Aggregator

USN-8398-4: nginx vulnerability

1 week ago
USN-8398-3 fixed a vulnerability in nginx. This update provides the corresponding fix for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. Original advisory details: It was discovered that nginx incorrectly handled certain cookie headers in the HTTP/2 implementation. A remote attacker could possibly use this issue to cause nginx to consume excessive resources, resulting in a denial of service.

librabbitmq-0.17.0-1.fc43

1 week ago
FEDORA-2026-436ef78874 Packages in this update:
  • librabbitmq-0.17.0-1.fc43
Update description: Version 0.17.0 - 2026-07-01 Security
  • Fix size_t overflow in amqp_decode_bytes bounds check leading to out-of-bounds read (GHSA-jgjf-7fwf-f3c7, #888)
  • Fix heap buffer overflow in amqp_frame_to_bytes for oversized body frames (GHSA-hfjv-vcp3-39wh, #892)
Added
  • librabbitmq-tools fall back to the AMQP_URL environment variable when no connection options are given on the command line (#887)
Fixed
  • Fix undefined behavior in amqp_decode_properties when decoding content-header property flags (#883, #885)
  • Fix ioctlsocket type mismatch on Windows (#890)
  • Document buffer lifetime requirement of amqp_decode_table's encoded buffer to prevent use-after-free misuse (#895)
Changed
  • librabbitmq-tools now enable default SSL certificate verification paths unless --no-default-cert-paths is passed (fixes #868, #893)
  • Building the tools now requires POPT v1.14 or newer (#889)

librabbitmq-0.17.0-1.fc44

1 week ago
FEDORA-2026-fc2f661416 Packages in this update:
  • librabbitmq-0.17.0-1.fc44
Update description: Version 0.17.0 - 2026-07-01 Security
  • Fix size_t overflow in amqp_decode_bytes bounds check leading to out-of-bounds read (GHSA-jgjf-7fwf-f3c7, #888)
  • Fix heap buffer overflow in amqp_frame_to_bytes for oversized body frames (GHSA-hfjv-vcp3-39wh, #892)
Added
  • librabbitmq-tools fall back to the AMQP_URL environment variable when no connection options are given on the command line (#887)
Fixed
  • Fix undefined behavior in amqp_decode_properties when decoding content-header property flags (#883, #885)
  • Fix ioctlsocket type mismatch on Windows (#890)
  • Document buffer lifetime requirement of amqp_decode_table's encoded buffer to prevent use-after-free misuse (#895)
Changed
  • librabbitmq-tools now enable default SSL certificate verification paths unless --no-default-cert-paths is passed (fixes #868, #893)
  • Building the tools now requires POPT v1.14 or newer (#889)

USN-8467-2: Perl vulnerabilities

1 week ago
USN-8467-1 fixed vulnerabilities in Perl. This update provides the corresponding fix for Perl on Ubuntu 25.10. Original advisory details: It was discovered that Perl's Archive::Tar module incorrectly handled symlink and hardlink targets during extraction. An attacker could use this issue to read or overwrite arbitrary files outside the extraction directory. (CVE-2026-42496) It was discovered that Perl had a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. An attacker could use this issue to cause a denial of service or possibly execute arbitrary code. (CVE-2026-8376)

composer-2.10.2-1.el9

1 week ago
FEDORA-EPEL-2026-1e765d4f0c Packages in this update:
  • composer-2.10.2-1.el9
Update description: Version 2.10.2 - 2026-07-01
  • Security: Validate package names (GHSA-499r-g7pc-vmp9)
  • Security: Validate package bin paths against path traversal (GHSA-gjfg-22fp-rrxx)
  • Security: Sanitize URL-embedded usernames/token in verbose output (GHSA-g6xq-892h-64w3)
  • Security: Only follow HTTP redirects from HTTP responses (#12948)
  • Security: Prevent phar metadata unserialization on unsafe PHP versions (#12946)
  • Security: Sanitize JSON parse errors in http responses to avoid leaking response body data (#12959)
  • Added warning output in self-update command when using a soon-to-be EOL version (#12920)
  • Added download retry when a GitHub codeload URL returns a 400 (#12962)
  • Fixed audit command to output the audit result to stdout (#12904)
  • Fixed backspace characters being output to non-decorated output (#12925)
  • Fixed security advisory blocking causing issues with xdebug enabled (#12935)
  • Fixed provider packages hiding suggestions for the package they provide themselves (#12933)
  • Fixed security advisory blocking causing issues with xdebug enabled (#12935)

composer-2.10.2-1.el10_3

1 week ago
FEDORA-EPEL-2026-6a8ea7a52d Packages in this update:
  • composer-2.10.2-1.el10_3
Update description: Version 2.10.2 - 2026-07-01
  • Security: Validate package names (GHSA-499r-g7pc-vmp9)
  • Security: Validate package bin paths against path traversal (GHSA-gjfg-22fp-rrxx)
  • Security: Sanitize URL-embedded usernames/token in verbose output (GHSA-g6xq-892h-64w3)
  • Security: Only follow HTTP redirects from HTTP responses (#12948)
  • Security: Prevent phar metadata unserialization on unsafe PHP versions (#12946)
  • Security: Sanitize JSON parse errors in http responses to avoid leaking response body data (#12959)
  • Added warning output in self-update command when using a soon-to-be EOL version (#12920)
  • Added download retry when a GitHub codeload URL returns a 400 (#12962)
  • Fixed audit command to output the audit result to stdout (#12904)
  • Fixed backspace characters being output to non-decorated output (#12925)
  • Fixed security advisory blocking causing issues with xdebug enabled (#12935)
  • Fixed provider packages hiding suggestions for the package they provide themselves (#12933)
  • Fixed security advisory blocking causing issues with xdebug enabled (#12935)

composer-2.10.2-1.fc44

1 week ago
FEDORA-2026-22ba02bee3 Packages in this update:
  • composer-2.10.2-1.fc44
Update description: Version 2.10.2 - 2026-07-01
  • Security: Validate package names (GHSA-499r-g7pc-vmp9)
  • Security: Validate package bin paths against path traversal (GHSA-gjfg-22fp-rrxx)
  • Security: Sanitize URL-embedded usernames/token in verbose output (GHSA-g6xq-892h-64w3)
  • Security: Only follow HTTP redirects from HTTP responses (#12948)
  • Security: Prevent phar metadata unserialization on unsafe PHP versions (#12946)
  • Security: Sanitize JSON parse errors in http responses to avoid leaking response body data (#12959)
  • Added warning output in self-update command when using a soon-to-be EOL version (#12920)
  • Added download retry when a GitHub codeload URL returns a 400 (#12962)
  • Fixed audit command to output the audit result to stdout (#12904)
  • Fixed backspace characters being output to non-decorated output (#12925)
  • Fixed security advisory blocking causing issues with xdebug enabled (#12935)
  • Fixed provider packages hiding suggestions for the package they provide themselves (#12933)
  • Fixed security advisory blocking causing issues with xdebug enabled (#12935)

composer-2.10.2-1.fc43

1 week ago
FEDORA-2026-3017b1bec1 Packages in this update:
  • composer-2.10.2-1.fc43
Update description: Version 2.10.2 - 2026-07-01
  • Security: Validate package names (GHSA-499r-g7pc-vmp9)
  • Security: Validate package bin paths against path traversal (GHSA-gjfg-22fp-rrxx)
  • Security: Sanitize URL-embedded usernames/token in verbose output (GHSA-g6xq-892h-64w3)
  • Security: Only follow HTTP redirects from HTTP responses (#12948)
  • Security: Prevent phar metadata unserialization on unsafe PHP versions (#12946)
  • Security: Sanitize JSON parse errors in http responses to avoid leaking response body data (#12959)
  • Added warning output in self-update command when using a soon-to-be EOL version (#12920)
  • Added download retry when a GitHub codeload URL returns a 400 (#12962)
  • Fixed audit command to output the audit result to stdout (#12904)
  • Fixed backspace characters being output to non-decorated output (#12925)
  • Fixed security advisory blocking causing issues with xdebug enabled (#12935)
  • Fixed provider packages hiding suggestions for the package they provide themselves (#12933)
  • Fixed security advisory blocking causing issues with xdebug enabled (#12935)

composer-2.10.2-1.el10_2

1 week ago
FEDORA-EPEL-2026-084df34b74 Packages in this update:
  • composer-2.10.2-1.el10_2
Update description: Version 2.10.2 - 2026-07-01
  • Security: Validate package names (GHSA-499r-g7pc-vmp9)
  • Security: Validate package bin paths against path traversal (GHSA-gjfg-22fp-rrxx)
  • Security: Sanitize URL-embedded usernames/token in verbose output (GHSA-g6xq-892h-64w3)
  • Security: Only follow HTTP redirects from HTTP responses (#12948)
  • Security: Prevent phar metadata unserialization on unsafe PHP versions (#12946)
  • Security: Sanitize JSON parse errors in http responses to avoid leaking response body data (#12959)
  • Added warning output in self-update command when using a soon-to-be EOL version (#12920)
  • Added download retry when a GitHub codeload URL returns a 400 (#12962)
  • Fixed audit command to output the audit result to stdout (#12904)
  • Fixed backspace characters being output to non-decorated output (#12925)
  • Fixed security advisory blocking causing issues with xdebug enabled (#12935)
  • Fixed provider packages hiding suggestions for the package they provide themselves (#12933)
  • Fixed security advisory blocking causing issues with xdebug enabled (#12935)

USN-8493-1: Linux kernel vulnerabilities

1 week 1 day ago
Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - RISC-V architecture; - Cryptographic API; - InfiniBand drivers; - IOMMU subsystem; - Network drivers; - STMicroelectronics network drivers; - NVME drivers; - x86 platform drivers; - SCSI subsystem; - SPI subsystem; - TCM subsystem; - USB over IP driver; - File systems infrastructure; - HFS+ file system; - Network file system (NFS) server daemon; - SMB network file system; - IPv6 networking; - Tracing infrastructure; - Timer subsystem; - B.A.T.M.A.N. meshing protocol; - Bluetooth subsystem; - Ethernet bridge; - Ceph Core library; - IPv4 networking; - MAC80211 subsystem; - Multipath TCP; - Netfilter; - RxRPC session sockets; - SMC sockets; - Sun RPC protocol; - X.25 network layer; - AMD SoC Alsa drivers; - KVM subsystem; (CVE-2022-48816, CVE-2023-53673, CVE-2025-37778, CVE-2025-37822, CVE-2025-37924, CVE-2025-38201, CVE-2025-40082, CVE-2025-68214, CVE-2025-68263, CVE-2025-71089, CVE-2025-71220, CVE-2025-71222, CVE-2025-71224, CVE-2026-23176, CVE-2026-23180, CVE-2026-23182, CVE-2026-23190, CVE-2026-23193, CVE-2026-23198, CVE-2026-23202, CVE-2026-23206, CVE-2026-23216, CVE-2026-23256, CVE-2026-23257, CVE-2026-23258, CVE-2026-23262, CVE-2026-23272, CVE-2026-23278, CVE-2026-23428, CVE-2026-23450, CVE-2026-23455, CVE-2026-31402, CVE-2026-31418, CVE-2026-31478, CVE-2026-31607, CVE-2026-31637, CVE-2026-31649, CVE-2026-31657, CVE-2026-31659, CVE-2026-31668, CVE-2026-31669, CVE-2026-31682, CVE-2026-31685, CVE-2026-43011, CVE-2026-43037, CVE-2026-43038, CVE-2026-43071, CVE-2026-43114, CVE-2026-43117, CVE-2026-43186, CVE-2026-43304, CVE-2026-43341, CVE-2026-43383, CVE-2026-43406, CVE-2026-43407, CVE-2026-43414, CVE-2026-43493, CVE-2026-43501, CVE-2026-45988, CVE-2026-46043, CVE-2026-46119, CVE-2026-46135, CVE-2026-46195, CVE-2026-46243)