More information about this security flaw is available in the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=2322054 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
This message is a reminder that Fedora Linux 40 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 40 on 2025-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '40'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 40 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
Rawhide still affected. Possible fix in 10.1, but not confirmed by upstream: https://github.com/leethomason/tinyxml2/issues/996#issuecomment-2715203587 . 11.0 is out, too.
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
I asked upstream for input in https://github.com/leethomason/tinyxml2/issues/996#issuecomment-3192009888. I’ll work on shipping the probable fix https://github.com/leethomason/tinyxml2/commit/494735de30c946bc7d684c65ff8ece05beeb232d in EPEL10 and Fedora 42+. I do not yet know if it will be practical to backport the probable fix to tinyxml2 9.0.0 in F41 and EPEL9.
It looks like 10.1.0 accidentally changed ABI without bumping the SONAME version[1], so the way forward will be to go straight to 11.0.0 (bug 2350891) in F43+. That at least fixes CVE-2024-50615; hopefully it fixes CVE-2024-50614 as well. I don’t think I will be able to invest the time to try to backport the fix to 10.0.0 or to 9.0.0 without breaking ABI, so F42, F41, EPEL10, and EPEL9 will have to remain as they are. PR’s are welcome, if someone turns out to be more invested in this than I am. [1] https://github.com/leethomason/tinyxml2/issues/1018
FEDORA-2025-7c42801720 (ags-3.6.2.12-4.fc44, bullet-3.08-15.fc44, and 18 more) has been submitted as an update to Fedora 44. https://bodhi.fedoraproject.org/updates/FEDORA-2025-7c42801720
FEDORA-2025-9b8c8ca077 (ags-3.6.2.12-4.fc43, bullet-3.08-15.fc43, and 18 more) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2025-9b8c8ca077
FEDORA-2025-7c42801720 (ags-3.6.2.12-4.fc44, bullet-3.08-15.fc44, and 18 more) has been pushed to the Fedora 44 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2025-9b8c8ca077 (ags-3.6.2.12-4.fc43, bullet-3.08-15.fc43, and 18 more) has been pushed to the Fedora 43 stable repository. If problem still persists, please make note of it in this bug report.