Fedora Security Advisories

xrdp-0.10.6.1-1.fc43

35 minutes 29 seconds ago
FEDORA-2026-bd0a75766f Packages in this update:
  • xrdp-0.10.6.1-1.fc43
Update description: Release notes for xrdp v0.10.6.1 (2026/07/06) General announcements

This release fixes 10 vulnerabilities and 1 regression introduced by a vulnerability fix in the previous release.

If you like xrdp, please consider sponsoring or donating to the project. We accept financial contributions through Open Collective, and direct donations to individual developers via GitHub Sponsors are also welcome.

Security fixes
  • CVE-2026-41252
  • CVE-2026-41521
  • CVE-2026-44178
  • CVE-2026-42218
  • CVE-2026-44978
  • CVE-2026-54538
  • CVE-2026-55238
  • CVE-2026-55626
  • CVE-2026-55639
  • CVE-2026-55645
New features
  • None
Bug fixes
  • regression: Fix SEGV in xrdp when running over TLS (#3793)

xrdp-0.10.6.1-1.fc44

35 minutes 29 seconds ago
FEDORA-2026-05c06fa0a8 Packages in this update:
  • xrdp-0.10.6.1-1.fc44
Update description: Release notes for xrdp v0.10.6.1 (2026/07/06) General announcements

This release fixes 10 vulnerabilities and 1 regression introduced by a vulnerability fix in the previous release.

If you like xrdp, please consider sponsoring or donating to the project. We accept financial contributions through Open Collective, and direct donations to individual developers via GitHub Sponsors are also welcome.

Security fixes
  • CVE-2026-41252
  • CVE-2026-41521
  • CVE-2026-44178
  • CVE-2026-42218
  • CVE-2026-44978
  • CVE-2026-54538
  • CVE-2026-55238
  • CVE-2026-55626
  • CVE-2026-55639
  • CVE-2026-55645
New features
  • None
Bug fixes
  • regression: Fix SEGV in xrdp when running over TLS (#3793)

xrdp-0.10.6.1-1.el9

35 minutes 29 seconds ago
FEDORA-EPEL-2026-329eff5f4b Packages in this update:
  • xrdp-0.10.6.1-1.el9
Update description: Release notes for xrdp v0.10.6.1 (2026/07/06) General announcements

This release fixes 10 vulnerabilities and 1 regression introduced by a vulnerability fix in the previous release.

If you like xrdp, please consider sponsoring or donating to the project. We accept financial contributions through Open Collective, and direct donations to individual developers via GitHub Sponsors are also welcome.

Security fixes
  • CVE-2026-41252
  • CVE-2026-41521
  • CVE-2026-44178
  • CVE-2026-42218
  • CVE-2026-44978
  • CVE-2026-54538
  • CVE-2026-55238
  • CVE-2026-55626
  • CVE-2026-55639
  • CVE-2026-55645
New features
  • None
Bug fixes
  • regression: Fix SEGV in xrdp when running over TLS (#3793)

xrdp-0.10.6.1-1.el8

35 minutes 30 seconds ago
FEDORA-EPEL-2026-85c16c2007 Packages in this update:
  • xrdp-0.10.6.1-1.el8
Update description: Release notes for xrdp v0.10.6.1 (2026/07/06) General announcements

This release fixes 10 vulnerabilities and 1 regression introduced by a vulnerability fix in the previous release.

If you like xrdp, please consider sponsoring or donating to the project. We accept financial contributions through Open Collective, and direct donations to individual developers via GitHub Sponsors are also welcome.

Security fixes
  • CVE-2026-41252
  • CVE-2026-41521
  • CVE-2026-44178
  • CVE-2026-42218
  • CVE-2026-44978
  • CVE-2026-54538
  • CVE-2026-55238
  • CVE-2026-55626
  • CVE-2026-55639
  • CVE-2026-55645
New features
  • None
Bug fixes
  • regression: Fix SEGV in xrdp when running over TLS (#3793)

upower-1.91.3-2.fc43

1 hour 36 minutes ago
FEDORA-2026-ce80ea7afe Packages in this update:
  • upower-1.91.3-2.fc43
Update description:

upower 1.91.3:

  • Feature: up-device-battery: Prefer "Standard" over "Fast" charging (!316 (merged), #344 (closed))
  • Fix: Resolve potential leaks (!327 (merged))
  • Fix: Potential out-of-bound access (!328 (merged))
  • Fix: Improve access control (!326 (merged))
  • Fix: Remove unused codes (!329 (merged))
  • Fix: Fix for Asus Battery Charge Threshold Detection (!330 (merged), #347 (closed))

upower-1.91.3-1.fc44

1 hour 36 minutes ago
FEDORA-2026-e5305cffc2 Packages in this update:
  • upower-1.91.3-1.fc44
Update description:

upower 1.91.3:

  • Feature: up-device-battery: Prefer "Standard" over "Fast" charging (!316 (merged), #344 (closed))
  • Fix: Resolve potential leaks (!327 (merged))
  • Fix: Potential out-of-bound access (!328 (merged))
  • Fix: Improve access control (!326 (merged))
  • Fix: Remove unused codes (!329 (merged))
  • Fix: Fix for Asus Battery Charge Threshold Detection (!330 (merged), #347 (closed))

roundcubemail-1.7.2-1.fc44

5 hours 51 minutes ago
FEDORA-2026-517daa8d64 Packages in this update:
  • roundcubemail-1.7.2-1.fc44
Update description: Release 1.7.2
  • Add HEAD request handler to the static.php
  • Fix so the oauth_password_claim claim is retrieved via token or userinfo request (#9631)
  • Fix bug where static.php would return a 416 error on a specific Range request (#10194)
  • Fix bug where configured skin logo wasn't loaded via static.php resulting in 404 error (#10191)
  • Fix bug where installto.sh would fail if public_html folder does not exist in the target directory (#10202)
  • Revert "Prefer 8bit over quoted-printable for HTML parts, when force_7bit is disabled (#8477)" (#10198)
  • Fix incorrect unfolding of folded lines when importing vCard 2.1 contacts (#9647)
  • Fix bug where Imagick could leave large temporary files on failure (#10230)
  • Fix bug where redis/memcache session could have been updated more often than needed
  • Fix support for untyped tokens in OIDC backchannel logout, require unset nonce (#10097)
  • Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193)
  • Security: Fix various vulnerabilities in the password plugin using session-injected username
  • Security: Fix stored XSS via unescaped attachment MIME type on the attachment-validation warning page [CVE-2026-54432]
  • Security: Fix SSRF bypass via specific local address URLs - two new cases
  • Security: Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433]
  • Security: Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file

roundcubemail-1.6.17-1.fc43

5 hours 52 minutes ago
FEDORA-2026-c3351f4ae4 Packages in this update:
  • roundcubemail-1.6.17-1.fc43
Update description: Release 1.6.17
  • Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314)
  • Enigma: Kolab WOAT Support (#8626)
  • Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193)
  • Security: Fix various vulnerabilities in the password plugin using session-injected username
  • Security: Fix stored XSS via unescaped attachment MIME type on the attachment-validation warning page [CVE-2026-54432]
  • Security: Fix SSRF bypass via specific local address URLs - two new cases
  • Security: Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433]
  • Security: Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file

roundcubemail-1.6.17-1.el10_2

5 hours 52 minutes ago
FEDORA-EPEL-2026-a54f17adc3 Packages in this update:
  • roundcubemail-1.6.17-1.el10_2
Update description: Release 1.6.17
  • Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314)
  • Enigma: Kolab WOAT Support (#8626)
  • Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193)
  • Security: Fix various vulnerabilities in the password plugin using session-injected username
  • Security: Fix stored XSS via unescaped attachment MIME type on the attachment-validation warning page [CVE-2026-54432]
  • Security: Fix SSRF bypass via specific local address URLs - two new cases
  • Security: Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433]
  • Security: Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file

roundcubemail-1.6.17-1.el10_3

5 hours 52 minutes ago
FEDORA-EPEL-2026-44b1dd565d Packages in this update:
  • roundcubemail-1.6.17-1.el10_3
Update description: Release 1.6.17
  • Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314)
  • Enigma: Kolab WOAT Support (#8626)
  • Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193)
  • Security: Fix various vulnerabilities in the password plugin using session-injected username
  • Security: Fix stored XSS via unescaped attachment MIME type on the attachment-validation warning page [CVE-2026-54432]
  • Security: Fix SSRF bypass via specific local address URLs - two new cases
  • Security: Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433]
  • Security: Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file

cifs-utils-7.6-2.fc45

12 hours 53 minutes ago
FEDORA-2026-90dbff48ca Packages in this update:
  • cifs-utils-7.6-2.fc45
Update description:

Automatic update for cifs-utils-7.6-2.fc45.

Changelog * Mon Jul 6 2026 Paulo Alcantara <paalcant@redhat.com> - 7.6-2 - cifs.upcall: fix regression with kerberos mounts - Resolves: rhbz#2497446 - Resolves: rhbz#2496963 - Resolves: rhbz#2489808 - CVE-2026-12505

syncthing-2.1.1-1.el10_2

1 day 20 hours ago
FEDORA-EPEL-2026-2c3b9215e1 Packages in this update:
  • syncthing-2.1.1-1.el10_2
Update description:

Update to version 2.1.1.

The major change in v2 is migration of the database backend from LevelDB to SQLite. This is handled transparently on startup by syncthing like any other database migration - the only change should be that the first startup takes a bit longer than usual.

This update also includes fixes for various security issues by compiling with updated dependencies and / or newer versions of the Go compiler and standard library.

Please refer to the upstream release notes for other changes since 1.30.0: https://github.com/syncthing/syncthing/releases

Approved EPEL incompatible upgrade request: https://forge.fedoraproject.org/epel/steering/issues/368

Checked
15 minutes 56 seconds ago