shows the profile name that you selected previously.
</li>
<li>
Run the following command to show the active profile. Since tuned-adm
shows the tuned profile name, the profile name mapping can be found in
/etc/tuned/ppd.conf.<br>
$ tuned-adm active
</li>
</ol>
== User Experience ==
<ol>
<li>
The workstation user can set the power profile through the gnome-control-center.
</li>
<li>
The server users switch the profile through the tuned command line.
</li>
</ol>
== Dependencies ==
<p>
tuned is written in Python, so it depends on Python packages and its 40 packages.
</p>
== Contingency Plan ==
* Contingency mechanism:
<p>
Use the original power-profiles-daemon
</p>
* Contingency deadline:
<p>
Before F41 beta freeze.
</p>
* Blocks release?
<p>
No. tuned-ppd provides all the power-profiles-daemon APIs; otherwise,
the original power-profile-daemon can be used if the plan blocks the
release.
</p>
== Documentation ==
I have talked with tuned about this information.<br>
https://github.com/redhat-performance/tuned/issues/559
== Release Notes ==
* https://github.com/redhat-performance/tuned/tree/master/tuned/ppd
* https://github.com/redhat-performance/tuned/blob/master/tuned/ppd/ppd.conf
--
Aoife Moloney
Fedora Operations Architect
Fedora Project
Matrix: @amoloney:fedora.im
IRC: amoloney
--
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
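Step 4 of "How To Test" in the proposal above, scripted as an added example (not part of the original proposal or of tuned): it maps the profile name printed by `tuned-adm active` back to the power-profiles-daemon name the desktop shows. The function names, the sample file and the assumed ppd.conf layout (a `[profiles]` section of `ppd-name=tuned-profile` lines) are assumptions; compare them with your own /etc/tuned/ppd.conf.

```shell
#!/bin/sh
# Added example: relate the active tuned profile to the PPD name shown in the
# desktop. Assumed ppd.conf layout: an INI file whose [profiles] section holds
# "ppd-name=tuned-profile" lines. Verify against your own /etc/tuned/ppd.conf.

# Constructed sample following the assumed layout (not copied from a real host).
sample_ppd_conf() {
    cat <<'EOF'
[main]
default=balanced

[profiles]
# PPD name = tuned profile
power-saver=powersave
balanced=balanced
performance=throughput-performance
EOF
}

# Print the PPD name(s) mapped to tuned profile $2 in config file $1.
ppd_name_for() {
    awk -F= -v want="$2" '
        /^[ \t]*[#;]/ { next }    # skip comment lines
        /^[ \t]*\[/   { in_profiles = ($0 ~ /^[ \t]*\[profiles\]/); next }
        in_profiles && NF >= 2 {
            key = $1; val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (val == want) print key
        }
    ' "$1"
}

# Extract the profile name from "tuned-adm active" output read on stdin.
active_tuned_profile() {
    sed -n 's/^Current active profile:[[:space:]]*//p'
}

# $1 = ppd.conf path, stdin = output of "tuned-adm active".
# Returns 0 if the active profile has a PPD name, 1 if it is unmapped,
# 2 if no active profile was reported.
check_mapping() {
    tuned_profile=$(active_tuned_profile)
    if [ -z "$tuned_profile" ]; then
        echo "no active profile reported" >&2
        return 2
    fi
    ppd=$(ppd_name_for "$1" "$tuned_profile")
    if [ -n "$ppd" ]; then
        echo "tuned '$tuned_profile' is exposed as PPD '$ppd'"
    else
        echo "tuned '$tuned_profile' has no entry in [profiles] of $1" >&2
        return 1
    fi
}

# On a real system: tuned-adm active | check_mapping /etc/tuned/ppd.conf
```

An unmapped result means the active tuned profile was set outside the desktop (for example with the tuned command line) and has no power-profiles-daemon name.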
[HEADS UP] Fedora 41 Python 3.13 rebuilds to start in a side tag (hopefully) next week
Hello,
To deliver Python 3.13 with Fedora Linux 41, we will run a coordinated
rebuild in a side tag.
https://fedoraproject.org/wiki/Changes/Python3.13
Python 3.13.0b2 is scheduled for Tuesday, Jun 4th 2024.
We hope to start the mass rebuild shortly after it's available.
TL;DR: If you can, for the period of the mass rebuild just don't build
your packages in rawhide.
We will let you know when the side tag rebuild actually starts and when
it is merged and it's safe to build in rawhide with Python 3.13.
Details:
If you see a "Rebuilt for Python 3.13" (or similar) commit in your package,
please don't rebuild it in regular rawhide or another rawhide side tag.
If you need to, please let us know, so we can coordinate.
If you'd like to build a package after we already rebuilt it, you should
be able to build it in the side tag via:
on branch rawhide:
$ fedpkg build --target=f41-python
$ koji wait-repo f41-python --build <nvr>
It takes time to build all the essential packages,
so don't expect all your dependencies to be available right away.
Any attempts to build your packages in the side tag before we do will
likely fail due to missing dependencies.
When in trouble, ask here or on Fedora's Matrix - Fedora Python room
(https://matrix.to/#/#python:fedoraproject.org)
Ping me (ksurma) or Miro (mhroncok) if you need to talk to us.
Builds will appear here:
https://koji.fedoraproject.org/koji/builds?latest=0&tagID=f41-python&order=-build_id&inherited=0
Please avoid any potentially disturbing or major changes in Python
packages until the rebuild is over.
Thanks!
Karolina
F41 Change Proposal: Removing network-scripts package (System-Wide)
Wiki - https://fedoraproject.org/wiki/Changes/NetworkScriptsRemoval
Discussion Thread -
https://discussion.fedoraproject.org/t/f41-change-proposal-removing-network-scripts-package-system-wide/118553
This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.
== Summary ==
<code>network-scripts</code> package will be removed in Fedora 41. By
removing the package, we also remove support for legacy
<code>ifup/ifdown</code> network scripts that have been deprecated
since 2018.
== Owner ==
* Name: [[User:jamacku| Jan Macku]]
* Name: [[User:lnykryn| Lukáš Nykrýn]]
* Email: [mailto:jamacku@redhat.com jamacku@redhat.com]
* Email: [mailto:lnykryn@redhat.com lnykryn@redhat.com]
== Detailed Description ==
<code>network-scripts</code> will be removed in Fedora 41. It provides
legacy <code>ifup</code>/<code>ifdown</code> scripts as well as
<code>network.service</code>.
The <code>network-scripts</code> were '''deprecated in 2018''', and
since then, upstream has provided only limited support.
The main reason for removing <code>network-scripts</code> is that ISC
dhcp has not been maintained upstream since the end of 2022. There is a
[https://fedoraproject.org/wiki/Changes/dhclient_deprecation plan to
remove it in an upcoming Fedora release]. Network scripts heavily depend on
the DHCP client, and since Network Scripts are no longer developed,
there is no chance of updating them to use an alternative client.
== Feedback ==
== Benefit to Fedora ==
We don't deliver software that has been deprecated for many years,
unmaintained upstream, and for which we don't have resources to
maintain downstream. Additionally, it simplifies networking tasks for
users and administrators because NetworkManager will be used more
uniformly across Fedora environments.
== Scope ==
* Proposal owners: Removal of the <code>network-scripts</code> RPM package.
* Other developers: Make sure that dependency on
<code>network-scripts</code> package is removed (see
[[Changes/NetworkScriptsRemoval#Dependencies| #Dependencies]]).
* Release engineering: N/A (not needed for this Change)
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Community Initiatives: N/A (not needed for this Change)
== Upgrade/compatibility impact ==
<code>ifup/ifdown</code> commands are no longer available. Use
<code>nmcli connection up/down</code> or <code>networkctl
up/down</code> instead.
Old <code>ifcfg</code> network configuration should still work thanks
to the <code>NetworkManager-initscripts-ifcfg-rh</code> package. No
migration is needed, but it is recommended to migrate from
<code>ifcfg</code> to <code>keyfiles</code> configuration.
You can use one of the following articles on how to migrate:
* https://fedoramagazine.org/converting-networkmanager-from-ifcfg-to-keyfiles/
* https://opensource.com/article/22/8/migrate-networkmanager-keyfiles-configuration
== How To Test ==
Networking should work as before the removal of
<code>network-scripts</code> package.
== User Experience ==
== Dependencies ==
RPM packages that depend in some form on <code>network-scripts</code>:
* <code>libteam</code> - https://bugzilla.redhat.com/show_bug.cgi?id=2262986
* <code>NetworkManager</code> -
https://bugzilla.redhat.com/show_bug.cgi?id=2275295
* <code>openvswitch</code> - https://bugzilla.redhat.com/show_bug.cgi?id=2262982
* <code>ppp</code> - https://bugzilla.redhat.com/show_bug.cgi?id=2262981
Note that this will also affect all users with local custom
network-scripts that require functionality from
<code>network-scripts</code> package.
== Contingency Plan ==
* Contingency mechanism: Since
[https://fedoraproject.org/wiki/Changes/dhclient_deprecation dhcp
client is no longer maintained] and is going to be deprecated in
Fedora, there is currently no contingency mechanism.
* Contingency deadline: beta freeze
* Blocks release: No
== Documentation ==
* Upstream Deprecation notice -
https://github.com/fedora-sysv/initscripts/commit/b748244cf9905696baf1bc16e0432f85093414c2
== Release Notes ==
--
Aoife Moloney
Fedora Operations Architect
Fedora Project
Matrix: @amoloney:fedora.im
IRC: amoloney
--
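A pre-upgrade audit for the removal described in the proposal above, as an added example (not part of the proposal or of any Fedora package): it lists ifcfg files that opt out of NetworkManager with `NM_CONTROLLED=no`, which were brought up by `network.service`, and local scripts that still call `ifup`/`ifdown`. The function names, the sample tree and the choice of directories to scan are assumptions.

```shell
#!/bin/sh
# Added example: find what on a host still relies on network-scripts.
# Function names and the sample tree are constructed for illustration.

# Build a small constructed tree under $1 to try the audit on.
make_sample_tree() {
    mkdir -p "$1/network-scripts" "$1/local"
    printf 'DEVICE=eth0\nBOOTPROTO=dhcp\nONBOOT=yes\n' > "$1/network-scripts/ifcfg-eth0"
    printf 'DEVICE=eth1\nONBOOT=yes\nNM_CONTROLLED="no"\n' > "$1/network-scripts/ifcfg-eth1"
    printf '#!/bin/sh\nifdown eth1 && ifup eth1\n' > "$1/local/failover.sh"
    printf '#!/bin/sh\n# old: ifup eth0\nnmcli connection up eth0\n' > "$1/local/notes.sh"
}

# List ifcfg-* files in directory $1 that set NM_CONTROLLED to no/false/0.
# NetworkManager ignores those interfaces, so only network.service handled them.
unmanaged_ifcfg() {
    for f in "$1"/ifcfg-*; do
        [ -f "$f" ] || continue
        # Strip quote characters first so NM_CONTROLLED="no" and =no both match.
        if tr -d "\"'" < "$f" |
           grep -Eiq '^[[:space:]]*NM_CONTROLLED=(no|false|0)[[:space:]]*$'; then
            printf '%s\n' "$f"
        fi
    done
}

# List files under $1 that invoke ifup or ifdown outside of comment lines.
legacy_callers() {
    find "$1" -type f | sort | while IFS= read -r f; do
        if grep -v '^[[:space:]]*#' "$f" |
           grep -Eq '(^|[^[:alnum:]_.-])(ifup|ifdown)([^[:alnum:]_.-]|$)'; then
            printf '%s\n' "$f"
        fi
    done
}

# $1 = ifcfg directory, $2 = directory of local scripts.
# Prints findings and returns 1 if anything needs attention before upgrading.
audit_network_scripts() {
    unmanaged=$(unmanaged_ifcfg "$1")
    callers=$(legacy_callers "$2")
    if [ -n "$unmanaged" ]; then
        echo "Interfaces not managed by NetworkManager (they relied on network.service):"
        printf '%s\n' "$unmanaged" | sed 's/^/  /'
    fi
    if [ -n "$callers" ]; then
        echo "Scripts calling ifup/ifdown (use 'nmcli connection up/down' or 'networkctl up/down'):"
        printf '%s\n' "$callers" | sed 's/^/  /'
    fi
    [ -z "$unmanaged$callers" ]
}

# On a real system (second directory is wherever local scripts live):
#   audit_network_scripts /etc/sysconfig/network-scripts /usr/local/sbin
```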
F41 Change Proposal: LLVM 19 (System-Wide)
Wiki - https://fedoraproject.org/wiki/Changes/LLVM-19
Discussion Thread -
https://discussion.fedoraproject.org/t/f41-change-proposal-llvm-19-system-wide/118552
This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.
== Summary ==
Update all llvm sub-projects in Fedora Linux to version 19.
== Owner ==
* Name: [[User:tstellar| Tom Stellard]]
* Email: <tstellar@redhat.com>
== Detailed Description ==
All llvm sub-projects in Fedora will be updated to version 19, and
there will be a soname version change for the llvm libraries.
Compatibility packages clang18, llvm18, lld18, compiler-rt18, and
libomp18 will be added to ensure that packages that currently depend
on clang and llvm version 18 libraries will continue to work. We may
add other compatibility packages too if they're determined to be
necessary to maintain functionality in other RPMS that use llvm/clang.
Any compatibility packages we add for Fedora 41 will be retired or
orphaned before the Fedora 42 branch date. As stated in the
[[Changes/LLVM-18 | LLVM-18 change proposal]], we plan to retire or
orphan these older compatibility packages prior to the Fedora 41
branch date:
* llvm17
* clang17
* lld17
* compiler-rt17
* libomp17
Other notable changes:
* '''Build compat packages (e.g. llvm18) as early as possible.'''
When we package a new major release of llvm, we create a compat
package so that packages that aren't compatible with the new version
can still use the old version. In the past, we've waited to introduce
the compat packages until the new version of LLVM was ready (typically
during the Beta Freeze). However, this proved to be an issue this
release for packages that were ready to switch to the compat packages
early in the release cycle, but then had to wait for Beta freeze.
* '''Spec file merge.''' We plan to retire the clang, compiler-rt,
lld and libomp packages and merge them in with llvm and have them be
sub-packages of the llvm package. All these packages have their
sources in the same upstream git repository and use the same
versioning. This change will allow us to use the build configuration
recommended by upstream and also make it possible to optimize the
packages using Profile-Guided Optimizations (PGO). It's possible that
in future releases (f42+), we may decide to merge more packages in
with llvm too.
* '''Fat LTO'''. All RPMS built with clang will default to using the
-ffat-lto option. Fat LTO is a feature that allows the compiler to
produce libraries that contain LTO bitcode alongside the traditional
ELF binary code so that the libraries can be linked in both LTO mode
and non-LTO mode. gcc also supports this feature and has it enabled in
Fedora. In Fedora 40 and older, with LTO enabled, clang produces
binaries with only LTO bitcode, so we need to run a post-processing
script (brp-llvm-compile-to-elf) on the libraries to convert them to
ELF code so they can be used by other packages. Enabling Fat LTO will
allow us to remove this script and simplify the build process. We
originally proposed this feature for Fedora 40, but it was not ready
in time.
===Planned Schedule===
Our plan is to push 19.1.0-rc3 into Fedora 41 as a Beta Freeze
exception. Updates after 19.1.0-rc3 will generally be very small and
can be done after the Beta Freeze is over. If we are late packaging
releases after 19.1.0-rc3, we will not ask for a Final Freeze
exception, unless they contain a fix for a critical release blocking
bug.
We are not planning to push 19.1.0-rc1 into rawhide because the
library ABI is not stabilized at that point. Typically, the ABI
stabilizes after -rc3, but there are no guarantees from upstream about
this. Given the history of minimal ABI changes after -rc3, we feel
like it's safe to push -rc3 into rawhide and Fedora 41. The worst
case scenario would be an ABI change in -rc4 or the final release that
would force us to patch LLVM to maintain compatibility with the -rc3
ABI. This scenario would not require rebuilding LLVM library users in
Fedora, so it would merely be a self-contained change to LLVM.
====Important Dates====
Dates may change depending on circumstances.
* Jun 4: Build llvm18, clang18, lld18, compiler-rt18, and lld18
compat packages in rawhide.
* July 26: Begin building LLVM 19.1.0-rc1 in COPR.
* Aug 6: Begin building LLVM 19.1.0-rc2 in COPR.
* '''''Aug 6: Fedora f41 branches created.'''''
* Aug 20: Begin building LLVM 19.1.0-rc3 in Rawhide and f41 side-tags.
* '''''Aug 20: Fedora f41 Beta Freeze'''''
* Aug 20-> Sep 10: Request Beta Freeze Exception and push 19.1.0-rc3
into f41 stable.
* Sep 3: Begin building LLVM 19.1.0-rc4 in Rawhide side-tag.
* Sep 17: Begin building LLVM 19.1.0 in Rawhide and f41 side-tags.
* Sep 17 -> Oct 1: Push 19.1.0 into f41 stable.
* '''''Oct 1: Fedora f41 Final Freeze.'''''
== Feedback ==
== Benefit to Fedora ==
New features and bug fixes provided by the latest version of LLVM.
== Scope ==
* Proposal owners:
** Review existing llvm and clang compatibility packages and orphan
any packages that are no longer used.
** Build and test early release candidates of LLVM 19 in COPR.
* Other developers:
** Fix build issues found with LLVM-19 or switch their package to use
the llvm18 compat libs. The LLVM team will not block Bodhi updates on
dependent packages that fail to build or run with LLVM-19. There
should be around 6-8 weeks between when -rc1 lands in the koji
side-tag and the Final Freeze for package maintainers to fix issues
uncovered with the LLVM-19 update.
* Release engineering: [https://pagure.io/releng/issue/12118]
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with the Fedora Strategy:
== Upgrade/compatibility impact ==
This change should not impact upgrades.
== Early Testing (Optional) ==
Do you require 'QA Blueprint' support? N
== How To Test ==
The CI tests for the llvm sub-packages in Fedora will be used to catch
regressions that might be potentially introduced by the update to LLVM
19.
== User Experience ==
== Dependencies ==
Packages that depend on one of the llvm packages will need to be
updated to work with LLVM19 or will need to switch to using one of the
llvm18 compat packages.
== Contingency Plan ==
If there are major problems with LLVM 19, the compatibility packages
provide a way for other packages to continue using LLVM 18.
* Contingency deadline: Final Freeze
* Blocks release? No (not a System Wide Change)
== Documentation ==
LLVM sub-projects in Fedora have been updated to version 19:
* llvm (now includes clang, lld, compiler-rt, libomp)
* lldb
* llvm-test-suite
* libcxx
* python-lit
* flang
* mlir
* polly
* libclc
* llvm-bolt
== Release Notes ==
--
Aoife Moloney
Fedora Operations Architect
Fedora Project
Matrix: @amoloney:fedora.im
IRC: amoloney
--
F41 Change Proposal: Anaconda as native Wayland application (System Wide)
Wiki - https://fedoraproject.org/wiki/Changes/Anaconda_As_Native_Wayland_Application
Discussion Thread -
https://discussion.fedoraproject.org/t/f41-change-proposal-anaconda-as-native-wayland-application-system-wide/118550
This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.
== Summary ==
Anaconda is currently still an X11 application. We would like to make
it a native Wayland application so that we can drop the X11
dependencies from the installation ISO images. However, this change is
not just a simple switch: we need to make some adjustments along the
way that will impact the user experience.
== Owner ==
* Name: Anaconda team ([[User:jkonecny| Jiří Konečný]])
* Email: jkonecny@redhat.com
== Detailed Description ==
Anaconda needs to become a native Wayland application so that
deprecated dependencies can be dropped from the installation ISO
images. Package owners want to drop libXklavier from Fedora (see
https://bugzilla.redhat.com/show_bug.cgi?id=1955025 ) and also the Xorg
server from CentOS Stream and RHEL. However, this change is not a
simple switch from X11 to Wayland; we also need to change a few
things in Anaconda to be able to remove the X11 dependencies. This
will have the two main visible impacts listed below.
=== VNC switch to RDP for remote GUI installations ===
Anaconda has to remove 'TigerVNC', which provides the VNC connection
used to install a machine remotely with the graphical UI. The reason is
that TigerVNC is built from the Xorg server sources, so keeping it
would mean we still depend on the Xorg server. As a replacement, we
follow the Fedora Workstation recommendation to switch to GNOME Remote
Desktop (grd), which uses the Remote Desktop Protocol (RDP), a better
protocol that gives users better performance and security.
This will have an impact on current vnc kickstart commands and kernel
boot options of Anaconda. This will impact only the Anaconda
installation environment (boot.iso).
=== Consistent keyboard control ===
Currently, Anaconda experiences difficulties in handling keyboard
layouts in the installation environment, particularly on Wayland.
Formerly, Anaconda used libXklavier to manage keyboard layout
configuration; however, it proved unstable on Wayland. As a
result, Anaconda has disabled keyboard handling during Wayland Live
media installations due to unexpected behavior (refer to
https://bugzilla.redhat.com/show_bug.cgi?id=2016613 ). This approach
may lead to users having trouble unlocking LUKS devices or entering
user passwords in the installed system, because the installation was
done with a different keyboard layout.
To exacerbate the situation, there is no universally applicable
solution for keyboard handling on Wayland systems, as Wayland lacks a
unified API for keyboard management. As a result, each Fedora desktop
environment developed its own API. Unfortunately, the Anaconda team
is not able to maintain a custom solution for each Fedora spin. Some
desktop environments have started to use the '''systemd-localed''' DBus
API to address this and similar issues. The systemd-localed API seems
to be the best approach currently, so we want to promote it as a
shared solution for all Fedora spins.
The plan is:
* All Fedora spins and Anaconda listen on
'''org.freedesktop.locale1''' and reflect configuration on the
currently running system (might be only for Live media if desired)
* All Fedora spins and Anaconda reflect their configuration to
org.freedesktop.locale1
* If a Fedora spin does not support '''org.freedesktop.locale1''',
the keyboard configuration of Anaconda won't be reflected in the
current system and the situation will be similar to the current Live
Wayland experience
All the spin owners were notified about this request:
* https://pagure.io/fedora-workstation/issue/430
* https://pagure.io/fedora-kde/SIG/issue/504
* https://gitlab.com/fedora/sigs/sway/SIG/-/issues/36
* https://bugzilla.redhat.com/show_bug.cgi?id=2278655
* https://bugzilla.redhat.com/show_bug.cgi?id=2278658
* https://bugzilla.redhat.com/show_bug.cgi?id=2278656
* https://bugzilla.redhat.com/show_bug.cgi?id=2278864
* https://bugzilla.redhat.com/show_bug.cgi?id=2278866
* https://bugzilla.redhat.com/show_bug.cgi?id=2278869
* https://bugzilla.redhat.com/show_bug.cgi?id=2278874
* https://pagure.io/fedora-cosmic/SIG/issue/1
* https://pagure.io/fedora-budgie/project/issue/4
* https://pagure.io/fedora-lxqt/SIG/issue/4
* https://pagure.io/i3-sig/Fedora-i3-Spin/issue/70
== Feedback ==
We have some feedback from the SIG owners for the keyboard handling
(see the links above).
We don't have feedback for the VNC to RDP switch yet.
== Benefit to Fedora ==
* This change will enable removal of X11 dependencies from Anaconda,
which may reduce the amount of software installed on the system when
installing from a Live ISO, where the ISO content is copied to
the installed system (depends on the spin dependencies).
* Switching from VNC to RDP allows users to use remote graphical
installations that are more secure and have better performance.
== Scope ==
* Proposal owners: The Anaconda team will implement changes required
in the Anaconda project. More specifically:
** Switch Anaconda code to start Wayland environment on boot.iso instead of X11
** Change keyboard switching logic to use systemd-localed DBus instead
of libXklavier
** Switch remote graphical installations from VNC (TigerVNC) to RDP (GRD)
* Other developers: Fedora SIG owners need to add support in their
environment for listening to and using the systemd-localed DBus API to
reflect the current state of the DE/WM; otherwise they won't have
support for keyboard layout switching in Anaconda.
* Release engineering: [https://pagure.io/releng/issue/12138 #12138]
* Policies and guidelines: Yes, should be done after the implementation
(https://docs.fedoraproject.org/en-US/fedora-server/installation/interactive-remote
should switch to RDP)
* Trademark approval: N/A (not needed for this Change)
* Alignment with the Fedora Strategy:
== Upgrade/compatibility impact ==
This will impact only Fedora installations, so there are no
compatibility or upgrade issues.
== Early Testing (Optional) ==
We will reach out to Fedora QE to coordinate the testing approach.
== How To Test ==
# Download any installation media
# Run the installation
# Look for breakages during the installation
Testing should be especially focused on:
* Changing resolution with ''inst.resolution'' kernel boot option
* Test new RDP solution (API will be clarified)
** Password can be set for RDP
** Username can be set for RDP
* Test keyboard layout switching works correctly
** On Live media, Anaconda should react to a keyboard layout change in
the DE and apply it to the installed system
** On Live media, Anaconda should be able to apply keyboard layout
changes to the live environment
** In the network installation (boot.iso) Anaconda should correctly
reflect keyboard layout changes so that text typed in Anaconda uses
the correct layout
** Check if specific keyboard layouts are configured and installed as expected
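A way to script the last keyboard check above, given as an added example that is not part of the proposal or of Anaconda: it compares the live session's org.freedesktop.locale1 properties with the keyboard files on the installed system, to catch the layout mismatch behind the LUKS and password problems described earlier. It assumes the installed system should end up with the live session's layouts; the busctl output and file contents are constructed samples.

```python
"""Compare live org.freedesktop.locale1 keyboard state with an installed system.

Added example. All sample inputs below are constructed.
"""
import re
import shlex
from itertools import zip_longest

PROPS = ("X11Layout", "X11Variant", "VConsoleKeymap")

# Constructed sample: stdout of
#   busctl get-property org.freedesktop.locale1 /org/freedesktop/locale1 \
#       org.freedesktop.locale1 X11Layout X11Variant VConsoleKeymap
LIVE_BUSCTL = 's "us,cz"\ns ",qwerty"\ns "us"\n'

# Constructed sample: /etc/X11/xorg.conf.d/00-keyboard.conf on the target.
INSTALLED_XORG = '''\
Section "InputClass"
        Identifier "system-keyboard"
        MatchIsKeyboard "on"
        Option "XkbLayout" "cz,us"
        Option "XkbVariant" "qwerty,"
EndSection
'''

# Constructed sample: /etc/vconsole.conf on the target.
INSTALLED_VCONSOLE = 'KEYMAP="cz-qwerty"\nFONT="eurlatgr"\n'


def parse_busctl(stdout, props=PROPS):
    """Map property names to values; busctl prints one `s "value"` line each."""
    lines = [line for line in stdout.splitlines() if line.strip()]
    if len(lines) != len(props):
        raise ValueError(f"expected {len(props)} lines, got {len(lines)}")
    values = {}
    for name, line in zip(props, lines):
        fields = shlex.split(line)
        if len(fields) != 2 or fields[0] != "s":
            raise ValueError(f"unexpected busctl line for {name}: {line!r}")
        values[name] = fields[1]
    return values


def parse_xorg_keyboard(text):
    """Return (XkbLayout, XkbVariant) from a 00-keyboard.conf body."""
    opts = dict(re.findall(r'^\s*Option\s+"(Xkb\w+)"\s+"([^"]*)"', text, re.M))
    return opts.get("XkbLayout", ""), opts.get("XkbVariant", "")


def parse_vconsole_keymap(text):
    """Return the KEYMAP= value from a vconsole.conf body, or ''."""
    match = re.search(r"^\s*KEYMAP=(.*)$", text, re.M)
    return match.group(1).strip().strip("\"'") if match else ""


def layout_pairs(layouts, variants):
    """'us,cz' + ',qwerty' -> [('us', ''), ('cz', 'qwerty')]."""
    names = layouts.split(",") if layouts else []
    vars_ = variants.split(",") if variants else []
    return list(zip_longest(names, vars_[:len(names)], fillvalue=""))


def compare(live, xorg_text, vconsole_text):
    """List the differences between live locale1 state and installed files."""
    findings = []
    live_pairs = layout_pairs(live["X11Layout"], live["X11Variant"])
    inst_pairs = layout_pairs(*parse_xorg_keyboard(xorg_text))
    if set(live_pairs) != set(inst_pairs):
        findings.append(
            f"layout set differs: live={live_pairs} installed={inst_pairs}")
    elif live_pairs != inst_pairs:
        # Same layouts, different order: the first entry is the default,
        # so a passphrase may be typed under another layout than expected.
        findings.append(
            f"layout order differs: live={live_pairs} installed={inst_pairs}")
    keymap = parse_vconsole_keymap(vconsole_text)
    if keymap != live["VConsoleKeymap"]:
        findings.append(
            f"console keymap differs: live={live['VConsoleKeymap']!r} "
            f"installed={keymap!r}")
    return findings


if __name__ == "__main__":
    for finding in compare(parse_busctl(LIVE_BUSCTL),
                           INSTALLED_XORG, INSTALLED_VCONSOLE):
        print("MISMATCH:", finding)
```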
== User Experience ==
The only visible changes to a user should be:
* Remote graphical installations will use RDP instead of VNC.
* Anaconda will be able to control keyboard layouts in the Wayland
environment on Live ISOs. This will improve user experience when
installing Fedora Workstation, Fedora KDE, Fedora Sway and other
Wayland based environments.
== Dependencies ==
No dependencies of this package related to this change.
== Contingency Plan ==
* Contingency mechanism: Postpone this change to the next Fedora
release. Revert landed changes in Anaconda if required.
* Contingency deadline: 100% code completion deadline
* Blocks release? No
== Documentation ==
No documentation yet. However, there are a few PRs ready for merge for
CentOS Stream 10:
* https://github.com/rhinstaller/anaconda/pull/5463
* https://github.com/rhinstaller/anaconda/pull/5470
* https://github.com/rhinstaller/anaconda/pull/5485
* https://github.com/rhinstaller/anaconda/pull/5498
== Release Notes ==
TBD
--
Aoife Moloney
Fedora Operations Architect
Fedora Project
Matrix: @amoloney:fedora.im
IRC: amoloney
--
Thursday, May 30, 2024
[USN-6803-1] FFmpeg vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6803-1
May 30, 2024
ffmpeg vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
FFmpeg could be made to crash or run programs as your login if it
opened a specially crafted file.
Software Description:
- ffmpeg: Tools for transcoding, streaming and playing of multimedia files
Details:
Zeng Yunxiang and Song Jiaxuan discovered that FFmpeg incorrectly handled
certain input files. An attacker could possibly use this issue to cause
FFmpeg to crash, resulting in a denial of service, or potential arbitrary
code execution. This issue only affected Ubuntu 24.04 LTS. (CVE-2023-49501)
Zeng Yunxiang and Song Jiaxuan discovered that FFmpeg incorrectly handled
certain input files. An attacker could possibly use this issue to cause
FFmpeg to crash, resulting in a denial of service, or potential arbitrary
code execution. This issue only affected Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 23.10 and Ubuntu 24.04 LTS.
(CVE-2023-49502)
Zhang Ling and Zeng Yunxiang discovered that FFmpeg incorrectly handled
certain input files. An attacker could possibly use this issue to cause
FFmpeg to crash, resulting in a denial of service, or potential arbitrary
code execution. This issue only affected Ubuntu 23.10 and
Ubuntu 24.04 LTS. (CVE-2023-49528)
Zeng Yunxiang discovered that FFmpeg incorrectly handled certain input
files. An attacker could possibly use this issue to cause FFmpeg to crash,
resulting in a denial of service, or potential arbitrary code execution.
This issue only affected Ubuntu 23.10 and Ubuntu 24.04 LTS.
(CVE-2023-50007)
Zeng Yunxiang and Song Jiaxuan discovered that FFmpeg incorrectly handled
certain input files. An attacker could possibly use this issue to cause
FFmpeg to crash, resulting in a denial of service, or potential arbitrary
code execution. This issue only affected Ubuntu 23.10 and
Ubuntu 24.04 LTS. (CVE-2023-50008)
Zeng Yunxiang discovered that FFmpeg incorrectly handled certain input
files. An attacker could possibly use this issue to cause FFmpeg to crash,
resulting in a denial of service, or potential arbitrary code execution.
This issue only affected Ubuntu 23.10. (CVE-2023-50009)
Zeng Yunxiang discovered that FFmpeg incorrectly handled certain input
files. An attacker could possibly use this issue to cause FFmpeg to crash,
resulting in a denial of service, or potential arbitrary code execution.
This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10. (CVE-2023-50010)
Zeng Yunxiang and Li Zeyuan discovered that FFmpeg incorrectly handled
certain input files. An attacker could possibly use this issue to cause
FFmpeg to crash, resulting in a denial of service, or potential arbitrary
code execution. This issue only affected Ubuntu 23.10 and
Ubuntu 24.04 LTS. (CVE-2023-51793)
Zeng Yunxiang discovered that FFmpeg incorrectly handled certain input
files. An attacker could possibly use this issue to cause FFmpeg to crash,
resulting in a denial of service, or potential arbitrary code execution.
This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS,
Ubuntu 22.04 LTS and Ubuntu 23.10. (CVE-2023-51794, CVE-2023-51798)
Zeng Yunxiang discovered that FFmpeg incorrectly handled certain input
files. An attacker could possibly use this issue to cause FFmpeg to crash,
resulting in a denial of service, or potential arbitrary code execution.
This issue only affected Ubuntu 23.10. (CVE-2023-51795, CVE-2023-51796)
It was discovered that FFmpeg incorrectly handled certain
input files. An attacker could possibly use this issue to cause FFmpeg to
crash, resulting in a denial of service, or potential arbitrary code
execution. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS,
Ubuntu 22.04 LTS, Ubuntu 23.10 and Ubuntu 24.04 LTS. (CVE-2024-31578)
It was discovered that FFmpeg incorrectly handled certain
input files. An attacker could possibly use this issue to cause FFmpeg to
crash, resulting in a denial of service, or potential arbitrary code
execution. This issue only affected Ubuntu 23.10 and Ubuntu 24.04 LTS.
(CVE-2024-31582)
It was discovered that FFmpeg incorrectly handled certain
input files. An attacker could possibly use this issue to cause FFmpeg to
crash, resulting in a denial of service, or potential arbitrary code
execution. This issue only affected Ubuntu 23.10. (CVE-2024-31585)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
ffmpeg 7:6.1.1-3ubuntu5+esm1
Available with Ubuntu Pro
libavcodec-extra60 7:6.1.1-3ubuntu5+esm1
Available with Ubuntu Pro
libavcodec60 7:6.1.1-3ubuntu5+esm1
Available with Ubuntu Pro
libavdevice60 7:6.1.1-3ubuntu5+esm1
Available with Ubuntu Pro
libavfilter-extra9 7:6.1.1-3ubuntu5+esm1
Available with Ubuntu Pro
libavfilter9 7:6.1.1-3ubuntu5+esm1
Available with Ubuntu Pro
libavformat-extra60 7:6.1.1-3ubuntu5+esm1
Available with Ubuntu Pro
libavformat60 7:6.1.1-3ubuntu5+esm1
Available with Ubuntu Pro
libavutil58 7:6.1.1-3ubuntu5+esm1
Available with Ubuntu Pro
libpostproc57 7:6.1.1-3ubuntu5+esm1
Available with Ubuntu Pro
libswresample4 7:6.1.1-3ubuntu5+esm1
Available with Ubuntu Pro
libswscale7 7:6.1.1-3ubuntu5+esm1
Available with Ubuntu Pro
Ubuntu 23.10
ffmpeg 7:6.0-6ubuntu1.1
libavcodec-extra60 7:6.0-6ubuntu1.1
libavcodec60 7:6.0-6ubuntu1.1
libavdevice60 7:6.0-6ubuntu1.1
libavfilter-extra9 7:6.0-6ubuntu1.1
libavfilter9 7:6.0-6ubuntu1.1
libavformat-extra60 7:6.0-6ubuntu1.1
libavformat60 7:6.0-6ubuntu1.1
libavutil58 7:6.0-6ubuntu1.1
libpostproc57 7:6.0-6ubuntu1.1
libswresample4 7:6.0-6ubuntu1.1
libswscale7 7:6.0-6ubuntu1.1
Ubuntu 22.04 LTS
ffmpeg 7:4.4.2-0ubuntu0.22.04.1+esm4
Available with Ubuntu Pro
libavcodec-extra58 7:4.4.2-0ubuntu0.22.04.1+esm4
Available with Ubuntu Pro
libavcodec58 7:4.4.2-0ubuntu0.22.04.1+esm4
Available with Ubuntu Pro
libavdevice58 7:4.4.2-0ubuntu0.22.04.1+esm4
Available with Ubuntu Pro
libavfilter-extra7 7:4.4.2-0ubuntu0.22.04.1+esm4
Available with Ubuntu Pro
libavfilter7 7:4.4.2-0ubuntu0.22.04.1+esm4
Available with Ubuntu Pro
libavformat-extra 7:4.4.2-0ubuntu0.22.04.1+esm4
Available with Ubuntu Pro
libavformat-extra58 7:4.4.2-0ubuntu0.22.04.1+esm4
Available with Ubuntu Pro
libavformat58 7:4.4.2-0ubuntu0.22.04.1+esm4
Available with Ubuntu Pro
libavutil56 7:4.4.2-0ubuntu0.22.04.1+esm4
Available with Ubuntu Pro
libpostproc55 7:4.4.2-0ubuntu0.22.04.1+esm4
Available with Ubuntu Pro
libswresample3 7:4.4.2-0ubuntu0.22.04.1+esm4
Available with Ubuntu Pro
libswscale5 7:4.4.2-0ubuntu0.22.04.1+esm4
Available with Ubuntu Pro
Ubuntu 20.04 LTS
ffmpeg 7:4.2.7-0ubuntu0.1+esm5
Available with Ubuntu Pro
libavcodec-extra58 7:4.2.7-0ubuntu0.1+esm5
Available with Ubuntu Pro
libavcodec58 7:4.2.7-0ubuntu0.1+esm5
Available with Ubuntu Pro
libavdevice58 7:4.2.7-0ubuntu0.1+esm5
Available with Ubuntu Pro
libavfilter-extra7 7:4.2.7-0ubuntu0.1+esm5
Available with Ubuntu Pro
libavfilter7 7:4.2.7-0ubuntu0.1+esm5
Available with Ubuntu Pro
libavformat58 7:4.2.7-0ubuntu0.1+esm5
Available with Ubuntu Pro
libavresample4 7:4.2.7-0ubuntu0.1+esm5
Available with Ubuntu Pro
libavutil56 7:4.2.7-0ubuntu0.1+esm5
Available with Ubuntu Pro
libpostproc55 7:4.2.7-0ubuntu0.1+esm5
Available with Ubuntu Pro
libswresample3 7:4.2.7-0ubuntu0.1+esm5
Available with Ubuntu Pro
libswscale5 7:4.2.7-0ubuntu0.1+esm5
Available with Ubuntu Pro
Ubuntu 18.04 LTS
ffmpeg 7:3.4.11-0ubuntu0.1+esm5
Available with Ubuntu Pro
libavcodec-extra57 7:3.4.11-0ubuntu0.1+esm5
Available with Ubuntu Pro
libavcodec57 7:3.4.11-0ubuntu0.1+esm5
Available with Ubuntu Pro
libavdevice57 7:3.4.11-0ubuntu0.1+esm5
Available with Ubuntu Pro
libavfilter-extra6 7:3.4.11-0ubuntu0.1+esm5
Available with Ubuntu Pro
libavfilter6 7:3.4.11-0ubuntu0.1+esm5
Available with Ubuntu Pro
libavformat57 7:3.4.11-0ubuntu0.1+esm5
Available with Ubuntu Pro
libavresample3 7:3.4.11-0ubuntu0.1+esm5
Available with Ubuntu Pro
libavutil55 7:3.4.11-0ubuntu0.1+esm5
Available with Ubuntu Pro
libpostproc54 7:3.4.11-0ubuntu0.1+esm5
Available with Ubuntu Pro
libswresample2 7:3.4.11-0ubuntu0.1+esm5
Available with Ubuntu Pro
libswscale4 7:3.4.11-0ubuntu0.1+esm5
Available with Ubuntu Pro
Ubuntu 16.04 LTS
ffmpeg 7:2.8.17-0ubuntu0.1+esm7
Available with Ubuntu Pro
libavcodec-ffmpeg-extra56 7:2.8.17-0ubuntu0.1+esm7
Available with Ubuntu Pro
libavcodec-ffmpeg56 7:2.8.17-0ubuntu0.1+esm7
Available with Ubuntu Pro
libavdevice-ffmpeg56 7:2.8.17-0ubuntu0.1+esm7
Available with Ubuntu Pro
libavfilter-ffmpeg5 7:2.8.17-0ubuntu0.1+esm7
Available with Ubuntu Pro
libavformat-ffmpeg56 7:2.8.17-0ubuntu0.1+esm7
Available with Ubuntu Pro
libavresample-ffmpeg2 7:2.8.17-0ubuntu0.1+esm7
Available with Ubuntu Pro
libavutil-ffmpeg54 7:2.8.17-0ubuntu0.1+esm7
Available with Ubuntu Pro
libpostproc-ffmpeg53 7:2.8.17-0ubuntu0.1+esm7
Available with Ubuntu Pro
libswresample-ffmpeg1 7:2.8.17-0ubuntu0.1+esm7
Available with Ubuntu Pro
libswscale-ffmpeg3 7:2.8.17-0ubuntu0.1+esm7
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6803-1
CVE-2023-49501, CVE-2023-49502, CVE-2023-49528, CVE-2023-50007,
CVE-2023-50008, CVE-2023-50009, CVE-2023-50010, CVE-2023-51793,
CVE-2023-51794, CVE-2023-51795, CVE-2023-51796, CVE-2023-51798,
CVE-2024-31578, CVE-2024-31582, CVE-2024-31585
Package Information:
https://launchpad.net/ubuntu/+source/ffmpeg/7:6.0-6ubuntu1.1
[USN-6802-1] PostgreSQL vulnerability
==========================================================================
Ubuntu Security Notice USN-6802-1
May 30, 2024
postgresql-14, postgresql-15, postgresql-16 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
Summary:
PostgreSQL could be made to expose sensitive information.
Software Description:
- postgresql-16: Object-relational SQL database
- postgresql-15: Object-relational SQL database
- postgresql-14: Object-relational SQL database
Details:
Lukas Fittl discovered that PostgreSQL incorrectly performed authorization
in the built-in pg_stats_ext and pg_stats_ext_exprs views. An unprivileged
database user can use this issue to read most common values and other
statistics from CREATE STATISTICS commands of other users.
NOTE: This update will only fix fresh PostgreSQL installations. Current
PostgreSQL installations will remain vulnerable to this issue until manual
steps are performed. Please see the instructions in the changelog located
at /usr/share/doc/postgresql-*/changelog.Debian.gz after the updated
packages have been installed, or in the PostgreSQL release notes located
here:
https://www.postgresql.org/docs/16/release-16-3.html
https://www.postgresql.org/docs/15/release-15-7.html
https://www.postgresql.org/docs/14/release-14-12.html
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
postgresql-16 16.3-0ubuntu0.24.04.1
postgresql-client-16 16.3-0ubuntu0.24.04.1
Ubuntu 23.10
postgresql-15 15.7-0ubuntu0.23.10.1
postgresql-client-15 15.7-0ubuntu0.23.10.1
Ubuntu 22.04 LTS
postgresql-14 14.12-0ubuntu0.22.04.1
postgresql-client-14 14.12-0ubuntu0.22.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes, and possibly perform manual steps as
described above.
References:
https://ubuntu.com/security/notices/USN-6802-1
CVE-2024-4317
Package Information:
https://launchpad.net/ubuntu/+source/postgresql-16/16.3-0ubuntu0.24.04.1
https://launchpad.net/ubuntu/+source/postgresql-15/15.7-0ubuntu0.23.10.1
https://launchpad.net/ubuntu/+source/postgresql-14/14.12-0ubuntu0.22.04.1
[USN-6801-1] PyMySQL vulnerability
==========================================================================
Ubuntu Security Notice USN-6801-1
May 30, 2024
python-pymysql vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
PyMySQL could be vulnerable to SQL injection attacks.
Software Description:
- python-pymysql: Pure-Python MySQL driver
Details:
It was discovered that PyMySQL incorrectly escaped untrusted JSON input. An
attacker could possibly use this issue to perform SQL injection attacks.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
python3-pymysql 1.0.2-2ubuntu1.1
Ubuntu 23.10
python3-pymysql 1.0.2-1ubuntu1.23.10.1
Ubuntu 22.04 LTS
python3-pymysql 1.0.2-1ubuntu1.22.04.1
Ubuntu 20.04 LTS
python3-pymysql 0.9.3-2ubuntu3.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6801-1
CVE-2024-36039
Package Information:
https://launchpad.net/ubuntu/+source/python-pymysql/1.0.2-2ubuntu1.1
https://launchpad.net/ubuntu/+source/python-pymysql/1.0.2-1ubuntu1.23.10.1
https://launchpad.net/ubuntu/+source/python-pymysql/1.0.2-1ubuntu1.22.04.1
https://launchpad.net/ubuntu/+source/python-pymysql/0.9.3-2ubuntu3.1
[USN-6800-1] browserify-sign vulnerability
==========================================================================
Ubuntu Security Notice USN-6800-1
May 30, 2024
node-browserify-sign vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
browserify-sign could allow unintended access if it opened a specially crafted
file.
Software Description:
- node-browserify-sign: createSign and createVerify in your browser
Details:
It was discovered that browserify-sign incorrectly handled an upper bound check
in signature verification. If a user or an automated system were tricked into
opening a specially crafted input file, a remote attacker could possibly use
this issue to perform a signature forgery attack.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10
node-browserify-sign 4.2.1-3ubuntu0.1
Ubuntu 22.04 LTS
node-browserify-sign 4.2.1-2ubuntu0.1
Ubuntu 20.04 LTS
node-browserify-sign 4.0.4-2ubuntu0.20.04.1
Ubuntu 18.04 LTS
node-browserify-sign 4.0.4-2ubuntu0.18.04.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6800-1
CVE-2023-46234
Package Information:
https://launchpad.net/ubuntu/+source/node-browserify-sign/4.2.1-3ubuntu0.1
https://launchpad.net/ubuntu/+source/node-browserify-sign/4.2.1-2ubuntu0.1
https://launchpad.net/ubuntu/+source/node-browserify-sign/4.0.4-2ubuntu0.20.04.1
Wednesday, May 29, 2024
[USN-6798-1] GStreamer Base Plugins vulnerability
==========================================================================
Ubuntu Security Notice USN-6798-1
May 29, 2024
gst-plugins-base1.0 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
GStreamer Base Plugins could be made to crash or run programs as your login if it
opened a specially crafted file.
Software Description:
- gst-plugins-base1.0: GStreamer plugins
Details:
It was discovered that GStreamer Base Plugins incorrectly handled certain
EXIF metadata. An attacker could possibly use this issue to execute arbitrary
code or cause a crash.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
gstreamer1.0-plugins-base 1.24.2-1ubuntu0.1
Ubuntu 23.10
gstreamer1.0-plugins-base 1.22.6-1ubuntu0.1
Ubuntu 22.04 LTS
gstreamer1.0-plugins-base 1.20.1-1ubuntu0.2
Ubuntu 20.04 LTS
gstreamer1.0-plugins-base 1.16.3-0ubuntu1.3
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6798-1
CVE-2024-4453
Package Information:
https://launchpad.net/ubuntu/+source/gst-plugins-base1.0/1.24.2-1ubuntu0.1
https://launchpad.net/ubuntu/+source/gst-plugins-base1.0/1.22.6-1ubuntu0.1
https://launchpad.net/ubuntu/+source/gst-plugins-base1.0/1.20.1-1ubuntu0.2
https://launchpad.net/ubuntu/+source/gst-plugins-base1.0/1.16.3-0ubuntu1.3
[USN-6796-1] TPM2 Software Stack vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6796-1
May 29, 2024
tpm2-tss vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in TPM2 Software Stack.
Software Description:
- tpm2-tss: TPM2 Software Stack library
Details:
Fergus Dall discovered that TPM2 Software Stack did not properly handle
layer arrays. An attacker could possibly use this issue to cause
TPM2 Software Stack to crash, resulting in a denial of service, or
possibly execute arbitrary code.
(CVE-2023-22745)
Jurgen Repp and Andreas Fuchs discovered that TPM2 Software Stack did not
validate the quote data after deserialization. An attacker could generate
an arbitrary quote and cause TPM2 Software Stack to have unknown behavior.
(CVE-2024-29040)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
libtss2-esys-3.0.2-0t64 4.0.1-7.1ubuntu5.1
libtss2-fapi1t64 4.0.1-7.1ubuntu5.1
libtss2-mu-4.0.1-0t64 4.0.1-7.1ubuntu5.1
libtss2-policy0t64 4.0.1-7.1ubuntu5.1
libtss2-rc0t64 4.0.1-7.1ubuntu5.1
libtss2-sys1t64 4.0.1-7.1ubuntu5.1
libtss2-tcti-cmd0t64 4.0.1-7.1ubuntu5.1
libtss2-tcti-device0t64 4.0.1-7.1ubuntu5.1
libtss2-tcti-libtpms0t64 4.0.1-7.1ubuntu5.1
libtss2-tcti-mssim0t64 4.0.1-7.1ubuntu5.1
libtss2-tcti-pcap0t64 4.0.1-7.1ubuntu5.1
libtss2-tcti-spi-helper0t64 4.0.1-7.1ubuntu5.1
libtss2-tcti-swtpm0t64 4.0.1-7.1ubuntu5.1
libtss2-tctildr0t64 4.0.1-7.1ubuntu5.1
Ubuntu 23.10
libtss2-esys-3.0.2-0 4.0.1-3ubuntu1.1
libtss2-fapi1 4.0.1-3ubuntu1.1
libtss2-mu0 4.0.1-3ubuntu1.1
libtss2-policy0 4.0.1-3ubuntu1.1
libtss2-rc0 4.0.1-3ubuntu1.1
libtss2-sys1 4.0.1-3ubuntu1.1
libtss2-tcti-cmd0 4.0.1-3ubuntu1.1
libtss2-tcti-device0 4.0.1-3ubuntu1.1
libtss2-tcti-libtpms0 4.0.1-3ubuntu1.1
libtss2-tcti-mssim0 4.0.1-3ubuntu1.1
libtss2-tcti-pcap0 4.0.1-3ubuntu1.1
libtss2-tcti-spi-helper0 4.0.1-3ubuntu1.1
libtss2-tcti-swtpm0 4.0.1-3ubuntu1.1
libtss2-tctildr0 4.0.1-3ubuntu1.1
Ubuntu 22.04 LTS
libtss2-esys-3.0.2-0 3.2.0-1ubuntu1.1
libtss2-fapi1 3.2.0-1ubuntu1.1
libtss2-mu0 3.2.0-1ubuntu1.1
libtss2-rc0 3.2.0-1ubuntu1.1
libtss2-sys1 3.2.0-1ubuntu1.1
libtss2-tcti-cmd0 3.2.0-1ubuntu1.1
libtss2-tcti-device0 3.2.0-1ubuntu1.1
libtss2-tcti-mssim0 3.2.0-1ubuntu1.1
libtss2-tcti-swtpm0 3.2.0-1ubuntu1.1
libtss2-tctildr0 3.2.0-1ubuntu1.1
Ubuntu 20.04 LTS
libtss2-esys0 2.3.2-1ubuntu0.20.04.2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6796-1
CVE-2023-22745, CVE-2024-29040
Package Information:
https://launchpad.net/ubuntu/+source/tpm2-tss/4.0.1-7.1ubuntu5.1
https://launchpad.net/ubuntu/+source/tpm2-tss/4.0.1-3ubuntu1.1
https://launchpad.net/ubuntu/+source/tpm2-tss/3.2.0-1ubuntu1.1
https://launchpad.net/ubuntu/+source/tpm2-tss/2.3.2-1ubuntu0.20.04.2
[USN-6799-1] Werkzeug vulnerability
==========================================================================
Ubuntu Security Notice USN-6799-1
May 29, 2024
python-werkzeug vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Werkzeug could be made to execute code under certain circumstances.
Software Description:
- python-werkzeug: collection of utilities for WSGI applications
Details:
It was discovered that the debugger in Werkzeug was not restricted to
trusted hosts. A remote attacker could possibly use this issue to execute
code on the host under certain circumstances.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
python3-werkzeug 3.0.1-3ubuntu0.1
Ubuntu 23.10
python3-werkzeug 2.2.2-3ubuntu0.1
Ubuntu 22.04 LTS
python3-werkzeug 2.0.2+dfsg1-1ubuntu0.22.04.2
Ubuntu 20.04 LTS
python3-werkzeug 0.16.1+dfsg1-2ubuntu0.2
Ubuntu 18.04 LTS
python-werkzeug 0.14.1+dfsg1-1ubuntu0.2+esm1
Available with Ubuntu Pro
python3-werkzeug 0.14.1+dfsg1-1ubuntu0.2+esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
python-werkzeug 0.10.4+dfsg1-1ubuntu1.2+esm2
Available with Ubuntu Pro
python3-werkzeug 0.10.4+dfsg1-1ubuntu1.2+esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6799-1
CVE-2024-34069
Package Information:
https://launchpad.net/ubuntu/+source/python-werkzeug/3.0.1-3ubuntu0.1
https://launchpad.net/ubuntu/+source/python-werkzeug/2.2.2-3ubuntu0.1
https://launchpad.net/ubuntu/+source/python-werkzeug/2.0.2+dfsg1-1ubuntu0.22.04.2
https://launchpad.net/ubuntu/+source/python-werkzeug/0.16.1+dfsg1-2ubuntu0.2