Aggregator

FEDORA-EPEL-2026-31c7836113 Packages in this update:

• roundcubemail-1.6.14-1.el10_1

Update description:

Version 1.6.14

• Fix Postgres connection using IPv6 address (#10104)
• Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
• Security: Fix bug where a password could get changed without providing the old password
• Security: Fix IMAP Injection + CSRF bypass in mail search
• Security: Fix remote image blocking bypass via various SVG animate attributes
• Security: Fix remote image blocking bypass via a crafted body background attribute
• Security: Fix fixed position mitigation bypass via use of !important
• Security: Fix XSS issue in a HTML attachment preview
• Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts

FEDORA-EPEL-2026-b318120749 Packages in this update:

• roundcubemail-1.6.14-1.el10_3

Update description:

Version 1.6.14

• Fix Postgres connection using IPv6 address (#10104)
• Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
• Security: Fix bug where a password could get changed without providing the old password
• Security: Fix IMAP Injection + CSRF bypass in mail search
• Security: Fix remote image blocking bypass via various SVG animate attributes
• Security: Fix remote image blocking bypass via a crafted body background attribute
• Security: Fix fixed position mitigation bypass via use of !important
• Security: Fix XSS issue in a HTML attachment preview
• Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts

FEDORA-EPEL-2026-34a0375273 Packages in this update:

• roundcubemail-1.5.14-1.el9

Update description:

Version 1.5.14

• Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
• Security: Fix bug where a password could get changed without providing the old password
• Security: Fix IMAP Injection + CSRF bypass in mail search
• Security: Fix remote image blocking bypass via various SVG animate attributes
• Security: Fix remote image blocking bypass via a crafted body background attribute
• Security: Fix fixed position mitigation bypass via use of !important
• Security: Fix XSS issue in a HTML attachment preview

USN-8018-1 fixed CVE-2025-12084, CVE-2025-15282, CVE-2026-0672, CVE-2026-0865 for python3. This update provides the corresponding updates for python2.7. Original advisory details: Denis Ledoux discovered that Python incorrectly parsed email message headers. An attacker could possibly use this issue to inject arbitrary headers into email messages. This issue only affected python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12, python3.13, and python3.14 packages. (CVE-2025-11468) Jacob Walls, Shai Berger, and Natalia Bidart discovered that Python inefficiently parsed XML input with quadratic complexity. An attacker could possibly use this issue to cause a denial of service. (CVE-2025-12084) It was discovered that Python incorrectly parsed malicious plist files. An attacker could possibly use this issue to cause Python to use excessive resources, leading to a denial of service. This issue only affected python3.5, python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12, python3.13, and python3.14 packages. (CVE-2025-13837) Omar Hasan discovered that Python incorrectly parsed URL mediatypes. An attacker could possibly use this issue to inject arbitrary HTTP headers. (CVE-2025-15282) Omar Hasan discovered that Python incorrectly parsed malicious IMAP inputs. An attacker could possibly use this issue to inject arbitrary IMAP commands. (CVE-2025-15366) Omar Hasan discovered that Python incorrectly parsed malicious POP3 inputs. An attacker could possibly use this issue to inject arbitrary POP3 commands. (CVE-2025-15367) Omar Hasan discovered that Python incorrectly parsed malicious HTTP cookie headers. An attacker could possibly use this issue to inject arbitrary HTTP headers. (CVE-2026-0672) Omar Hasan discovered that Python incorrectly parsed malicious HTTP header names and values. An attacker could possibly use this issue to inject arbitrary HTTP headers. (CVE-2026-0865)

FEDORA-2026-03583f302f Packages in this update:

• suricata-7.0.15-1.fc43

Update description:

Upstream security/bugfix release

FEDORA-2026-45a7e37b8a Packages in this update:

• suricata-8.0.4-1.fc44

Update description:

Upstream security/bugfix release.

FEDORA-2026-f4371b21f0 Packages in this update:

• xen-4.19.4-3.fc42

Update description:

Use after free of paging structures in EPT [XSA-480, CVE-2026-23554] Xenstored DoS by unprivileged domain [XSA-481, CVE-2026-23555]

USN-8097-1 fixed a vulnerability in roundcube. The update caused a regression affecting the HTML sanitizer, preventing Roundcube from rendering any email message body. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that Roundcube Webmail did not properly sanitize the animate tag within SVG documents. An attacker could possibly use this issue to cause a cross-site scripting attack.

Dave Rolsky discovered that Net-CIDR did not properly sanitize IP addresses. An attacker could possibly use this to bypass IP-based restrictions.

FEDORA-2026-8ae1a1c3d7 Packages in this update:

• xen-4.20.2-4.fc43

Update description:

Use after free of paging structures in EPT [XSA-480, CVE-2026-23554] Xenstored DoS by unprivileged domain [XSA-481, CVE-2026-23555]

Jakub Wilk discovered that debmany in Debian Goodies incorrectly handled certain deb files. An attacker could possibly use this issue to execute arbitrary shell commands.

FEDORA-2026-5697f4e025 Packages in this update:

• pyOpenSSL-26.0.0-1.fc44

Update description:

Update to version 26.0.0

• Added support for using aws-lc instead of OpenSSL.
• Properly raise an error if a DTLS cookie callback returned a cookie longer than DTLS1_COOKIE_LENGTH bytes. Previously this would result in a buffer-overflow. Credit to dark_haxor for reporting the issue. CVE-2026-27459
• Added OpenSSL.SSL.Connection.get_group_name to determine which group name was negotiated.
• Context.set_tlsext_servername_callback now handles exceptions raised in the callback by calling sys.excepthook and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded. Credit to Leury Castillo for reporting this issue. CVE-2026-27448

It was discovered that Bouncy Castle did not sanitize user input when inserting it into an LDAP search filter. An attacker could possibly use this issue to perform an LDAP injection attack. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2023-33201) It was discovered that Bouncy Castle incorrectly handled specially crafted F2m parameters in the ECCurve algorithm. An attacker could possibly use this issue to cause Bouncy Castle to use excessive resources, leading to a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. (CVE-2024-29857) It was discovered that Bouncy Castle leaked timing information when handling exceptions during an RSA handshake. An attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. (CVE-2024-30171) It was discovered that Bouncy Castle incorrectly handled endpoint identification with an SSL socket enabled without an explicit hostname. An attacker could possibly use this issue to perform a DNS poisoning attack. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. (CVE-2024-34447) Bing Shi discovered that Bouncy Castle incorrectly handled resource memory allocation. An attacker could possibly use this issue to cause Bouncy Castle to use excessive resources, leading to a denial of service. This issue only affected Ubuntu 24.04 LTS. (CVE-2025-8916)

FEDORA-2026-76033f35ea Packages in this update:

• headscale-0.28.0-1.fc44

Update description:

update to 0.28.0

FEDORA-2026-c3c02ffe75 Packages in this update:

• headscale-0.28.0-1.fc43

Update description:

update to 0.28.0

Version:next-20260318 (linux-next) Released:2026-03-18

Qualys discovered that several vulnerabilities existed in the AppArmor Linux kernel Security Module (LSM). An unprivileged local attacker could use these issues to load, replace, and remove arbitrary AppArmor profiles causing denial of service, exposure of sensitive information (kernel memory), local privilege escalation, or possibly escape a container. (LP: #2143853) Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - x86 architecture; - GPIO subsystem; - GPU drivers; - MMC subsystem; - BTRFS file system; - XFRM subsystem; - IPv4 networking; - IPv6 networking; - MAC80211 subsystem; - SMC sockets; (CVE-2021-47599, CVE-2022-48875, CVE-2022-49072, CVE-2022-49267, CVE-2024-49927, CVE-2024-56640, CVE-2025-21780, CVE-2025-40215)

It was discovered that Valkey incorrectly handled errors for lua scripts. An attacker could possibly use this issue to inject arbitrary information into the response stream for other clients. (CVE-2025-67733) It was discovered that Valkey incorrectly handled malformed cluster bus messages. A remote attacker could possibly use this issue to cause Valkey to crash, resulting in a denial of service. (CVE-2026-21863)