Fedora Security Advisories

FEDORA-2026-3572f7e01c Packages in this update:

• perl-YAML-Syck-1.37-1.fc43

Update description:

YAML::Syck versions up to and including 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailing newlines. strtok mutated n->type_id in place, corrupting shared node data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return.

FEDORA-2026-a8d89d8ae2 Packages in this update:

• perl-YAML-Syck-1.37-1.fc44

Update description:

YAML::Syck versions up to and including 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailing newlines. strtok mutated n->type_id in place, corrupting shared node data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return.

FEDORA-2026-d226775800 Packages in this update:

• perl-YAML-Syck-1.37-1.fc42

Update description:

YAML::Syck versions up to and including 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailing newlines. strtok mutated n->type_id in place, corrupting shared node data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return.

FEDORA-2026-cb321bebb5 Packages in this update:

• bcftools-1.23.1-1.fc44
• htslib-1.23.1-1.fc44
• samtools-1.23.1-1.fc44

Update description:

Update to 1.23.1

FEDORA-2026-3b06345bf2 Packages in this update:

• bcftools-1.23.1-1.fc43
• htslib-1.23.1-1.fc43
• samtools-1.23.1-1.fc43

Update description:

Update to 1.23.1

FEDORA-2026-1fc0d39acd Packages in this update:

• bcftools-1.23.1-1.fc42
• htslib-1.23.1-1.fc42
• samtools-1.23.1-1.fc42

Update description:

Update to 1.23.1

FEDORA-2026-f029d04054 Packages in this update:

• libsoup3-3.6.6-2.fc43

Update description:

Add patch for CVE-2026-1539 (Also remove Proxy-Authorization header on cross origin redirect)

FEDORA-2026-55dabf3975 Packages in this update:

• libsoup3-3.6.6-6.fc44

Update description:

Add patch for CVE-2026-1539 (Also remove Proxy-Authorization header on cross origin redirect)

FEDORA-2026-6fb683df94 Packages in this update:

• libsoup3-3.6.6-6.fc45

Update description:

Automatic update for libsoup3-3.6.6-6.fc45.

Changelog * Thu Mar 19 2026 Milan Crha <mcrha@redhat.com> - 3.6.6-6 - Add patch for CVE-2026-1539 (Also remove Proxy-Authorization header on cross origin redirect) - Resolves: rhbz#2433867

FEDORA-2026-3a7663d43d Packages in this update:

• rubygem-json-2.19.2-1.fc44

Update description:

New version 2.19.2 is released. This fixes a format string injection vulnerability in JSON.parse, which is now assigned as CVE-2026-33210

FEDORA-EPEL-2026-ab0bf2a308 Packages in this update:

• bcftools-1.23.1-1.el10_3
• htslib-1.23.1-1.el10_3
• samtools-1.23.1-1.el10_3

Update description:

Update to 1.23.1

FEDORA-EPEL-2026-46dba9f252 Packages in this update:

• bcftools-1.23.1-1.el10_1
• htslib-1.23.1-1.el10_1
• samtools-1.23.1-1.el10_1

Update description:

Update to 1.23.1

FEDORA-2026-508009213f Packages in this update:

• mongo-c-driver-1.30.7-2.fc44

Update description:

• Fix handling in HTTP response parser CVE-2026-4359

FEDORA-EPEL-2026-9255cc4b0a Packages in this update:

• mongo-c-driver-1.30.7-2.el10_2

Update description:

• Fix handling in HTTP response parser CVE-2026-4359

FEDORA-EPEL-2026-07feda29da Packages in this update:

• mongo-c-driver-1.30.7-2.el8

Update description:

• Fix handling in HTTP response parser CVE-2026-4359

FEDORA-2026-cc129df978 Packages in this update:

• mongo-c-driver-1.30.7-2.fc43

Update description:

• Fix handling in HTTP response parser CVE-2026-4359

FEDORA-EPEL-2026-8e4a02c34d Packages in this update:

• mongo-c-driver-1.30.7-2.el9

Update description:

• Fix handling in HTTP response parser CVE-2026-4359

FEDORA-EPEL-2026-c83d48204a Packages in this update:

• mongo-c-driver-1.30.7-2.el10_1

Update description:

• Fix handling in HTTP response parser CVE-2026-4359

FEDORA-2026-c5273647fa Packages in this update:

• mongo-c-driver-1.30.7-2.fc42

Update description:

• Fix handling in HTTP response parser CVE-2026-4359

FEDORA-2026-9d5b9f45ec Packages in this update:

• kryoptic-1.5.0-2.fc43
• pyOpenSSL-26.0.0-1.fc43
• python-cryptography-46.0.5-1.fc43
• rust-asn1-0.22.0-1.fc43
• rust-asn1_derive-0.22.0-1.fc43
• rust-cryptoki-0.12.0-2.fc43
• rust-cryptoki-sys-0.5.0-2.fc43
• rust-wycheproof-0.6.0-1.fc43

Update description:

• Update pyOpenSSL to v26.0.0 (security update)
• Update python-cryptography to v46.0.5 (dependency of pyOpenSSL 26)
• Update rust-asn1 to 0.22 (dependency of python-cryptography)
• Update kryoptic to v1.5 (required for rust-asn1 bump to 0.22)

The security status of this update is only for pyOpenSSL.