Aggregator
openssh-10.2p1-11.fc44
- openssh-10.2p1-11.fc44
- CVE-2026-55653: Fix double free in openssh DH-GEX client path during FIPS known-group validation that leads to client-side denial of service
- CVE-2026-55654: Fix heap out-of-bounds read during GSSAPI indicator cleanup due to missing NULL terminator
- CVE-2026-55655: Fix MITM of X11 forwarding via abstract UNIX socket pre-binding
openssh-10.0p1-10.fc43
- openssh-10.0p1-10.fc43
- CVE-2026-55653: Fix double free in openssh DH-GEX client path during FIPS known-group validation that leads to client-side denial of service
- CVE-2026-55654: Fix heap out-of-bounds read during GSSAPI indicator cleanup due to missing NULL terminator
- CVE-2026-55655: Fix MITM of X11 forwarding via abstract UNIX socket pre-binding
perl-Imager-1.033-1.fc43
- perl-Imager-1.033-1.fc43
1.033 - CVE-2026-14454: Fix mishandling of large EXIF IFD entry count values — treated as negative numbers, could lead to allocation failure and program exit - JPEG: depend on Imager 1.033 for the EXIF fix - Fix thread context object reference count leak in bumpmap and bumpmap_complex filters - TIFF: fix a leak from processing the TIFF warnings buffer (introduced in Imager 1.021)
perl-Imager-1.033-1.fc44
- perl-Imager-1.033-1.fc44
1.033 - CVE-2026-14454: Fix mishandling of large EXIF IFD entry count values — treated as negative numbers, could lead to allocation failure and program exit - JPEG: depend on Imager 1.033 for the EXIF fix - Fix thread context object reference count leak in bumpmap and bumpmap_complex filters - TIFF: fix a leak from processing the TIFF warnings buffer (introduced in Imager 1.021)
USN-8515-1: Addressable vulnerability
xrdp-0.10.6.1-1.fc43
- xrdp-0.10.6.1-1.fc43
This release fixes 10 vulnerabilities and 1 regression introduced by a vulnerability fix in the previous release.
If you like xrdp, please consider sponsoring or donating to the project. We accept financial contributions through Open Collective, and direct donations to individual developers via GitHub Sponsors are also welcome.
Security fixes- CVE-2026-41252
- CVE-2026-41521
- CVE-2026-44178
- CVE-2026-42218
- CVE-2026-44978
- CVE-2026-54538
- CVE-2026-55238
- CVE-2026-55626
- CVE-2026-55639
- CVE-2026-55645
- None
- regression: Fix SEGV in xrdp when running over TLS (#3793)
xrdp-0.10.6.1-1.fc44
- xrdp-0.10.6.1-1.fc44
This release fixes 10 vulnerabilities and 1 regression introduced by a vulnerability fix in the previous release.
If you like xrdp, please consider sponsoring or donating to the project. We accept financial contributions through Open Collective, and direct donations to individual developers via GitHub Sponsors are also welcome.
Security fixes- CVE-2026-41252
- CVE-2026-41521
- CVE-2026-44178
- CVE-2026-42218
- CVE-2026-44978
- CVE-2026-54538
- CVE-2026-55238
- CVE-2026-55626
- CVE-2026-55639
- CVE-2026-55645
- None
- regression: Fix SEGV in xrdp when running over TLS (#3793)
xrdp-0.10.6.1-1.el9
- xrdp-0.10.6.1-1.el9
This release fixes 10 vulnerabilities and 1 regression introduced by a vulnerability fix in the previous release.
If you like xrdp, please consider sponsoring or donating to the project. We accept financial contributions through Open Collective, and direct donations to individual developers via GitHub Sponsors are also welcome.
Security fixes- CVE-2026-41252
- CVE-2026-41521
- CVE-2026-44178
- CVE-2026-42218
- CVE-2026-44978
- CVE-2026-54538
- CVE-2026-55238
- CVE-2026-55626
- CVE-2026-55639
- CVE-2026-55645
- None
- regression: Fix SEGV in xrdp when running over TLS (#3793)
xrdp-0.10.6.1-1.el8
- xrdp-0.10.6.1-1.el8
This release fixes 10 vulnerabilities and 1 regression introduced by a vulnerability fix in the previous release.
If you like xrdp, please consider sponsoring or donating to the project. We accept financial contributions through Open Collective, and direct donations to individual developers via GitHub Sponsors are also welcome.
Security fixes- CVE-2026-41252
- CVE-2026-41521
- CVE-2026-44178
- CVE-2026-42218
- CVE-2026-44978
- CVE-2026-54538
- CVE-2026-55238
- CVE-2026-55626
- CVE-2026-55639
- CVE-2026-55645
- None
- regression: Fix SEGV in xrdp when running over TLS (#3793)
upower-1.91.3-2.fc43
- upower-1.91.3-2.fc43
upower 1.91.3:
- Feature: up-device-battery: Prefer "Standard" over "Fast" charging (!316 (merged), #344 (closed))
- Fix: Resolve potential leaks (!327 (merged))
- Fix: Potential out-of-bound access (!328 (merged))
- Fix: Improve access control (!326 (merged))
- Fix: Remove unused codes (!329 (merged))
- Fix: Fix for Asus Battery Charge Threshold Detection (!330 (merged), #347 (closed))
upower-1.91.3-1.fc44
- upower-1.91.3-1.fc44
upower 1.91.3:
- Feature: up-device-battery: Prefer "Standard" over "Fast" charging (!316 (merged), #344 (closed))
- Fix: Resolve potential leaks (!327 (merged))
- Fix: Potential out-of-bound access (!328 (merged))
- Fix: Improve access control (!326 (merged))
- Fix: Remove unused codes (!329 (merged))
- Fix: Fix for Asus Battery Charge Threshold Detection (!330 (merged), #347 (closed))
firefox-152.0.4-1.fc43
- firefox-152.0.4-1.fc43
- Updated to latest upstream (152.0.4)
Update to latest upstream version
python-bcrypt-4.3.0-14.el10_3
- python-bcrypt-4.3.0-14.el10_3
Update PyO3 to 0.29; addresses RUSTSEC-2026-0176 and RUSTSEC-2026-0177
python-bcrypt-4.3.0-14.fc43
- python-bcrypt-4.3.0-14.fc43
Update PyO3 to 0.29; addresses RUSTSEC-2026-0176 and RUSTSEC-2026-0177
python-bcrypt-4.3.0-14.fc44
- python-bcrypt-4.3.0-14.fc44
Update PyO3 to 0.29; addresses RUSTSEC-2026-0176 and RUSTSEC-2026-0177
roundcubemail-1.7.2-1.fc44
- roundcubemail-1.7.2-1.fc44
- Add HEAD request handler to the static.php
- Fix so the oauth_password_claim claim is retrieved via token or userinfo request (#9631)
- Fix bug where static.php would return a 416 error on a specific Range request (#10194)
- Fix bug where configured skin logo wasn't loaded via static.php resulting in 404 error (#10191)
- Fix bug where installto.sh would fail if public_html folder does not exist in the target directory (#10202)
- Revert "Prefer 8bit over quoted-printable for HTML parts, when force_7bit is disabled (#8477)" (#10198)
- Fix incorrect unfolding of folded lines when importing vCard 2.1 contacts (#9647)
- Fix bug where Imagick could leave large temporary files on failure (#10230)
- Fix bug where redis/memcache session could have been updated more often than needed
- Fix support for untyped tokens in OIDC backchannel logout, require unset nonce (#10097)
- Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193)
- Security: Fix various vulnerabilities in the password plugin using session-injected username
- Security: Fix stored XSS via unescaped attachment MIME type on the attachment-validation warning page [CVE-2026-54432]
- Security: Fix SSRF bypass via specific local address URLs - two new cases
- Security: Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433]
- Security: Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file
roundcubemail-1.6.17-1.fc43
- roundcubemail-1.6.17-1.fc43
- Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314)
- Enigma: Kolab WOAT Support (#8626)
- Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193)
- Security: Fix various vulnerabilities in the password plugin using session-injected username
- Security: Fix stored XSS via unescaped attachment MIME type on the attachment-validation warning page [CVE-2026-54432]
- Security: Fix SSRF bypass via specific local address URLs - two new cases
- Security: Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433]
- Security: Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file
roundcubemail-1.6.17-1.el10_2
- roundcubemail-1.6.17-1.el10_2
- Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314)
- Enigma: Kolab WOAT Support (#8626)
- Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193)
- Security: Fix various vulnerabilities in the password plugin using session-injected username
- Security: Fix stored XSS via unescaped attachment MIME type on the attachment-validation warning page [CVE-2026-54432]
- Security: Fix SSRF bypass via specific local address URLs - two new cases
- Security: Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433]
- Security: Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file
roundcubemail-1.6.17-1.el10_3
- roundcubemail-1.6.17-1.el10_3
- Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314)
- Enigma: Kolab WOAT Support (#8626)
- Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193)
- Security: Fix various vulnerabilities in the password plugin using session-injected username
- Security: Fix stored XSS via unescaped attachment MIME type on the attachment-validation warning page [CVE-2026-54432]
- Security: Fix SSRF bypass via specific local address URLs - two new cases
- Security: Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433]
- Security: Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file