Aggregator

FEDORA-2026-d2806ddffc Packages in this update:

• materialx-1.39.5-1.fc44

Update description:

New release version 1.39.5.

See the change log.

FEDORA-2026-85d5d5f493 Packages in this update:

• materialx-1.39.5-1.fc43

Update description:

New release version 1.39.5.

See the change log.

FEDORA-2026-284c049f7f Packages in this update:

• strongswan-6.0.7-1.fc44

Update description:

Addresses CVE-2026-47895 which is a theoretical RCE

FEDORA-2026-e5118f1777 Packages in this update:

• lighttpd-1.4.83-1.fc44

Update description:

1.4.83

https://wiki.lighttpd.net/Release-1_4_83

FEDORA-2026-265fb84974 Packages in this update:

• lighttpd-1.4.83-1.fc43

Update description:

1.4.83

https://wiki.lighttpd.net/Release-1_4_83

FEDORA-EPEL-2026-52d18d8d5a Packages in this update:

• 7zip-26.01-1.el10_3

Update description:

• Fixes CVE-2026-48092: Information disclosure in 32-bit builds
• Fixes CVE-2026-48095: Arbitrary code execution in NTFS handler
• Fixes CVE-2026-48101: Information disclosure in UEFI capsule parser
• Fixes CVE-2026-48102: Information disclosure and DOS via crafted UDF image
• Fixes CVE-2026-48103: Off-by-one buffer over-read in WIM archive handler
• Fixes CVE-2026-48104: Uninitialized heap read in SquashFS archive handler
• Fixes CVE-2026-48111: Off-by-one OOB read in UEFI firmware image parser
• Fixes CVE-2026-48112: Heap-based buffer over-read in Ar handler BSD SYMDEF parser

FEDORA-EPEL-2026-8d909527ba Packages in this update:

• 7zip-26.01-1.el10_2

Update description:

• Fixes CVE-2026-48092: Information disclosure in 32-bit builds
• Fixes CVE-2026-48095: Arbitrary code execution in NTFS handler
• Fixes CVE-2026-48101: Information disclosure in UEFI capsule parser
• Fixes CVE-2026-48102: Information disclosure and DOS via crafted UDF image
• Fixes CVE-2026-48103: Off-by-one buffer over-read in WIM archive handler
• Fixes CVE-2026-48104: Uninitialized heap read in SquashFS archive handler
• Fixes CVE-2026-48111: Off-by-one OOB read in UEFI firmware image parser
• Fixes CVE-2026-48112: Heap-based buffer over-read in Ar handler BSD SYMDEF parser

FEDORA-2026-f36864b408 Packages in this update:

• 7zip-26.01-1.fc43

Update description:

• Fixes CVE-2026-48092: Information disclosure in 32-bit builds
• Fixes CVE-2026-48095: Arbitrary code execution in NTFS handler
• Fixes CVE-2026-48101: Information disclosure in UEFI capsule parser
• Fixes CVE-2026-48102: Information disclosure and DOS via crafted UDF image
• Fixes CVE-2026-48103: Off-by-one buffer over-read in WIM archive handler
• Fixes CVE-2026-48104: Uninitialized heap read in SquashFS archive handler
• Fixes CVE-2026-48111: Off-by-one OOB read in UEFI firmware image parser
• Fixes CVE-2026-48112: Heap-based buffer over-read in Ar handler BSD SYMDEF parser

FEDORA-2026-4be7569210 Packages in this update:

• 7zip-26.01-1.fc44

Update description:

• Fixes CVE-2026-48092: Information disclosure in 32-bit builds
• Fixes CVE-2026-48095: Arbitrary code execution in NTFS handler
• Fixes CVE-2026-48101: Information disclosure in UEFI capsule parser
• Fixes CVE-2026-48102: Information disclosure and DOS via crafted UDF image
• Fixes CVE-2026-48103: Off-by-one buffer over-read in WIM archive handler
• Fixes CVE-2026-48104: Uninitialized heap read in SquashFS archive handler
• Fixes CVE-2026-48111: Off-by-one OOB read in UEFI firmware image parser
• Fixes CVE-2026-48112: Heap-based buffer over-read in Ar handler BSD SYMDEF parser

It was discovered that Ruby's Net::IMAP library did not properly verify that Transport Layer Security (TLS) encryption was started after issuing a STARTTLS command. A remote attacker could possibly use this issue to perform a machine-in-the-middle attack and silently bypass TLS encryption. (CVE-2026-42246) It was also discovered that Ruby's Net::IMAP library did not validate string arguments passed to certain commands. A remote attacker could possibly use this issue to inject arbitrary IMAP commands. (CVE-2026-42257)

Version:next-20260615 (linux-next) Released:2026-06-15

It was discovered that ADSys did not properly handle certain HTTP/2 frames. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 26.04 LTS. (CVE-2026-27141) It was discovered that ADSys did not properly handle certain HTTP/2 SETTINGS frames. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2026-33814)

FEDORA-2026-2419096432 Packages in this update:

• buildah-1.44.0-1.fc45
• containers-common-0.68.0-1.fc45
• podman-6.0.0~rc1-1.fc45
• skopeo-1.23.0-1.fc45

Update description:

Automatic update for buildah-1.44.0-1.fc45, podman-6.0.0~rc1-1.fc45, skopeo-1.23.0-1.fc45, containers-common-0.68.0-1.fc45.

Changelog for buildah * Wed May 27 2026 Packit <hello@packit.dev> - 2:1.44.0-1 - Update to 1.44.0 upstream release Changelog for podman * Mon Jun 15 2026 Packit <hello@packit.dev> - 5:6.0.0~rc1-1 - Update to 6.0.0-rc1 upstream release * Fri Jun 12 2026 Yaakov Selkowitz <yselkowi@redhat.com> - 5:5.8.2-2 - Rebuilt for openssl 4.0 Changelog for skopeo * Tue May 26 2026 Packit <hello@packit.dev> - 1:1.23.0-1 - Update to 1.23.0 upstream release Changelog for containers-common * Thu May 21 2026 Packit <hello@packit.dev> - 5:0.68.0-1 - Update to 0.68.0 upstream release

FEDORA-2026-41453e7fa4 Packages in this update:

• sudo-1.9.17-13.p2.fc45

Update description:

Automatic update for sudo-1.9.17-13.p2.fc45.

Changelog * Mon Jun 15 2026 Alejandro López <allopez@redhat.com> - 1.9.17-12.p2 - Removed some unneeded build-time dependencies * Mon Jun 15 2026 Alejandro López <allopez@redhat.com> - 1.9.17-11.p2 - Resolves: rhbz#2379016 - don't recommend sudo-python-plugins

FEDORA-2026-28df92c223 Packages in this update:

• tig-2.6.1-1.fc43

Update description:

• Fix editor command injection vulnerability (only affectsversion 2.6.0). (#1432)
• https://github.com/jonas/tig/issues/1432

FEDORA-2026-5cb64cc909 Packages in this update:

• tig-2.6.1-1.fc44

Update description:

• Fix editor command injection vulnerability (only affectsversion 2.6.0). (#1432)
• https://github.com/jonas/tig/issues/1432

It was discovered that tmux incorrectly handled image cleanup, leading to a use-after-free vulnerability. A local attacker could possibly use this issue to cause tmux to crash, resulting in a denial of service.

USN-8398-1 fixed a vulnerability in nginx. The update caused a regression and was temporarily reverted in USN-8398-2. This update introduces a complete fix for CVE-2026-49975. We apologize for the inconvenience. Original advisory details: It was discovered that nginx incorrectly handled certain cookie headers in the HTTP/2 implementation. A remote attacker could possibly use this issue to cause nginx to consume excessive resources, resulting in a denial of service.

USN-8405-1 fixed vulnerabilities in CUPS. The update introduced a regression that cause CUPS to crash when parsing certain large printer PPD files. This update fixes the problem. Original advisory details: Ariel Silver discovered that CUPS incorrectly handled username comparisons during authorization checks. A local attacker could possibly use this issue to gain unauthorized access to restricted operations. (CVE-2026-27447) Asim Viladi Oglu Manizada discovered that CUPS incorrectly handled notify-recipient-uri values in the RSS notifier. A remote attacker could possibly use this issue to overwrite lp-writable files and cause a denial of service. (CVE-2026-34978) Jacob Newman discovered that CUPS incorrectly handled filter option strings when processing job attributes. An attacker could use this issue to cause CUPS to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-34979) Asim Viladi Oglu Manizada discovered that CUPS incorrectly handled page-border values in shared PostScript queues. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2026-34980) Asim Viladi Oglu Manizada discovered that CUPS incorrectly handled localhost authentication to attacker-controlled IPP services. A local attacker could possibly use this issue to overwrite arbitrary files and execute arbitrary code. (CVE-2026-34990) Tomer Fichman discovered that CUPS incorrectly handled negative job-password-supported values. A local attacker could possibly use this issue to cause CUPS to crash, resulting in a denial of service. (CVE-2026-39314) Tomer Fichman discovered that CUPS incorrectly handled temporary printer deletion. An attacker could possibly use this issue to cause CUPS to crash, resulting in a denial of service, or to execute arbitrary code. (CVE-2026-39316) Tomer Fichman discovered that CUPS incorrectly handled certain malformed SNMP responses. An attacker could possibly use this issue to obtain sensitive information. (CVE-2026-41079)

It was discovered that Mesa did not properly validate memory allocation sizes in WebGPU under certain circumstances. An attacker could use this issue to cause Mesa to crash, resulting in a denial of service, or possibly execute arbitrary code.