Aggregator

perl-libwww-perl-6.83-1.fc43

1 week 5 days ago
FEDORA-2026-3b48ba7dc7 Packages in this update:
  • perl-libwww-perl-6.83-1.fc43
Update description:

Changes:

6.83 2026-05-12 11:41:48Z

- LWP::UserAgent now strips Authorization and Proxy-Authorization headers on cross-origin redirects (a different scheme, host, or port) to prevent credential leakage to the redirect target. Same-origin redirects retain credentials. Opt out with allow_credentialed_redirects => 1. CVE-2026-8368 reported by Kai Zen; PoC and initial patch by Stig Palmquist.
- LWP::UserAgent now refuses https to http redirects by default to prevent leaking remaining request headers and bodies over plaintext. Opt in with allow_downgrade => 1. Related hardening alongside CVE-2026-8368; PoC by Stig Palmquist.

perl-libwww-perl-6.83-1.fc44

1 week 5 days ago
FEDORA-2026-8d1333fb52 Packages in this update:
  • perl-libwww-perl-6.83-1.fc44
Update description:

Changes:

6.83 2026-05-12 11:41:48Z

- LWP::UserAgent now strips Authorization and Proxy-Authorization headers on cross-origin redirects (a different scheme, host, or port) to prevent credential leakage to the redirect target. Same-origin redirects retain credentials. Opt out with allow_credentialed_redirects => 1. CVE-2026-8368 reported by Kai Zen; PoC and initial patch by Stig Palmquist.
- LWP::UserAgent now refuses https to http redirects by default to prevent leaking remaining request headers and bodies over plaintext. Opt in with allow_downgrade => 1. Related hardening alongside CVE-2026-8368; PoC by Stig Palmquist.

openbao-2.5.4-1.el8

1 week 5 days ago
FEDORA-EPEL-2026-7c82182eba Packages in this update:
  • openbao-2.5.4-1.el8
Update description:

Update to upstream-2.5.4, including fixes for CVE-2026-46358, CVE-2026-46405, and CVE-2026-45808

openbao-2.5.4-1.el9

1 week 5 days ago
FEDORA-EPEL-2026-89a3c4993d Packages in this update:
  • openbao-2.5.4-1.el9
Update description:

Update to upstream-2.5.4, including fixes for CVE-2026-46358, CVE-2026-46405, and CVE-2026-45808

openbao-2.5.4-1.fc44

1 week 5 days ago
FEDORA-2026-bf7889aec6 Packages in this update:
  • openbao-2.5.4-1.fc44
Update description:

Update to upstream-2.5.4, including fixes for CVE-2026-46358, CVE-2026-46405, and CVE-2026-45808

openbao-2.5.4-1.fc42

1 week 5 days ago
FEDORA-2026-b7d009831a Packages in this update:
  • openbao-2.5.4-1.fc42
Update description:

Update to upstream-2.5.4, including fixes for CVE-2026-46358, CVE-2026-46405, and CVE-2026-45808

openbao-2.5.4-1.el10_3

1 week 5 days ago
FEDORA-EPEL-2026-cec027b6af Packages in this update:
  • openbao-2.5.4-1.el10_3
Update description:

Update to upstream-2.5.4, including fixes for CVE-2026-46358, CVE-2026-46405, and CVE-2026-45808

openbao-2.5.4-1.fc43

1 week 5 days ago
FEDORA-2026-d4e8f0a731 Packages in this update:
  • openbao-2.5.4-1.fc43
Update description:

Update to upstream-2.5.4, including fixes for CVE-2026-46358, CVE-2026-46405, and CVE-2026-45808

openbao-2.5.4-1.el10_2

1 week 5 days ago
FEDORA-EPEL-2026-cc6a962bcc Packages in this update:
  • openbao-2.5.4-1.el10_2
Update description:

Update to upstream-2.5.4, including fixes for CVE-2026-46358, CVE-2026-46405, and CVE-2026-45808

perl-HTTP-Tiny-0.094-1.fc43

1 week 5 days ago
FEDORA-2026-3bfb774625 Packages in this update:
  • perl-HTTP-Tiny-0.094-1.fc43
Update description:

0.094 - fix to prevent invalid characters in all headers, and prevent header smuggling (CVE-2026-7010)

cockpit-362-1.fc44

1 week 5 days ago
FEDORA-2026-ac9d9c87c8 Packages in this update:
  • cockpit-362-1.fc44
Update description:

Automatic update for cockpit-362-1.fc44.

Changelog for cockpit

* Wed May 20 2026 Packit <hello@packit.dev> - 362-1
- Bug fixes and translation updates
- Fix arbitrary code execution via specially crafted logs page link (CVE-2026-4802)

cockpit-362-1.fc43

1 week 5 days ago
FEDORA-2026-58cee40a55 Packages in this update:
  • cockpit-362-1.fc43
Update description:

Automatic update for cockpit-362-1.fc43.

Changelog for cockpit

* Wed May 20 2026 Packit <hello@packit.dev> - 362-1
- Bug fixes and translation updates
- Fix arbitrary code execution via specially crafted logs page link (CVE-2026-4802)

USN-8286-1: OpenVPN vulnerabilities

1 week 5 days ago
Guannan Wang, Zhanpeng Liu, Guancheng Li, and Emma Reuter discovered that OpenVPN incorrectly handled suitably malformed packets with valid tls-crypt-v2 keys. An attacker could possibly use this issue to cause OpenVPN to crash, resulting in a denial of service. (CVE-2026-35058)

Guannan Wang, Zhanpeng Liu, and Guancheng Li discovered that OpenVPN had a race condition in the TLS handshake process that could leak packet data from a previous handshake under certain circumstances. An attacker could possibly use this issue to obtain sensitive information. (CVE-2026-40215)

unbound-1.25.1-1.fc44

1 week 5 days ago
FEDORA-2026-49f37e16aa Packages in this update:
  • unbound-1.25.1-1.fc44
Update description:

Update to 1.25.1 (rhbz#2480119)
  • Fix CVE-2026-33278, Possible remote code execution during DNSSEC validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
  • Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
  • Fix CVE-2026-42959, Crash during DNSSEC validation of malicious content. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
  • Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew Griffiths from 'calif.io' for the report.
  • Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
  • Fix CVE-2026-41292, Parsing a long list of incoming EDNS options degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan Zhang from Palo Alto Networks, for the report.
  • Fix CVE-2026-42534, Jostle logic bypass degrades resolution performance. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
  • Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
  • Fix CVE-2026-42960, Possible cache poisoning attack while following delegation. Thanks to TaoFei Guo from Peking University, Yang Luo and JianJun Chen, Tsinghua University, for the report.
  • Fix CVE-2026-44390, Unbounded name compression in certain cases causes degradation of service. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
  • Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

Swapped sources signature source number with systemd unit to have them close.

Update to 1.25.0 (rhbz#2463781)

Feature changes:
  • Improved TTL 0 handling
  • Reload also certificates on reload if they have changed
  • Allow control-interface specification also of port.
  • Added new tls-protocols option. Can disable TLS 1.2 explicitly.

And bug fixes.

Remove merged patches.

Source: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-25-0