Aggregator

perl-Net-Statsd-0.13-1.fc43

1 week ago
FEDORA-2026-9a8f233b8f Packages in this update:
  • perl-Net-Statsd-0.13-1.fc43
Update description:

Metric names and values are now validated to ensure they do not contain characters below ASCII 32 (including newlines), colons (":") or pipes ("|"), any of which could otherwise allow metric injection. Offending calls now croak.
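Why those three character classes matter, as an added example that is not Net::Statsd's code: the StatsD wire format is one `name:value|type` record per line, so a newline, colon or pipe inside an unvalidated name lets the caller of the client library smuggle a second record into the datagram. The injected name below is constructed for the example; the receiver-side parser is a minimal sketch, not a real StatsD server.

```javascript
// Added example (not Net::Statsd code): why unvalidated metric names allow
// injection on the StatsD wire format, and the check that closes it.
// Wire format per line: <name>:<value>|<type>; a datagram may carry several
// lines separated by '\n'.

// Characters below ASCII 32 (newline included), ':' and '|' all change how
// the receiver splits a line, so none may appear in a name or value.
const FORBIDDEN = /[\x00-\x1f:|]/;

function validateMetricName(name) {
  if (typeof name !== 'string' || name.length === 0) {
    throw new TypeError('metric name must be a non-empty string');
  }
  if (FORBIDDEN.test(name)) {
    throw new RangeError(`metric name ${JSON.stringify(name)} contains a control, ':' or '|' character`);
  }
  return name;
}

function validateMetricValue(value) {
  if (typeof value === 'number' && !Number.isFinite(value)) {
    throw new RangeError('metric value must be finite');
  }
  const s = String(value);
  if (FORBIDDEN.test(s)) {
    throw new RangeError(`metric value ${JSON.stringify(s)} contains a control, ':' or '|' character`);
  }
  return s;
}

// Before: name and value are interpolated as-is.
function buildLineUnsafe(name, value, type) {
  return `${name}:${value}|${type}`;
}

// After: offending input is rejected before it reaches the socket.
function buildLineSafe(name, value, type) {
  return `${validateMetricName(name)}:${validateMetricValue(value)}|${type}`;
}

// Minimal receiver-side parser, to show what a server would actually record.
function parseDatagram(datagram) {
  return datagram.split('\n').filter((l) => l.length > 0).map((line) => {
    const colon = line.indexOf(':');
    const pipe = line.indexOf('|', colon + 1);
    return {
      name: line.slice(0, colon),
      value: line.slice(colon + 1, pipe),
      type: line.slice(pipe + 1),
    };
  });
}

// Constructed attacker-controlled input: a "name" that carries a whole extra
// record (a gauge forcing alerts off) ahead of the legitimate counter.
const INJECTED_NAME = 'auth.alerts.enabled:0|g\nauth.login.ok';

function demo() {
  const unsafeMetrics = parseDatagram(buildLineUnsafe(INJECTED_NAME, 1, 'c'));
  let safeResult;
  try {
    safeResult = buildLineSafe(INJECTED_NAME, 1, 'c');
  } catch (e) {
    safeResult = `rejected: ${e.message}`;
  }
  return { unsafeMetrics, safeResult };
}
```

With the unsafe builder the server records two metrics from one call; the safe builder throws before anything is sent, which is the croak behaviour the update describes. Values get the same check because a string value such as `"1|c\nx:1"` splits the line just as a bad name does.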

USN-8413-1: Cyborg vulnerabilities

1 week ago
It was discovered that Cyborg did not properly enforce project ownership in the Accelerator Request (ARQ) API. An authenticated user could possibly use this issue to delete ARQs bound to other projects' instances, resulting in a cross-tenant denial of service. (CVE-2026-40214)

It was discovered that Cyborg used a permissive default policy that authorized any request carrying a valid authentication token, regardless of roles or scope, for multiple API endpoints. An authenticated user could possibly use this issue to perform unauthorized actions, such as reprogramming FPGA bitstreams on arbitrary compute nodes. (CVE-2026-40213)
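Both findings are policy-shape problems, and the following added example (not Cyborg or oslo.policy code) shows the difference between a rule that passes any valid token and one that checks role and project ownership. The rule syntax is modelled on oslo.policy (an empty rule always passes, `role:X` requires a role, `project_id:%(project_id)s` compares the caller's project with the target's, `and` joins checks); the action names `arq:delete` and `deployable:program`, the callers and the target object are all hypothetical and constructed here.

```javascript
// Added example (not Cyborg or oslo.policy code). Rule syntax is modelled on
// oslo.policy: "" passes any caller with a valid token, "role:X" requires
// role X, "project_id:%(project_id)s" requires the caller's project to equal
// the target's, and "and" joins checks. Action names below are hypothetical.

function checkMatches(check, creds, target) {
  if (check === '') return true;                  // permissive: a token is enough
  const sep = check.indexOf(':');
  if (sep < 0) throw new Error(`malformed check: ${check}`);
  const kind = check.slice(0, sep);
  // Substitute %(field)s placeholders from the target being acted on.
  const value = check.slice(sep + 1).replace(/%\((\w+)\)s/g, (_, k) => String(target[k]));
  switch (kind) {
    case 'role': return (creds.roles || []).includes(value);
    case 'project_id': return creds.project_id === value;
    default: throw new Error(`unsupported check kind: ${kind}`);
  }
}

function enforce(policy, action, creds, target) {
  if (!Object.prototype.hasOwnProperty.call(policy, action)) {
    throw new Error(`no rule for ${action}`);
  }
  return policy[action].split(' and ').every((c) => checkMatches(c.trim(), creds, target));
}

// Weak defaults: every endpoint is "" (any authenticated user, any project).
const PERMISSIVE_POLICY = {
  'arq:delete': '',
  'deployable:program': '',
};

// Corrected defaults: ownership for tenant-scoped objects, admin for node-level ops.
const SCOPED_POLICY = {
  'arq:delete': 'role:member and project_id:%(project_id)s',
  'deployable:program': 'role:admin',
};

// Constructed callers and targets.
const TENANT_A_MEMBER = { project_id: 'proj-a', roles: ['member', 'reader'] };
const ADMIN = { project_id: 'admin-proj', roles: ['admin', 'member'] };
const TENANT_B_ARQ = { project_id: 'proj-b', uuid: 'arq-1' };
const COMPUTE_NODE = { node: 'compute-7' };

// Tenant A tries to delete an ARQ that belongs to tenant B.
function crossTenantDelete(policy) {
  return enforce(policy, 'arq:delete', TENANT_A_MEMBER, TENANT_B_ARQ);
}

// A plain project member tries a node-level reprogramming action.
function memberProgramsFpga(policy) {
  return enforce(policy, 'deployable:program', TENANT_A_MEMBER, COMPUTE_NODE);
}
```

The ownership check only works if the API looks up the ARQ first and passes its stored `project_id` as the target; a rule like `project_id:%(project_id)s` evaluated against the request body instead of the stored record is trivially satisfied by the caller. The evaluator above handles `and` only; `or`, `not` and `rule:` references are omitted for brevity.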

ImageMagick-6.9.13.49-1.el9

1 week ago
FEDORA-EPEL-2026-2d971fc3b0 Packages in this update:
  • ImageMagick-6.9.13.49-1.el9
Update description:

Summary

This update fixes several security vulnerabilities, including multiple high-severity CVEs.

Security fixes

  • CVE-2026-33901 (High) — Heap buffer overflow in the MVG decoder that could result in an out-of-bounds write when processing a crafted image.
  • CVE-2026-33908 (High) — Recursive DestroyXMLTree() call with no depth limit causes stack exhaustion when processing deeply nested XML structures, resulting in a Denial of Service (DoS).
  • CVE-2026-40310 (High) — Heap out-of-bounds write in the JP2 encoder triggered when a user specifies an invalid sampling index.

Additional security and bug fixes are included in the upstream releases between 6.9.13.25 and 6.9.13.49. See the upstream release history at: https://github.com/ImageMagick/ImageMagick6/releases

ImageMagick-6.9.13.49-1.el8

1 week ago
FEDORA-EPEL-2026-fb9a9ab1e9 Packages in this update:
  • ImageMagick-6.9.13.49-1.el8
Update description:

Summary

This update fixes several security vulnerabilities, including multiple high-severity CVEs.

Security fixes

  • CVE-2026-33901 (High) — Heap buffer overflow in the MVG decoder that could result in an out-of-bounds write when processing a crafted image.
  • CVE-2026-33908 (High) — Recursive DestroyXMLTree() call with no depth limit causes stack exhaustion when processing deeply nested XML structures, resulting in a Denial of Service (DoS).
  • CVE-2026-40310 (High) — Heap out-of-bounds write in the JP2 encoder triggered when a user specifies an invalid sampling index.

Additional security and bug fixes are included in the upstream releases between 6.9.13.25 and 6.9.13.49. See the upstream release history at: https://github.com/ImageMagick/ImageMagick6/releases
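The CVE-2026-33908 entry in both ImageMagick updates above describes the same bug class: a teardown routine whose recursion depth equals the document's nesting depth, so an attacker chooses how deep the call stack goes. The following added example is not ImageMagick code; it uses a hypothetical child/sibling node layout and a tree constructed here to show the recursive pattern failing and an explicit work list surviving the same input.

```javascript
// Added example (not ImageMagick code): the teardown pattern behind an
// unbounded-recursion stack exhaustion, and an iterative replacement.
// Nodes use a hypothetical child/sibling layout; the tree is built here.

function buildNestedTree(depth) {
  // <a><a>...</a></a>: each element has exactly one child, nested `depth` deep.
  let node = { tag: 'a', child: null, sibling: null };
  for (let i = 1; i < depth; i++) node = { tag: 'a', child: node, sibling: null };
  return node;
}

// Vulnerable pattern: one stack frame per nesting level, no limit. A deeply
// nested document therefore decides how much stack the process needs.
function destroyRecursive(node) {
  if (node === null) return 0;
  const freed = destroyRecursive(node.child) + destroyRecursive(node.sibling);
  node.child = null;
  node.sibling = null;
  return freed + 1;
}

// Fix: an explicit work list keeps stack use at one frame regardless of depth.
function destroyIterative(root) {
  const work = [root];
  let freed = 0;
  while (work.length > 0) {
    const node = work.pop();
    if (node === null) continue;
    if (node.child !== null) work.push(node.child);
    if (node.sibling !== null) work.push(node.sibling);
    node.child = null;
    node.sibling = null;
    freed++;
  }
  return freed;
}

// Runs the recursive teardown and reports whether the stack held up.
function tryDestroyRecursive(root) {
  try {
    return { ok: true, freed: destroyRecursive(root) };
  } catch (e) {
    if (e instanceof RangeError) return { ok: false, reason: 'stack exhausted' };
    throw e;
  }
}

const DEEP = 200000; // well beyond a default V8 call-stack budget
```

In JavaScript the overflow surfaces as a catchable `RangeError`; in C it is a segfault, which is why the advisory classifies it as a denial of service. The complementary fix is a nesting limit enforced by the parser so that such a tree is never built in the first place.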

USN-8411-1: Lodash vulnerabilities

1 week ago
It was discovered that Lodash was vulnerable to a prototype pollution issue in the zipObjectDeep function. An attacker could possibly use this issue to modify application behavior. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-8203)

Liyuan Chen discovered that Lodash was vulnerable to a regular expression denial of service issue in the toNumber, trim, and trimEnd functions. An attacker could possibly use this issue to consume excessive system resources, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-28500)

Marc Hassan discovered that Lodash did not properly sanitize input to the template function. An attacker could possibly use this issue to inject and execute arbitrary commands. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-23337)

It was discovered that Lodash was vulnerable to a prototype pollution issue in the unset and omit functions. An attacker could possibly use this issue to delete properties from global prototypes, resulting in security restrictions being bypassed. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2025-13465)

It was discovered that Lodash was vulnerable to a prototype pollution issue in the unset and omit functions. An attacker could possibly use this issue to delete properties from built-in prototypes, resulting in security restrictions being bypassed. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-2950)

It was discovered that Lodash did not properly validate certain inputs to the template function. An attacker could possibly use this issue to inject malicious code during template processing, resulting in arbitrary code execution. (CVE-2026-4800)
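The three prototype pollution entries (zipObjectDeep setting, unset and omit deleting) share one mechanism: a dotted path from untrusted input is walked key by key, and `__proto__` or `constructor.prototype` steers the walk onto `Object.prototype`. The following added example is not lodash code; it is a naive setter and unsetter of that shape next to hardened versions, with the helper `isPolluted` and the paths used here all constructed for the example.

```javascript
// Added example (not lodash code): a naive dotted-path setter/unsetter of the
// kind the advisory describes, and hardened versions. Keys come from the
// path, so whoever controls the path can walk from any object onto
// Object.prototype via "__proto__" or "constructor.prototype".

const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isTraversable = (v) => v !== null && (typeof v === 'object' || typeof v === 'function');
const splitPath = (path) => String(path).split('.');

// Vulnerable: follows whatever key the path names, inherited ones included.
function setDeepUnsafe(obj, path, value) {
  const keys = splitPath(path);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!isTraversable(cur[keys[i]])) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

function unsetDeepUnsafe(obj, path) {
  const keys = splitPath(path);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    cur = cur[keys[i]];
    if (!isTraversable(cur)) return false;
  }
  return delete cur[keys[keys.length - 1]];
}

// Hardened: refuse prototype-reaching keys up front and only traverse own
// properties, so the walk can never leave the object graph it started in.
function assertSafePath(keys) {
  for (const k of keys) {
    if (PROTOTYPE_KEYS.has(k)) throw new Error(`refusing prototype-reaching key "${k}"`);
  }
}

function setDeepSafe(obj, path, value) {
  const keys = splitPath(path);
  assertSafePath(keys);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!Object.prototype.hasOwnProperty.call(cur, k) || !isTraversable(cur[k])) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

function unsetDeepSafe(obj, path) {
  const keys = splitPath(path);
  assertSafePath(keys);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!Object.prototype.hasOwnProperty.call(cur, k)) return false;
    cur = cur[k];
    if (!isTraversable(cur)) return false;
  }
  return delete cur[keys[keys.length - 1]];
}

// Detection check after handling untrusted input: a fresh {} has no own
// properties, so any value found for `marker` was inherited from a prototype.
function isPolluted(marker) {
  return ({})[marker] !== undefined;
}
```

The unset case is the one that bypasses restrictions: deleting `Object.prototype.toString` or a framework's guard method from the shared prototype changes every object in the process, not just the one passed in. Rejecting the three key names is necessary but not sufficient on its own, which is why the safe versions also stop at non-own properties; creating objects with `Object.create(null)` for untrusted data is a further defence the advisory does not cover.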

USN-8398-2: nginx regression

1 week ago
USN-8398-1 fixed a vulnerability in nginx. The update introduced a regression causing nginx to crash when being used with external modules. This update reverts the fix for CVE-2026-49975 pending further investigation. We apologize for the inconvenience. Original advisory details: It was discovered that nginx incorrectly handled certain cookie headers in the HTTP/2 implementation. A remote attacker could possibly use this issue to cause nginx to consume excessive resources, resulting in a denial of service.

USN-8044-2: alsa-lib vulnerability

1 week ago
USN-8044-1 fixed a vulnerability in alsa-lib. This update provides the corresponding fix for alsa-lib on Ubuntu 20.04 LTS. Original advisory details: It was discovered that alsa-lib incorrectly handled the topology mixer control decoder. A local attacker could use a specially crafted topology file to cause alsa-lib to crash, resulting in a denial of service, or possibly execute arbitrary code.

vorbis-tools-1.4.3-5.fc45

1 week ago
FEDORA-2026-9c00940406 Packages in this update:
  • vorbis-tools-1.4.3-5.fc45
Update description:

Automatic update for vorbis-tools-1.4.3-5.fc45.

Changelog

* Tue Jun 9 2026 Lukáš Zaoral <lzaoral@redhat.com> - 1:1.4.3-5
- CVE-2026-34253 - fix arbitrary code execution via buffer underflow (rhbz#2479549)