Aggregator

7zip-26.01-1.fc43

34 minutes 15 seconds ago
FEDORA-2026-f36864b408
Packages in this update:
  • 7zip-26.01-1.fc43
Update description:
  • Fixes CVE-2026-48092: Information disclosure in 32-bit builds
  • Fixes CVE-2026-48095: Arbitrary code execution in NTFS handler
  • Fixes CVE-2026-48101: Information disclosure in UEFI capsule parser
  • Fixes CVE-2026-48102: Information disclosure and DoS via crafted UDF image
  • Fixes CVE-2026-48103: Off-by-one buffer over-read in WIM archive handler
  • Fixes CVE-2026-48104: Uninitialized heap read in SquashFS archive handler
  • Fixes CVE-2026-48111: Off-by-one OOB read in UEFI firmware image parser
  • Fixes CVE-2026-48112: Heap-based buffer over-read in Ar handler BSD SYMDEF parser

7zip-26.01-1.fc44

34 minutes 18 seconds ago
FEDORA-2026-4be7569210
Packages in this update:
  • 7zip-26.01-1.fc44
Update description:
  • Fixes CVE-2026-48092: Information disclosure in 32-bit builds
  • Fixes CVE-2026-48095: Arbitrary code execution in NTFS handler
  • Fixes CVE-2026-48101: Information disclosure in UEFI capsule parser
  • Fixes CVE-2026-48102: Information disclosure and DoS via crafted UDF image
  • Fixes CVE-2026-48103: Off-by-one buffer over-read in WIM archive handler
  • Fixes CVE-2026-48104: Uninitialized heap read in SquashFS archive handler
  • Fixes CVE-2026-48111: Off-by-one OOB read in UEFI firmware image parser
  • Fixes CVE-2026-48112: Heap-based buffer over-read in Ar handler BSD SYMDEF parser

USN-8431-1: Ruby vulnerabilities

1 hour 35 minutes ago
It was discovered that Ruby's Net::IMAP library did not properly verify that Transport Layer Security (TLS) encryption was started after issuing a STARTTLS command. A remote attacker could possibly use this issue to perform a machine-in-the-middle attack and silently bypass TLS encryption. (CVE-2026-42246)

It was also discovered that Ruby's Net::IMAP library did not validate string arguments passed to certain commands. A remote attacker could possibly use this issue to inject arbitrary IMAP commands. (CVE-2026-42257)

buildah-1.44.0-1.fc45 containers-common-0.68.0-1.fc45 podman-6.0.0~rc1-1.fc45 skopeo-1.23.0-1.fc45

3 hours 24 minutes ago
FEDORA-2026-2419096432
Packages in this update:
  • buildah-1.44.0-1.fc45
  • containers-common-0.68.0-1.fc45
  • podman-6.0.0~rc1-1.fc45
  • skopeo-1.23.0-1.fc45
Update description:

Automatic update for buildah-1.44.0-1.fc45, podman-6.0.0~rc1-1.fc45, skopeo-1.23.0-1.fc45, containers-common-0.68.0-1.fc45.

Changelog for buildah
* Wed May 27 2026 Packit <hello@packit.dev> - 2:1.44.0-1
- Update to 1.44.0 upstream release

Changelog for podman
* Mon Jun 15 2026 Packit <hello@packit.dev> - 5:6.0.0~rc1-1
- Update to 6.0.0-rc1 upstream release
* Fri Jun 12 2026 Yaakov Selkowitz <yselkowi@redhat.com> - 5:5.8.2-2
- Rebuilt for openssl 4.0

Changelog for skopeo
* Tue May 26 2026 Packit <hello@packit.dev> - 1:1.23.0-1
- Update to 1.23.0 upstream release

Changelog for containers-common
* Thu May 21 2026 Packit <hello@packit.dev> - 5:0.68.0-1
- Update to 0.68.0 upstream release

sudo-1.9.17-13.p2.fc45

3 hours 36 minutes ago
FEDORA-2026-41453e7fa4
Packages in this update:
  • sudo-1.9.17-13.p2.fc45
Update description:

Automatic update for sudo-1.9.17-13.p2.fc45.

Changelog
* Mon Jun 15 2026 Alejandro López <allopez@redhat.com> - 1.9.17-12.p2
- Removed some unneeded build-time dependencies
* Mon Jun 15 2026 Alejandro López <allopez@redhat.com> - 1.9.17-11.p2
- Resolves: rhbz#2379016 - don't recommend sudo-python-plugins

USN-8428-1: tmux vulnerability

5 hours 56 minutes ago
It was discovered that tmux incorrectly handled image cleanup, leading to a use-after-free vulnerability. A local attacker could possibly use this issue to cause tmux to crash, resulting in a denial of service.

USN-8398-3: nginx vulnerability

6 hours 15 minutes ago
USN-8398-1 fixed a vulnerability in nginx. The update caused a regression and was temporarily reverted in USN-8398-2. This update introduces a complete fix for CVE-2026-49975. We apologize for the inconvenience.

Original advisory details:

It was discovered that nginx incorrectly handled certain cookie headers in the HTTP/2 implementation. A remote attacker could possibly use this issue to cause nginx to consume excessive resources, resulting in a denial of service.

USN-8405-2: CUPS regression

6 hours 47 minutes ago
USN-8405-1 fixed vulnerabilities in CUPS. The update introduced a regression that caused CUPS to crash when parsing certain large printer PPD files. This update fixes the problem.

Original advisory details:

Ariel Silver discovered that CUPS incorrectly handled username comparisons during authorization checks. A local attacker could possibly use this issue to gain unauthorized access to restricted operations. (CVE-2026-27447)

Asim Viladi Oglu Manizada discovered that CUPS incorrectly handled notify-recipient-uri values in the RSS notifier. A remote attacker could possibly use this issue to overwrite lp-writable files and cause a denial of service. (CVE-2026-34978)

Jacob Newman discovered that CUPS incorrectly handled filter option strings when processing job attributes. An attacker could use this issue to cause CUPS to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-34979)

Asim Viladi Oglu Manizada discovered that CUPS incorrectly handled page-border values in shared PostScript queues. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2026-34980)

Asim Viladi Oglu Manizada discovered that CUPS incorrectly handled localhost authentication to attacker-controlled IPP services. A local attacker could possibly use this issue to overwrite arbitrary files and execute arbitrary code. (CVE-2026-34990)

Tomer Fichman discovered that CUPS incorrectly handled negative job-password-supported values. A local attacker could possibly use this issue to cause CUPS to crash, resulting in a denial of service. (CVE-2026-39314)

Tomer Fichman discovered that CUPS incorrectly handled temporary printer deletion. An attacker could possibly use this issue to cause CUPS to crash, resulting in a denial of service, or to execute arbitrary code. (CVE-2026-39316)

Tomer Fichman discovered that CUPS incorrectly handled certain malformed SNMP responses. An attacker could possibly use this issue to obtain sensitive information. (CVE-2026-41079)

USN-8427-1: Mesa vulnerability

6 hours 58 minutes ago
It was discovered that Mesa did not properly validate memory allocation sizes in WebGPU under certain circumstances. An attacker could use this issue to cause Mesa to crash, resulting in a denial of service, or possibly execute arbitrary code.

perl-Crypt-DSA-1.17-30.el9

7 hours 8 minutes ago
FEDORA-EPEL-2026-abb2a8237d
Packages in this update:
  • perl-Crypt-DSA-1.17-30.el9
Update description:

This update prevents key material reuse for multiple signing events (CVE-2026-12205, CWE-323).

perl-Crypt-DSA-1.17-30.el8

7 hours 8 minutes ago
FEDORA-EPEL-2026-18f1bb66c7
Packages in this update:
  • perl-Crypt-DSA-1.17-30.el8
Update description:

This update prevents key material reuse for multiple signing events (CVE-2026-12205, CWE-323).

perl-Crypt-DSA-1.21-1.fc44

7 hours 15 minutes ago
FEDORA-2026-f4a6b0c635
Packages in this update:
  • perl-Crypt-DSA-1.21-1.fc44
Update description:

This update, to the current upstream release, prevents key material reuse for multiple signing events (CVE-2026-12205, CWE-323).

perl-Crypt-DSA-1.21-1.el10_3

7 hours 15 minutes ago
FEDORA-EPEL-2026-954ec464c6
Packages in this update:
  • perl-Crypt-DSA-1.21-1.el10_3
Update description:

This update, to the current upstream release, prevents key material reuse for multiple signing events (CVE-2026-12205, CWE-323).

perl-Crypt-DSA-1.21-1.el10_2

7 hours 15 minutes ago
FEDORA-EPEL-2026-027ffba596
Packages in this update:
  • perl-Crypt-DSA-1.21-1.el10_2
Update description:

This update, to the current upstream release, prevents key material reuse for multiple signing events (CVE-2026-12205, CWE-323).

perl-Crypt-DSA-1.21-1.fc43

7 hours 15 minutes ago
FEDORA-2026-5cf57e43e3
Packages in this update:
  • perl-Crypt-DSA-1.21-1.fc43
Update description:

This update, to the current upstream release, prevents key material reuse for multiple signing events (CVE-2026-12205, CWE-323).

perl-Crypt-DSA-1.21-1.fc45

8 hours 22 minutes ago
FEDORA-2026-cf622b92d7
Packages in this update:
  • perl-Crypt-DSA-1.21-1.fc45
Update description:

Automatic update for perl-Crypt-DSA-1.21-1.fc45.

Changelog
* Mon Jun 15 2026 Paul Howarth <paul@city-fan.org> - 1.21-1
- Update to 1.21
- Fixed key material reuse for multiple signing events (CVE-2026-12205, CWE-323)
- sign() reused the DSA nonce k across signatures (r and k^-1 were cached on the key and not regenerated), allowing private-key recovery from two signatures over different messages
- Now generates a fresh nonce per signature
- Keys used to sign more than once with an affected version should be considered compromised
* Fri Jun 12 2026 Yaakov Selkowitz <yselkowi@redhat.com> - 1.20-2
- Rebuilt for openssl 4.0

chromium-149.0.7827.114-1.fc44

11 hours 23 minutes ago
FEDORA-2026-59f46c195f
Packages in this update:
  • chromium-149.0.7827.114-1.fc44
Update description:

Update to 149.0.7827.114

  • CVE-2026-12007: Use after free in Core
  • CVE-2026-12008: Use after free in DigitalCredentials
  • CVE-2026-12009: Insufficient validation of untrusted input in Accessibility
  • CVE-2026-12010: Heap buffer overflow in GPU
  • CVE-2026-12011: Use after free in WebMIDI
  • CVE-2026-12012: Use after free in Network
  • CVE-2026-12013: Use after free in Media
  • CVE-2026-12014: Use after free in Cast
  • CVE-2026-12015: Use after free in Autofill
  • CVE-2026-12016: Insufficient validation of untrusted input in DevTools
  • CVE-2026-12017: Insufficient validation of untrusted input in Extensions
  • CVE-2026-12018: Inappropriate implementation in Mojo
  • CVE-2026-12019: Out of bounds write in Codecs
  • CVE-2026-12020: Use after free in Autofill
  • CVE-2026-12022: Race in Safe Browsing
  • CVE-2026-12023: Use after free in GPU
  • CVE-2026-12024: Insufficient policy enforcement in DevTools
  • CVE-2026-12025: Insufficient validation of untrusted input in Network
  • CVE-2026-12026: Out of bounds read in Video
  • CVE-2026-12027: Insufficient policy enforcement in Headless
  • CVE-2026-12028: Use after free in GPU
  • CVE-2026-12029: Use after free in Video
  • CVE-2026-12030: Heap buffer overflow in GPU
  • CVE-2026-12031: Inappropriate implementation in Views
  • CVE-2026-12032: Inappropriate implementation in Passwords
  • CVE-2026-12033: Out of bounds read in VideoCapture
  • CVE-2026-12034: Insufficient validation of untrusted input in Linux Toolkit Theming
  • CVE-2026-12035: Use after free in Views
  • Disable AI Mode settings