1 week ago
FEDORA-2026-088b60c071
Packages in this update:
- pdns-recursor-5.4.3-1.fc44
Update description:
update to latest upstream release to fix CVEs
1 week ago
Version: next-20260625 (linux-next)
Released: 2026-06-25
1 week 1 day ago
Oleksii Oleksenko, Cedric Fournet, Jana Hofmann, Boris Köpf, Stavros Volos,
and Flavien Solt discovered that some AMD processors may allow an attacker
to infer data from previous stores, potentially resulting in the leakage of
privileged information. A local attacker could possibly use this to expose
sensitive information. (CVE-2024-36350, CVE-2024-36357)
It was discovered that some AMD Zen 5 processors supporting RDSEED
instruction did not properly handle entropy, potentially resulting in the
consumption of insufficiently random values. A local attacker could
possibly use this issue to influence the values returned by the RDSEED
instruction causing loss of confidentiality and integrity. (CVE-2025-62626)
1 week 1 day ago
It was discovered that xrdp incorrectly handled bounds checking when
processing user domain information during the connection sequence. An
unauthenticated remote attacker could use this issue to cause xrdp to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2025-68670)
It was discovered that xrdp did not correctly enforce the maximum number of
login attempts configured by the MaxLoginRetry parameter. A remote attacker
could use this issue to perform an unlimited number of login attempts.
(CVE-2024-39917)
It was discovered that xrdp did not perform bounds checking when accessing
font glyphs. Since some of this data is controllable by the user, a remote
attacker could use this issue to cause xrdp to read out of bounds. This
issue only affected Ubuntu 24.04 LTS. (CVE-2023-42822)
It was discovered that xrdp did not properly handle session establishment
errors. A remote attacker could use this issue to bypass OS-level session
restrictions enforced by PAM, such as the maximum number of concurrent
sessions per user. This issue only affected Ubuntu 24.04 LTS.
(CVE-2023-40184)
1 week 1 day ago
It was discovered that containerd incorrectly handled HTTP/2 SETTINGS
frames. A remote attacker could possibly use this issue to cause containerd
to enter an infinite loop, resulting in a denial of service. (CVE-2026-33814)
Jakub Ciolek and Kyle Elliott discovered that containerd incorrectly
handled group parsing when creating containers from images. An attacker
could possibly use this issue to cause containerd to consume excessive
memory, resulting in a denial of service. (CVE-2026-47262)
Henry Beberman and Robert Prast discovered that containerd incorrectly
validated image references when importing container checkpoints. An
attacker could possibly use this issue to poison the local image cache and
execute arbitrary code in other pods. This issue only affected Ubuntu
22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.10 and Ubuntu 26.04 LTS.
(CVE-2026-50195)
Robert Prast discovered that containerd incorrectly propagated labels
from image configurations to containers. An attacker could possibly use
this issue to execute arbitrary code on the host. (CVE-2026-53488)
Yuming Zhang, Song Li, Sangwon Ryu, Henry Beberman, Robert Prast, Kyle
Elliott and Zhenchen Wang discovered that containerd incorrectly validated
symlinked paths when restoring container checkpoints. An attacker could
possibly use this issue to read arbitrary files on the host, resulting in
information disclosure. This issue only affected Ubuntu 22.04 LTS, Ubuntu
24.04 LTS, Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-53489)
Robert Prast discovered that containerd incorrectly trusted device
interface annotations when restoring container checkpoints. An attacker
could possibly use this issue to bypass resource allocation restrictions
and inject devices or host mounts into a container. This issue only
affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.10 and Ubuntu
26.04 LTS. (CVE-2026-53492)
1 week 1 day ago
It was discovered that containerd incorrectly handled HTTP/2 SETTINGS
frames. A remote attacker could possibly use this issue to cause containerd
to enter an infinite loop, resulting in a denial of service. This issue
only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS. (CVE-2026-33814)
Jakub Ciolek and Kyle Elliott discovered that containerd incorrectly
handled group parsing when creating containers from images. An attacker
could possibly use this issue to cause containerd to consume excessive
memory, resulting in a denial of service. (CVE-2026-47262)
Robert Prast discovered that containerd incorrectly propagated labels
from image configurations to containers. An attacker could possibly use
this issue to execute arbitrary code on the host. This issue only affected
Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS
and Ubuntu 26.04 LTS. (CVE-2026-53488)
1 week 1 day ago
It was discovered that containerd incorrectly handled HTTP/2 SETTINGS
frames. A remote attacker could possibly use this issue to cause containerd
to enter an infinite loop, resulting in a denial of service. (CVE-2026-33814)
Jakub Ciolek and Kyle Elliott discovered that containerd incorrectly
handled group parsing when creating containers from images. An attacker
could possibly use this issue to cause containerd to consume excessive
memory, resulting in a denial of service. (CVE-2026-47262)
Henry Beberman and Robert Prast discovered that containerd incorrectly
validated image references when importing container checkpoints. An
attacker could possibly use this issue to poison the local image cache and
execute arbitrary code in other pods. (CVE-2026-50195)
Robert Prast discovered that containerd incorrectly propagated labels
from image configurations to containers. An attacker could possibly use
this issue to execute arbitrary code on the host. (CVE-2026-53488)
Yuming Zhang, Song Li, Sangwon Ryu, Henry Beberman, Robert Prast, Kyle
Elliott and Zhenchen Wang discovered that containerd incorrectly validated
symlinked paths when restoring container checkpoints. An attacker could
possibly use this issue to read arbitrary files on the host, resulting in
information disclosure. (CVE-2026-53489)
Robert Prast discovered that containerd incorrectly trusted device
interface annotations when restoring container checkpoints. An attacker
could possibly use this issue to bypass resource allocation restrictions
and inject devices or host mounts into a container. (CVE-2026-53492)
1 week 1 day ago
Version: next-20260624 (linux-next)
Released: 2026-06-25
1 week 1 day ago
It was discovered that NSD incorrectly handled APL resource records with an
address length larger than permitted for the address family. A remote attacker
could use this to cause a stack-based buffer overflow when the zone is written
to disk, potentially executing arbitrary code with the privileges of the NSD
server. (CVE-2026-12246)
It was discovered that NSD incorrectly handled SVCB resource records. A remote
attacker could use this to cause a heap overflow, potentially executing
arbitrary code with the privileges of the NSD server. This issue only affected
Ubuntu 26.04 LTS. (CVE-2026-12244)
It was discovered that NSD had a use-after-free vulnerability in TLS
connection error logging. A remote attacker could use this to cause a denial
of service by crashing the server process. This issue only affected Ubuntu
26.04 LTS. (CVE-2026-12245)
It was discovered that NSD incorrectly handled TLS authentication for zone
transfers. An attacker could bypass transfer security restrictions when
certain conditions were met. This issue only affected Ubuntu 26.04 LTS.
(CVE-2026-12490)
1 week 1 day ago
FEDORA-EPEL-2026-a7b8aa88eb
Packages in this update:
Update description:
Update to 0.48.0 (rhbz#2481109)
Security fixes
- Complete the IP-host certificate identity fix from v0.47.0 for the Mbed TLS and wolfSSL backends. An IP-literal host is now authenticated only via a matching iPAddress SAN, never via the certificate's Common Name (RFC 9110) — matching what the OpenSSL backend already enforces through X509_check_ip. Previously these backends fell back to the CN when no IP SAN matched, and recognized IPv4 only; now IPv6 (16-byte) iPAddress SANs are matched as well, and the CN fallback is skipped for both IPv4 and IPv6 literal hosts (#2476)
Improvements
- Replace the strtod-based from_chars for double with a hand-written, locale-independent parser. The only double parsed by the library is the HTTP quality value; strtod reads the decimal separator from the global C locale, so an embedder calling setlocale(LC_ALL, "") into a comma-decimal locale would mis-parse q-values. The new parser always treats . as the decimal separator and is allocation-free (Fix #2475)
- Fix OpenSSL 4.0 deprecation warnings: fetch CA store objects via the thread-safe X509_STORE_get1_objects() (OpenSSL 3.3+) and extract the subject CN via X509_NAME_get_index_by_NID()/X509_NAME_get_entry() instead of the deprecated X509_STORE_get0_objects() and X509_NAME_get_text_by_NID(). Older OpenSSL, BoringSSL, and LibreSSL keep using the get0 path. Verified warning-free against OpenSSL 4.0.1, 3.6.2, and 3.0
Behavior changes
- decode_query_component() now uses strict hex parsing for percent-escapes, consistent with decode_uri_component() and decode_path_component(). A % followed by non-hex characters (e.g. a sign or whitespace such as %-1, %+5, % 5) is passed through literally instead of being accepted as a valid escape (#2472)
Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.48.0
Update to 0.47.0 (rhbz#2481109, CVE-2026-46527, CVE-2026-45372, CVE-2026-45352)
Security fixes
- Fix TLS certificate chain verification bypass for IP-literal hosts on the Mbed TLS and wolfSSL backends: with server certificate verification enabled, SSLClient skipped chain validation entirely (any untrusted certificate with a matching IP SAN was accepted), and WebSocketClient on Mbed TLS skipped verification altogether. Chain verification now stays enabled for IP hosts, and certificate identity is verified post-handshake against IP SANs on all backends. SNI is no longer sent for IP hosts on Mbed TLS and wolfSSL, per RFC 6066 (CVE-2026-54919)
New features
- Add Server::set_start_handler(): a callback invoked when the server is ready to accept connections, useful when running the server in a background thread (#2467)
- Add Client/SSLClient/WebSocketClient::enable_system_ca(bool) to opt into loading system CA certificates alongside a custom CA. The default is unchanged: a custom CA remains exclusive. The setting carries over to clients created for HTTPS redirects (#2471)
- Add WebSocketClient::set_hostname_addr_map() to connect to a specific IP address while keeping the original hostname for the handshake and certificate verification (#2463)
Behavior changes
- The request body is now read after route matching and the pre-request handler, so both the regular handler and ContentReader paths behave the same: route matching → pre-request handler → body read → handler. A request rejected by the pre-request handler (e.g. failed per-route authentication via req.matched_route) no longer buffers the body at all. Note: code that referenced req.body or body-derived form fields inside the pre-request handler will now see an empty body; inspect headers, path, query parameters, or matched_route instead
- WebSocketClient with a custom CA no longer merges system CA certificates (it previously always merged them). This matches SSLClient behavior; call enable_system_ca(true) to load system CA certificates alongside the custom CA
- Range request headers are now ignored for streaming responses of unknown length instead of producing an invalid response (#2465)
Bug fixes
- Fix SSLClient::set_ca_cert_store() breaking custom-CA exclusivity: system CA certificates were silently merged into the user-provided store, broadening the trust set. Also fix Client::load_ca_cert_store() not carrying CA certificates over to clients created for HTTPS redirects
- Fix WebSocketClient dropping the query string from the URL during the upgrade handshake, so query parameters (e.g. auth tokens) are sent (#2468)
- Fix a use-after-free when reconnecting a WebSocketClient after set_ca_cert_store(), and a memory leak in the Mbed TLS and wolfSSL set_ca_cert_store() backends
- Fix MSVC warning C4309 (truncation of constant value) in SHA padding code (#2464)
- Cast to unsigned char before ctype calls in is_hex and is_token_char to avoid undefined behavior with negative char values (#2469)
Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.47.0
1 week 1 day ago
FEDORA-EPEL-2026-4d48176243
Packages in this update:
- cpp-httplib-0.48.0-1.el10_3
Update description:
Update to 0.48.0 (rhbz#2481109)
Security fixes
- Complete the IP-host certificate identity fix from v0.47.0 for the Mbed TLS and wolfSSL backends. An IP-literal host is now authenticated only via a matching iPAddress SAN, never via the certificate's Common Name (RFC 9110) — matching what the OpenSSL backend already enforces through X509_check_ip. Previously these backends fell back to the CN when no IP SAN matched, and recognized IPv4 only; now IPv6 (16-byte) iPAddress SANs are matched as well, and the CN fallback is skipped for both IPv4 and IPv6 literal hosts (#2476)
Improvements
- Replace the strtod-based from_chars for double with a hand-written, locale-independent parser. The only double parsed by the library is the HTTP quality value; strtod reads the decimal separator from the global C locale, so an embedder calling setlocale(LC_ALL, "") into a comma-decimal locale would mis-parse q-values. The new parser always treats . as the decimal separator and is allocation-free (Fix #2475)
- Fix OpenSSL 4.0 deprecation warnings: fetch CA store objects via the thread-safe X509_STORE_get1_objects() (OpenSSL 3.3+) and extract the subject CN via X509_NAME_get_index_by_NID()/X509_NAME_get_entry() instead of the deprecated X509_STORE_get0_objects() and X509_NAME_get_text_by_NID(). Older OpenSSL, BoringSSL, and LibreSSL keep using the get0 path. Verified warning-free against OpenSSL 4.0.1, 3.6.2, and 3.0
Behavior changes
- decode_query_component() now uses strict hex parsing for percent-escapes, consistent with decode_uri_component() and decode_path_component(). A % followed by non-hex characters (e.g. a sign or whitespace such as %-1, %+5, % 5) is passed through literally instead of being accepted as a valid escape (#2472)
Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.48.0
Update to 0.47.0 (rhbz#2481109, CVE-2026-46527, CVE-2026-45372, CVE-2026-45352)
Security fixes
- Fix TLS certificate chain verification bypass for IP-literal hosts on the Mbed TLS and wolfSSL backends: with server certificate verification enabled, SSLClient skipped chain validation entirely (any untrusted certificate with a matching IP SAN was accepted), and WebSocketClient on Mbed TLS skipped verification altogether. Chain verification now stays enabled for IP hosts, and certificate identity is verified post-handshake against IP SANs on all backends. SNI is no longer sent for IP hosts on Mbed TLS and wolfSSL, per RFC 6066 (CVE-2026-54919)
New features
- Add Server::set_start_handler(): a callback invoked when the server is ready to accept connections, useful when running the server in a background thread (#2467)
- Add Client/SSLClient/WebSocketClient::enable_system_ca(bool) to opt into loading system CA certificates alongside a custom CA. The default is unchanged: a custom CA remains exclusive. The setting carries over to clients created for HTTPS redirects (#2471)
- Add WebSocketClient::set_hostname_addr_map() to connect to a specific IP address while keeping the original hostname for the handshake and certificate verification (#2463)
Behavior changes
- The request body is now read after route matching and the pre-request handler, so both the regular handler and ContentReader paths behave the same: route matching → pre-request handler → body read → handler. A request rejected by the pre-request handler (e.g. failed per-route authentication via req.matched_route) no longer buffers the body at all. Note: code that referenced req.body or body-derived form fields inside the pre-request handler will now see an empty body; inspect headers, path, query parameters, or matched_route instead
- WebSocketClient with a custom CA no longer merges system CA certificates (it previously always merged them). This matches SSLClient behavior; call enable_system_ca(true) to load system CA certificates alongside the custom CA
- Range request headers are now ignored for streaming responses of unknown length instead of producing an invalid response (#2465)
Bug fixes
- Fix SSLClient::set_ca_cert_store() breaking custom-CA exclusivity: system CA certificates were silently merged into the user-provided store, broadening the trust set. Also fix Client::load_ca_cert_store() not carrying CA certificates over to clients created for HTTPS redirects
- Fix WebSocketClient dropping the query string from the URL during the upgrade handshake, so query parameters (e.g. auth tokens) are sent (#2468)
- Fix a use-after-free when reconnecting a WebSocketClient after set_ca_cert_store(), and a memory leak in the Mbed TLS and wolfSSL set_ca_cert_store() backends
- Fix MSVC warning C4309 (truncation of constant value) in SHA padding code (#2464)
- Cast to unsigned char before ctype calls in is_hex and is_token_char to avoid undefined behavior with negative char values (#2469)
Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.47.0
1 week 1 day ago
FEDORA-2026-504709cab7
Packages in this update:
- chromium-149.0.7827.196-1.fc44
Update description:
chromium-149.0.7827.196 security release
* CVE-2026-13028: Use after free in WebGL
* CVE-2026-13032: Use after free in WebGL
* CVE-2026-13033: Out of bounds read in Blink>InterestGroups
* CVE-2026-13038: Use after free in Autofill
* CVE-2026-13021: Inappropriate implementation in DeviceBoundSessionCredentials
* CVE-2026-13022: Inappropriate implementation in Autofill
* CVE-2026-13023: Uninitialized Use in GPU
* CVE-2026-13024: Insufficient validation of untrusted input in Navigation
* CVE-2026-13025: Insufficient validation of untrusted input in DevTools
* CVE-2026-13026: Use after free in Digital Credentials
* CVE-2026-13027: Use after free in FileSystem
* CVE-2026-13029: Use after free in Web Authentication
* CVE-2026-13030: Uninitialized Use in GPU
* CVE-2026-13031: Use after free in Blink
* CVE-2026-13034: Inappropriate implementation in Passwords
* CVE-2026-13035: Use after free in Bluetooth
* CVE-2026-13036: Use after free in Blink
* CVE-2026-13037: Use after free in WebView
1 week 1 day ago
FEDORA-2026-ddd87cb1db
Packages in this update:
- chromium-149.0.7827.196-1.fc43
Update description:
chromium-149.0.7827.196 security release
* CVE-2026-13028: Use after free in WebGL
* CVE-2026-13032: Use after free in WebGL
* CVE-2026-13033: Out of bounds read in Blink>InterestGroups
* CVE-2026-13038: Use after free in Autofill
* CVE-2026-13021: Inappropriate implementation in DeviceBoundSessionCredentials
* CVE-2026-13022: Inappropriate implementation in Autofill
* CVE-2026-13023: Uninitialized Use in GPU
* CVE-2026-13024: Insufficient validation of untrusted input in Navigation
* CVE-2026-13025: Insufficient validation of untrusted input in DevTools
* CVE-2026-13026: Use after free in Digital Credentials
* CVE-2026-13027: Use after free in FileSystem
* CVE-2026-13029: Use after free in Web Authentication
* CVE-2026-13030: Uninitialized Use in GPU
* CVE-2026-13031: Use after free in Blink
* CVE-2026-13034: Inappropriate implementation in Passwords
* CVE-2026-13035: Use after free in Bluetooth
* CVE-2026-13036: Use after free in Blink
* CVE-2026-13037: Use after free in WebView
1 week 1 day ago
It was discovered that cpp-httplib incorrectly percent-decoded HTTP
request header values. A remote attacker could use this to inject crafted
header content possibly leading to response splitting, log injection
or proxy smuggling.
1 week 1 day ago