Aggregator

USN-8248-2: NASM regression

6 days ago
USN-8248-1 fixed vulnerabilities in NASM. Unfortunately the update introduced a regression which could cause NASM to crash. This update fixes the problem by reverting the fix for CVE-2021-33450 and CVE-2021-33452 in Ubuntu 24.04 LTS. We apologize for the inconvenience.

Original advisory details:

Daisy Chen discovered that NASM was vulnerable to a heap buffer overflow when handling certain input. An attacker could possibly use this issue to cause NASM to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2023-31722)

It was discovered that NASM incorrectly handled memory allocation. An attacker could possibly use this issue to cause NASM to use excessive resources, leading to a denial of service. This issue only affected Ubuntu 24.04 LTS. (CVE-2021-33452, CVE-2021-33450)

python-pulp-glue-0.37.0-5.fc43 python-requests-2.33.1-1.fc43

6 days 1 hour ago
FEDORA-2026-8ad863685a
Packages in this update:
  • python-pulp-glue-0.37.0-5.fc43
  • python-requests-2.33.1-1.fc43
Update description:

2.33.1 (2026-03-30)

Bugfixes
  • Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory.
  • Fixed Content-Type header parsing for malformed values.
  • Improved error consistency for malformed header values.

2.33.0 (2026-03-25)

Announcements
  • 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security
  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements
  • Migrated to a PEP 517 build system using setuptools.

Bugfixes
  • Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+.

Deprecations
  • Dropped support for Python 3.9 following its end of support.

Documentation
  • Various typo fixes and doc improvements.

python-pulp-glue-0.37.0-5.fc44 python-requests-2.33.1-1.fc44

6 days 1 hour ago
FEDORA-2026-44919b3d9f
Packages in this update:
  • python-pulp-glue-0.37.0-5.fc44
  • python-requests-2.33.1-1.fc44
Update description:

2.33.1 (2026-03-30)

Bugfixes
  • Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory.
  • Fixed Content-Type header parsing for malformed values.
  • Improved error consistency for malformed header values.

2.33.0 (2026-03-25)

Announcements
  • 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security
  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements
  • Migrated to a PEP 517 build system using setuptools.

Bugfixes
  • Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+.

Deprecations
  • Dropped support for Python 3.9 following its end of support.

Documentation
  • Various typo fixes and doc improvements.

USN-8262-1: Lua vulnerability

6 days 5 hours ago
It was discovered that the Lua parser incorrectly handled garbage collection when processing specially crafted Lua scripts. A remote attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

python-jupytext-1.19.1-4.fc42

6 days 13 hours ago
FEDORA-2026-793b55138d
Packages in this update:
  • python-jupytext-1.19.1-4.fc42
Update description:

This update contains upgrades to various npm packages used during the build to address CVEs, namely:

  • CVE-2025-69873 (ajv)
  • CVE-2026-0540 (DOMPurify)
  • CVE-2026-3449 (@tootallnate/once)
  • CVE-2026-4800 (lodash)
  • CVE-2026-6321 (fast-uri)
  • CVE-2026-41240 (DOMPurify)

This is probably unimportant since these packages are used at build-time only. They are not shipped with python3-jupytext and therefore do not affect runtime.