Fedora Security Advisories

• caddy-2.10.2-9.el10_3

Security update resolving 22 CVEs across both caddy itself and its vendored libraries.

• haveged-1.9.25-1.el9

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

• haveged-1.9.25-1.el10_3

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

• haveged-1.9.25-1.el10_2

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

• haveged-1.9.25-1.fc43

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

• haveged-1.9.25-1.fc44

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

• caddy-2.10.2-9.fc43

Security update resolving 22 CVEs across both caddy itself and its vendored libraries.

• caddy-2.10.2-9.fc44

Security update resolving 17 CVEs across both caddy itself and its vendored libraries.

• rclone-1.74.3-1.el9

Update to 1.74.3

• rclone-1.74.3-1.el10_3

Update to 1.74.3

• rclone-1.74.3-1.el10_2

Update to 1.74.3

• rclone-1.74.3-1.fc43

Update to 1.74.3

• rclone-1.74.3-1.fc44

Update to 1.74.3

• perl-Socket-2.041-1.fc44

2.041- BUGFIXES - Fix reuse of STRLEN len variable in pack_ip_mreq_source()

• perl-Socket-2.041-1.fc43

2.041- BUGFIXES - Fix reuse of STRLEN len variable in pack_ip_mreq_source()

• goose-1.36.0-1.el10_3

Update goose to 1.36.0

• goose-1.36.0-1.fc43

Update goose to 1.36.0

• goose-1.36.0-1.el9

Update goose to 1.36.0

• goose-1.36.0-1.el10_2

Update goose to 1.36.0

• goose-1.36.0-1.fc44

Update goose to 1.36.0