Aggregator

FEDORA-2026-956f05a733 Packages in this update:

• djvulibre-3.5.30-1.fc44

Update description:

Update to 3.5.30.

FEDORA-2026-01aa80d160 Packages in this update:

• djvulibre-3.5.30-1.fc42

Update description:

Update to 3.5.30.

FEDORA-2026-bfa185dbb3 Packages in this update:

• djvulibre-3.5.30-1.fc43

Update description:

Update to 3.5.30.

It was discovered that PostgreSQL did not correctly enforce authorization for CREATE TYPE. An attacker could possibly use this issue to execute arbitrary SQL functions. (CVE-2026-6472) It was discovered that PostgreSQL incorrectly handled large user input in multiple server features. An attacker could possibly use this issue to cause PostgreSQL to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2026-6473) It was discovered that PostgreSQL incorrectly handled format strings in the timeofday() function. An attacker could possibly use this issue to obtain sensitive information. (CVE-2026-6474) It was discovered that PostgreSQL incorrectly followed symbolic links in pg_basebackup and pg_rewind. An attacker could possibly use this issue to overwrite local files and execute arbitrary code. (CVE-2026-6475) It was discovered that PostgreSQL had an SQL injection vulnerability in pg_createsubscriber. An attacker could possibly use this issue to execute arbitrary SQL as a superuser. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-6476) It was discovered that PostgreSQL used an unsafe libpq function in large object operations. An attacker could possibly use this issue to overwrite client memory and execute arbitrary code. (CVE-2026-6477) It was discovered that PostgreSQL did not compare MD5-hashed passwords in constant time. An attacker could possibly use this issue to obtain sensitive information. (CVE-2026-6478) It was discovered that PostgreSQL had uncontrolled recursion during SSL and GSS negotiation. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-6479) It was discovered that PostgreSQL incorrectly handled array length mismatches in pg_restore_attribute_stats(). An attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 26.04 LTS. (CVE-2026-6575) It was discovered that PostgreSQL had a stack buffer overflow in the refint module. An attacker could use this issue to cause PostgreSQL to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-6637) It was discovered that PostgreSQL had an SQL injection vulnerability in logical replication REFRESH PUBLICATION. An attacker could possibly use this issue to execute arbitrary SQL. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-6638)

FEDORA-2026-b9f338a467 Packages in this update:

• kernel-6.19.14-108.fc42

Update description:

The 6.19.14-108 stable kernel update contains a couple if important security fixes.

FEDORA-2026-9a3a98bc24 Packages in this update:

• xrdp-0.10.6-2.fc44

Update description:

Close TCP socket in default configuration, because we want just Unix domain socket connections to Xvnc.

FEDORA-2026-6af8517b94 Packages in this update:

• xrdp-0.10.6-2.fc42

Update description:

Close TCP socket in default configuration, because we want just Unix domain socket connections to Xvnc.

FEDORA-EPEL-2026-8d69cba26b Packages in this update:

• xrdp-0.10.6-2.el9

Update description:

Close TCP socket in default configuration, because we want just Unix domain socket connections to Xvnc.

FEDORA-2026-8aeca78af9 Packages in this update:

• xrdp-0.10.6-2.fc43

Update description:

Close TCP socket in default configuration, because we want just Unix domain socket connections to Xvnc.

FEDORA-EPEL-2026-cf191f562d Packages in this update:

• xrdp-0.10.6-2.el8

Update description:

Close TCP socket in default configuration, because we want just Unix domain socket connections to Xvnc.

FEDORA-2026-5d9b0e2c17 Packages in this update:

• haveged-1.9.22-1.fc43

Update description:

Update to 1.9.22 — fix systemd sandboxing: add ReadWritePaths=/dev/shm for semaphore creation

Backport fix for CVE-2026-41054: privilege escalation via command socket

FEDORA-2026-8fa79f47e1 Packages in this update:

• haveged-1.9.22-1.fc42

Update description:

Update to 1.9.22 — fix systemd sandboxing: add ReadWritePaths=/dev/shm for semaphore creation

Backport fix for CVE-2026-41054: privilege escalation via command socket

Vitaly Simonovich discovered that Bind could exhaust memory during GSS-API TKEY negotiation. A remote attacker could possibly use this issue to cause Bind to use excessive resources, leading to a denial of service. (CVE-2026-3039) Shuhan Zhang discovered that Bind incorrectly handled self-pointed glue records. A remote attacker could possibly use this issue to use Bind in denial of service amplification attacks against other systems. (CVE-2026-3592) Naresh Kandula Parmar discovered that Bind incorrectly handled memory in the DNS-over-HTTPS implementation. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service, or execute arbitrary code. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-3593) It was discovered that Bind incorrectly handled DNS messages whose class was not IN. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. (CVE-2026-5946) Naoki Wakamatsu discovered that Bind incorrectly handled SIG(0) validation during a query flood. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-5947) Billy Baraja discovered that Bind had an unbounded resend loop in the resolver. A remote attacker could possibly use this issue to cause Bind to use excessive resources, leading to a denial of service. (CVE-2026-5950)

FEDORA-2026-66bba52149 Packages in this update:

• kernel-7.0.9-205.fc44

Update description:

The 7.0.9-105/205 stable kernel updates contain a couple if important security fixes.

FEDORA-2026-94731f4ace Packages in this update:

• kernel-7.0.9-105.fc43

Update description:

The 7.0.9-105/205 stable kernel updates contain a couple if important security fixes.

FEDORA-2026-b626e83a45 Packages in this update:

• bind-9.18.49-1.fc43
• bind-dyndb-ldap-11.11-13.fc43

Update description: Update to 9.18.49 (rhbz#2480121) Security Fixes:

• Limit resolver server list size. (CVE-2026-3592)
• Fix GSS-API resource leak. (CVE-2026-3039)
• Disable recursion, UPDATE, and NOTIFY for non-IN views. (CVE-2026-5946)
• Avoid unbounded recursion loop. (CVE-2026-5950)
• Fix outgoing zone transfers' quota issue.

Feature Changes:

• Fix CPU spikes and slow queries when cache approaches memory limit.

Bug Fixes:

• Fix named crash when processing SIG records in dynamic updates.
• Fix rndc modzone behavior for a zone in named.conf.
• Fix zone verification of NSEC3 signed zones.
• Prevent a crash when using both dns64 and filter-aaaa.
• Fixed an assertion failure when processing catalog zones.
• Prevent malicious DNSSEC zones from exhausting validator CPU.
• Fix rndc-confgen aborting on HMAC-SHA-384/512 keys above 512 bits.
• Prevent crafted queries from degrading RRL performance.
• Fix a bug in allow-query/allow-transfer catalog zone custom properties.
• Fix a memory leak issue in catalog zones.
• Fix suppressed missing-glue check in named-checkzone.
• Reject record sets too large to serve in DNS.

Source: https://downloads.isc.org/isc/bind9/9.18.49/doc/arm/html/notes.html#notes-for-bind-9-18-49

FEDORA-2026-411248c8d9 Packages in this update:

• bind-9.18.49-1.fc44
• bind-dyndb-ldap-11.11-15.fc44

Update description: Update to 9.18.49 (rhbz#2480121) Security Fixes:

• Limit resolver server list size. (CVE-2026-3592)
• Fix GSS-API resource leak. (CVE-2026-3039)
• Disable recursion, UPDATE, and NOTIFY for non-IN views. (CVE-2026-5946)
• Avoid unbounded recursion loop. (CVE-2026-5950)
• Fix outgoing zone transfers' quota issue.

Feature Changes:

• Fix CPU spikes and slow queries when cache approaches memory limit.

Bug Fixes:

• Fix named crash when processing SIG records in dynamic updates.
• Fix rndc modzone behavior for a zone in named.conf.
• Fix zone verification of NSEC3 signed zones.
• Prevent a crash when using both dns64 and filter-aaaa.
• Fixed an assertion failure when processing catalog zones.
• Prevent malicious DNSSEC zones from exhausting validator CPU.
• Fix rndc-confgen aborting on HMAC-SHA-384/512 keys above 512 bits.
• Prevent crafted queries from degrading RRL performance.
• Fix a bug in allow-query/allow-transfer catalog zone custom properties.
• Fix a memory leak issue in catalog zones.
• Fix suppressed missing-glue check in named-checkzone.
• Reject record sets too large to serve in DNS.

Source: https://downloads.isc.org/isc/bind9/9.18.49/doc/arm/html/notes.html#notes-for-bind-9-18-49

FEDORA-EPEL-2026-86e966dca4 Packages in this update:

• pdns-5.0.5-1.el10_3

Update description:

• Update to 5.0.5
• Fix for CVE-2026-42000, CVE-2026-42001, CVE-2026-42002, CVE-2026-41999, CVE-2026-42396

Security Advisory: https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-06.html