1 week 5 days ago
Millie Solem discovered that Authlib did not properly restrict algorithm
selection during JWT verification, allowing HMAC verification with
asymmetric public keys when no algorithm was specified. A remote attacker
could possibly use this issue to bypass signature verification and forge
tokens, resulting in authentication bypass or privilege escalation.
(CVE-2024-37568)
Muhammad Noman Ilyas discovered that Authlib did not properly enforce
critical header parameter handling during JSON Web Signature verification,
leading to unknown critical parameters being incorrectly accepted. A remote
attacker could possibly use this issue to bypass security policies in mixed
deployments, resulting in authentication bypass, replay attacks, or
privilege escalation. (CVE-2025-59420)
Muhammad Noman Ilyas discovered that Authlib did not properly limit the
size of JSON Web Signature or JSON Web Token header and signature segments.
A remote attacker could possibly use this issue to cause excessive memory
or processor consumption, leading to a denial of service. (CVE-2025-61920)
Muhammad Noman Ilyas discovered that Authlib performed unbounded
decompression when processing certain compressed encrypted tokens. A remote
attacker could possibly use this issue to send a specially crafted token
that can be expanded to a large size during decompression, causing a denial
of service. (CVE-2025-62706)
It was discovered that Authlib did not properly bind cached state
information to the initiating user session during OAuth authentication
flows. A remote attacker could possibly use this issue to perform cross-
site request forgery attacks, resulting in unauthorized actions or
authentication bypass. This issue only affected Ubuntu 24.04 LTS.
(CVE-2025-68158)
1 week 6 days ago
FEDORA-2026-c6d7c9de1d
Packages in this update:
Update description:
Rebase to latest upstream release
1 week 6 days ago
FEDORA-2026-b8847e1e2c
Packages in this update:
Update description:
Rebase to latest upstream release
1 week 6 days ago
Version: next-20260225 (linux-next)
Released: 2026-02-25
1 week 6 days ago
Eliot Horowitz discovered that MongoDB may fail to validate some instances
of malformed BSON. A remote attacker could possibly use this issue to cause
MongoDB to crash, resulting in a denial of service. This issue only
affected Ubuntu 14.04 LTS. (CVE-2015-1609)
It was discovered that MongoDB read raw permissions from .dbshell history
files. A local attacker could possibly use this issue to obtain sensitive
information. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04
LTS. (CVE-2016-6494)
Travis Brown discovered that MongoDB may be unable to parse specially
crafted UTF-8 strings in BSON requests. A remote attacker could possibly
use this issue to cause MongoDB to crash, resulting in a denial of service.
This issue only affected Ubuntu 18.04 LTS. (CVE-2018-20802)
1 week 6 days ago
FEDORA-2026-766e3a6ec8
Packages in this update:
Update description:
- New upstream release (148.0)
1 week 6 days ago
USN-5376-1 fixed a vulnerability in Git. It was discovered that the safety
checks introduced in the update could not be set using the command line,
contrary to expectations. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
俞晨东 discovered that Git incorrectly handled certain repository paths on
platforms with multi-user support. An attacker could possibly use
this issue to run arbitrary commands.
1 week 6 days ago
It was discovered that Protocol Buffers incorrectly handled recursion when
the Python google.protobuf.json_format.ParseDict() function is used.
An attacker could possibly use this issue to cause Protocol Buffers to
consume resources, resulting in a denial of service.
1 week 6 days ago
FEDORA-2026-be60dd75d9
Packages in this update:
Update description:
Update to 3.23.0 to fix CVE-2026-26965, CVE-2026-26955, CVE-2026-26271, CVE-2026-25997, CVE-2026-25959, CVE-2026-25955, CVE-2026-25954, CVE-2026-25953, CVE-2026-25952, CVE-2026-25942, CVE-2026-25941
1 week 6 days ago
FEDORA-2026-a160e550ec
Packages in this update:
Update description:
Update to 3.23.0 to fix CVE-2026-26965, CVE-2026-26955, CVE-2026-26271, CVE-2026-25997, CVE-2026-25959, CVE-2026-25955, CVE-2026-25954, CVE-2026-25953, CVE-2026-25952, CVE-2026-25942, CVE-2026-25941
1 week 6 days ago
FEDORA-2026-53fe996a57
Packages in this update:
Update description:
Update to 3.23.0 to fix CVE-2026-26965, CVE-2026-26955, CVE-2026-26271, CVE-2026-25997, CVE-2026-25959, CVE-2026-25955, CVE-2026-25954, CVE-2026-25953, CVE-2026-25952, CVE-2026-25942, CVE-2026-25941
1 week 6 days ago
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- GPU drivers;
- MMC subsystem;
(CVE-2022-49267, CVE-2025-21780)
1 week 6 days ago
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- SMB network file system;
(CVE-2025-22037, CVE-2025-37899)
1 week 6 days ago
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- SMB network file system;
(CVE-2025-22037, CVE-2025-37899)
1 week 6 days ago
FEDORA-2026-b5bde68630
Packages in this update:
- firefox-148.0-1.fc44
- nss-3.120.1-1.fc44
Update description:
Update NSS to 3.120.1
Update to Firefox 148.0
1 week 6 days ago
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- SMB network file system;
(CVE-2025-22037, CVE-2025-37899)
1 week 6 days ago
FEDORA-2026-57cd5704e9
Packages in this update:
Update description:
Apply fix for CVE-2025-61146
1 week 6 days ago
FEDORA-2026-b227fad171
Packages in this update:
Update description:
Apply fix for CVE-2025-61146
1 week 6 days ago
FEDORA-2026-a800d3417b
Packages in this update:
Update description:
Apply fix for CVE-2025-61146