Aggregator

Bartlomiej Dmitruk and Stanislaw Strzalkowski discovered that Apache HTTP Server incorrectly handled certain memory operations when using the HTTP/2 protocol. A remote attacker could use this issue to cause Apache HTTP Server to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 26.04 LTS. (CVE-2026-23918) It was discovered that the Apache HTTP Server mod_rewrite module incorrectly handled certain privileges. A local attacker could possibly use this issue to obtain sensitive information. (CVE-2026-24072) Andrew Lacambra, Elhanan Haenel, Tianshuo Han, and Tristan Madani discovered that the Apache HTTP Server mod_proxy_ajp module incorrectly handled certain AJP server messages. An attacker in control of a backend AJP server could use this issue to cause Apache HTTP Server to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-28780) Pavel Kohout discovered that Apache HTTP Server did not properly limit resource allocation in mod_md when processing OCSP response data. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2026-29168) Pavel Kohout discovered that the Apache HTTP Server incorrectly handled certain memory operations in mod_dav_lock. A remote attacker could possibly use this issue to cause Apache HTTP Server to crash, resulting in a denial of service. (CVE-2026-29169) Nitescu Lucian discovered that Apache HTTP Server had a timing attack vulnerability in mod_auth_digest. A remote attacker could possibly use this issue to bypass Digest authentication. (CVE-2026-33006) Pavel Kohout and Arkadi Vainbrand discovered that Apache HTTP Server incorrectly handled certain memory operations in mod_authn_socache. A remote attacker could possibly use this issue to cause Apache HTTP Server to crash, resulting in a denial of service. (CVE-2026-33007) Haruki Oyama, Merih Mengisteab, and Dawit Jeong discovered that Apache HTTP Server had an HTTP response splitting vulnerability in multiple modules when used with untrusted or compromised backend servers. An attacker could possibly use this issue to inject arbitrary HTTP headers. (CVE-2026-33523) Elhanan Haenel discovered that Apache HTTP Server incorrectly handled certain memory operations in mod_proxy_ajp. A remote attacker could possibly use this issue to cause Apache HTTP Server to crash, resulting in a denial of service. (CVE-2026-33857) Tianshuo Han and Jérôme Djouder discovered that Apache HTTP Server incorrectly handled certain string operations in mod_proxy_ajp. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-34032) Elhanan Haenel discovered that Apache HTTP Server incorrectly handled certain memory operations in mod_proxy_ajp. A remote attacker could use this issue to cause Apache HTTP Server to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2026-34059)

USN-8233-1 fixed a vulnerability in nghttp2. This update provides the corresponding update for Ubuntu 26.04 LTS. Original advisory details: Andrew MacPherson discovered that nghttp2 did not properly validate internal state when the session termination API was called. A remote attacker could possibly use this issue to cause nghttp2 to crash, resulting in a denial of service.

It was discovered that EditorConfig incorrectly handled specially crafted configuration files. A local attacker could possibly use this issue to cause EditorConfig to crash, resulting in a denial of service.

Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

Version:next-20260506 (linux-next) Released:2026-05-06

FEDORA-EPEL-2026-d67d81b1fd Packages in this update:

• GitPython-3.1.50-1.el9

Update description:

Update to 3.1.50; fixes CVE-2026-42215 / GHSA-mv93-w799-cj2w.

Fixes security defects GHSA-rpm5-65cw-6hj4, GHSA-x2qx-6953-8485, GHSA-7545-fcxq-7j24, and GHSA-v87r-6q3f-2j67.

FEDORA-EPEL-2026-99bca16ce8 Packages in this update:

• GitPython-3.1.50-1.el10_1

Update description:

Update to 3.1.50; fixes CVE-2026-42215 / GHSA-mv93-w799-cj2w.

Fixes security defects GHSA-rpm5-65cw-6hj4, GHSA-x2qx-6953-8485, GHSA-7545-fcxq-7j24, and GHSA-v87r-6q3f-2j67.

FEDORA-EPEL-2026-9c33ae0785 Packages in this update:

• GitPython-3.1.50-1.el10_2

Update description:

Update to 3.1.50; fixes CVE-2026-42215 / GHSA-mv93-w799-cj2w.

Fixes security defects GHSA-rpm5-65cw-6hj4, GHSA-x2qx-6953-8485, GHSA-7545-fcxq-7j24, and GHSA-v87r-6q3f-2j67.

FEDORA-EPEL-2026-ee98895c61 Packages in this update:

• GitPython-3.1.50-1.el10_3

Update description:

Update to 3.1.50; fixes CVE-2026-42215 / GHSA-mv93-w799-cj2w.

Fixes security defects GHSA-rpm5-65cw-6hj4, GHSA-x2qx-6953-8485, GHSA-7545-fcxq-7j24, and GHSA-v87r-6q3f-2j67.

FEDORA-2026-585a8768df Packages in this update:

• GitPython-3.1.50-1.fc42

Update description:

Update to 3.1.50; fixes CVE-2026-42215 / GHSA-mv93-w799-cj2w.

Fixes security defects GHSA-rpm5-65cw-6hj4, GHSA-x2qx-6953-8485, GHSA-7545-fcxq-7j24, and GHSA-v87r-6q3f-2j67.

It was discovered that Dynaconf was incorrectly handling template evaluation in its string resolvers. A remote attacker could possibly use this issue to execute arbitrary code.

FEDORA-2026-ee7b1c75b6 Packages in this update:

• GitPython-3.1.50-1.fc43

Update description:

Update to 3.1.50; fixes CVE-2026-42215 / GHSA-mv93-w799-cj2w.

FEDORA-2026-b4653c757d Packages in this update:

• GitPython-3.1.50-1.fc44

Update description:

Update to 3.1.50; fixes CVE-2026-42215 / GHSA-mv93-w799-cj2w.

FEDORA-2026-c66eaae759 Packages in this update:

• php-8.5.6-1.fc44

Update description:

PHP version 8.5.6 (07 May 2026)

Core:

• Fixed bug GH-19983 (GC assertion failure with fibers, generators and destructors). (iliaal)
• Fixed ZEND_API mismatch on zend_ce_closure forward decl for Windows+Clang. (henderkes)
• Fixed bug GH-21504 (Incorrect RC-handling for ZEND_EXT_STMT op1). (ilutov)
• Fixed bug GH-21478 (Forward property operations to real instance for initialized lazy proxies). (iliaal)
• Fixed bug GH-21605 (Missing addref for Countable::count()). (ilutov)
• Fixed bug GH-21699 (Assertion failure in shutdown_executor when resolving self::/parent::/static:: callables if the error handler throws). (macoaure)
• Fixed bug GH-21603 (Missing addref for __unset). (ilutov)
• Fixed bug GH-21760 (Trait with class constant name conflict against enum case causes SEGV). (Pratik Bhujel)

CLI:

• Fixed bug GH-21754 (--rf command line option with a method triggers ext/reflection deprecation warnings). (DanielEScherzer)

Curl:

• Add support for brotli and zstd on Windows. (Shivam Mathur)

DOM:

• Fixed GHSA-4jhr-8w89-j733 and GH-21566 (Dom\XMLDocument::C14N() emits duplicate xmlns declarations after setAttributeNS()). (CVE-2026-7263) (David Carlier)

FPM:

• Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735) (Jakub Zelenka)

Iconv:

• Fixed bug GH-17399 (iconv memory leak on bailout). (iliaal)

Lexbor:

• Upgrade to lexbor v2.7.0. (CVE-2026-29078, CVE-2026-29079) (ndossche, ilutov)

MBString:

• Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259) (vi3tL0u1s)
• Fixed GHSA-74r9-qxhc-fx53 (Out-of-bounds access in mbfl_name2encoding_ex()). (CVE-2026-6104) (ilutov)

Opcache:

• Fixed bug GH-21158 (JIT: Assertion jit->ra[var].flags & (1<<0) failed in zend_jit_use_reg). (Arnaud)
• Fixed bug GH-21593 (Borked function JIT JMPNZ smart branch). (ilutov)
• Fixed bug GH-21460 (COND optimization regression). (Dmitry, Arnaud)
• Fixed faulty returns out of zend_try block in zend_jit_trace(). (ilutov)

OpenSSL:

• Fix memory leak regression in openssl_pbkdf2(). (ndossche)
• Fix a bunch of memory leaks and crashes on edge cases. (ndossche)

PDO_Firebird:

• Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179) (SakiTakamachi)

PDO_PGSQL:

• Fixed bug GH-21683 (pdo_pgsql throws with ATTR_PREFETCH=0 on empty result set). (thomasschiet)

Phar:

• Restore is_link handler in phar_intercept_functions_shutdown. (iliaal)
• Fixed bug GH-21797 (phar: NULL dereference in Phar::webPhar() when SCRIPT_NAME is absent from SAPI environment). (iliaal)
• Fix memory leak in Phar::offsetGet(). (iliaal)
• Fix memory leak in phar_add_file(). (iliaal)
• Fixed bug GH-21799 (phar: propagate phar_stream_flush return value from phar_stream_close). (iliaal)
• Fix memory leak in phar_verify_signature() when md_ctx is invalid. (JarneClauw)

Random:

• Fixed bug GH-21731 (Random\Engine\Xoshiro256StarStar::__unserialize() accepts all-zero state). (iliaal)

Session:

• Fixed memory leak when session GC callback return a refcounted value. (jorgsowa)

SOAP:

• Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache Map). (CVE-2026-6722) (ilutov)
• Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION). (CVE-2026-7261) (ilutov)
• Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check). (CVE-2026-7262) (ilutov)

SPL:

• Fixed bug GH-21499 (RecursiveArrayIterator getChildren UAF after parent free). (Girgias)
• Fix concurrent iteration and deletion issues in SplObjectStorage. (ndossche)

Sqlite3:

• Fixed wrong free list comparator pointer type. (David Carlier)

Standard:

• Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset). (CVE-2026-7568) (TimWolla)
• Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h functions). (CVE-2026-7258) (ilutov)

Streams:

• Fixed bug GH-21468 (Segfault in file_get_contents w/ a https URL and a proxy set). (ndossche)

FEDORA-2026-c4d1ca4f16 Packages in this update:

• php-8.4.21-1.fc43

Update description:

PHP version 8.4.21 (07 May 2026)

Core:

• Fixed bug GH-19983 (GC assertion failure with fibers, generators and destructors). (iliaal)
• Fixed bug GH-21478 (Forward property operations to real instance for initialized lazy proxies). (iliaal)
• Fixed bug GH-21605 (Missing addref for Countable::count()). (ilutov)
• Fixed bug GH-21699 (Assertion failure in shutdown_executor when resolving self::/parent::/static:: callables if the error handler throws). (macoaure)
• Fixed bug GH-21603 (Missing addref for __unset). (ilutov)
• Fixed bug GH-21760 (Trait with class constant name conflict against enum case causes SEGV). (Pratik Bhujel)

CLI:

• Fixed bug GH-21754 (--rf command line option with a method triggers ext/reflection deprecation warnings). (DanielEScherzer)

Curl:

• Add support for brotli and zstd on Windows. (Shivam Mathur)

DOM:

• Fixed GHSA-4jhr-8w89-j733 and GH-21566 (Dom\XMLDocument::C14N() emits duplicate xmlns declarations after setAttributeNS()). (CVE-2026-7263) (David Carlier)
• Fixed bug GH-21688 (segmentation fault on empty HTMLDocument). (David Carlier)
• Upgrade to lexbor v2.7.0. (CVE-2026-29078, CVE-2026-29079) (ndossche, ilutov)

FPM:

• Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735) (Jakub Zelenka)

Iconv:

• Fixed bug GH-17399 (iconv memory leak on bailout). (iliaal)

MBString:

• Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259) (vi3tL0u1s)
• Fixed GHSA-74r9-qxhc-fx53 (Out-of-bounds access in mbfl_name2encoding_ex()). (CVE-2026-6104) (ilutov)

Opcache:

• Fixed bug GH-21158 (JIT: Assertion jit->ra[var].flags & (1<<0) failed in zend_jit_use_reg). (Arnaud)
• Fixed bug GH-21593 (Borked function JIT JMPNZ smart branch). (ilutov)
• Fixed bug GH-21460 (COND optimization regression). (Dmitry, Arnaud)
• Fixed faulty returns out of zend_try block in zend_jit_trace(). (ilutov)

OpenSSL:

• Fix a bunch of memory leaks and crashes on edge cases. (ndossche)

PDO_Firebird:

• Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179) (SakiTakamachi)

Phar:

• Restore is_link handler in phar_intercept_functions_shutdown. (iliaal)
• Fixed bug GH-21797 (phar: NULL dereference in Phar::webPhar() when SCRIPT_NAME is absent from SAPI environment). (iliaal)
• Fix memory leak in Phar::offsetGet(). (iliaal)
• Fix memory leak in phar_add_file(). (iliaal)
• Fixed bug GH-21799 (phar: propagate phar_stream_flush return value from phar_stream_close). (iliaal)
• Fix memory leak in phar_verify_signature() when md_ctx is invalid. (JarneClauw)

Random:

• Fixed bug GH-21731 (Random\Engine\Xoshiro256StarStar::__unserialize() accepts all-zero state). (iliaal)

Session:

• Fixed memory leak when session GC callback return a refcounted value. (jorgsowa)

SOAP:

• Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache Map). (CVE-2026-6722) (ilutov)
• Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION). (CVE-2026-7261) (ilutov)
• Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check). (CVE-2026-7262) (ilutov)

SPL:

• Fixed bug GH-21499 (RecursiveArrayIterator getChildren UAF after parent free). (Girgias)
• Fix concurrent iteration and deletion issues in SplObjectStorage. (ndossche)

Standard:

• Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset). (CVE-2026-7568) (TimWolla)
• Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h functions). (CVE-2026-7258) (ilutov)

Streams:

• Fixed bug GH-21468 (Segfault in file_get_contents w/ a https URL and a proxy set). (ndossche)

XSL:

• Fixed bug GH-21600 (Segfault on module shutdown). (David Carlier)

FEDORA-2026-3a58db70ca Packages in this update:

• php-8.4.21-1.fc42

Update description:

PHP version 8.4.21 (07 May 2026)

Core:

• Fixed bug GH-19983 (GC assertion failure with fibers, generators and destructors). (iliaal)
• Fixed bug GH-21478 (Forward property operations to real instance for initialized lazy proxies). (iliaal)
• Fixed bug GH-21605 (Missing addref for Countable::count()). (ilutov)
• Fixed bug GH-21699 (Assertion failure in shutdown_executor when resolving self::/parent::/static:: callables if the error handler throws). (macoaure)
• Fixed bug GH-21603 (Missing addref for __unset). (ilutov)
• Fixed bug GH-21760 (Trait with class constant name conflict against enum case causes SEGV). (Pratik Bhujel)

CLI:

• Fixed bug GH-21754 (--rf command line option with a method triggers ext/reflection deprecation warnings). (DanielEScherzer)

Curl:

• Add support for brotli and zstd on Windows. (Shivam Mathur)

DOM:

• Fixed GHSA-4jhr-8w89-j733 and GH-21566 (Dom\XMLDocument::C14N() emits duplicate xmlns declarations after setAttributeNS()). (CVE-2026-7263) (David Carlier)
• Fixed bug GH-21688 (segmentation fault on empty HTMLDocument). (David Carlier)
• Upgrade to lexbor v2.7.0. (CVE-2026-29078, CVE-2026-29079) (ndossche, ilutov)

FPM:

• Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735) (Jakub Zelenka)

Iconv:

• Fixed bug GH-17399 (iconv memory leak on bailout). (iliaal)

MBString:

• Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259) (vi3tL0u1s)
• Fixed GHSA-74r9-qxhc-fx53 (Out-of-bounds access in mbfl_name2encoding_ex()). (CVE-2026-6104) (ilutov)

Opcache:

• Fixed bug GH-21158 (JIT: Assertion jit->ra[var].flags & (1<<0) failed in zend_jit_use_reg). (Arnaud)
• Fixed bug GH-21593 (Borked function JIT JMPNZ smart branch). (ilutov)
• Fixed bug GH-21460 (COND optimization regression). (Dmitry, Arnaud)
• Fixed faulty returns out of zend_try block in zend_jit_trace(). (ilutov)

OpenSSL:

• Fix a bunch of memory leaks and crashes on edge cases. (ndossche)

PDO_Firebird:

• Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179) (SakiTakamachi)

Phar:

• Restore is_link handler in phar_intercept_functions_shutdown. (iliaal)
• Fixed bug GH-21797 (phar: NULL dereference in Phar::webPhar() when SCRIPT_NAME is absent from SAPI environment). (iliaal)
• Fix memory leak in Phar::offsetGet(). (iliaal)
• Fix memory leak in phar_add_file(). (iliaal)
• Fixed bug GH-21799 (phar: propagate phar_stream_flush return value from phar_stream_close). (iliaal)
• Fix memory leak in phar_verify_signature() when md_ctx is invalid. (JarneClauw)

Random:

• Fixed bug GH-21731 (Random\Engine\Xoshiro256StarStar::__unserialize() accepts all-zero state). (iliaal)

Session:

• Fixed memory leak when session GC callback return a refcounted value. (jorgsowa)

SOAP:

• Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache Map). (CVE-2026-6722) (ilutov)
• Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION). (CVE-2026-7261) (ilutov)
• Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check). (CVE-2026-7262) (ilutov)

SPL:

• Fixed bug GH-21499 (RecursiveArrayIterator getChildren UAF after parent free). (Girgias)
• Fix concurrent iteration and deletion issues in SplObjectStorage. (ndossche)

Standard:

• Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset). (CVE-2026-7568) (TimWolla)
• Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h functions). (CVE-2026-7258) (ilutov)

Streams:

• Fixed bug GH-21468 (Segfault in file_get_contents w/ a https URL and a proxy set). (ndossche)

XSL:

• Fixed bug GH-21600 (Segfault on module shutdown). (David Carlier)

It was discovered that BuildKit, contained within Docker, incorrectly handled file path validation when processing frontend API messages. An attacker could possibly use this issue to write files outside of the intended state directory. (CVE-2026-33747) It was discovered that BuildKit, contained within Docker, incorrectly validated the subdir component of Git URL fragments. An attacker could possibly use this issue to access files outside of the checked-out repository root. (CVE-2026-33748)

It was discovered that Mako incorrectly handled URIs with double-slash prefixes in TemplateLookup. A remote attacker could possibly use this issue to obtain sensitive information.