{"update": {"autokarma": true, "autotime": true, "stable_karma": 3, "stable_days": 7, "unstable_karma": -3, "require_bugs": false, "require_testcases": true, "display_name": "", "notes": "Security fix for CVE-2022-31116 and CVE-2022-31117.\n\n## 5.4.0\n\n**Added**\n\n- Add support for arbitrary size integers\n\n**Fixed**\n\n- CVE-2022-31116: Replace `wchar_t` string decoding implementation with a `uint32_t`-based one; fix handling of surrogates on decoding\n- CVE-2022-31117: Potential double free of buffer during string decoding\n- Fix memory leak on encoding errors when the buffer was resized\n- Integer parsing: always detect overflows\n- Fix handling of surrogates on encoding", "type": "security", "status": "stable", "request": null, "severity": "medium", "suggest": "unspecified", "locked": false, "pushed": true, "critpath": false, "critpath_groups": null, "close_bugs": true, "date_submitted": "2022-07-14 16:12:06", "date_modified": null, "date_approved": null, "date_testing": "2022-07-15 01:31:37", "date_stable": "2022-07-23 00:33:56", "alias": "FEDORA-EPEL-2022-1026769ad3", "test_gating_status": "ignored", "from_tag": null, "date_pushed": "2022-07-23 00:33:56", "meets_testing_requirements": true, "url": "https://bodhi.stg.fedoraproject.org/updates/FEDORA-EPEL-2022-1026769ad3", "title": "python-ujson-5.4.0-1.el9", "version_hash": "ca96c62e2010008cbe64851f95e3aea21a8e6b3d", "release": {"name": "EPEL-9", "long_name": "Fedora EPEL 9", "version": "9", "id_prefix": "FEDORA-EPEL", "branch": "epel9", "dist_tag": "epel9", "stable_tag": "epel9", "testing_tag": "epel9-testing", "candidate_tag": "epel9-testing-candidate", "pending_signing_tag": "epel9-signing-pending", "pending_testing_tag": "epel9-testing-pending", "pending_stable_tag": "epel9-pending", "override_tag": "epel9-override", "mail_template": "fedora_epel_legacy_errata_template", "state": "current", "composed_by_bodhi": true, "create_automatic_updates": false, "package_manager": "unspecified", "testing_repository": null, "released_on": null, "eol": null, "critpath_mandatory_days_in_testing": 14, "mandatory_days_in_testing": 7, "critpath_min_karma": 2, "min_karma": 1, "setting_status": null}, "user": {"name": "music", "email": "code@musicinmybrain.net", "id": 5936, "avatar": "https://seccdn.libravatar.org/avatar/cbba028ab32ef1c5c6bfa001d27d8e20aa2821bab34f8a9914a71c6eb18a873c?s=24&d=retro", "openid": "music.id.stg.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "provenpackager"}, {"name": "python-sig"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "neuro-sig"}, {"name": "rust-sig"}, {"name": "python-packagers-sig"}]}, "comments": [{"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for testing by music. ", "timestamp": "2022-07-14 16:12:06", "update_id": 426662, "user_id": 91, "id": 2617737, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'ignored'.", "timestamp": "2022-07-14 16:12:07", "update_id": 426662, "user_id": 91, "id": 2617738, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to testing.", "timestamp": "2022-07-15 01:32:19", "update_id": 426662, "user_id": 91, "id": 2618185, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for stable by bodhi. ", "timestamp": "2022-07-22 01:33:13", "update_id": 426662, "user_id": 91, "id": 2627975, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to stable.", "timestamp": "2022-07-23 00:34:30", "update_id": 426662, "user_id": 91, "id": 2629063, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}], "builds": [{"nvr": "python-ujson-5.4.0-1.el9", "signed": true, "release_id": 61, "type": "rpm", "epoch": 0}], "bugs": [{"bug_id": 2103379, "title": "python-ujson-5.4.0 is available", "security": false, "parent": false, "feedback": []}, {"bug_id": 2104739, "title": "CVE-2022-31117 python-ujson: Potential double free of buffer during string decoding", "security": true, "parent": true, "feedback": []}, {"bug_id": 2104740, "title": "CVE-2022-31116 python-ujson: improper decoding of escaped surrogate characters may lead to string corruption, key confusion or value overwriting", "security": true, "parent": true, "feedback": []}, {"bug_id": 2106987, "title": "CVE-2022-31117 python-ujson: Potential double free of buffer during string decoding [epel-all]", "security": true, "parent": false, "feedback": []}, {"bug_id": 2106992, "title": "CVE-2022-31116 python-ujson: improper decoding of escaped surrogate characters may lead to string corruption, key confusion or value overwriting [epel-all]", "security": true, "parent": false, "feedback": []}], "updateid": "FEDORA-EPEL-2022-1026769ad3", "karma": 0, "content_type": "rpm", "test_cases": []}, "can_edit": false, "ci_allowed": false}