Aggregator

USN-8324-1: Apache Tika vulnerabilities

1 week 6 days ago
It was discovered that Apache Tika incorrectly handled XML external entities when parsing XFA content in PDF files. An attacker could possibly use this issue to obtain sensitive information or send malicious requests to internal resources or third-party servers.

USN-8323-1: Postorius vulnerability

1 week 6 days ago
It was discovered that Postorius did not properly escape HTML in message subjects when rendering the Held messages pop-up. An attacker could possibly use this issue to inject arbitrary HTML, resulting in exposure of sensitive information.

USN-8321-1: Papers vulnerability

1 week 6 days ago
It was discovered that Papers incorrectly handled PDF /GoToR actions. If a user were tricked into opening a specially crafted PDF file, an attacker could use this issue to manipulate command lines and possibly execute arbitrary code.

USN-8319-1: Libgcrypt vulnerabilities

1 week 6 days ago
It was discovered that Libgcrypt incorrectly handled crafted ECDH ciphertext. An attacker could possibly use this issue to cause Libgcrypt to crash, resulting in a denial of service. (CVE-2026-41989)

It was discovered that Libgcrypt incorrectly handled Dilithium signing. An attacker could possibly use this issue to cause Libgcrypt to crash, resulting in a denial of service. This issue only affected Ubuntu 26.04 LTS. (CVE-2026-41990)

USN-8315-1: MediaWiki vulnerabilities

1 week 6 days ago
It was discovered that MediaWiki incorrectly handled group membership visibility in the OATHAuth extension. An authenticated attacker could use this issue to determine if other users had two-factor authentication enabled. (CVE-2026-34087)

It was discovered that MediaWiki incorrectly handled suppressed log entry titles in the RecentChanges list. An unauthenticated attacker could use this issue to view titles of deleted or suppressed pages that should be hidden. (CVE-2026-34088)

It was discovered that MediaWiki incorrectly handled resource loading timing information. An attacker could use this issue to determine if certain pages existed on a wiki. (CVE-2026-34092)

USN-8303-1: GitPython vulnerabilities

2 weeks ago
Santos Gallegos discovered that GitPython did not properly validate paths when resolving certain Git references. An attacker could possibly use this issue to cause files outside the .git directory to be accessed, leading to a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2023-41040)

Wes Ring discovered that GitPython did not properly block certain unsafe Git options when they were provided as Python keyword arguments. An attacker could possibly use this issue to cause arbitrary command execution. (CVE-2026-42215)

It was discovered that GitPython did not properly validate clone options before processing them. An attacker could possibly use this issue to inject unsafe Git configuration, leading to arbitrary command execution through Git hooks. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS. (CVE-2026-42284)

It was discovered that GitPython did not properly validate reference paths during reference operations. An attacker could possibly use this issue to write, overwrite, move, or delete files outside the repository. (CVE-2026-44243)

Dan Aridor discovered that GitPython did not properly validate configuration values before writing them to Git configuration files. An attacker could possibly use this issue to inject unsafe Git configuration, leading to arbitrary command execution through Git hooks. (CVE-2026-44244)

USN-7972-2: OpenCC vulnerability

2 weeks ago
USN-7972-1 fixed a vulnerability in OpenCC. This update provides the corresponding update for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.

Original advisory details:

It was discovered that OpenCC incorrectly handled truncated UTF-8 input. An attacker could possibly use this issue to cause OpenCC to crash, resulting in a denial of service.