Aggregator

tmux-3.7b-3.fc43

12 hours 27 minutes ago
FEDORA-2026-7fa12630d5 Packages in this update:
  • tmux-3.7b-3.fc43
Update description:

fdf6afc update to 3.7b fixes rhbz#2498485

CHANGES FROM 3.7a TO 3.7b

  • Fix so that the end of a synchronized update again triggers a redraw.

CHANGES FROM 3.7 TO 3.7a

  • Fix crash in break-pane when no name is provided.

  • Scrollbar options are now cached rather than being looked up for every redraw (issue 5298).

  • Only forbid #( in names, allow #[, empty names, : and .

tmux-3.7b-2.fc44

12 hours 27 minutes ago
FEDORA-2026-f5dd9fb83f Packages in this update:
  • tmux-3.7b-2.fc44
Update description:

fdf6afc update to 3.7b fixes rhbz#2498485

CHANGES FROM 3.7a TO 3.7b

  • Fix so that the end of a synchronized update again triggers a redraw.

CHANGES FROM 3.7 TO 3.7a

  • Fix crash in break-pane when no name is provided.

  • Scrollbar options are now cached rather than being looked up for every redraw (issue 5298).

  • Only forbid #( in names, allow #[, empty names, : and .

USN-8526-1: libheif vulnerabilities

13 hours 3 minutes ago
Xianrui Dong discovered that libheif had an out-of-bounds read in its HEIF sequence track parser. An attacker could possibly use this issue to cause a denial of service or obtain sensitive information. This issue only affected Ubuntu 26.04 LTS. (CVE-2026-47254) Junyi Liu discovered that libheif had a null pointer dereference in its image tiling interface. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-47709) Calvin Young and Enoch Chow discovered that libheif had an integer overflow in its inline mask size calculation. An attacker could possibly use this issue to cause a denial of service or obtain sensitive information. (CVE-2026-47714) Ariel Koren discovered that libheif had an integer underflow in its grid image tile coordinate transform. An attacker could possibly use this issue to cause a denial of service or obtain sensitive information. (CVE-2026-48029) It was discovered that libheif had a missing bound check in its HEIF sequence parser, allowing unbounded heap allocation. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-50142)

USN-8525-1: curl vulnerabilities

13 hours 14 minutes ago
Harry Sintonen discovered that curl incorrectly handled credentials when following HTTP redirects in conjunction with .netrc files. An attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS. (CVE-2024-11053) Hiroki Kurosawa discovered that curl incorrectly handled OCSP stapling responses. A remote attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-8096) Joshua Rogers discovered that curl had a use-after-free vulnerability when resetting and cleaning up HTTP/2 stream handles. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.04, and Ubuntu 25.10. (CVE-2026-10536) Quac Tran and Ngoc Hieu discovered that curl incorrectly reused connections when switching authentication methods to the same host. An attacker could possibly use this issue to obtain sensitive information or perform unauthorized actions. This issue only affected Ubuntu 20.04 LTS. (CVE-2026-5545) Osama Hamad discovered that curl incorrectly reused SMB connections when the target share differed between transfers. An attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2026-5773) Muhamad Arga Reksapati discovered that curl incorrectly forwarded Digest proxy authentication credentials to a different proxy host. An attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2026-7168) It was discovered that curl incorrectly skipped SSH host verification options when using schemeless URLs with --proto-default. An attacker could possibly use this issue to perform machine-in-the-middle attacks. This issue only affected Ubuntu 25.04 and Ubuntu 25.10. (CVE-2026-12064) It was discovered that curl did not enforce an upper bound on memory allocated for unacknowledged WebSocket PING frames. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 25.10. (CVE-2026-11586) It was discovered that curl could stall indefinitely when a malicious HTTP/3 server sent a continuous stream of empty UDP datagrams. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 25.10. (CVE-2026-11352) It was discovered that curl could incorrectly continue trusting a native platform CA store after an application switched the handle to use custom CA material. An attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 25.10. (CVE-2026-11564)

sssd-2.12.0-3.fc43

13 hours 34 minutes ago
FEDORA-2026-9ab663dcd4 Packages in this update:
  • sssd-2.12.0-3.fc43
Update description:

CVE fixes: CVE-2026-12610 CVE-2026-14474 CVE-2026-14476 - rhbz#2494777: CVE-2026-12610 sssd: Use-after-free crash in SSSD' 'sssd_pam' process - rhbz#2497650: CVE-2026-14476 sssd: sssd: GPO cache path traversal via unsanitized gPCFileSysPath allows Kerberos authentication bypass - rhbz#2497651: CVE-2026-14474 sssd: sssd: sudo LDAP provider searches entire directory tree for sudoRole objects by default, enabling privilege escalation

sssd-2.13.1-2.fc44

14 hours 30 minutes ago
FEDORA-2026-5acfb0243b Packages in this update:
  • sssd-2.13.1-2.fc44
Update description:

CVE fixes: CVE-2026-12610 CVE-2026-14474 CVE-2026-14476 - rhbz#2494777: CVE-2026-12610 sssd: Use-after-free crash in SSSD' 'sssd_pam' process - rhbz#2497650: CVE-2026-14476 sssd: sssd: GPO cache path traversal via unsanitized gPCFileSysPath allows Kerberos authentication bypass - rhbz#2497651: CVE-2026-14474 sssd: sssd: sudo LDAP provider searches entire directory tree for sudoRole objects by default, enabling privilege escalation

USN-8524-1: Python vulnerability

17 hours 17 minutes ago
It was discovered that Python did not use sufficient entropy for Expat hash-flooding protection in the xml.parsers.expat and xml.etree.ElementTree modules. An attacker could use this to cause a denial of service via a crafted XML document.

USN-8523-1: libsoup vulnerabilities

18 hours 16 minutes ago
Eric Su and Samuel Dainard discovered that libsoup incorrectly handled content with zero-length resources. An attacker could possibly use this issue to trigger a buffer over-read, resulting in information disclosure or a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-2369) Kona Arctic discovered that libsoup did not properly protect sensitive cookies when establishing HTTPS tunnels through an HTTP proxy. An attacker could possibly use this issue to intercept session cookies, resulting in session hijacking or user impersonation. (CVE-2026-5119)

ruby-3.4.10-31.fc43

19 hours 36 minutes ago
FEDORA-2026-7b7c2b373e Packages in this update:
  • ruby-3.4.10-31.fc43
Update description:

Ruby 3.4.10 is released. This new version contains severay security bug fixes in zlib, net-imap and erb..

USN-8522-1: LibRaw vulnerabilities

19 hours 43 minutes ago
It was discovered that LibRaw incorrectly handled certain Nikon RAW image files. An attacker could possibly use this issue to cause LibRaw to crash, resulting in a denial of service. (CVE-2026-5342) It was discovered that LibRaw had an integer overflow in its DNG image loader. An attacker could possibly use this issue to cause LibRaw to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2026-20884) It was discovered that LibRaw incorrectly handled certain X3F thumbnail data. An attacker could possibly use this issue to cause LibRaw to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2026-20889) It was discovered that LibRaw had a heap-based buffer overflow in its lossless JPEG image loader. An attacker could possibly use this issue to cause LibRaw to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2026-21413) It was discovered that LibRaw had an integer overflow in its uncompressed floating-point DNG image loader. An attacker could possibly use this issue to cause LibRaw to crash, resulting in a denial of service, or execute arbitrary code. This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.04. (CVE-2026-24450) It was discovered that LibRaw had a heap-based buffer overflow in its X3F Huffman decoder. An attacker could possibly use this issue to cause LibRaw to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2026-24660)

USN-8520-1: Expat vulnerability

20 hours 38 minutes ago
It was discovered that Expat used insufficient entropy when generating hash salt values for its internal hash table. An attacker could use this to craft an XML document that triggers hash flooding, leading to a denial of service.

attr-2.6.0-1.fc45

22 hours 4 minutes ago
FEDORA-2026-c7aafa6056 Packages in this update:
  • attr-2.6.0-1.fc45
Update description:

Automatic update for attr-2.6.0-1.fc45.

Changelog * Thu Jul 9 2026 Lukáš Zaoral <lzaoral@redhat.com> - 2.6.0-1 - rebase to the latest upstream release (rhbz#2494157) - CVE-2026-54371 - Symlink Traversal Privilege Escalation via getfattr (rhbz#2494172) - remove a long-overdue workaround for /usr/include/attr/xattr.h