1 hour 36 minutes ago
USN-8398-1 fixed a vulnerability in nginx. The update introduced a
regression causing nginx to crash when being used with external modules.
This update reverts the fix for CVE-2026-49975 pending further
investigation.
We apologize for the inconvenience.
Original advisory details:
It was discovered that nginx incorrectly handled certain cookie headers in
the HTTP/2 implementation. A remote attacker could possibly use this issue
to cause nginx to consume excessive resources, resulting in a denial of
service.
2 hours 5 minutes ago
FEDORA-EPEL-2026-204e38b37f
Packages in this update:
Update description:
Backport fix for CVE-2026-44660
6 hours ago
USN-8044-1 fixed a vulnerability in alsa-lib. This update provides the
corresponding fix for alsa-lib on Ubuntu 20.04 LTS.
Original advisory details:
It was discovered that alsa-lib incorrectly handled the topology mixer
control decoder. A local attacker could use a specially crafted topology
file to cause alsa-lib to crash, resulting in a denial of service, or
possibly execute arbitrary code.
6 hours 35 minutes ago
FEDORA-2026-884a9f0fc3
Packages in this update:
- vorbis-tools-1.4.3-5.fc44
Update description:
CVE-2026-34253 - fix arbitrary code execution via buffer underflow
6 hours 35 minutes ago
FEDORA-2026-cbf4cd18d1
Packages in this update:
- vorbis-tools-1.4.3-4.fc43
Update description:
CVE-2026-34253 - fix arbitrary code execution via buffer underflow
6 hours 46 minutes ago
Akshat Sinha discovered that shell-quote improperly validated object-token
inputs. An attacker could possibly use this issue to cause shell-quote to
crash, resulting in a denial of service, or execute arbitrary code.
6 hours 49 minutes ago
FEDORA-2026-9c00940406
Packages in this update:
- vorbis-tools-1.4.3-5.fc45
Update description:
Automatic update for vorbis-tools-1.4.3-5.fc45.
Changelog
* Tue Jun 9 2026 Lukáš Zaoral <lzaoral@redhat.com> - 1:1.4.3-5
- CVE-2026-34253 - fix arbitrary code execution via buffer underflow (rhbz#2479549)
19 hours 47 minutes ago
It was discovered that Twig did not properly validate PHP callables when
using a source policy. An authenticated user could possibly use this issue
to execute arbitrary code.
21 hours 55 minutes ago
Elliott Childre discovered that strongSwan incorrectly handled the cloning
of certain identities. A remote attacker could use this issue to cause
strongSwan to crash, resulting in a denial of service, or possibly execute
arbitrary code.
22 hours 43 minutes ago
USN-8349-1 fixed vulnerabilities in rsync. The update introduced multiple
regressions in rsync functionality. This update fixes the problem.
Original advisory details:
Calum Hutton discovered that rsync contained a heap-based out-of-bounds
read when handling file transfers. A remote attacker with read access
to an rsync server could possibly use this issue to cause a denial of
service. (CVE-2025-10158)
Batuhan Sancak, Damien Neil, and Michael Stapelberg discovered that
rsync daemons configured without chroot protection were exposed to a
race condition on parent path components. A local attacker with write
access to a module could possibly use this issue to overwrite files,
obtain sensitive information, or escalate privileges.
(CVE-2026-29518)
It was discovered that rsync did not properly validate a length value
while sorting extended attributes. An attacker could possibly use this
issue to cause a denial of service. (CVE-2026-41035)
It was discovered that rsync performed reverse-DNS lookups after
chrooting in some daemon configurations. A remote attacker could
possibly use this issue to bypass hostname-based access controls and
access network services. (CVE-2026-43617)
Omar Elsayed discovered that rsync did not properly check for integer
overflows while decoding compressed tokens. A remote attacker could
possibly use this issue to obtain sensitive information.
(CVE-2026-43618)
Andrew Tridgell discovered that rsync did not fully fix a symlink race
condition in path-based system calls for daemons configured without
chroot protection. A local attacker could possibly use this issue to
overwrite files, obtain sensitive information, or escalate privileges.
(CVE-2026-43619)
Pratham Gupta discovered that rsync did not properly validate an index
while processing file lists. A remote attacker could possibly use this
issue to cause rsync to crash, resulting in a denial of service.
(CVE-2026-43620)
Michal Ruprich discovered that rsync contained an off-by-one error
while handling HTTP proxy responses. An attacker able to intercept network
communications or a malicious proxy server could possibly use this issue to
cause a denial of service. (CVE-2026-45232)
23 hours 17 minutes ago
Dave Rolsky discovered that Net::CIDR::Lite did not properly handle
extraneous zero characters at the beginning of an IP address string. A
remote attacker could possibly use this issue to bypass access controls
that are based on IP addresses. This issue only affected Ubuntu 16.04 LTS
and Ubuntu 18.04 LTS. (CVE-2021-47154)
It was discovered that Net::CIDR::Lite did not properly validate the IPv6
group count when handling uncompressed IPv6 addresses. A remote attacker
could possibly use this issue to bypass access controls. (CVE-2026-40198)
It was discovered that Net::CIDR::Lite mishandled IPv4-mapped IPv6
addresses. A remote attacker could possibly use this issue to bypass access
controls that are based on IP addresses. (CVE-2026-40199)
23 hours 32 minutes ago
Ariel Silver discovered that CUPS incorrectly handled username comparisons
during authorization checks. A local attacker could possibly use this issue
to gain unauthorized access to restricted operations. (CVE-2026-27447)
Asim Viladi Oglu Manizada discovered that CUPS incorrectly handled
notify-recipient-uri values in the RSS notifier. A remote attacker could
possibly use this issue to overwrite lp-writable files and cause a denial
of service. (CVE-2026-34978)
Jacob Newman discovered that CUPS incorrectly handled filter option strings
when processing job attributes. An attacker could use this issue to cause
CUPS to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2026-34979)
Asim Viladi Oglu Manizada discovered that CUPS incorrectly handled
page-border values in shared PostScript queues. A remote attacker could
possibly use this issue to execute arbitrary code. (CVE-2026-34980)
Asim Viladi Oglu Manizada discovered that CUPS incorrectly handled
localhost authentication to attacker-controlled IPP services. A local
attacker could possibly use this issue to overwrite arbitrary files
and execute arbitrary code. (CVE-2026-34990)
Tomer Fichman discovered that CUPS incorrectly handled negative
job-password-supported values. A local attacker could possibly use this
issue to cause CUPS to crash, resulting in a denial of service.
(CVE-2026-39314)
Tomer Fichman discovered that CUPS incorrectly handled temporary printer
deletion. An attacker could possibly use this issue to cause CUPS to crash,
resulting in a denial of service, or to execute arbitrary code.
(CVE-2026-39316)
Tomer Fichman discovered that CUPS incorrectly handled certain malformed
SNMP responses. An attacker could possibly use this issue to obtain
sensitive information. (CVE-2026-41079)
1 day ago
It was discovered that Transmission had a clickjacking weakness in the
browser-facing WebUI and RPC response paths. An attacker could possibly use
this issue to trick users into performing unintended actions.
1 day ago
FEDORA-EPEL-2026-02d92ea412
Packages in this update:
- nextcloud-33.0.5-1.el10_2
Update description:
33.0.5 Release
1 day ago
FEDORA-EPEL-2026-988ec151d8
Packages in this update:
- nextcloud-33.0.5-1.el10_3
Update description:
33.0.5 Release
1 day ago
FEDORA-2026-cb3feafe41
Packages in this update:
Update description:
33.0.5 Release
1 day ago
FEDORA-2026-86fab2703b
Packages in this update:
Update description:
33.0.5 Release