Aggregator

FEDORA-2026-f4371b21f0 Packages in this update:

• xen-4.19.4-3.fc42

Update description:

Use after free of paging structures in EPT [XSA-480, CVE-2026-23554] Xenstored DoS by unprivileged domain [XSA-481, CVE-2026-23555]

USN-8097-1 fixed a vulnerability in roundcube. The update caused a regression affecting the HTML sanitizer, preventing Roundcube from rendering any email message body. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that Roundcube Webmail did not properly sanitize the animate tag within SVG documents. An attacker could possibly use this issue to cause a cross-site scripting attack.

FEDORA-2026-8ae1a1c3d7 Packages in this update:

• xen-4.20.2-4.fc43

Update description:

Use after free of paging structures in EPT [XSA-480, CVE-2026-23554] Xenstored DoS by unprivileged domain [XSA-481, CVE-2026-23555]

FEDORA-2026-5697f4e025 Packages in this update:

• pyOpenSSL-26.0.0-1.fc44

Update description:

Update to version 26.0.0

• Added support for using aws-lc instead of OpenSSL.
• Properly raise an error if a DTLS cookie callback returned a cookie longer than DTLS1_COOKIE_LENGTH bytes. Previously this would result in a buffer-overflow. Credit to dark_haxor for reporting the issue. CVE-2026-27459
• Added OpenSSL.SSL.Connection.get_group_name to determine which group name was negotiated.
• Context.set_tlsext_servername_callback now handles exceptions raised in the callback by calling sys.excepthook and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded. Credit to Leury Castillo for reporting this issue. CVE-2026-27448

It was discovered that Bouncy Castle did not sanitize user input when inserting it into an LDAP search filter. An attacker could possibly use this issue to perform an LDAP injection attack. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2023-33201) It was discovered that Bouncy Castle incorrectly handled specially crafted F2m parameters in the ECCurve algorithm. An attacker could possibly use this issue to cause Bouncy Castle to use excessive resources, leading to a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. (CVE-2024-29857) It was discovered that Bouncy Castle leaked timing information when handling exceptions during an RSA handshake. An attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. (CVE-2024-30171) It was discovered that Bouncy Castle incorrectly handled endpoint identification with an SSL socket enabled without an explicit hostname. An attacker could possibly use this issue to perform a DNS poisoning attack. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. (CVE-2024-34447) Bing Shi discovered that Bouncy Castle incorrectly handled resource memory allocation. An attacker could possibly use this issue to cause Bouncy Castle to use excessive resources, leading to a denial of service. This issue only affected Ubuntu 24.04 LTS. (CVE-2025-8916)

FEDORA-2026-76033f35ea Packages in this update:

• headscale-0.28.0-1.fc44

Update description:

update to 0.28.0

FEDORA-2026-c3c02ffe75 Packages in this update:

• headscale-0.28.0-1.fc43

Update description:

update to 0.28.0

Version:next-20260318 (linux-next) Released:2026-03-18

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - x86 architecture; - GPIO subsystem; - GPU drivers; - MMC subsystem; - BTRFS file system; - XFRM subsystem; - IPv4 networking; - IPv6 networking; - MAC80211 subsystem; - SMC sockets; (CVE-2021-47599, CVE-2022-48875, CVE-2022-49072, CVE-2022-49267, CVE-2024-49927, CVE-2024-56640, CVE-2025-21780, CVE-2025-40215)

Qualys discovered that several vulnerabilities existed in the AppArmor Linux kernel Security Module (LSM). An unprivileged local attacker could use these issues to load, replace, and remove arbitrary AppArmor profiles causing denial of service, exposure of sensitive information (kernel memory), local privilege escalation, or possibly escape a container. (LP: #2143853) Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - x86 architecture; - GPIO subsystem; - GPU drivers; - MMC subsystem; - BTRFS file system; - XFRM subsystem; - IPv4 networking; - IPv6 networking; - MAC80211 subsystem; - SMC sockets; (CVE-2021-47599, CVE-2022-48875, CVE-2022-49072, CVE-2022-49267, CVE-2024-49927, CVE-2024-56640, CVE-2025-21780, CVE-2025-40215)

It was discovered that Valkey incorrectly handled errors for lua scripts. An attacker could possibly use this issue to inject arbitrary information into the response stream for other clients. (CVE-2025-67733) It was discovered that Valkey incorrectly handled malformed cluster bus messages. A remote attacker could possibly use this issue to cause Valkey to crash, resulting in a denial of service. (CVE-2026-21863)

It was discovered that FreeRDP incorrectly handled certain RDP packets. A remote attacker could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code.

FEDORA-2026-62fb46caac Packages in this update:

• openssh-10.2p1-6.fc44

Update description:

• CVE-2026-3497: Fix information disclosure or denial of service due to uninitialized variables in gssapi-keyex

FEDORA-2026-39819a3d62 Packages in this update:

• openssh-9.9p1-13.fc42

Update description:

• CVE-2026-3497: Fix information disclosure or denial of service due to uninitialized variables in gssapi-keyex

FEDORA-2026-bab4aa5da7 Packages in this update:

• openssh-10.0p1-7.fc43

Update description:

• CVE-2026-3497: Fix information disclosure or denial of service due to uninitialized variables in gssapi-keyex

FEDORA-2026-4f7402837e Packages in this update:

• fontforge-20230101-20.fc43

Update description:

Resolves: CVE-2025-15270

FEDORA-2026-3dbd8c4b89 Packages in this update:

• fontforge-20230101-19.fc42

Update description:

Resolves: CVE-2025-15270

FEDORA-2026-55f82da186 Packages in this update:

• vtk-9.2.6-44.fc43

Update description:

Add patch to fix integer overflow on 32-bit in KissFFT (CVE-2025-34297)

FEDORA-2026-ff768f8e37 Packages in this update:

• vtk-9.2.6-38.fc42

Update description:

Add patch to fix integer overflow on 32-bit in KissFFT (CVE-2025-34297)

Shourya Jaiswal discovered that Flask did not correctly mark certain web responses as user-specific. A remote attacker could possibly use this issue to obtain sensitive information.