Aggregator

Ryota K discovered that Git LFS may leak login credentials in certain instances due to failing to check for URL-encoded characters. An attacker could possibly use this issue to learn sensitive information. (CVE-2024-53263) It was discovered that Git LFS could have its git lfs checkout and git lfs pull commands abused to write to any file on a user's system. An attacker could possibly use this issue to execute arbitrary code. This issue was only addressed in Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2025-26625)

Ben Shonaldmann discovered that Form-data incorrectly generated boundary values for multipart form-encoded data, leading to predictable values. A remote attacker could possibly use this issue to make arbitrary requests to internal systems.

FEDORA-EPEL-2026-1f5a2c5f39 Packages in this update:

• python-python-multipart-0.0.22-1.el10_1

Update description:

Security fix for CVE-2026-24486 / GHSA-wp53-j4wj-2cfg.

0.0.22 (2026-01-25)

• Drop directory path from filename in File

FEDORA-2026-720b8d0c6c Packages in this update:

• python-python-multipart-0.0.22-1.fc42

Update description:

Security fix for CVE-2026-24486 / GHSA-wp53-j4wj-2cfg.

0.0.22 (2026-01-25)

• Drop directory path from filename in File

FEDORA-2026-08c12edc84 Packages in this update:

• python-python-multipart-0.0.22-1.fc43

Update description:

Security fix for CVE-2026-24486 / GHSA-wp53-j4wj-2cfg.

0.0.22 (2026-01-25)

• Drop directory path from filename in File

FEDORA-2026-ebabb127fb Packages in this update:

• gimp-3.0.8-4.fc43

Update description:

This is an upstream bugfix and security update. Please refer to the upstream release notes for details about the changes in this version.

FEDORA-2026-bda4a20a3c Packages in this update:

• gimp-3.0.8-4.fc42

Update description:

This is an upstream bugfix and security update. Please refer to the upstream release notes for details about the changes in this version.

Version:6.19-rc7 (mainline) Released:2026-01-25 Source:linux-6.19-rc7.tar.gz Patch:full (incremental)

FEDORA-2026-216041a3e7 Packages in this update:

• openttd-15.1-1.fc42

Update description: 15.x 15.1 (2026-01-24)

• Fix #15088: When building a new train, the refit button state may be incorrect (#15162)
• Fix #15160: Incorrect company names displayed in load game window (#15161)
• Fix #15153: Wrong tile used to get bridge reservation overlay (#15154)
• Fix #15116: Old cargo/industry sets without cargo translation table broken (#15150)
• Fix: Possible crash converting company liveries in older savegames/scenarios (#15148)
• Fix: Allow infinite water to be (de)selected when loading heightmap (#15146)
• Fix: Tile suitability test for farm field no longer handled snow tiles (#15134)
• Fix #15131: Trees no longer spread on partially snowy tiles (#15133)
• Fix: Change tooltips to match change from checkboxes to switches (#15123)
• Fix: [Script] Potential out of bounds array/string slice indexes (#15106)
• Fix: [Script] Potential out of bounds indexed string access (#15106)
• Fix: [Script] Check if array sort function modified array (#15106)
• Fix #15069: World generation map edges GUI starts in an invalid state (#15082)
• Fix #15079: Incorrect dates shown on town cargo history graph (#15080)
• Fix #15067: Mark NewGRF settings as modified after moving by drag & drop (#15068)
• Fix: Incorrect error message for aqueducts reaching northern map borders (#14974)
• Fix: Standardize wording of GRF/NewGRF (#15059)
• Fix #15046: Crash on loading game due to invalid group parents (#15049)
• Fix: Disable_elrails handling with engines that use both RAIL and ELRL (#15045)
• Fix: [Fluidsynth] Read settings from system and user config files if available (#15044)
• Fix #15039: Name and version can disappear from content list (#15040)
• Fix #15026: Remove incorrect info from base sounds tooltip (#15029)
• Fix: [Script] Improve reporting of invalid GetAPIVersion return (#15015)
• Fix: [Script] Undefined behaviour after calling SwapList during iteration (#14805)

FEDORA-2026-dd8314c4f3 Packages in this update:

• openttd-15.1-1.fc43

Update description: 15.x 15.1 (2026-01-24)

• Fix #15088: When building a new train, the refit button state may be incorrect (#15162)
• Fix #15160: Incorrect company names displayed in load game window (#15161)
• Fix #15153: Wrong tile used to get bridge reservation overlay (#15154)
• Fix #15116: Old cargo/industry sets without cargo translation table broken (#15150)
• Fix: Possible crash converting company liveries in older savegames/scenarios (#15148)
• Fix: Allow infinite water to be (de)selected when loading heightmap (#15146)
• Fix: Tile suitability test for farm field no longer handled snow tiles (#15134)
• Fix #15131: Trees no longer spread on partially snowy tiles (#15133)
• Fix: Change tooltips to match change from checkboxes to switches (#15123)
• Fix: [Script] Potential out of bounds array/string slice indexes (#15106)
• Fix: [Script] Potential out of bounds indexed string access (#15106)
• Fix: [Script] Check if array sort function modified array (#15106)
• Fix #15069: World generation map edges GUI starts in an invalid state (#15082)
• Fix #15079: Incorrect dates shown on town cargo history graph (#15080)
• Fix #15067: Mark NewGRF settings as modified after moving by drag & drop (#15068)
• Fix: Incorrect error message for aqueducts reaching northern map borders (#14974)
• Fix: Standardize wording of GRF/NewGRF (#15059)
• Fix #15046: Crash on loading game due to invalid group parents (#15049)
• Fix: Disable_elrails handling with engines that use both RAIL and ELRL (#15045)
• Fix: [Fluidsynth] Read settings from system and user config files if available (#15044)
• Fix #15039: Name and version can disappear from content list (#15040)
• Fix #15026: Remove incorrect info from base sounds tooltip (#15029)
• Fix: [Script] Improve reporting of invalid GetAPIVersion return (#15015)
• Fix: [Script] Undefined behaviour after calling SwapList during iteration (#14805)

FEDORA-2026-c5295ae3b9 Packages in this update:

• cef-144.0.11^chromium144.0.7559.96-1.fc43

Update description:

Update to cef-144.0.11+ge135be2 + chromium 144.0.7559.96 (rhbz#2432335)

• CVE-2026-1220: Race in V8
• CVE-2026-0899: Out of bounds memory access in V8
• CVE-2026-0900: Inappropriate implementation in V8
• CVE-2026-0901: Inappropriate implementation in Blink
• CVE-2026-0902: Inappropriate implementation in V8
• CVE-2026-0903: Insufficient validation of untrusted input in Downloads
• CVE-2026-0904: Incorrect security UI in Digital Credentials
• CVE-2026-0905: Insufficient policy enforcement in Network
• CVE-2026-0906: Incorrect security UI
• CVE-2026-0907: Incorrect security UI in Split View
• CVE-2026-0908: Use after free in ANGLE

FEDORA-2026-68ca733984 Packages in this update:

• cef-144.0.11^chromium144.0.7559.96-1.fc42

Update description:

Update to cef-144.0.11+ge135be2 + chromium 144.0.7559.96 (rhbz#2432335)

• CVE-2026-1220: Race in V8
• CVE-2026-0899: Out of bounds memory access in V8
• CVE-2026-0900: Inappropriate implementation in V8
• CVE-2026-0901: Inappropriate implementation in Blink
• CVE-2026-0902: Inappropriate implementation in V8
• CVE-2026-0903: Insufficient validation of untrusted input in Downloads
• CVE-2026-0904: Incorrect security UI in Digital Credentials
• CVE-2026-0905: Insufficient policy enforcement in Network
• CVE-2026-0906: Incorrect security UI
• CVE-2026-0907: Incorrect security UI in Split View
• CVE-2026-0908: Use after free in ANGLE

FEDORA-2026-205d532069 Packages in this update:

• glibc-2.42-9.fc43

Update description:

This update switches the currency symbol for Bulgaria to the Euro.

Furthermore, it addresses several security vulnerabilities:

• A crash when wordexp is used with WRDE_REUSE (CVE-2025-15281)
• Information leakage from the stack if getnetbyaddr is called for the zero address (CVE-2026-0915)
• An integer overflow in memalign and related functions if they are called with out-of-bounds size/alignment combinations (CVE-2026-0861)
• LD_PROFILE is now ignored with a warning if LD_PROFILE_OUTPUT is not specified, rather than using the insecure /var/tmp default.

Version:next-20260123 (linux-next) Released:2026-01-23

FEDORA-2026-78d626bfca Packages in this update:

• mingw-python-wheel-0.46.3-1.fc42

Update description:

Update to 0.46.3, fixes CVE-2026-24049.

FEDORA-2026-3d31544140 Packages in this update:

• mingw-python-wheel-0.46.3-1.fc43

Update description:

Update to 0.46.3, fixes CVE-2026-24049.

FEDORA-2026-0895af5ebe Packages in this update:

• tar-1.35-8.fc44

Update description:

Automatic update for tar-1.35-8.fc44.

Changelog * Wed Jan 21 2026 Pavel Cahyna <pcahyna@redhat.com> - 2:1.35-8 - Backport upstream fix for savannah bug 65838, commit 1e6ce98e (fedora#2427654) - added "padding with zeros" info message (#2089298) - do not report disk error as file shrank (#2089316) - upstream fix for savannah bug 64581, commit 51142180 (crash with TAR_OPTIONS) (fedora#2389217) - Backport fix for regression in the --no-overwrite-dir option Upstream commit 4e742fc8674064a9fa00d4483d06aca48d5b0463, discussed in https://www.mail-archive.com/bug-tar@gnu.org/msg06445.html - Backport upstream changes to jailify extraction directory Includes related gnulib changes to add openat2 Fixes CVE-2025-45582 (fedora#2380007)

FEDORA-2026-28a177c207 Packages in this update:

• python-wheel-0.45.1-5.fc42

Update description:

• Security fix for CVE-2026-24049