Aggregator

gum-0.17.0-3.fc44

Fedora Security Advisories
3 hours 40 minutes ago
FEDORA-2026-10cf6ce616 Packages in this update:
  • gum-0.17.0-3.fc44
Update description:

Update vendored goldmark to 1.7.17 to resolve CVE-2026-5160.

USN-8182-1: Rack vulnerabilities

Ubuntu Security Advisories
5 hours 7 minutes ago
Andrew Lacambra discovered that Rack did not properly parse certain regular expressions. An attacker could possibly use this issue to bypass network security filters. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-26961) William T. Nelson discovered that Rack did not handle multipart headers correctly. An attacker could possibly use this issue to cause downstream parsing issues or a denial of service. This issue only affected Ubuntu 25.10. (CVE-2026-26962) It was discovered that Rack did not handle the Forwarded header correctly. An attacker could possibly use this issue to manipulate header values. This issue only affected Ubuntu 25.10. (CVE-2026-32762) It was discovered that Rack could consume excessive CPU when handling certain Accept-Encoding values. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-34230) Haruki Oyama discovered that certain configurations of Rack could erroneously fail to derive the displayed directory path, and expose the full filesystem path. An attacker could possibly use this issue to disclose deployment details such as layout and usernames. (CVE-2026-34763) It was discovered that Rack did not properly handle static file paths. An attacker could possibly use this issue to exfiltrate unintentionally served data. (CVE-2026-34785) Haruki Oyama discovered that Rack did not apply header rules to certain requests for URL-encoded static paths. An attacker could possibly use this issue to bypass security-relevant response headers. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-34786) It was discovered that Rack did not limit the number of ranges requested in the Range header. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-34826) It was discovered that Rack could consume excessive CPU when parsing certain multipart parameters. An attacker could possibly use this to cause a denial of service. This issue only affected Ubuntu 25.10. (CVE-2026-34827) It was discovered that Rack could consume unbounded disk space when handling requests without a Content-Length header. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-34829) Mehtab Zafar discovered that Rack directly interpreted the X-Accel-Mapping header as a regular expression without escaping. An attacker could possibly use this issue to exfiltrate arbitrary files from internal locations. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-34830) It was discovered that Rack did not properly handle messages with Unicode. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-34831) It was discovered that Rack did not properly parse the Host header. An attacker could possibly use this issue to bypass security filters or poison generated links. This issue only affected Ubuntu 25.10. (CVE-2026-34835)

coturn-4.10.0-1.el10_3

Fedora Security Advisories
6 hours 4 minutes ago
FEDORA-EPEL-2026-8022001aef Packages in this update:
  • coturn-4.10.0-1.el10_3
Update description: Coturn 4.10.0 Performance
  • Add Linux-only recvmmsg client receive path for DTLS/UDP listener
  • Skip response buffer allocation for STUN indications
  • Remove mutex from per-thread super_memory allocator
  • Eliminate mutex and reduce copies on auth message dispatch
  • Replace mutex_bps with lock-free atomics for bandwidth tracking
  • Remove unused mutex from ur_map structure
  • WebRTC Auth optimization path
  • Improve worst case scenario - avoid memory allocation
Memory issues
  • Fix null pointer dereferences in post_parse()
  • Fix stack buffer overflow in OAuth token decoding
  • Fix uint16_t truncation overflow in stun_get_message_len_str()
  • Initialize variables before use
Security
  • CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser
General Improvements
  • Disable reason string in response messages to reduce amplification factor
  • Keep only NEV_UDP_SOCKET_PER_THREAD network engine
  • Replace perror with logging
  • Extend seed corpus and add more fuzzing scenarios
  • Update config and Readme files about deprecated TLSv1/1.1
  • Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
  • Change port identifiers to use uint16_t
  • Fixes: run_tests.sh and no db
  • Improve PostgreSQL.md clarity
  • Add session usage reporting callback to TURN database driver
  • CLI interface is disabled by default

coturn-4.10.0-1.fc42

Fedora Security Advisories
6 hours 4 minutes ago
FEDORA-2026-e673311164 Packages in this update:
  • coturn-4.10.0-1.fc42
Update description: Coturn 4.10.0 Performance
  • Add Linux-only recvmmsg client receive path for DTLS/UDP listener
  • Skip response buffer allocation for STUN indications
  • Remove mutex from per-thread super_memory allocator
  • Eliminate mutex and reduce copies on auth message dispatch
  • Replace mutex_bps with lock-free atomics for bandwidth tracking
  • Remove unused mutex from ur_map structure
  • WebRTC Auth optimization path
  • Improve worst case scenario - avoid memory allocation
Memory issues
  • Fix null pointer dereferences in post_parse()
  • Fix stack buffer overflow in OAuth token decoding
  • Fix uint16_t truncation overflow in stun_get_message_len_str()
  • Initialize variables before use
Security
  • CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser
General Improvements
  • Disable reason string in response messages to reduce amplification factor
  • Keep only NEV_UDP_SOCKET_PER_THREAD network engine
  • Replace perror with logging
  • Extend seed corpus and add more fuzzing scenarios
  • Update config and Readme files about deprecated TLSv1/1.1
  • Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
  • Change port identifiers to use uint16_t
  • Fixes: run_tests.sh and no db
  • Improve PostgreSQL.md clarity
  • Add session usage reporting callback to TURN database driver
  • CLI interface is disabled by default

coturn-4.10.0-1.el10_1

Fedora Security Advisories
6 hours 4 minutes ago
FEDORA-EPEL-2026-63737a3630 Packages in this update:
  • coturn-4.10.0-1.el10_1
Update description: Coturn 4.10.0 Performance
  • Add Linux-only recvmmsg client receive path for DTLS/UDP listener
  • Skip response buffer allocation for STUN indications
  • Remove mutex from per-thread super_memory allocator
  • Eliminate mutex and reduce copies on auth message dispatch
  • Replace mutex_bps with lock-free atomics for bandwidth tracking
  • Remove unused mutex from ur_map structure
  • WebRTC Auth optimization path
  • Improve worst case scenario - avoid memory allocation
Memory issues
  • Fix null pointer dereferences in post_parse()
  • Fix stack buffer overflow in OAuth token decoding
  • Fix uint16_t truncation overflow in stun_get_message_len_str()
  • Initialize variables before use
Security
  • CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser
General Improvements
  • Disable reason string in response messages to reduce amplification factor
  • Keep only NEV_UDP_SOCKET_PER_THREAD network engine
  • Replace perror with logging
  • Extend seed corpus and add more fuzzing scenarios
  • Update config and Readme files about deprecated TLSv1/1.1
  • Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
  • Change port identifiers to use uint16_t
  • Fixes: run_tests.sh and no db
  • Improve PostgreSQL.md clarity
  • Add session usage reporting callback to TURN database driver
  • CLI interface is disabled by default

coturn-4.10.0-1.fc44

Fedora Security Advisories
6 hours 4 minutes ago
FEDORA-2026-1c11dc3e37 Packages in this update:
  • coturn-4.10.0-1.fc44
Update description: Coturn 4.10.0 Performance
  • Add Linux-only recvmmsg client receive path for DTLS/UDP listener
  • Skip response buffer allocation for STUN indications
  • Remove mutex from per-thread super_memory allocator
  • Eliminate mutex and reduce copies on auth message dispatch
  • Replace mutex_bps with lock-free atomics for bandwidth tracking
  • Remove unused mutex from ur_map structure
  • WebRTC Auth optimization path
  • Improve worst case scenario - avoid memory allocation
Memory issues
  • Fix null pointer dereferences in post_parse()
  • Fix stack buffer overflow in OAuth token decoding
  • Fix uint16_t truncation overflow in stun_get_message_len_str()
  • Initialize variables before use
Security
  • CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser
General Improvements
  • Disable reason string in response messages to reduce amplification factor
  • Keep only NEV_UDP_SOCKET_PER_THREAD network engine
  • Replace perror with logging
  • Extend seed corpus and add more fuzzing scenarios
  • Update config and Readme files about deprecated TLSv1/1.1
  • Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
  • Change port identifiers to use uint16_t
  • Fixes: run_tests.sh and no db
  • Improve PostgreSQL.md clarity
  • Add session usage reporting callback to TURN database driver
  • CLI interface is disabled by default

coturn-4.10.0-1.el9

Fedora Security Advisories
6 hours 4 minutes ago
FEDORA-EPEL-2026-e0c1b77ba1 Packages in this update:
  • coturn-4.10.0-1.el9
Update description: Coturn 4.10.0 Performance
  • Add Linux-only recvmmsg client receive path for DTLS/UDP listener
  • Skip response buffer allocation for STUN indications
  • Remove mutex from per-thread super_memory allocator
  • Eliminate mutex and reduce copies on auth message dispatch
  • Replace mutex_bps with lock-free atomics for bandwidth tracking
  • Remove unused mutex from ur_map structure
  • WebRTC Auth optimization path
  • Improve worst case scenario - avoid memory allocation
Memory issues
  • Fix null pointer dereferences in post_parse()
  • Fix stack buffer overflow in OAuth token decoding
  • Fix uint16_t truncation overflow in stun_get_message_len_str()
  • Initialize variables before use
Security
  • CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser
General Improvements
  • Disable reason string in response messages to reduce amplification factor
  • Keep only NEV_UDP_SOCKET_PER_THREAD network engine
  • Replace perror with logging
  • Extend seed corpus and add more fuzzing scenarios
  • Update config and Readme files about deprecated TLSv1/1.1
  • Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
  • Change port identifiers to use uint16_t
  • Fixes: run_tests.sh and no db
  • Improve PostgreSQL.md clarity
  • Add session usage reporting callback to TURN database driver
  • CLI interface is disabled by default

coturn-4.10.0-1.el10_2

Fedora Security Advisories
6 hours 4 minutes ago
FEDORA-EPEL-2026-5e71b7731b Packages in this update:
  • coturn-4.10.0-1.el10_2
Update description: Coturn 4.10.0 Performance
  • Add Linux-only recvmmsg client receive path for DTLS/UDP listener
  • Skip response buffer allocation for STUN indications
  • Remove mutex from per-thread super_memory allocator
  • Eliminate mutex and reduce copies on auth message dispatch
  • Replace mutex_bps with lock-free atomics for bandwidth tracking
  • Remove unused mutex from ur_map structure
  • WebRTC Auth optimization path
  • Improve worst case scenario - avoid memory allocation
Memory issues
  • Fix null pointer dereferences in post_parse()
  • Fix stack buffer overflow in OAuth token decoding
  • Fix uint16_t truncation overflow in stun_get_message_len_str()
  • Initialize variables before use
Security
  • CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser
General Improvements
  • Disable reason string in response messages to reduce amplification factor
  • Keep only NEV_UDP_SOCKET_PER_THREAD network engine
  • Replace perror with logging
  • Extend seed corpus and add more fuzzing scenarios
  • Update config and Readme files about deprecated TLSv1/1.1
  • Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
  • Change port identifiers to use uint16_t
  • Fixes: run_tests.sh and no db
  • Improve PostgreSQL.md clarity
  • Add session usage reporting callback to TURN database driver
  • CLI interface is disabled by default

coturn-4.10.0-1.fc43

Fedora Security Advisories
6 hours 4 minutes ago
FEDORA-2026-1adc5f1ef8 Packages in this update:
  • coturn-4.10.0-1.fc43
Update description: Coturn 4.10.0 Performance
  • Add Linux-only recvmmsg client receive path for DTLS/UDP listener
  • Skip response buffer allocation for STUN indications
  • Remove mutex from per-thread super_memory allocator
  • Eliminate mutex and reduce copies on auth message dispatch
  • Replace mutex_bps with lock-free atomics for bandwidth tracking
  • Remove unused mutex from ur_map structure
  • WebRTC Auth optimization path
  • Improve worst case scenario - avoid memory allocation
Memory issues
  • Fix null pointer dereferences in post_parse()
  • Fix stack buffer overflow in OAuth token decoding
  • Fix uint16_t truncation overflow in stun_get_message_len_str()
  • Initialize variables before use
Security
  • CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser
General Improvements
  • Disable reason string in response messages to reduce amplification factor
  • Keep only NEV_UDP_SOCKET_PER_THREAD network engine
  • Replace perror with logging
  • Extend seed corpus and add more fuzzing scenarios
  • Update config and Readme files about deprecated TLSv1/1.1
  • Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
  • Change port identifiers to use uint16_t
  • Fixes: run_tests.sh and no db
  • Improve PostgreSQL.md clarity
  • Add session usage reporting callback to TURN database driver
  • CLI interface is disabled by default

coturn-4.10.0-1.el8

Fedora Security Advisories
6 hours 4 minutes ago
FEDORA-EPEL-2026-84fff0d811 Packages in this update:
  • coturn-4.10.0-1.el8
Update description: Coturn 4.10.0 Performance
  • Add Linux-only recvmmsg client receive path for DTLS/UDP listener
  • Skip response buffer allocation for STUN indications
  • Remove mutex from per-thread super_memory allocator
  • Eliminate mutex and reduce copies on auth message dispatch
  • Replace mutex_bps with lock-free atomics for bandwidth tracking
  • Remove unused mutex from ur_map structure
  • WebRTC Auth optimization path
  • Improve worst case scenario - avoid memory allocation
Memory issues
  • Fix null pointer dereferences in post_parse()
  • Fix stack buffer overflow in OAuth token decoding
  • Fix uint16_t truncation overflow in stun_get_message_len_str()
  • Initialize variables before use
Security
  • CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser
General Improvements
  • Disable reason string in response messages to reduce amplification factor
  • Keep only NEV_UDP_SOCKET_PER_THREAD network engine
  • Replace perror with logging
  • Extend seed corpus and add more fuzzing scenarios
  • Update config and Readme files about deprecated TLSv1/1.1
  • Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
  • Change port identifiers to use uint16_t
  • Fixes: run_tests.sh and no db
  • Improve PostgreSQL.md clarity
  • Add session usage reporting callback to TURN database driver
  • CLI interface is disabled by default

USN-8181-1: ESAPI vulnerabilities

Ubuntu Security Advisories
11 hours 34 minutes ago
Jaroslav Lobačevski discovered that ESAPI incorrectly validated directory paths during path verification. An attacker could possibly use this issue to bypass directory validation checks, leading to control-flow bypass. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-23457) Kevin W. Wall and Sebastian Passaro discovered that ESAPI did not properly sanitize javascript URLs because of an incorrect regular expression. An attacker could possibly use this issue to perform a cross-site scripting attack. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-24891) Longlong Gong discovered that ESAPI did not properly neutralize special elements during SQL injection defense. A remote attacker could possibly use this issue to perform SQL injection. (CVE-2025-5878)

USN-8148-7: Linux kernel (NVIDIA) vulnerabilities

Ubuntu Security Advisories
11 hours 54 minutes ago
Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - Cryptographic API; - Netfilter; - Network traffic control; (CVE-2026-23060, CVE-2026-23074, CVE-2026-23111)