Aggregator

FEDORA-2026-63831abaee Packages in this update:

• perl-GD-2.86-1.fc43

Update description:

This update fixes a command injection issue resulting from the use of the 2-argument form of open (CVE-2026-11526).

It was discovered that Tomcat did not properly limit the size of WebDAV LOCK and PROPFIND request bodies. A remote attacker could use this issue to cause Tomcat to consume excessive memory, resulting in a denial of service. (CVE-2026-41284) It was discovered that Tomcat incorrectly validated HTTP/2 header fields. A remote attacker could use this issue to cause Tomcat to crash or possibly execute arbitrary code. (CVE-2026-41293) It was discovered that Tomcat did not properly clear HTTP authentication headers during WebSocket connection upgrades and redirects. A remote attacker could use this issue to obtain sensitive credentials. (CVE-2026-42498) It was discovered that Tomcat incorrectly handled digest authentication. A remote attacker could possibly use this issue to bypass authentication restrictions. (CVE-2026-43512) It was discovered that Tomcat incorrectly handled case sensitivity in LockOutRealm. A remote attacker could possibly use this issue to bypass account lockout protections and obtain sensitive information. (CVE-2026-43513) It was discovered that Tomcat incorrectly handled authorization when multiple method constraints defined the same HTTP method. A remote attacker could possibly use this issue to bypass authorization restrictions. (CVE-2026-43515)

FEDORA-2026-7174ee9a91 Packages in this update:

• librabbitmq-0.16.0-1.fc44

Update description: Version 0.16.0 - 2026-06-08 Security

• Fix out-of-bounds read via undersized frames in amqp_handle_input (GHSA-9mmv-r8g3-qp46, #878)
• Fix client crash when server negotiates frame_max below the AMQP protocol minimum (GHSA-jh48-qjf5-fx5v)

Added

• Add amqp_bytes_from_buffer macro to create amqp_bytes_t from an arbitrary byte buffer with explicit length (#856, #866)

Fixed

• Fix NULL pointer dereferences on allocation failure in tools/publish.c (#860, #861)
• Fix NULL pointer dereference in tools/consume.c stringify_bytes() on allocation failure (#858)
• Fix file stream leak in tools/common.c read_authfile() (#859)
• Fix handling of absolute CMAKE_INSTALL_INCLUDEDIR in exported CMake targets (#849)

Changed

• amqp_literal_bytes macro now uses an explicit (void *) cast (#853)

FEDORA-2026-454722e3d8 Packages in this update:

• librabbitmq-0.16.0-1.fc43

Update description: Version 0.16.0 - 2026-06-08 Security

• Fix out-of-bounds read via undersized frames in amqp_handle_input (GHSA-9mmv-r8g3-qp46, #878)
• Fix client crash when server negotiates frame_max below the AMQP protocol minimum (GHSA-jh48-qjf5-fx5v)

Added

• Add amqp_bytes_from_buffer macro to create amqp_bytes_t from an arbitrary byte buffer with explicit length (#856, #866)

Fixed

• Fix NULL pointer dereferences on allocation failure in tools/publish.c (#860, #861)
• Fix NULL pointer dereference in tools/consume.c stringify_bytes() on allocation failure (#858)
• Fix file stream leak in tools/common.c read_authfile() (#859)
• Fix handling of absolute CMAKE_INSTALL_INCLUDEDIR in exported CMake targets (#849)

Changed

• amqp_literal_bytes macro now uses an explicit (void *) cast (#853)

FEDORA-2026-8f225adf49 Packages in this update:

• bird-3.3.1-1.fc44

Update description: BIRD 3.3.1 (2026-06-09)

• BGP: Fix crash when incoming connection for disabled protocol arrives
• BGP: Fix parsing labelled NLRIs with no next hop
• BGP: Fix cork behavior in collision with graceful restart
• BGP: Fix crash on dumping pending export statistics
• BGP: Fix several issues in Flowspec handling
• BMP/Nest: No refeed after listener or protocol restart
• MPLS: Fix crash on reconfiguring CS_DOWN channel
• OSPF: Fix handling of LLS data length field
• OSPF: Fix OOB read in authentication check
• OSPF: Fix OOB read in Router-LSA validation
• Proto: Fix regression in protocol enabling
• Channel: Fix refeeds and reloads during graceful restart
• Export: Mitigate duplicate withdrawals
• Filters: Fix crash when setting gateway on recursive nexthops
• Filters: Fix path matching when AS path is too long
• Table: Fix RCU double-anchor
• Table: Propagate thread group config into aux
• RCU: Catch leaks sooner

See also: https://trubka.network.cz/pipermail/bird-users/2026-June/018790.html

FEDORA-EPEL-2026-af4408a35e Packages in this update:

• bird-3.3.1-1.el9

Update description: BIRD 3.3.1 (2026-06-09)

• BGP: Fix crash when incoming connection for disabled protocol arrives
• BGP: Fix parsing labelled NLRIs with no next hop
• BGP: Fix cork behavior in collision with graceful restart
• BGP: Fix crash on dumping pending export statistics
• BGP: Fix several issues in Flowspec handling
• BMP/Nest: No refeed after listener or protocol restart
• MPLS: Fix crash on reconfiguring CS_DOWN channel
• OSPF: Fix handling of LLS data length field
• OSPF: Fix OOB read in authentication check
• OSPF: Fix OOB read in Router-LSA validation
• Proto: Fix regression in protocol enabling
• Channel: Fix refeeds and reloads during graceful restart
• Export: Mitigate duplicate withdrawals
• Filters: Fix crash when setting gateway on recursive nexthops
• Filters: Fix path matching when AS path is too long
• Table: Fix RCU double-anchor
• Table: Propagate thread group config into aux
• RCU: Catch leaks sooner

See also: https://trubka.network.cz/pipermail/bird-users/2026-June/018790.html

FEDORA-EPEL-2026-3dfbc6a1df Packages in this update:

• bird-3.3.1-1.el10_2

Update description: BIRD 3.3.1 (2026-06-09)

• BGP: Fix crash when incoming connection for disabled protocol arrives
• BGP: Fix parsing labelled NLRIs with no next hop
• BGP: Fix cork behavior in collision with graceful restart
• BGP: Fix crash on dumping pending export statistics
• BGP: Fix several issues in Flowspec handling
• BMP/Nest: No refeed after listener or protocol restart
• MPLS: Fix crash on reconfiguring CS_DOWN channel
• OSPF: Fix handling of LLS data length field
• OSPF: Fix OOB read in authentication check
• OSPF: Fix OOB read in Router-LSA validation
• Proto: Fix regression in protocol enabling
• Channel: Fix refeeds and reloads during graceful restart
• Export: Mitigate duplicate withdrawals
• Filters: Fix crash when setting gateway on recursive nexthops
• Filters: Fix path matching when AS path is too long
• Table: Fix RCU double-anchor
• Table: Propagate thread group config into aux
• RCU: Catch leaks sooner

See also: https://trubka.network.cz/pipermail/bird-users/2026-June/018790.html

FEDORA-2026-564680920c Packages in this update:

• bird-3.3.1-1.fc43

Update description: BIRD 3.3.1 (2026-06-09)

• BGP: Fix crash when incoming connection for disabled protocol arrives
• BGP: Fix parsing labelled NLRIs with no next hop
• BGP: Fix cork behavior in collision with graceful restart
• BGP: Fix crash on dumping pending export statistics
• BGP: Fix several issues in Flowspec handling
• BMP/Nest: No refeed after listener or protocol restart
• MPLS: Fix crash on reconfiguring CS_DOWN channel
• OSPF: Fix handling of LLS data length field
• OSPF: Fix OOB read in authentication check
• OSPF: Fix OOB read in Router-LSA validation
• Proto: Fix regression in protocol enabling
• Channel: Fix refeeds and reloads during graceful restart
• Export: Mitigate duplicate withdrawals
• Filters: Fix crash when setting gateway on recursive nexthops
• Filters: Fix path matching when AS path is too long
• Table: Fix RCU double-anchor
• Table: Propagate thread group config into aux
• RCU: Catch leaks sooner

See also: https://trubka.network.cz/pipermail/bird-users/2026-June/018790.html

FEDORA-EPEL-2026-50135c9a61 Packages in this update:

• bird-3.3.1-1.el10_3

Update description: BIRD 3.3.1 (2026-06-09)

• BGP: Fix crash when incoming connection for disabled protocol arrives
• BGP: Fix parsing labelled NLRIs with no next hop
• BGP: Fix cork behavior in collision with graceful restart
• BGP: Fix crash on dumping pending export statistics
• BGP: Fix several issues in Flowspec handling
• BMP/Nest: No refeed after listener or protocol restart
• MPLS: Fix crash on reconfiguring CS_DOWN channel
• OSPF: Fix handling of LLS data length field
• OSPF: Fix OOB read in authentication check
• OSPF: Fix OOB read in Router-LSA validation
• Proto: Fix regression in protocol enabling
• Channel: Fix refeeds and reloads during graceful restart
• Export: Mitigate duplicate withdrawals
• Filters: Fix crash when setting gateway on recursive nexthops
• Filters: Fix path matching when AS path is too long
• Table: Fix RCU double-anchor
• Table: Propagate thread group config into aux
• RCU: Catch leaks sooner

See also: https://trubka.network.cz/pipermail/bird-users/2026-June/018790.html

FEDORA-EPEL-2026-80fc55f890 Packages in this update:

• bird-3.3.1-1.el8

Update description: BIRD 3.3.1 (2026-06-09)

• BGP: Fix crash when incoming connection for disabled protocol arrives
• BGP: Fix parsing labelled NLRIs with no next hop
• BGP: Fix cork behavior in collision with graceful restart
• BGP: Fix crash on dumping pending export statistics
• BGP: Fix several issues in Flowspec handling
• BMP/Nest: No refeed after listener or protocol restart
• MPLS: Fix crash on reconfiguring CS_DOWN channel
• OSPF: Fix handling of LLS data length field
• OSPF: Fix OOB read in authentication check
• OSPF: Fix OOB read in Router-LSA validation
• Proto: Fix regression in protocol enabling
• Channel: Fix refeeds and reloads during graceful restart
• Export: Mitigate duplicate withdrawals
• Filters: Fix crash when setting gateway on recursive nexthops
• Filters: Fix path matching when AS path is too long
• Table: Fix RCU double-anchor
• Table: Propagate thread group config into aux
• RCU: Catch leaks sooner

See also: https://trubka.network.cz/pipermail/bird-users/2026-June/018790.html

FEDORA-2026-f276b2154e Packages in this update:

• perl-HTTP-Daemon-6.17-1.fc43

Update description:

Changes:

6.17 2026-05-19 23:11:06Z

• Fix CVE-2026-8450 (affects 6.15 and earlier): 2-arg open() in send_file() enabled RCE / arbitrary file write / response-body exfiltration when a string argument was derived from attacker- influenced input. send_file() now uses 3-arg open() with an explicit '<' read mode, so the path is always treated as a literal filename and 2-arg open() shell-magic shapes ('| cmd', 'cmd |', '> path', etc.) are no longer interpreted. send_file() now also returns '0E0' (true zero) on a successful zero-byte transfer so callers can distinguish empty file from open failure (undef). See https://www.cve.org/CVERecord?id=CVE-2026-8450 for the advisory. Reported and patched by Stig Palmquist (stigtsp). (Stig Palmquist, Olaf Alders)

FEDORA-2026-8982379b5c Packages in this update:

• perl-HTTP-Daemon-6.17-1.fc44

Update description:

Changes:

6.17 2026-05-19 23:11:06Z

• Fix CVE-2026-8450 (affects 6.15 and earlier): 2-arg open() in send_file() enabled RCE / arbitrary file write / response-body exfiltration when a string argument was derived from attacker- influenced input. send_file() now uses 3-arg open() with an explicit '<' read mode, so the path is always treated as a literal filename and 2-arg open() shell-magic shapes ('| cmd', 'cmd |', '> path', etc.) are no longer interpreted. send_file() now also returns '0E0' (true zero) on a successful zero-byte transfer so callers can distinguish empty file from open failure (undef). See https://www.cve.org/CVERecord?id=CVE-2026-8450 for the advisory. Reported and patched by Stig Palmquist (stigtsp). (Stig Palmquist, Olaf Alders)

USN-8414-1 fixed several vulnerabilities in OpenSSL. This update provides the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. Original advisory details: Frank Buss discovered that OpenSSL had a heap buffer over-read in ASN.1 content parsing. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or obtain sensitive information. (CVE-2026-34180) Asim Viladi Oglu Manizada and Alex Gaynor discovered that OpenSSL could accept forged CMS AuthEnvelopedData messages. An attacker could possibly use this issue to bypass message authentication checks. (CVE-2026-34182) Mayank Jangid, Kushal Khemka, Hari Priandana, Bhabani Sankar Das, and Qifan Zhang discovered that OpenSSL had a possible NULL dereference in password- based CMS decryption. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2026-42766) Zhanpeng Liu, Guannan Wang, and Guancheng Li discovered that OpenSSL had a NULL pointer dereference in CRMF EncryptedValue decryption. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2026-42767) Thai Duong discovered that OpenSSL had a heap use-after-free in PKCS7_verify(). An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2026-45447) Zehua Qiao and Jinwen He discovered that OpenSSL had a possible heap buffer overflow in ASN.1 multibyte string conversion. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2026-7383) Bhabani Sankar Das discovered that OpenSSL had an out-of-bounds read in CMS password-based decryption. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2026-9076)

Version:next-20260609 (linux-next) Released:2026-06-09

It was discovered that Go Networking incorrectly handled certain Punycode-encoded labels in the idna package. An attacker could possibly use this issue to bypass hostname-based access restrictions.

It was discovered that Vim incorrectly handled marked filenames in the netrw plugin. An attacker could possibly use this issue to execute arbitrary code. (CVE-2026-43961) It was discovered that Vim incorrectly handled filenames when decompressing certain archives. An attacker could possibly use this issue to execute arbitrary code. (CVE-2026-46483)

Frank Buss discovered that OpenSSL had a heap buffer over-read in ASN.1 content parsing. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or obtain sensitive information. (CVE-2026-34180) Pavol Zacik and Alex Gaynor discovered that OpenSSL incorrectly accepted PKCS#12 files with short HMAC keys when using PBMAC1. An attacker could possibly use this issue to bypass integrity checks. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-34181) Asim Viladi Oglu Manizada and Alex Gaynor discovered that OpenSSL could accept forged CMS AuthEnvelopedData messages. An attacker could possibly use this issue to bypass message authentication checks. (CVE-2026-34182) Abhinav Agarwal discovered that OpenSSL had unbounded memory growth in the QUIC PATH_CHALLENGE handler. A remote attacker could possibly use this issue to cause OpenSSL to use excessive resources, leading to a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-34183) Sunwoo Lee, Hyuk Lim, and Seunghyun Yoon discovered that OpenSSL had a NULL pointer dereference in QUIC server initial packet handling. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-42764) Mayank Jangid, Kushal Khemka, Hari Priandana, Bhabani Sankar Das, and Qifan Zhang discovered that OpenSSL had a possible NULL dereference in password- based CMS decryption. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2026-42766) Zhanpeng Liu, Guannan Wang, and Guancheng Li discovered that OpenSSL had a NULL pointer dereference in CRMF EncryptedValue decryption. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2026-42767) Alex Gaynor discovered that OpenSSL had a Bleichenbacher oracle in CMS_decrypt() and PKCS7_decrypt() with multiple RecipientInfo values. An attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-42768) Alex Gaynor discovered that OpenSSL had a trust-anchor substitution issue in CMP rootCaKeyUpdate processing. An attacker could possibly use this issue to bypass certificate trust validation. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-42769) Alex Gaynor discovered that OpenSSL used attacker-supplied parameters when validating FFC-DH peers. An attacker could possibly use this issue to weaken key validation and compromise security guarantees. (CVE-2026-42770) Alex Gaynor discovered that OpenSSL could ignore the IV in AES-OCB mode on the EVP_Cipher() path. An attacker could possibly use this issue to bypass cryptographic protections and obtain sensitive information. (CVE-2026-45445) Alex Gaynor discovered that OpenSSL had incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes. An attacker could possibly use this issue to bypass cryptographic integrity checks. (CVE-2026-45446) Thai Duong discovered that OpenSSL had a heap use-after-free in PKCS7_verify(). An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2026-45447) Zehua Qiao and Jinwen He discovered that OpenSSL had a possible heap buffer overflow in ASN.1 multibyte string conversion. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2026-7383) Bhabani Sankar Das discovered that OpenSSL had an out-of-bounds read in CMS password-based decryption. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2026-9076)

It was discovered that uriparser incorrectly handled certain URI strings. An attacker could possibly use this issue to cause uriparser to crash, resulting in a denial of service.