Aggregator

USN-8337-1: QtSvg vulnerabilities

1 week 1 day ago
It was discovered that QtSvg incorrectly handled certain SVG images. An attacker could possibly use this issue to cause QtSvg to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2018-19869) It was discovered that QtSvg incorrectly handled certain SVG images. An attacker could use this issue to cause QtSvg to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-3481, CVE-2021-28025, CVE-2021-45930) It was discovered that QtSvg incorrectly handled certain SVG images. An attacker could use this issue to cause QtSvg to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2023-32573)

USN-8336-1: PHP vulnerabilities

1 week 1 day ago
Aleksey Solovev and Nikita Sveshnikov discovered that PHP improperly handled NUL bytes when preparing SQL queries in the PDO Firebird driver. An attacker could possibly use this issue to perform SQL injection attacks. (CVE-2025-14179) It was discovered that PHP incorrectly handled certain encoding names in mbstring. An attacker could possibly use this issue to obtain sensitive information or cause a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-6104) It was discovered that PHP incorrectly handled object references while parsing crafted SOAP requests. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2026-6722) It was discovered that PHP incorrectly sanitized certain data in the PHP-FPM status page. A remote attacker could possibly use this issue to inject arbitrary JavaScript code. (CVE-2026-6735) It was discovered that PHP had an encoding mismatch in mbstring. An attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2026-7259) It was discovered that PHP incorrectly handled SOAP session persistence after errors. A remote attacker could possibly use this issue to obtain sensitive information or cause PHP to crash, resulting in a denial of service. (CVE-2026-7261) It was discovered that PHP incorrectly handled missing values in SOAP typemap decoding. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2026-7262) It was discovered that PHP incorrectly handled XML canonicalization in DOMNode::C14N(). An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 26.04 LTS. (CVE-2026-7263) It was discovered that PHP incorrectly handled very long input in metaphone(). An attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2026-7568)

USN-8334-1: CRaC JDK 25 vulnerabilities

1 week 1 day ago
Thomas Beckers discovered that the JAXP component of CRaC JDK 25 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to gain unauthorized access to sensitive information. (CVE-2026-22016) It was discovered that the Networking component of CRaC JDK 25 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-34282) It was discovered that the JSSE component of CRaC JDK 25 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-22021) It was discovered that the JGSS component of CRaC JDK 25 did not correctly authenticate certain APIs. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-22013) It was discovered that the 2D component of CRaC JDK 25 did not correctly handle certain integer arithmetic. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to leak sensitive information. (CVE-2026-23865) It was discovered that the Libraries component of CRaC JDK 25 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service or gain unauthorized modification of data privileges. (CVE-2026-22008, CVE-2026-22018) Ken Pyle discovered that the Security component of CRaC JDK 25 did not correctly authenticate certain APIs. A local attacker could possibly use this issue to leak sensitive information. (CVE-2026-22007, CVE-2026-34268) In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: https://openjdk.org/groups/vulnerability/advisories/2026-04-21

USN-8333-1: CRaC JDK 21 vulnerabilities

1 week 1 day ago
Thomas Beckers discovered that the JAXP component of CRaC JDK 21 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to gain unauthorized access to sensitive information. (CVE-2026-22016) It was discovered that the Networking component of CRaC JDK 21 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-34282) It was discovered that the JSSE component of CRaC JDK 21 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-22021) It was discovered that the JGSS component of CRaC JDK 21 did not correctly authenticate certain APIs. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-22013) It was discovered that the 2D component of CRaC JDK 21 did not correctly handle certain integer arithmetic. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to leak sensitive information. (CVE-2026-23865) It was discovered that the Libraries component of CRaC JDK 21 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-22018) Ken Pyle discovered that the Security component of CRaC JDK 21 did not correctly authenticate certain APIs. A local attacker could possibly use this issue to leak sensitive information. (CVE-2026-22007, CVE-2026-34268) In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: https://openjdk.org/groups/vulnerability/advisories/2026-04-21

USN-8332-1: CRaC JDK 17 vulnerabilities

1 week 1 day ago
Thomas Beckers discovered that the JAXP component of CRaC JDK 17 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to gain unauthorized access to sensitive information. (CVE-2026-22016) It was discovered that the Networking component of CRaC JDK 17 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-34282) It was discovered that the JSSE component of CRaC JDK 17 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-22021) It was discovered that the JGSS component of CRaC JDK 17 did not correctly authenticate certain APIs. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-22013) It was discovered that the 2D component of CRaC JDK 17 did not correctly handle certain integer arithmetic. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to leak sensitive information. (CVE-2026-23865) It was discovered that the Libraries component of CRaC JDK 17 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-22018) Ken Pyle discovered that the Security component of CRaC JDK 17 did not correctly authenticate certain APIs. A local attacker could possibly use this issue to leak sensitive information. (CVE-2026-22007, CVE-2026-34268) In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: https://openjdk.org/groups/vulnerability/advisories/2026-04-21

USN-8331-1: OpenJDK 11 vulnerabilities

1 week 1 day ago
Thomas Beckers discovered that the JAXP component of OpenJDK 11 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to gain unauthorized access to sensitive information. (CVE-2026-22016) It was discovered that the Networking component of OpenJDK 11 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-34282) It was discovered that the JSSE component of OpenJDK 11 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-22021) It was discovered that the JGSS component of OpenJDK 11 did not correctly authenticate certain APIs. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-22013) It was discovered that the 2D component of OpenJDK 11 did not correctly handle certain integer arithmetic. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to leak sensitive information. (CVE-2026-23865) It was discovered that the Libraries component of OpenJDK 11 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-22018) Ken Pyle discovered that the Security component of OpenJDK 11 did not correctly authenticate certain APIs. A local attacker could possibly use this issue to leak sensitive information. (CVE-2026-22007, CVE-2026-34268) In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: https://openjdk.org/groups/vulnerability/advisories/2026-04-21

USN-8330-1: OpenJDK 8 vulnerabilities

1 week 1 day ago
Thomas Beckers discovered that the JAXP component of OpenJDK 8 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to gain unauthorized access to sensitive information. (CVE-2026-22016) It was discovered that the JSSE component of OpenJDK 8 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-22021) It was discovered that the JGSS component of OpenJDK 8 did not correctly authenticate certain APIs. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-22013) It was discovered that the 2D component of OpenJDK 8 did not correctly handle certain integer arithmetic. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to leak sensitive information. (CVE-2026-23865) It was discovered that the Libraries component of OpenJDK 8 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-22018) Ken Pyle discovered that the Security component of OpenJDK 8 did not correctly authenticate certain APIs. A local attacker could possibly use this issue to leak sensitive information. (CVE-2026-22007, CVE-2026-34268) In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: https://openjdk.org/groups/vulnerability/advisories/2026-04-21

USN-8328-1: OpenJDK 21 vulnerabilities

1 week 1 day ago
Thomas Beckers discovered that the JAXP component of OpenJDK 21 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to gain unauthorized access to sensitive information. (CVE-2026-22016) It was discovered that the Networking component of OpenJDK 21 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-34282) It was discovered that the JSSE component of OpenJDK 21 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-22021) It was discovered that the JGSS component of OpenJDK 21 did not correctly authenticate certain APIs. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-22013) It was discovered that the 2D component of OpenJDK 21 did not correctly handle certain integer arithmetic. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to leak sensitive information. (CVE-2026-23865) It was discovered that the Libraries component of OpenJDK 21 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-22018) Ken Pyle discovered that the Security component of OpenJDK 21 did not correctly authenticate certain APIs. A local attacker could possibly use this issue to leak sensitive information. (CVE-2026-22007, CVE-2026-34268) In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: https://openjdk.org/groups/vulnerability/advisories/2026-04-21

strongswan-6.0.6-1.el9

1 week 2 days ago
FEDORA-EPEL-2026-ea9af18b11
Packages in this update:
  • strongswan-6.0.6-1.el9
Update description:

Update to 6.0.6 to fix CVE-2026-35328, CVE-2026-35329, CVE-2026-35330, CVE-2026-35331, CVE-2026-35332, CVE-2026-35333, CVE-2026-35334, CVE-2026-25075, CVE-2025-9615, CVE-2025-62291

rust-sequoia-cert-store-0.7.3-1.fc43 rust-sequoia-chameleon-gnupg-0.13.1-13.fc43 rust-sequoia-octopus-librnp-1.11.1-7.fc43 rust-sequoia-sop-0.37.3-4.fc43 rust-sequoia-sq-1.3.1-12.fc43 rust-sequoia-wot-0.15.2-1.fc43

1 week 2 days ago
FEDORA-2026-ecfadb29a1
Packages in this update:
  • rust-sequoia-cert-store-0.7.3-1.fc43
  • rust-sequoia-chameleon-gnupg-0.13.1-13.fc43
  • rust-sequoia-octopus-librnp-1.11.1-7.fc43
  • rust-sequoia-sop-0.37.3-4.fc43
  • rust-sequoia-sq-1.3.1-12.fc43
  • rust-sequoia-wot-0.15.2-1.fc43
Update description:
  • Update the sequoia-wot crate to version 0.15.2.
  • Update the sequoia-keystore crate to version 0.7.3.

This includes a rebuild of all dependent applications to address three low-severity security vulnerabilities in sequoia-wot:

rust-sequoia-cert-store-0.7.3-1.fc44 rust-sequoia-chameleon-gnupg-0.13.1-13.fc44 rust-sequoia-octopus-librnp-1.11.1-7.fc44 rust-sequoia-sop-0.37.3-4.fc44 rust-sequoia-sq-1.3.1-12.fc44 rust-sequoia-wot-0.15.2-1.fc44

1 week 2 days ago
FEDORA-2026-5c5f4f40a4
Packages in this update:
  • rust-sequoia-cert-store-0.7.3-1.fc44
  • rust-sequoia-chameleon-gnupg-0.13.1-13.fc44
  • rust-sequoia-octopus-librnp-1.11.1-7.fc44
  • rust-sequoia-sop-0.37.3-4.fc44
  • rust-sequoia-sq-1.3.1-12.fc44
  • rust-sequoia-wot-0.15.2-1.fc44
Update description:
  • Update the sequoia-wot crate to version 0.15.2.
  • Update the sequoia-keystore crate to version 0.7.3.

This includes a rebuild of all dependent applications to address three low-severity security vulnerabilities in sequoia-wot: