2 hours 2 minutes ago
2 hours 2 minutes ago
2 hours 35 minutes ago
FEDORA-2026-2843bb1cc8
Packages in this update:
Update description:
- Fix for CVE-2026-12244: A specially crafted SVCB RR can cause a heap overflow of up to 65509 attacker controlled bytes. Thanks to Qifan Zhang, Palo Alto Networks for the report https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12244.txt
- Fix for CVE-2026-12245: If NSD is configured with DNS over TLS, a client that performs a TLS action, closing the connection early, causes a crash and restart of the server process. An attacker can keep all children in a crash-restart loop denying DoT service. Thanks to Qifan Zhang, Palo Alto Networks for the report. https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12245.txt
- Fix for CVE-2026-12246: The RR type APL rdata address, if too large, causes out of bounds write on the stack, when the zonefile is written out. Thanks to Qifan Zhang from Palo Alto Networks, Haruki Oyama from Waseda University and zhangph for the report. https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12246.txt
- Fix for CVE-2026-12490: Secondaries authenticated by a client certificate to transfer a zone over TLS, can bypass verification by
transferring over TCP. Thanks to Qifan Zhang, Palo Alto Networks for the report. https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12490.txt
2 hours 35 minutes ago
FEDORA-2026-dd3a7926a3
Packages in this update:
Update description:
- Fix for CVE-2026-12244: A specially crafted SVCB RR can cause a heap overflow of up to 65509 attacker controlled bytes. Thanks to Qifan Zhang, Palo Alto Networks for the report https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12244.txt
- Fix for CVE-2026-12245: If NSD is configured with DNS over TLS, a client that performs a TLS action, closing the connection early, causes a crash and restart of the server process. An attacker can keep all children in a crash-restart loop denying DoT service. Thanks to Qifan Zhang, Palo Alto Networks for the report. https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12245.txt
- Fix for CVE-2026-12246: The RR type APL rdata address, if too large, causes out of bounds write on the stack, when the zonefile is written out. Thanks to Qifan Zhang from Palo Alto Networks, Haruki Oyama from Waseda University and zhangph for the report. https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12246.txt
- Fix for CVE-2026-12490: Secondaries authenticated by a client certificate to transfer a zone over TLS, can bypass verification by
transferring over TCP. Thanks to Qifan Zhang, Palo Alto Networks for the report. https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12490.txt
2 hours 39 minutes ago
FEDORA-2026-4d6aae2d33
Packages in this update:
- python-streamlink-8.4.0-1.fc43
Update description:
streamlink 8.4.0 (2026-05-06)
- SECURITY: fixed arbitrary local file read via file:// URI in HLS and DASH (CVE-2026-44353 / GHSA-hgqw-6m45-hw5f)
- Added: --stream-passthrough-encrypted for passing through encrypted HLS/DASH segments to the output stream without any checks (#6896)
- Fixed: --interface selection by name on macOS (#6908)
- Fixed: --interface not being applied to adapters mounted after session init (#6915)
- Updated plugins:
- goltelevision: rewritten and fixed plugin (#6916)
- twitcasting: improved ad segment filtering (#6910)
Full changelog
streamlink 8.3.0 (2026-04-10)
- Added: support for choosing the --interface by name on non-Windows systems, with optional prefixes, similar to curl (#6862)
- Added: support for also checking stream segments in HLSStream.parse_variant_playlist() by setting check_streams="segments" (#6878)
- Fixed: stdout/stderr streams in ProcessOutput not being fully line-buffered (#6868)
- Updated plugins:
- cdnbg: rewritten and fixed plugin (#6890)
- nicolive: added websocket reconnect attempts on HLS decryption key retrieval failure (#6871)
- soop: migrated to sooplive.com (#6876)
- telefe: rewritten and fixed plugin (#6891)
Full changelog
2 hours 39 minutes ago
FEDORA-2026-b9232006bb
Packages in this update:
- python-streamlink-8.4.0-1.fc44
Update description:
streamlink 8.4.0 (2026-05-06)
- SECURITY: fixed arbitrary local file read via file:// URI in HLS and DASH (CVE-2026-44353 / GHSA-hgqw-6m45-hw5f)
- Added: --stream-passthrough-encrypted for passing through encrypted HLS/DASH segments to the output stream without any checks (#6896)
- Fixed: --interface selection by name on macOS (#6908)
- Fixed: --interface not being applied to adapters mounted after session init (#6915)
- Updated plugins:
- goltelevision: rewritten and fixed plugin (#6916)
- twitcasting: improved ad segment filtering (#6910)
Full changelog
streamlink 8.3.0 (2026-04-10)
- Added: support for choosing the --interface by name on non-Windows systems, with optional prefixes, similar to curl (#6862)
- Added: support for also checking stream segments in HLSStream.parse_variant_playlist() by setting check_streams="segments" (#6878)
- Fixed: stdout/stderr streams in ProcessOutput not being fully line-buffered (#6868)
- Updated plugins:
- cdnbg: rewritten and fixed plugin (#6890)
- nicolive: added websocket reconnect attempts on HLS decryption key retrieval failure (#6871)
- soop: migrated to sooplive.com (#6876)
- telefe: rewritten and fixed plugin (#6891)
Full changelog
13 hours 45 minutes ago
It was discovered that tar incorrectly handled certain crafted archive files.
An attacker could possibly use this to inject hidden files with
attacker-controlled content, bypassing pre-extraction inspection mechanisms.
14 hours 46 minutes ago
FEDORA-EPEL-2026-b2d0fa716d
Packages in this update:
- chromium-149.0.7827.196-1.el10_3
Update description:
149.0.7827.196 security release
* CVE-2026-13028: Use after free in WebGL
* CVE-2026-13032: Use after free in WebGL
* CVE-2026-13033: Out of bounds read in Blink>InterestGroups
* CVE-2026-13038: Use after free in Autofill
* CVE-2026-13021: Inappropriate implementation in DeviceBoundSessionCredentials
* CVE-2026-13022: Inappropriate implementation in Autofill
* CVE-2026-13023: Uninitialized Use in GPU
* CVE-2026-13024: Insufficient validation of untrusted input in Navigation
* CVE-2026-13025: Insufficient validation of untrusted input in DevTools
* CVE-2026-13026: Use after free in Digital Credentials
* CVE-2026-13027: Use after free in FileSystem
* CVE-2026-13029: Use after free in Web Authentication
* CVE-2026-13030: Uninitialized Use in GPU
* CVE-2026-13031: Use after free in Blink
* CVE-2026-13034: Inappropriate implementation in Passwords
* CVE-2026-13035: Use after free in Bluetooth
* CVE-2026-13036: Use after free in Blink
* CVE-2026-13037: Use after free in WebView
14 hours 46 minutes ago
FEDORA-EPEL-2026-262f68b5b5
Packages in this update:
- chromium-149.0.7827.196-1.el9
Update description:
149.0.7827.196 security release
* CVE-2026-13028: Use after free in WebGL
* CVE-2026-13032: Use after free in WebGL
* CVE-2026-13033: Out of bounds read in Blink>InterestGroups
* CVE-2026-13038: Use after free in Autofill
* CVE-2026-13021: Inappropriate implementation in DeviceBoundSessionCredentials
* CVE-2026-13022: Inappropriate implementation in Autofill
* CVE-2026-13023: Uninitialized Use in GPU
* CVE-2026-13024: Insufficient validation of untrusted input in Navigation
* CVE-2026-13025: Insufficient validation of untrusted input in DevTools
* CVE-2026-13026: Use after free in Digital Credentials
* CVE-2026-13027: Use after free in FileSystem
* CVE-2026-13029: Use after free in Web Authentication
* CVE-2026-13030: Uninitialized Use in GPU
* CVE-2026-13031: Use after free in Blink
* CVE-2026-13034: Inappropriate implementation in Passwords
* CVE-2026-13035: Use after free in Bluetooth
* CVE-2026-13036: Use after free in Blink
* CVE-2026-13037: Use after free in WebView
14 hours 46 minutes ago
FEDORA-EPEL-2026-b9cf5268bd
Packages in this update:
- chromium-149.0.7827.196-1.el10_2
Update description:
149.0.7827.196 security release
* CVE-2026-13028: Use after free in WebGL
* CVE-2026-13032: Use after free in WebGL
* CVE-2026-13033: Out of bounds read in Blink>InterestGroups
* CVE-2026-13038: Use after free in Autofill
* CVE-2026-13021: Inappropriate implementation in DeviceBoundSessionCredentials
* CVE-2026-13022: Inappropriate implementation in Autofill
* CVE-2026-13023: Uninitialized Use in GPU
* CVE-2026-13024: Insufficient validation of untrusted input in Navigation
* CVE-2026-13025: Insufficient validation of untrusted input in DevTools
* CVE-2026-13026: Use after free in Digital Credentials
* CVE-2026-13027: Use after free in FileSystem
* CVE-2026-13029: Use after free in Web Authentication
* CVE-2026-13030: Uninitialized Use in GPU
* CVE-2026-13031: Use after free in Blink
* CVE-2026-13034: Inappropriate implementation in Passwords
* CVE-2026-13035: Use after free in Bluetooth
* CVE-2026-13036: Use after free in Blink
* CVE-2026-13037: Use after free in WebView
15 hours 56 minutes ago
FEDORA-EPEL-2026-fa6af7decc
Packages in this update:
- pdns-recursor-5.4.3-1.el10_2
Update description:
update to latest upstream release to fix CVEs
15 hours 56 minutes ago
FEDORA-EPEL-2026-5d2a639bd3
Packages in this update:
- pdns-recursor-5.4.3-1.el10_3
Update description:
update to latest upstream release to fix CVEs
15 hours 56 minutes ago
FEDORA-2026-34cca3d390
Packages in this update:
- pdns-recursor-5.2.11-1.fc43
Update description:
update to latest upstream release to fix CVEs
15 hours 56 minutes ago
FEDORA-2026-088b60c071
Packages in this update:
- pdns-recursor-5.4.3-1.fc44
Update description:
update to latest upstream release to fix CVEs
16 hours 24 minutes ago
17 hours 52 minutes ago
Version:next-20260625 (linux-next)
Released:2026-06-25
19 hours 33 minutes ago
Oleksii Oleksenko, Cedric Fournet, Jana Hofmann, Boris Köpf, Stavros Volos,
and Flavien Solt discovered that some AMD processors may allow an attacker
to infer data from previous stores, potentially resulting in the leakage of
privileged information. A local attacker could possibly use this to expose
sensitive information. (CVE-2024-36350, CVE-2024-36357)
It was discovered that some AMD Zen 5 processors supporting RDSEED
instruction did not properly handle entropy, potentially resulting in the
consumption of insufficiently random values. A local attacker could
possibly use this issue to influence the values returned by the RDSEED
instruction causing loss of confidentiality and integrity. (CVE-2025-62626)
19 hours 55 minutes ago
It was discovered that xrdp incorrectly handled bounds checking when
processing user domain information during the connection sequence. An
unauthenticated remote attacker could use this issue to cause xrdp to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2025-68670)
It was discovered that xrdp did not correctly enforce the maximum number of
login attempts configured by the MaxLoginRetry parameter. A remote attacker
could use this issue to perform an unlimited number of login attempts.
(CVE-2024-39917)
It was discovered that xrdp did not perform bounds checking when accessing
font glyphs. Since some of this data is controllable by the user, a remote
attacker could use this issue to cause xrdp to read out of bounds. This
issue only affected Ubuntu 24.04 LTS. (CVE-2023-42822)
It was discovered that xrdp did not properly handle session establishment
errors. A remote attacker could use this issue to bypass OS-level session
restrictions enforced by PAM, such as the maximum number of concurrent
sessions per user. This issue only affected Ubuntu 24.04 LTS.
(CVE-2023-40184)
21 hours 24 minutes ago
It was discovered that containerd incorrectly handled HTTP/2 SETTINGS
frames. A remote attacker could possibly use this issue to cause containerd
to enter an infinite loop, resulting in a denial of service. (CVE-2026-33814)
Jakub Ciolek and Kyle Elliott discovered that containerd incorrectly
handled group parsing when creating containers from images. An attacker
could possibly use this issue to cause containerd to consume excessive
memory, resulting in a denial of service. (CVE-2026-47262)
Henry Beberman and Robert Prast discovered that containerd incorrectly
validated image references when importing container checkpoints. An
attacker could possibly use this issue to poison the local image cache and
execute arbitrary code in other pods. This issue only affected Ubuntu
22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.10 and Ubuntu 26.04 LTS.
(CVE-2026-50195)
Robert Prast discovered that containerd incorrectly propagated labels
from image configurations to containers. An attacker could possibly use
this issue to execute arbitrary code on the host. (CVE-2026-53488)
Yuming Zhang, Song Li, Sangwon Ryu, Henry Beberman, Robert Prast, Kyle
Elliott and Zhenchen Wang discovered that containerd incorrectly validated
symlinked paths when restoring container checkpoints. An attacker could
possibly use this issue to read arbitrary files on the host, resulting in
information disclosure. This issue only affected Ubuntu 22.04 LTS, Ubuntu
24.04 LTS, Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-53489)
Robert Prast discovered that containerd incorrectly trusted device
interface annotations when restoring container checkpoints. An attacker
could possibly use this issue to bypass resource allocation restrictions
and inject devices or host mounts into a container. This issue only
affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.10 and Ubuntu
26.04 LTS. (CVE-2026-53492)
21 hours 27 minutes ago
It was discovered that containerd incorrectly handled HTTP/2 SETTINGS
frames. A remote attacker could possibly use this issue to cause containerd
to enter an infinite loop, resulting in a denial of service. This issue
only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS. (CVE-2026-33814)
Jakub Ciolek and Kyle Elliott discovered that containerd incorrectly
handled group parsing when creating containers from images. An attacker
could possibly use this issue to cause containerd to consume excessive
memory, resulting in a denial of service. (CVE-2026-47262)
Robert Prast discovered that containerd incorrectly propagated labels
from image configurations to containers. An attacker could possibly use
this issue to execute arbitrary code on the host. This issue only affected
Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS
and Ubuntu 26.04 LTS. (CVE-2026-53488)
