Fedora Security Advisories

FEDORA-EPEL-2026-5f723f26cd Packages in this update:

• gum-0.17.0-3.el10_3

Update description:

Update from version 0.16.1 to version 0.17.0. This update also resolves CVE-2025-47906 and CVE-2026-5160.

• https://github.com/charmbracelet/gum/releases/tag/v0.16.2
• https://github.com/charmbracelet/gum/releases/tag/v0.17.0

FEDORA-2026-10cf6ce616 Packages in this update:

• gum-0.17.0-3.fc44

Update description:

Update vendored goldmark to 1.7.17 to resolve CVE-2026-5160.

FEDORA-2026-bebf3b0544 Packages in this update:

• gum-0.16.1-2.fc42

Update description:

Rebuild with latest golang to resolve CVE-2025-47906.

FEDORA-EPEL-2026-8022001aef Packages in this update:

• coturn-4.10.0-1.el10_3

Update description: Coturn 4.10.0 Performance

• Add Linux-only recvmmsg client receive path for DTLS/UDP listener
• Skip response buffer allocation for STUN indications
• Remove mutex from per-thread super_memory allocator
• Eliminate mutex and reduce copies on auth message dispatch
• Replace mutex_bps with lock-free atomics for bandwidth tracking
• Remove unused mutex from ur_map structure
• WebRTC Auth optimization path
• Improve worst case scenario - avoid memory allocation

Memory issues

• Fix null pointer dereferences in post_parse()
• Fix stack buffer overflow in OAuth token decoding
• Fix uint16_t truncation overflow in stun_get_message_len_str()
• Initialize variables before use

Security

• CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements

• Disable reason string in response messages to reduce amplification factor
• Keep only NEV_UDP_SOCKET_PER_THREAD network engine
• Replace perror with logging
• Extend seed corpus and add more fuzzing scenarios
• Update config and Readme files about deprecated TLSv1/1.1
• Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
• Change port identifiers to use uint16_t
• Fixes: run_tests.sh and no db
• Improve PostgreSQL.md clarity
• Add session usage reporting callback to TURN database driver
• CLI interface is disabled by default

FEDORA-2026-e673311164 Packages in this update:

• coturn-4.10.0-1.fc42

Update description: Coturn 4.10.0 Performance

• Add Linux-only recvmmsg client receive path for DTLS/UDP listener
• Skip response buffer allocation for STUN indications
• Remove mutex from per-thread super_memory allocator
• Eliminate mutex and reduce copies on auth message dispatch
• Replace mutex_bps with lock-free atomics for bandwidth tracking
• Remove unused mutex from ur_map structure
• WebRTC Auth optimization path
• Improve worst case scenario - avoid memory allocation

Memory issues

• Fix null pointer dereferences in post_parse()
• Fix stack buffer overflow in OAuth token decoding
• Fix uint16_t truncation overflow in stun_get_message_len_str()
• Initialize variables before use

Security

• CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements

• Disable reason string in response messages to reduce amplification factor
• Keep only NEV_UDP_SOCKET_PER_THREAD network engine
• Replace perror with logging
• Extend seed corpus and add more fuzzing scenarios
• Update config and Readme files about deprecated TLSv1/1.1
• Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
• Change port identifiers to use uint16_t
• Fixes: run_tests.sh and no db
• Improve PostgreSQL.md clarity
• Add session usage reporting callback to TURN database driver
• CLI interface is disabled by default

FEDORA-EPEL-2026-63737a3630 Packages in this update:

• coturn-4.10.0-1.el10_1

Update description: Coturn 4.10.0 Performance

• Add Linux-only recvmmsg client receive path for DTLS/UDP listener
• Skip response buffer allocation for STUN indications
• Remove mutex from per-thread super_memory allocator
• Eliminate mutex and reduce copies on auth message dispatch
• Replace mutex_bps with lock-free atomics for bandwidth tracking
• Remove unused mutex from ur_map structure
• WebRTC Auth optimization path
• Improve worst case scenario - avoid memory allocation

Memory issues

• Fix null pointer dereferences in post_parse()
• Fix stack buffer overflow in OAuth token decoding
• Fix uint16_t truncation overflow in stun_get_message_len_str()
• Initialize variables before use

Security

• CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements

• Disable reason string in response messages to reduce amplification factor
• Keep only NEV_UDP_SOCKET_PER_THREAD network engine
• Replace perror with logging
• Extend seed corpus and add more fuzzing scenarios
• Update config and Readme files about deprecated TLSv1/1.1
• Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
• Change port identifiers to use uint16_t
• Fixes: run_tests.sh and no db
• Improve PostgreSQL.md clarity
• Add session usage reporting callback to TURN database driver
• CLI interface is disabled by default

FEDORA-2026-1c11dc3e37 Packages in this update:

• coturn-4.10.0-1.fc44

Update description: Coturn 4.10.0 Performance

• Add Linux-only recvmmsg client receive path for DTLS/UDP listener
• Skip response buffer allocation for STUN indications
• Remove mutex from per-thread super_memory allocator
• Eliminate mutex and reduce copies on auth message dispatch
• Replace mutex_bps with lock-free atomics for bandwidth tracking
• Remove unused mutex from ur_map structure
• WebRTC Auth optimization path
• Improve worst case scenario - avoid memory allocation

Memory issues

• Fix null pointer dereferences in post_parse()
• Fix stack buffer overflow in OAuth token decoding
• Fix uint16_t truncation overflow in stun_get_message_len_str()
• Initialize variables before use

Security

• CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements

• Disable reason string in response messages to reduce amplification factor
• Keep only NEV_UDP_SOCKET_PER_THREAD network engine
• Replace perror with logging
• Extend seed corpus and add more fuzzing scenarios
• Update config and Readme files about deprecated TLSv1/1.1
• Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
• Change port identifiers to use uint16_t
• Fixes: run_tests.sh and no db
• Improve PostgreSQL.md clarity
• Add session usage reporting callback to TURN database driver
• CLI interface is disabled by default

FEDORA-EPEL-2026-e0c1b77ba1 Packages in this update:

• coturn-4.10.0-1.el9

Update description: Coturn 4.10.0 Performance

• Add Linux-only recvmmsg client receive path for DTLS/UDP listener
• Skip response buffer allocation for STUN indications
• Remove mutex from per-thread super_memory allocator
• Eliminate mutex and reduce copies on auth message dispatch
• Replace mutex_bps with lock-free atomics for bandwidth tracking
• Remove unused mutex from ur_map structure
• WebRTC Auth optimization path
• Improve worst case scenario - avoid memory allocation

Memory issues

• Fix null pointer dereferences in post_parse()
• Fix stack buffer overflow in OAuth token decoding
• Fix uint16_t truncation overflow in stun_get_message_len_str()
• Initialize variables before use

Security

• CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements

• Disable reason string in response messages to reduce amplification factor
• Keep only NEV_UDP_SOCKET_PER_THREAD network engine
• Replace perror with logging
• Extend seed corpus and add more fuzzing scenarios
• Update config and Readme files about deprecated TLSv1/1.1
• Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
• Change port identifiers to use uint16_t
• Fixes: run_tests.sh and no db
• Improve PostgreSQL.md clarity
• Add session usage reporting callback to TURN database driver
• CLI interface is disabled by default

FEDORA-EPEL-2026-5e71b7731b Packages in this update:

• coturn-4.10.0-1.el10_2

Update description: Coturn 4.10.0 Performance

• Add Linux-only recvmmsg client receive path for DTLS/UDP listener
• Skip response buffer allocation for STUN indications
• Remove mutex from per-thread super_memory allocator
• Eliminate mutex and reduce copies on auth message dispatch
• Replace mutex_bps with lock-free atomics for bandwidth tracking
• Remove unused mutex from ur_map structure
• WebRTC Auth optimization path
• Improve worst case scenario - avoid memory allocation

Memory issues

• Fix null pointer dereferences in post_parse()
• Fix stack buffer overflow in OAuth token decoding
• Fix uint16_t truncation overflow in stun_get_message_len_str()
• Initialize variables before use

Security

• CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements

• Disable reason string in response messages to reduce amplification factor
• Keep only NEV_UDP_SOCKET_PER_THREAD network engine
• Replace perror with logging
• Extend seed corpus and add more fuzzing scenarios
• Update config and Readme files about deprecated TLSv1/1.1
• Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
• Change port identifiers to use uint16_t
• Fixes: run_tests.sh and no db
• Improve PostgreSQL.md clarity
• Add session usage reporting callback to TURN database driver
• CLI interface is disabled by default

FEDORA-2026-1adc5f1ef8 Packages in this update:

• coturn-4.10.0-1.fc43

Update description: Coturn 4.10.0 Performance

• Add Linux-only recvmmsg client receive path for DTLS/UDP listener
• Skip response buffer allocation for STUN indications
• Remove mutex from per-thread super_memory allocator
• Eliminate mutex and reduce copies on auth message dispatch
• Replace mutex_bps with lock-free atomics for bandwidth tracking
• Remove unused mutex from ur_map structure
• WebRTC Auth optimization path
• Improve worst case scenario - avoid memory allocation

Memory issues

• Fix null pointer dereferences in post_parse()
• Fix stack buffer overflow in OAuth token decoding
• Fix uint16_t truncation overflow in stun_get_message_len_str()
• Initialize variables before use

Security

• CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements

• Disable reason string in response messages to reduce amplification factor
• Keep only NEV_UDP_SOCKET_PER_THREAD network engine
• Replace perror with logging
• Extend seed corpus and add more fuzzing scenarios
• Update config and Readme files about deprecated TLSv1/1.1
• Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
• Change port identifiers to use uint16_t
• Fixes: run_tests.sh and no db
• Improve PostgreSQL.md clarity
• Add session usage reporting callback to TURN database driver
• CLI interface is disabled by default

FEDORA-EPEL-2026-84fff0d811 Packages in this update:

• coturn-4.10.0-1.el8

Update description: Coturn 4.10.0 Performance

• Add Linux-only recvmmsg client receive path for DTLS/UDP listener
• Skip response buffer allocation for STUN indications
• Remove mutex from per-thread super_memory allocator
• Eliminate mutex and reduce copies on auth message dispatch
• Replace mutex_bps with lock-free atomics for bandwidth tracking
• Remove unused mutex from ur_map structure
• WebRTC Auth optimization path
• Improve worst case scenario - avoid memory allocation

Memory issues

• Fix null pointer dereferences in post_parse()
• Fix stack buffer overflow in OAuth token decoding
• Fix uint16_t truncation overflow in stun_get_message_len_str()
• Initialize variables before use

Security

• CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements

• Disable reason string in response messages to reduce amplification factor
• Keep only NEV_UDP_SOCKET_PER_THREAD network engine
• Replace perror with logging
• Extend seed corpus and add more fuzzing scenarios
• Update config and Readme files about deprecated TLSv1/1.1
• Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
• Change port identifiers to use uint16_t
• Fixes: run_tests.sh and no db
• Improve PostgreSQL.md clarity
• Add session usage reporting callback to TURN database driver
• CLI interface is disabled by default

FEDORA-2026-afe659aa4d Packages in this update:

• opam-2.5.1-1.fc44

Update description:

See https://github.com/ocaml/opam/releases/tag/2.5.1 for changes in version 2.5.1.

FEDORA-2026-42ff51d2c7 Packages in this update:

• opam-2.5.1-1.fc43

Update description:

See https://github.com/ocaml/opam/releases/tag/2.5.1 for changes in version 2.5.1.

FEDORA-2026-301505f38f Packages in this update:

• opam-2.5.1-1.fc42

Update description:

See https://github.com/ocaml/opam/releases/tag/2.5.1 for changes in version 2.5.1.

FEDORA-2026-036e523144 Packages in this update:

• minetest-5.15.2-1.fc42

Update description:

5.15.2

FEDORA-2026-52b9116b3d Packages in this update:

• minetest-5.15.2-1.fc43

Update description:

5.15.2

FEDORA-2026-b42cf3db3b Packages in this update:

• minetest-5.15.2-1.fc44

Update description:

5.15.2

FEDORA-2026-0eb8e878b6 Packages in this update:

• jq-1.8.1-3.fc44

Update description:

Fixes CVE-2026-32316 Fixes CVE-2026-33947 Fixes CVE-2026-39956 Fixes CVE-2026-39979 Fixes CVE-2026-40164

Fixes <skipped: too deep> bug https://github.com/jqlang/jq/issues/3413

FEDORA-2026-4e57162966 Packages in this update:

• jq-1.8.1-3.fc43

Update description:

Fixes CVE-2026-32316 Fixes CVE-2026-33947 Fixes CVE-2026-39956 Fixes CVE-2026-39979 Fixes CVE-2026-40164

Fixes <skipped: too deep> bug https://github.com/jqlang/jq/issues/3413

FEDORA-2026-0b633ecc7c Packages in this update:

• tigervnc-1.16.2-2.fc42

Update description:

Update to xserver 21.1.22, CVE fix for: CVE-2026-33999, CVE-2026-34000, CVE-2026-34001, CVE-2026-34002, CVE-2026-34003