Aggregator

FEDORA-EPEL-2026-5f723f26cd Packages in this update:

• gum-0.17.0-3.el10_3

Update description:

Update from version 0.16.1 to version 0.17.0. This update also resolves CVE-2025-47906 and CVE-2026-5160.

• https://github.com/charmbracelet/gum/releases/tag/v0.16.2
• https://github.com/charmbracelet/gum/releases/tag/v0.17.0

FEDORA-2026-10cf6ce616 Packages in this update:

• gum-0.17.0-3.fc44

Update description:

Update vendored goldmark to 1.7.17 to resolve CVE-2026-5160.

FEDORA-2026-bebf3b0544 Packages in this update:

• gum-0.16.1-2.fc42

Update description:

Rebuild with latest golang to resolve CVE-2025-47906.

Andrew Lacambra discovered that Rack did not properly parse certain regular expressions. An attacker could possibly use this issue to bypass network security filters. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-26961) William T. Nelson discovered that Rack did not handle multipart headers correctly. An attacker could possibly use this issue to cause downstream parsing issues or a denial of service. This issue only affected Ubuntu 25.10. (CVE-2026-26962) It was discovered that Rack did not handle the Forwarded header correctly. An attacker could possibly use this issue to manipulate header values. This issue only affected Ubuntu 25.10. (CVE-2026-32762) It was discovered that Rack could consume excessive CPU when handling certain Accept-Encoding values. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-34230) Haruki Oyama discovered that certain configurations of Rack could erroneously fail to derive the displayed directory path, and expose the full filesystem path. An attacker could possibly use this issue to disclose deployment details such as layout and usernames. (CVE-2026-34763) It was discovered that Rack did not properly handle static file paths. An attacker could possibly use this issue to exfiltrate unintentionally served data. (CVE-2026-34785) Haruki Oyama discovered that Rack did not apply header rules to certain requests for URL-encoded static paths. An attacker could possibly use this issue to bypass security-relevant response headers. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-34786) It was discovered that Rack did not limit the number of ranges requested in the Range header. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-34826) It was discovered that Rack could consume excessive CPU when parsing certain multipart parameters. An attacker could possibly use this to cause a denial of service. This issue only affected Ubuntu 25.10. (CVE-2026-34827) It was discovered that Rack could consume unbounded disk space when handling requests without a Content-Length header. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-34829) Mehtab Zafar discovered that Rack directly interpreted the X-Accel-Mapping header as a regular expression without escaping. An attacker could possibly use this issue to exfiltrate arbitrary files from internal locations. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-34830) It was discovered that Rack did not properly handle messages with Unicode. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-34831) It was discovered that Rack did not properly parse the Host header. An attacker could possibly use this issue to bypass security filters or poison generated links. This issue only affected Ubuntu 25.10. (CVE-2026-34835)

FEDORA-EPEL-2026-8022001aef Packages in this update:

• coturn-4.10.0-1.el10_3

Update description: Coturn 4.10.0 Performance

• Add Linux-only recvmmsg client receive path for DTLS/UDP listener
• Skip response buffer allocation for STUN indications
• Remove mutex from per-thread super_memory allocator
• Eliminate mutex and reduce copies on auth message dispatch
• Replace mutex_bps with lock-free atomics for bandwidth tracking
• Remove unused mutex from ur_map structure
• WebRTC Auth optimization path
• Improve worst case scenario - avoid memory allocation

Memory issues

• Fix null pointer dereferences in post_parse()
• Fix stack buffer overflow in OAuth token decoding
• Fix uint16_t truncation overflow in stun_get_message_len_str()
• Initialize variables before use

Security

• CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements

• Disable reason string in response messages to reduce amplification factor
• Keep only NEV_UDP_SOCKET_PER_THREAD network engine
• Replace perror with logging
• Extend seed corpus and add more fuzzing scenarios
• Update config and Readme files about deprecated TLSv1/1.1
• Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
• Change port identifiers to use uint16_t
• Fixes: run_tests.sh and no db
• Improve PostgreSQL.md clarity
• Add session usage reporting callback to TURN database driver
• CLI interface is disabled by default

FEDORA-2026-e673311164 Packages in this update:

• coturn-4.10.0-1.fc42

Update description: Coturn 4.10.0 Performance

• Add Linux-only recvmmsg client receive path for DTLS/UDP listener
• Skip response buffer allocation for STUN indications
• Remove mutex from per-thread super_memory allocator
• Eliminate mutex and reduce copies on auth message dispatch
• Replace mutex_bps with lock-free atomics for bandwidth tracking
• Remove unused mutex from ur_map structure
• WebRTC Auth optimization path
• Improve worst case scenario - avoid memory allocation

Memory issues

• Fix null pointer dereferences in post_parse()
• Fix stack buffer overflow in OAuth token decoding
• Fix uint16_t truncation overflow in stun_get_message_len_str()
• Initialize variables before use

Security

• CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements

• Disable reason string in response messages to reduce amplification factor
• Keep only NEV_UDP_SOCKET_PER_THREAD network engine
• Replace perror with logging
• Extend seed corpus and add more fuzzing scenarios
• Update config and Readme files about deprecated TLSv1/1.1
• Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
• Change port identifiers to use uint16_t
• Fixes: run_tests.sh and no db
• Improve PostgreSQL.md clarity
• Add session usage reporting callback to TURN database driver
• CLI interface is disabled by default

FEDORA-EPEL-2026-63737a3630 Packages in this update:

• coturn-4.10.0-1.el10_1

Update description: Coturn 4.10.0 Performance

• Add Linux-only recvmmsg client receive path for DTLS/UDP listener
• Skip response buffer allocation for STUN indications
• Remove mutex from per-thread super_memory allocator
• Eliminate mutex and reduce copies on auth message dispatch
• Replace mutex_bps with lock-free atomics for bandwidth tracking
• Remove unused mutex from ur_map structure
• WebRTC Auth optimization path
• Improve worst case scenario - avoid memory allocation

Memory issues

• Fix null pointer dereferences in post_parse()
• Fix stack buffer overflow in OAuth token decoding
• Fix uint16_t truncation overflow in stun_get_message_len_str()
• Initialize variables before use

Security

• CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements

• Disable reason string in response messages to reduce amplification factor
• Keep only NEV_UDP_SOCKET_PER_THREAD network engine
• Replace perror with logging
• Extend seed corpus and add more fuzzing scenarios
• Update config and Readme files about deprecated TLSv1/1.1
• Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
• Change port identifiers to use uint16_t
• Fixes: run_tests.sh and no db
• Improve PostgreSQL.md clarity
• Add session usage reporting callback to TURN database driver
• CLI interface is disabled by default

FEDORA-2026-1c11dc3e37 Packages in this update:

• coturn-4.10.0-1.fc44

Update description: Coturn 4.10.0 Performance

• Add Linux-only recvmmsg client receive path for DTLS/UDP listener
• Skip response buffer allocation for STUN indications
• Remove mutex from per-thread super_memory allocator
• Eliminate mutex and reduce copies on auth message dispatch
• Replace mutex_bps with lock-free atomics for bandwidth tracking
• Remove unused mutex from ur_map structure
• WebRTC Auth optimization path
• Improve worst case scenario - avoid memory allocation

Memory issues

• Fix null pointer dereferences in post_parse()
• Fix stack buffer overflow in OAuth token decoding
• Fix uint16_t truncation overflow in stun_get_message_len_str()
• Initialize variables before use

Security

• CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements

• Disable reason string in response messages to reduce amplification factor
• Keep only NEV_UDP_SOCKET_PER_THREAD network engine
• Replace perror with logging
• Extend seed corpus and add more fuzzing scenarios
• Update config and Readme files about deprecated TLSv1/1.1
• Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
• Change port identifiers to use uint16_t
• Fixes: run_tests.sh and no db
• Improve PostgreSQL.md clarity
• Add session usage reporting callback to TURN database driver
• CLI interface is disabled by default

FEDORA-EPEL-2026-e0c1b77ba1 Packages in this update:

• coturn-4.10.0-1.el9

Update description: Coturn 4.10.0 Performance

• Add Linux-only recvmmsg client receive path for DTLS/UDP listener
• Skip response buffer allocation for STUN indications
• Remove mutex from per-thread super_memory allocator
• Eliminate mutex and reduce copies on auth message dispatch
• Replace mutex_bps with lock-free atomics for bandwidth tracking
• Remove unused mutex from ur_map structure
• WebRTC Auth optimization path
• Improve worst case scenario - avoid memory allocation

Memory issues

• Fix null pointer dereferences in post_parse()
• Fix stack buffer overflow in OAuth token decoding
• Fix uint16_t truncation overflow in stun_get_message_len_str()
• Initialize variables before use

Security

• CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements

• Disable reason string in response messages to reduce amplification factor
• Keep only NEV_UDP_SOCKET_PER_THREAD network engine
• Replace perror with logging
• Extend seed corpus and add more fuzzing scenarios
• Update config and Readme files about deprecated TLSv1/1.1
• Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
• Change port identifiers to use uint16_t
• Fixes: run_tests.sh and no db
• Improve PostgreSQL.md clarity
• Add session usage reporting callback to TURN database driver
• CLI interface is disabled by default

FEDORA-EPEL-2026-5e71b7731b Packages in this update:

• coturn-4.10.0-1.el10_2

Update description: Coturn 4.10.0 Performance

• Add Linux-only recvmmsg client receive path for DTLS/UDP listener
• Skip response buffer allocation for STUN indications
• Remove mutex from per-thread super_memory allocator
• Eliminate mutex and reduce copies on auth message dispatch
• Replace mutex_bps with lock-free atomics for bandwidth tracking
• Remove unused mutex from ur_map structure
• WebRTC Auth optimization path
• Improve worst case scenario - avoid memory allocation

Memory issues

• Fix null pointer dereferences in post_parse()
• Fix stack buffer overflow in OAuth token decoding
• Fix uint16_t truncation overflow in stun_get_message_len_str()
• Initialize variables before use

Security

• CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements

• Disable reason string in response messages to reduce amplification factor
• Keep only NEV_UDP_SOCKET_PER_THREAD network engine
• Replace perror with logging
• Extend seed corpus and add more fuzzing scenarios
• Update config and Readme files about deprecated TLSv1/1.1
• Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
• Change port identifiers to use uint16_t
• Fixes: run_tests.sh and no db
• Improve PostgreSQL.md clarity
• Add session usage reporting callback to TURN database driver
• CLI interface is disabled by default

FEDORA-2026-1adc5f1ef8 Packages in this update:

• coturn-4.10.0-1.fc43

Update description: Coturn 4.10.0 Performance

• Add Linux-only recvmmsg client receive path for DTLS/UDP listener
• Skip response buffer allocation for STUN indications
• Remove mutex from per-thread super_memory allocator
• Eliminate mutex and reduce copies on auth message dispatch
• Replace mutex_bps with lock-free atomics for bandwidth tracking
• Remove unused mutex from ur_map structure
• WebRTC Auth optimization path
• Improve worst case scenario - avoid memory allocation

Memory issues

• Fix null pointer dereferences in post_parse()
• Fix stack buffer overflow in OAuth token decoding
• Fix uint16_t truncation overflow in stun_get_message_len_str()
• Initialize variables before use

Security

• CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements

• Disable reason string in response messages to reduce amplification factor
• Keep only NEV_UDP_SOCKET_PER_THREAD network engine
• Replace perror with logging
• Extend seed corpus and add more fuzzing scenarios
• Update config and Readme files about deprecated TLSv1/1.1
• Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
• Change port identifiers to use uint16_t
• Fixes: run_tests.sh and no db
• Improve PostgreSQL.md clarity
• Add session usage reporting callback to TURN database driver
• CLI interface is disabled by default

FEDORA-EPEL-2026-84fff0d811 Packages in this update:

• coturn-4.10.0-1.el8

Update description: Coturn 4.10.0 Performance

• Add Linux-only recvmmsg client receive path for DTLS/UDP listener
• Skip response buffer allocation for STUN indications
• Remove mutex from per-thread super_memory allocator
• Eliminate mutex and reduce copies on auth message dispatch
• Replace mutex_bps with lock-free atomics for bandwidth tracking
• Remove unused mutex from ur_map structure
• WebRTC Auth optimization path
• Improve worst case scenario - avoid memory allocation

Memory issues

• Fix null pointer dereferences in post_parse()
• Fix stack buffer overflow in OAuth token decoding
• Fix uint16_t truncation overflow in stun_get_message_len_str()
• Initialize variables before use

Security

• CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements

• Disable reason string in response messages to reduce amplification factor
• Keep only NEV_UDP_SOCKET_PER_THREAD network engine
• Replace perror with logging
• Extend seed corpus and add more fuzzing scenarios
• Update config and Readme files about deprecated TLSv1/1.1
• Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
• Change port identifiers to use uint16_t
• Fixes: run_tests.sh and no db
• Improve PostgreSQL.md clarity
• Add session usage reporting callback to TURN database driver
• CLI interface is disabled by default

FEDORA-2026-afe659aa4d Packages in this update:

• opam-2.5.1-1.fc44

Update description:

See https://github.com/ocaml/opam/releases/tag/2.5.1 for changes in version 2.5.1.

FEDORA-2026-42ff51d2c7 Packages in this update:

• opam-2.5.1-1.fc43

Update description:

See https://github.com/ocaml/opam/releases/tag/2.5.1 for changes in version 2.5.1.

FEDORA-2026-301505f38f Packages in this update:

• opam-2.5.1-1.fc42

Update description:

See https://github.com/ocaml/opam/releases/tag/2.5.1 for changes in version 2.5.1.

Jaroslav Lobačevski discovered that ESAPI incorrectly validated directory paths during path verification. An attacker could possibly use this issue to bypass directory validation checks, leading to control-flow bypass. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-23457) Kevin W. Wall and Sebastian Passaro discovered that ESAPI did not properly sanitize javascript URLs because of an incorrect regular expression. An attacker could possibly use this issue to perform a cross-site scripting attack. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-24891) Longlong Gong discovered that ESAPI did not properly neutralize special elements during SQL injection defense. A remote attacker could possibly use this issue to perform SQL injection. (CVE-2025-5878)