Aggregator

fasterxml-oss-parent-75-1.fc45 jackson-annotations-2.21-6.fc45 jackson-bom-2.21.5-1.fc45 jackson-core-2.21.5-1.fc45 jackson-databind-2.21.5-1.fc45 jackson-jaxrs-providers-2.21.5-1.fc45 jackson-modules-base-2.21.5-1.fc45 jackson-parent-2.21-1.fc45

9 hours 6 minutes ago
FEDORA-2026-ddde3cf003 Packages in this update:
  • fasterxml-oss-parent-75-1.fc45
  • jackson-annotations-2.21-6.fc45
  • jackson-bom-2.21.5-1.fc45
  • jackson-core-2.21.5-1.fc45
  • jackson-databind-2.21.5-1.fc45
  • jackson-jaxrs-providers-2.21.5-1.fc45
  • jackson-modules-base-2.21.5-1.fc45
  • jackson-parent-2.21-1.fc45
Update description:

Rebase to 2.21.5 to solve the CVE-2026-54518, CVE-2026-54517, CVE-2026-54516, CVE-2026-54515, CVE-2026-54513, CVE-2026-54512

USN-8543-1: Wget vulnerabilities

10 hours 38 minutes ago
It was discovered that Wget mishandled semicolons in the userinfo subcomponent of a URL. A remote attacker could possibly use this issue to trick a user into connecting to a different host than intended. This issue only affected Ubuntu 14.04 LTS. (CVE-2024-38428) It was discovered that Wget incorrectly handled Metalink documents containing a whitespace-only URL. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS. (CVE-2026-58469) It was discovered that Wget incorrectly handled Content-Range header values, leading to an integer overflow. A remote attacker could possibly use this issue to cause download desynchronization. (CVE-2026-58470) It was discovered that Wget incorrectly handled character set conversion of server-supplied filenames. A remote attacker could possibly use this issue to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS. (CVE-2026-58471) It was discovered that Wget incorrectly handled HTML attributes requiring entity encoding. A remote attacker could possibly use this issue to cause a denial of service or possibly execute arbitrary code. (CVE-2026-58472)

USN-8542-1: Dnsmasq vulnerabilities

12 hours 1 minute ago
Yiwei Hou discovered that Dnsmasq incorrectly handled logging of DS or DNSKEY. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2026-12725) It was discovered that Dnsmasq incorrectly validated the length of fixed-length DNS record fields when parsing NS section records. A remote attacker could possibly use this issue to cause Dnsmasq to read out of bounds, possibly exposing sensitive information. (CVE-2026-12969)

USN-8526-2: libheif vulnerabilities

13 hours 15 minutes ago
USN-8526-1 fixed vulnerabilities in libheif. This update provides the corresponding updates for CVE-2026-47709 and CVE-2026-47714 in Ubuntu 24.04 LTS. Original advisory details: Junyi Liu discovered that libheif had a null pointer dereference in its image tiling interface. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-47709) Calvin Young and Enoch Chow discovered that libheif had an integer overflow in its inline mask size calculation. An attacker could possibly use this issue to cause a denial of service or obtain sensitive information. (CVE-2026-47714)

USN-8541-1: Vim vulnerabilities

13 hours 28 minutes ago
Hirohito Higashi discovered that Vim incorrectly escaped class or trait names when performing PHP omni-completion. An attacker could possibly use this issue to trick a user into opening a specially crafted PHP file and executing arbitrary commands. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS. (CVE-2026-59856) Hirohito Higashi discovered that Vim incorrectly handled sound-folding of certain words when using a spell file. An attacker could possibly use this issue to cause Vim to crash, resulting in a denial of service. (CVE-2026-59857) It was discovered that Vim incorrectly escaped certain tags file fields when performing C omni-completion. An attacker could possibly use this issue to trick a user into opening a specially crafted file and executing arbitrary commands. (CVE-2026-59858)

USN-8540-1: OpenVPN vulnerabilities

14 hours 5 minutes ago
It was discovered that OpenVPN had a 1-byte buffer overrun when handling NTLMv2 proxy responses. An attacker could use this issue to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 24.04 LTS and Ubuntu 26.04 LTS. (CVE-2026-11771) It was discovered that OpenVPN incorrectly handled metadata when extracting tls-crypt-v2 client keys. An attacker could possibly use this issue to obtain sensitive information. (CVE-2026-12932) It was discovered that OpenVPN had a use-after-free in the ack_write_buf handling. An attacker could use this issue to cause OpenVPN to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-12996) It was discovered that OpenVPN had a use-after-free in the tls_wrap_reneg handling. An attacker could use this issue to cause OpenVPN to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 24.04 LTS and Ubuntu 26.04 LTS. (CVE-2026-13117) It was discovered that OpenVPN incorrectly validated authentication tokens when external authentication was enabled. A remote attacker could possibly use this issue to cause OpenVPN to crash, resulting in a denial of service. This issue only affected Ubuntu 24.04 LTS and Ubuntu 26.04 LTS. (CVE-2026-13122) It was discovered that OpenVPN had a memory leak when handling tls-crypt-v2 client keys. A remote attacker with a valid tls-crypt-v2 client key could possibly use this issue to cause OpenVPN to consume excessive resources, leading to a denial of service. (CVE-2026-13698)

USN-8539-1: GnuTLS vulnerabilities

14 hours 29 minutes ago
Haruto Kimura discovered that GnuTLS did not properly apply permitted name constraints in certain certificate validation paths. A remote attacker could possibly use this issue to bypass certificate validation, leading to a machine-in-the-middle attack. (CVE-2026-42011) Oleh Konko discovered that GnuTLS incorrectly fell back to Common Name checks for certain URI and SRV subject alternative names. A remote attacker could possibly use this issue to bypass certificate validation, leading to a machine-in-the-middle attack. (CVE-2026-42012) Haruto Kimura and Joshua Rogers discovered that GnuTLS incorrectly fell back to Common Name checks when subject alternative names were oversized. A remote attacker could possibly use this issue to bypass certificate validation, leading to a machine-in-the-middle attack. (CVE-2026-42013) Luigino Camastra and Joshua Rogers discovered that GnuTLS had a use-after-free issue when changing PKCS#11 token security officer PINs in certain cases. An attacker could possibly use this issue to cause GnuTLS to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2026-42014) Zou Dikai discovered that GnuTLS did not properly validate PKCS#12 bag sizes in certain cases. An attacker could possibly use this issue to cause GnuTLS to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2026-42015)

spoofdpi-1.5.3-1.fc45

15 hours 14 minutes ago
FEDORA-2026-b382f3a576 Packages in this update:
  • spoofdpi-1.5.3-1.fc45
Update description:

Automatic update for spoofdpi-1.5.3-1.fc45.

Changelog * Tue Jul 14 2026 Emir Akdag <infraw.linux@proton.me> - 1.5.3-1 - Update spoofdpi to 1.5.3 - Update to 1.5.3 to fix CVE-2026-27145 - Add missing license for go-localereader - Fix build directory case sensitivity issue - Resolves: rhbz#2494220, rhbz#2494389

USN-8538-1: alsa-lib vulnerability

17 hours 42 minutes ago
It was discovered that alsa-lib incorrectly handled certain ALSA configuration text. An attacker could use this issue to cause alsa-lib to crash, resulting in a denial of service, or possibly execute arbitrary code.

USN-8537-1: httplib2 vulnerability

17 hours 48 minutes ago
It was discovered that httplib2 performed unbounded decompression of HTTP response bodies when the server used gzip or deflate Content-Encoding. A remote attacker could possibly use this issue to cause httplib2 to use excessive resources, leading to a denial of service.

USN-8536-1: MariaDB vulnerabilities

18 hours ago
It was discovered that MariaDB did not properly validate parameters supplied by a joiner node during a State Snapshot Transfer using the mariabackup method. An attacker could possibly use this issue to execute arbitrary shell commands on the donor node. (CVE-2026-44168) It was discovered that MariaDB did not properly enforce the SHOW CREATE ROUTINE privilege when a user obtained access to a stored routine via a role. An authenticated user could possibly use this issue to obtain sensitive information. (CVE-2026-44169) It was discovered that MariaDB's mbstream utility did not properly validate paths when unpacking archives. An attacker could possibly use this issue to write files outside of the intended target directory. (CVE-2026-44171) It was discovered that MariaDB's mysql_real_escape_string() function incorrectly handled the big5 character set. An attacker could possibly use this issue to perform SQL injection attacks. (CVE-2026-44172) It was discovered that MariaDB did not properly check the FILE privilege when the FROM clause of a SELECT ... INTO OUTFILE or SELECT ... INTO DUMPFILE statement contained only subqueries. An authenticated user could possibly use this issue to write files to unintended locations. (CVE-2026-44173) It was discovered that MariaDB did not properly validate parameters supplied by a joiner node during a State Snapshot Transfer using the rsync method. An attacker could possibly use this issue to execute arbitrary shell commands on the donor node. (CVE-2026-48163) It was discovered that MariaDB allowed a high-privileged user to set certain Galera system variables to values containing shell commands, which were then executed by the server process. An authenticated user could possibly use this issue to execute arbitrary shell commands. (CVE-2026-48165) It was discovered that MariaDB executed shell commands embedded in the name of a joiner node when wsrep_notify_cmd was enabled. A remote attacker could possibly use this issue to execute arbitrary shell commands. (CVE-2026-49261)

perl-YAML-Syck-1.47-1.el9

19 hours 17 minutes ago
FEDORA-EPEL-2026-57e759c14c Packages in this update:
  • perl-YAML-Syck-1.47-1.el9
Update description:

This update addresses four libsyck memory-safety CVEs reachable from the default YAML::Syck::Load() path on untrusted input with no special flags:

  • CVE-2026-57075 (CWE-125): Out-of-bounds read in the base64 decoder caused by signed-char indexing of the decode table on !!binary input
  • CVE-2026-57076 (CWE-416): Use-after-free of an anchor key string shared between the node and the anchors table
  • CVE-2026-57077 (CWE-125): One-byte out-of-bounds read in the lexer newline scan during block-scalar parsing (incomplete-fix follow-on to CVE-2025-11683)
  • CVE-2026-13713 (CWE-416/CWE-415): Use-after-free / double-free of an anchor node on anchor redefinition, a remote-crash DoS from a 7-byte input

There are also a few other bug-fixes included.