Fedora Security Advisories

FEDORA-2026-38d71393c1 Packages in this update:

• asterisk-18.26.4-1.fc44

Update description:

Update to Asterisk 18.26.4, addressing numerous security vulnerabilities accumulated since the long-stale 18.12.1 package. The following CVEs are fixed in this update:

• CVE-2022-26498 (fixed in 18.13.0): use-after-free in chan_ooh323
• CVE-2022-42705 (fixed in 18.15.0): use-after-free in res_pjsip_pubsub
• CVE-2022-37325 (fixed in 18.15.1): crash in H323 channel via malformed IE
• CVE-2023-37457 (fixed in 18.20.0): buffer overflow in PJSIP_HEADER function
• CVE-2023-49294 (fixed in 18.20.1): arbitrary file read via AMI GetConfig
• CVE-2023-49786 (fixed in 18.20.1): DTLS race condition causing DoS
• CVE-2024-35190 (fixed in 18.23.1): unauthorized SIP requests matched as endpoint
• CVE-2024-42365 (fixed in 18.24.2): Write=originate allows code execution
• CVE-2024-42491 (fixed in 18.25.0): crash via malformed Contact/Record-Route URI
• CVE-2025-49832 (fixed in 18.26.3): DoS/RCE in res_stir_shaken
• CVE-2025-47779 (fixed in 18.26.2): identity forging via malformed From header
• CVE-2025-1131 (fixed in 18.26.3): local privilege escalation via safe_asterisk
• CVE-2025-54995 (fixed in 18.26.4): resource exhaustion via RTP port leak

Also fixes F44FailsToInstall for asterisk-snmp (BZ#2433748).

FEDORA-2026-80b21debe7 Packages in this update:

• asterisk-18.26.4-1.fc43

Update description:

Update to Asterisk 18.26.4, addressing numerous security vulnerabilities accumulated since the long-stale 18.12.1 package. The following CVEs are fixed in this update:

• CVE-2022-26498 (fixed in 18.13.0): use-after-free in chan_ooh323
• CVE-2022-42705 (fixed in 18.15.0): use-after-free in res_pjsip_pubsub
• CVE-2022-37325 (fixed in 18.15.1): crash in H323 channel via malformed IE
• CVE-2023-37457 (fixed in 18.20.0): buffer overflow in PJSIP_HEADER function
• CVE-2023-49294 (fixed in 18.20.1): arbitrary file read via AMI GetConfig
• CVE-2023-49786 (fixed in 18.20.1): DTLS race condition causing DoS
• CVE-2024-35190 (fixed in 18.23.1): unauthorized SIP requests matched as endpoint
• CVE-2024-42365 (fixed in 18.24.2): Write=originate allows code execution
• CVE-2024-42491 (fixed in 18.25.0): crash via malformed Contact/Record-Route URI
• CVE-2025-49832 (fixed in 18.26.3): DoS/RCE in res_stir_shaken
• CVE-2025-47779 (fixed in 18.26.2): identity forging via malformed From header
• CVE-2025-1131 (fixed in 18.26.3): local privilege escalation via safe_asterisk
• CVE-2025-54995 (fixed in 18.26.4): resource exhaustion via RTP port leak

Also fixes F44FailsToInstall for asterisk-snmp (BZ#2433748).

FEDORA-2026-98decbde87 Packages in this update:

• asterisk-18.26.4-1.fc42

Update description:

Update to Asterisk 18.26.4, addressing numerous security vulnerabilities accumulated since the long-stale 18.12.1 package. The following CVEs are fixed in this update:

• CVE-2022-26498 (fixed in 18.13.0): use-after-free in chan_ooh323
• CVE-2022-42705 (fixed in 18.15.0): use-after-free in res_pjsip_pubsub
• CVE-2022-37325 (fixed in 18.15.1): crash in H323 channel via malformed IE
• CVE-2023-37457 (fixed in 18.20.0): buffer overflow in PJSIP_HEADER function
• CVE-2023-49294 (fixed in 18.20.1): arbitrary file read via AMI GetConfig
• CVE-2023-49786 (fixed in 18.20.1): DTLS race condition causing DoS
• CVE-2024-35190 (fixed in 18.23.1): unauthorized SIP requests matched as endpoint
• CVE-2024-42365 (fixed in 18.24.2): Write=originate allows code execution
• CVE-2024-42491 (fixed in 18.25.0): crash via malformed Contact/Record-Route URI
• CVE-2025-49832 (fixed in 18.26.3): DoS/RCE in res_stir_shaken
• CVE-2025-47779 (fixed in 18.26.2): identity forging via malformed From header
• CVE-2025-1131 (fixed in 18.26.3): local privilege escalation via safe_asterisk
• CVE-2025-54995 (fixed in 18.26.4): resource exhaustion via RTP port leak

Also fixes F44FailsToInstall for asterisk-snmp (BZ#2433748).

FEDORA-2026-29f4f47ade Packages in this update:

• micropython-1.28.0-1.fc43

Update description:

Update to 1.28.0

FEDORA-2026-52a9a687f0 Packages in this update:

• micropython-1.28.0-1.fc44

Update description:

Update to 1.28.0

FEDORA-2026-d619d8d077 Packages in this update:

• micropython-1.28.0-1.fc45

Update description:

Automatic update for micropython-1.28.0-1.fc45.

Changelog * Mon Apr 6 2026 Lumír Balhar <lbalhar@redhat.com> - 1.28.0-1 - Update to 1.28.0 - Security fix for CVE-2026-1998 - Update mbedtls submodule to 3.6.6 - mbedtls security fixes for CVE-2026-25834, CVE-2026-34871, CVE-2026-25833 - CVE-2025-52496, CVE-2025-52497, CVE-2025-49087, CVE-2025-54764, CVE-2025-59438 Resolves: rhbz#2455368, rhbz#2376688, rhbz#2376701, rhbz#2382261, rhbz#2405245, rhbz#2405374, rhbz#2437327, rhbz#2454032, rhbz#2454086, rhbz#2454213

FEDORA-2026-4b112416d8 Packages in this update:

• perl-Net-CIDR-Lite-0.23-1.fc42

Update description:

This update addresses two security issues regarding incorrect handling of malformed IPv6 addresses:

• Fix IPv4 mapped IPv6 packed length (CVE-2026-40199)
• Reject invalid uncompressed IPv6 (CVE-2026-40198)

FEDORA-2026-0a7ed21996 Packages in this update:

• perl-Net-CIDR-Lite-0.23-1.fc43

Update description:

This update addresses two security issues regarding incorrect handling of malformed IPv6 addresses:

• Fix IPv4 mapped IPv6 packed length (CVE-2026-40199)
• Reject invalid uncompressed IPv6 (CVE-2026-40198)

FEDORA-EPEL-2026-b1230525c8 Packages in this update:

• perl-Net-CIDR-Lite-0.23-1.el10_3

Update description:

This update addresses two security issues regarding incorrect handling of malformed IPv6 addresses:

• Fix IPv4 mapped IPv6 packed length (CVE-2026-40199)
• Reject invalid uncompressed IPv6 (CVE-2026-40198)

FEDORA-2026-fe487aa625 Packages in this update:

• perl-Net-CIDR-Lite-0.23-1.fc44

Update description:

This update addresses two security issues regarding incorrect handling of malformed IPv6 addresses:

• Fix IPv4 mapped IPv6 packed length (CVE-2026-40199)
• Reject invalid uncompressed IPv6 (CVE-2026-40198)

FEDORA-EPEL-2026-a41029a8e0 Packages in this update:

• perl-Net-CIDR-Lite-0.23-1.el10_2

Update description:

This update addresses two security issues regarding incorrect handling of malformed IPv6 addresses:

• Fix IPv4 mapped IPv6 packed length (CVE-2026-40199)
• Reject invalid uncompressed IPv6 (CVE-2026-40198)

FEDORA-EPEL-2026-2db32adfde Packages in this update:

• perl-Net-CIDR-Lite-0.23-1.el10_1

Update description:

This update addresses two security issues regarding incorrect handling of malformed IPv6 addresses:

• Fix IPv4 mapped IPv6 packed length (CVE-2026-40199)
• Reject invalid uncompressed IPv6 (CVE-2026-40198)

FEDORA-EPEL-2026-019655b9ea Packages in this update:

• perl-Net-CIDR-Lite-0.23-1.el8

Update description:

This update addresses two security issues regarding incorrect handling of malformed IPv6 addresses:

• Fix IPv4 mapped IPv6 packed length (CVE-2026-40199)
• Reject invalid uncompressed IPv6 (CVE-2026-40198)

FEDORA-2026-fe3d8d4767 Packages in this update:

• aurorae-6.6.4-1.fc44
• bluedevil-6.6.4-1.fc44
• breeze-gtk-6.6.4-1.fc44
• extra-cmake-modules-6.25.0-1.fc44
• flatpak-kcm-6.6.4-1.fc44
• grub2-breeze-theme-6.6.4-1.fc44
• kactivitymanagerd-6.6.4-1.fc44
• kcm_wacomtablet-6.6.4-1.fc44
• kde-cli-tools-6.6.4-1.fc44
• kdecoration-6.6.4-1.fc44
• kde-gtk-config-6.6.4-1.fc44
• kdeplasma-addons-6.6.4-1.fc44
• kf6-6.25.0-1.fc44
• kf6-attica-6.25.0-1.fc44
• kf6-baloo-6.25.0-1.fc44
• kf6-bluez-qt-6.25.0-1.fc44
• kf6-breeze-icons-6.25.0-1.fc44
• kf6-frameworkintegration-6.25.0-1.fc44
• kf6-kapidox-6.25.0-1.fc44
• kf6-karchive-6.25.0-1.fc44
• kf6-kauth-6.25.0-1.fc44
• kf6-kbookmarks-6.25.0-1.fc44
• kf6-kcalendarcore-6.25.0-1.fc44
• kf6-kcmutils-6.25.0-1.fc44
• kf6-kcodecs-6.25.0-1.fc44
• kf6-kcolorscheme-6.25.0-1.fc44
• kf6-kcompletion-6.25.0-1.fc44
• kf6-kconfig-6.25.0-1.fc44
• kf6-kconfigwidgets-6.25.0-1.fc44
• kf6-kcontacts-6.25.0-1.fc44
• kf6-kcoreaddons-6.25.0-1.fc44
• kf6-kcrash-6.25.0-1.fc44
• kf6-kdav-6.25.0-1.fc44
• kf6-kdbusaddons-6.25.0-1.fc44
• kf6-kdeclarative-6.25.0-1.fc44
• kf6-kded-6.25.0-1.fc44
• kf6-kdesu-6.25.0-1.fc44
• kf6-kdnssd-6.25.0-1.fc44
• kf6-kdoctools-6.25.0-1.fc44
• kf6-kfilemetadata-6.25.0-1.fc44
• kf6-kglobalaccel-6.25.0-1.fc44
• kf6-kguiaddons-6.25.0-1.fc44
• kf6-kholidays-6.25.0-1.fc44
• kf6-ki18n-6.25.0-1.fc44
• kf6-kiconthemes-6.25.0-1.fc44
• kf6-kidletime-6.25.0-1.fc44
• kf6-kimageformats-6.25.0-2.fc44
• kf6-kio-6.25.0-1.fc44
• kf6-kirigami-6.25.0-1.fc44
• kf6-kitemmodels-6.25.0-1.fc44
• kf6-kitemviews-6.25.0-1.fc44
• kf6-kjobwidgets-6.25.0-1.fc44
• kf6-knewstuff-6.25.0-1.fc44
• kf6-knotifications-6.25.0-1.fc44
• kf6-knotifyconfig-6.25.0-1.fc44
• kf6-kpackage-6.25.0-1.fc44
• kf6-kparts-6.25.0-1.fc44
• kf6-kpeople-6.25.0-1.fc44
• kf6-kplotting-6.25.0-1.fc44
• kf6-kpty-6.25.0-1.fc44
• kf6-kquickcharts-6.25.0-1.fc44
• kf6-krunner-6.25.0-1.fc44
• kf6-kservice-6.25.0-1.fc44
• kf6-kstatusnotifieritem-6.25.0-1.fc44
• kf6-ksvg-6.25.0-1.fc44
• kf6-ktexteditor-6.25.0-1.fc44
• kf6-ktexttemplate-6.25.0-1.fc44
• kf6-ktextwidgets-6.25.0-1.fc44
• kf6-kunitconversion-6.25.0-1.fc44
• kf6-kuserfeedback-6.25.0-1.fc44
• kf6-kwallet-6.25.0-1.fc44
• kf6-kwidgetsaddons-6.25.0-1.fc44
• kf6-kwindowsystem-6.25.0-1.fc44
• kf6-kxmlgui-6.25.0-1.fc44
• kf6-modemmanager-qt-6.25.0-1.fc44
• kf6-networkmanager-qt-6.25.0-1.fc44
• kf6-prison-6.25.0-1.fc44
• kf6-purpose-6.25.0-1.fc44
• kf6-qqc2-desktop-style-6.25.0-1.fc44
• kf6-solid-6.25.0-1.fc44
• kf6-sonnet-6.25.0-1.fc44
• kf6-syndication-6.25.0-1.fc44
• kf6-syntax-highlighting-6.25.0-1.fc44
• kf6-threadweaver-6.25.0-1.fc44
• kgamma-6.6.4-1.fc44
• kglobalacceld-6.6.4-1.fc44
• kinfocenter-6.6.4-1.fc44
• kmenuedit-6.6.4-1.fc44
• knighttime-6.6.4-1.fc44
• kpipewire-6.6.4-1.fc44
• krdp-6.6.4-1.fc44
• kscreen-6.6.4-1.fc44
• kscreenlocker-6.6.4-1.fc44
• ksshaskpass-6.6.4-1.fc44
• ksystemstats-6.6.4-1.fc44
• kwayland-6.6.4-1.fc44
• kwayland-integration-6.6.4-1.fc44
• kwin-6.6.4-1.fc44
• kwin-x11-6.6.4-1.fc44
• kwrited-6.6.4-1.fc44
• layer-shell-qt-6.6.4-1.fc44
• libkscreen-6.6.4-1.fc44
• libksysguard-6.6.4-1.fc44
• libplasma-6.6.4-1.fc44
• ocean-sound-theme-6.6.4-1.fc44
• oxygen-sounds-6.6.4-1.fc44
• pam-kwallet-6.6.4-1.fc44
• plasma5support-6.6.4-1.fc44
• plasma-activities-6.6.4-1.fc44
• plasma-activities-stats-6.6.4-1.fc44
• plasma-breeze-6.6.4-1.fc44
• plasma-browser-integration-6.6.4-1.fc44
• plasma-desktop-6.6.4-1.fc44
• plasma-dialer-6.6.4-1.fc44
• plasma-discover-6.6.4-1.fc44
• plasma-disks-6.6.4-1.fc44
• plasma-drkonqi-6.6.4-1.fc44
• plasma-firewall-6.6.4-1.fc44
• plasma-integration-6.6.4-1.fc44
• plasma-keyboard-6.6.4-1.fc44
• plasma-login-manager-6.6.4-1.fc44
• plasma-milou-6.6.4-1.fc44
• plasma-mobile-6.6.4-1.fc44
• plasma-nano-6.6.4-1.fc44
• plasma-nm-6.6.4-1.fc44
• plasma-oxygen-6.6.4-1.fc44
• plasma-pa-6.6.4-1.fc44
• plasma-print-manager-6.6.4-1.fc44
• plasma-sdk-6.6.4-1.fc44
• plasma-setup-6.6.4-1.fc44
• plasma-systemmonitor-6.6.4-1.fc44
• plasma-systemsettings-6.6.4-1.fc44
• plasma-thunderbolt-6.6.4-1.fc44
• plasma-vault-6.6.4-1.fc44
• plasma-welcome-6.6.4-1.fc44
• plasma-workspace-6.6.4-1.fc44
• plasma-workspace-wallpapers-6.6.4-1.fc44
• plasma-workspace-x11-6.6.4-1.fc44
• plymouth-kcm-6.6.4-1.fc44
• plymouth-theme-breeze-6.6.4-1.fc44
• polkit-kde-6.6.4-1.fc44
• powerdevil-6.6.4-1.fc44
• qqc2-breeze-style-6.6.4-1.fc44
• sddm-kcm-6.6.4-1.fc44
• spacebar-6.6.4-1.fc44
• spectacle-6.6.4-1.fc44
• xdg-desktop-portal-kde-6.6.4-1.fc44

Update description:

Frameworks 6.25.0 + KDE Plasma 6.6.4

FEDORA-EPEL-2026-42f84f0596 Packages in this update:

• opkssh-0.13.0-8.el10_3

Update description:

Fix CVE-2026-34986 in bundled go-jose

FEDORA-2026-48994e5a45 Packages in this update:

• opkssh-0.13.0-8.fc43

Update description:

Fix CVE-2026-34986 in bundled go-jose

FEDORA-2026-245867ac28 Packages in this update:

• opkssh-0.13.0-8.fc42

Update description:

Fix CVE-2026-34986 in bundled go-jose

FEDORA-EPEL-2026-b2e3cc4bbf Packages in this update:

• opkssh-0.13.0-8.el10_1

Update description:

Fix CVE-2026-34986 in bundled go-jose

FEDORA-2026-af08c3b44f Packages in this update:

• opkssh-0.13.0-8.fc44

Update description:

Fix CVE-2026-34986 in bundled go-jose

FEDORA-EPEL-2026-ef0f106b2d Packages in this update:

• tinyproxy-1.11.2-7.el10_1

Update description:

Backport upstream fixes for CVE-2026-3945 and CVE-2026-31842.