Aggregator

USN-8115-1: pyOpenSSL vulnerabilities

5 days 10 hours ago
It was discovered that pyOpenSSL incorrectly handled exceptions in the tlsext_servername callback. This could result in connections being accepted after an exception, contrary to expectations. (CVE-2026-27448)

It was discovered that pyOpenSSL incorrectly handled the DTLS cookie generation callback. If a callback provided cookie values greater than 256 bytes, an attacker could use this issue to cause pyOpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-27459)

USN-8114-1: GVfs vulnerabilities

5 days 10 hours ago
It was discovered that the GVfs FTP backend incorrectly handled IP addresses and ports returned by passive mode responses. A malicious remote server could possibly use this issue to help scan for open ports. (CVE-2026-28295)

It was discovered that the GVfs FTP backend incorrectly handled crafted file paths. A remote attacker could use this issue to terminate or inject arbitrary FTP commands, or possibly execute arbitrary code. (CVE-2026-28296)

cpp-httplib-0.38.0-1.fc43

5 days 12 hours ago
FEDORA-2026-e76feaf213

Packages in this update:
  • cpp-httplib-0.38.0-1.fc43

Update description: Update to 0.38.0 (rhbz#2447261)
  • Filename sanitization for path traversal prevention — Added sanitize_filename() to prevent path traversal attacks via malicious filenames in multipart uploads (83e98a2)
  • Symlink protection in static file server — Static file serving now detects and rejects symlinks that point outside the mount directory, preventing symlink-based directory traversal (f787f31)
  • Brotli compression support — Added Brotli (br) as a supported content encoding alongside gzip and deflate (ec1ffbc)
  • Accept-Encoding quality parameter parsing — The server now parses q= quality values in the Accept-Encoding header and selects the best encoding accordingly (bb7c7ab)
  • SSL proxy connection support — SSLClient can now establish connections through HTTPS proxies, with a new setup_proxy_connection method for cleaner proxy handling (f6ed5fc, b1bb2b7)
  • WebSocket ping interval runtime configuration — WebSocket ping interval can now be configured at runtime instead of only at compile time (257b266)
  • Benchmark test suite — Added benchmark tests and configurations for performance evaluation (ba0d0b8)
  • Unicode path component decoding tests — Added test coverage for Unicode characters in decode_path_component (43a54a3)
  • Documentation updates — Enhanced TLS backend documentation with platform-specific certificate handling details; clarified progress callback usage and user data handling in examples (511e3ef, 2e61fd3)
  • Fix port conflict in test — Fixed port number in OpenStreamMalformedContentLength test to avoid conflicts (4978f26)
  • Removed large data tests for GzipDecompressor and SSLClientServerTest that caused memory issues (5ecba74, 69d468f)
  • Enabled BindDualStack test (69d468f)

Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.38.0

  • Fixes silent TLS certificate verification bypass on HTTPS Redirect via proxy (CVE-2026-32627, rhbz#2448105)

Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.37.2

USN-8113-1: LibTIFF vulnerabilities

5 days 12 hours ago
It was discovered that LibTIFF did not properly handle memory when processing certain images. An attacker could possibly use this issue to cause LibTIFF to crash, resulting in a denial of service. (CVE-2025-61143)

It was discovered that LibTIFF did not properly handle memory when processing malformed TIFF directories. An attacker could possibly use this issue to cause LibTIFF to crash, resulting in a denial of service. (CVE-2025-61144)

cpp-httplib-0.38.0-1.fc44

5 days 13 hours ago
FEDORA-2026-03599f0b32

Packages in this update:
  • cpp-httplib-0.38.0-1.fc44

Update description: Update to 0.38.0 (rhbz#2447261)
  • Filename sanitization for path traversal prevention — Added sanitize_filename() to prevent path traversal attacks via malicious filenames in multipart uploads (83e98a2)
  • Symlink protection in static file server — Static file serving now detects and rejects symlinks that point outside the mount directory, preventing symlink-based directory traversal (f787f31)
  • Brotli compression support — Added Brotli (br) as a supported content encoding alongside gzip and deflate (ec1ffbc)
  • Accept-Encoding quality parameter parsing — The server now parses q= quality values in the Accept-Encoding header and selects the best encoding accordingly (bb7c7ab)
  • SSL proxy connection support — SSLClient can now establish connections through HTTPS proxies, with a new setup_proxy_connection method for cleaner proxy handling (f6ed5fc, b1bb2b7)
  • WebSocket ping interval runtime configuration — WebSocket ping interval can now be configured at runtime instead of only at compile time (257b266)
  • Benchmark test suite — Added benchmark tests and configurations for performance evaluation (ba0d0b8)
  • Unicode path component decoding tests — Added test coverage for Unicode characters in decode_path_component (43a54a3)
  • Documentation updates — Enhanced TLS backend documentation with platform-specific certificate handling details; clarified progress callback usage and user data handling in examples (511e3ef, 2e61fd3)
  • Fix port conflict in test — Fixed port number in OpenStreamMalformedContentLength test to avoid conflicts (4978f26)
  • Removed large data tests for GzipDecompressor and SSLClientServerTest that caused memory issues (5ecba74, 69d468f)
  • Enabled BindDualStack test (69d468f)

Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.38.0

  • Fixes silent TLS certificate verification bypass on HTTPS Redirect via proxy (CVE-2026-32627, rhbz#2448105)

Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.37.2

perl-XML-Parser-2.51-1.fc45

5 days 14 hours ago
FEDORA-2026-7d5754535f

Packages in this update:
  • perl-XML-Parser-2.51-1.fc45

Update description:

Automatic update for perl-XML-Parser-2.51-1.fc45.

Changelog
* Mon Mar 23 2026 Jitka Plesnikova <jplesnik@redhat.com> - 2.51-1
- 2.51 bump (rhbz#2448965)
- Fix CVE-2006-10002 (rhbz#2449269), CVE-2006-10003 (rhbz#2449278)