BZ#2294905 CVE-2024-6387 openssh: Possible remote code execution due to a race condition in signal handling [fedora-39]

I wouldn't say alone should be treated as a blocker, now that rawhide and F39 are updated to 3.8.2. We can include a fix in another iteration.

This update has been unpushed.

ueno commented & provided feedback on wine-7.9-1.fc35 2 years ago

This update fixes the CI issue in GnuTLS:

BZ#2073650 wine-7.9 is available

@ckujau, if you are in doubt, try (temporarily) blacklisting the cross-signed "COMODO RSA Certification Authority" on the system and see if the connection fails as expected:

$ trust list # check the URL of the cross-signed certificate
$ trust dump --filter 'pkcs11:id=%BB%AF%7E%02%3D%FA%A6%F1%3C%84%8E%AD%EE%38%98%EC%D9%32%32%D4;type=cert' > comodo-rsa.p11-kit
$ sudo cp comodo-rsa.p11-kit /etc/pki/ca-trust/source/blacklist/
$ gnutls-cli host:443
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

@ckujau, no, the message is just misleading. The certificate is internally dropped from the input chain, and the cross-signed (non-expired) certificate is used from the system trust store. See the background of the fix:

I'll try to update the command output later.

Re-added ca-certificates with a versioned dependency on p11-kit.

@cmadams, right, re-added ca-certificates with a versioned dependency on p11-kit. Thanks!

@cmadams, yes, that's why this update contains both ca-certificates and p11-kit. @pizzadude, that's interesting; maybe the flatpak runtime needs an updated p11-kit.

Anyway, I will drop ca-certificates from this update for now.


This seems to fix the false positives we hit on the p11-kit CI:

This update has been unpushed.

Given that the AVC denials are through rtkit, updating only nspr/nss packages shouldn't cause any new denials. So I am dropping firefox for now.

BZ#1713777 Visiting results in SSL_ERROR_DECODE_ERROR_ALERT

Thank you Nils for the update (sorry for my laziness)!

ueno commented & provided feedback on nss-3.41.0-3.fc28 5 years ago

@cheimes, nss-3.41.0-3.fc28 has been ready for some time, but I can't edit this update as it's locked; perhaps adding karma in the pending state confused the system...

@remi, possibly a repo problem on your side? I don't see anything wrong here:

$ rpm -qP nspr-4.20.0-1.fc27.x86_64.rpm | grep '^nspr'
nspr = 4.20.0-1.fc27
nspr(x86-64) = 4.20.0-1.fc27

$ rpm -qR thunderbird-60.0-1.fc27.x86_64.rpm | grep '^nspr'
nspr >= 4.20.0