Fedora Security Advisories

• rpki-client-9.8-1.el10_3

• Various refactoring for improved compatibility with various libcrypto implementations and in CA/BGPsec certificate handling.
• Fixed an accounting issue in HTTP gzip compression detection.
• Added a warning in extra verbose mode (-vv) about standards non-compliant Issuer and Subject ASN.1 string encodings.
• Added a check for canonical encoding of ASPA eContent in alignment with draft-ietf-sidrops-aspa-profile-22.
• Ensure that a repository timeout correctly stops repository processing.
• Fixed a defect in Canonical Cache Representation ROAIPAddressFamily sort order. As a result, rpki-client 9.8 cannot parse rpki-client 9.7's .ccr files and vice versa.
• Fixed an issue in the parser for the locally configured constraints.
• A malicious RRDP Publication Server can cause a NULL dereference.
• A malicious RPKI Publication Server can cause an incorrect error exit.

• rpki-client-9.8-1.fc42

• Various refactoring for improved compatibility with various libcrypto implementations and in CA/BGPsec certificate handling.
• Fixed an accounting issue in HTTP gzip compression detection.
• Added a warning in extra verbose mode (-vv) about standards non-compliant Issuer and Subject ASN.1 string encodings.
• Added a check for canonical encoding of ASPA eContent in alignment with draft-ietf-sidrops-aspa-profile-22.
• Ensure that a repository timeout correctly stops repository processing.
• Fixed a defect in Canonical Cache Representation ROAIPAddressFamily sort order. As a result, rpki-client 9.8 cannot parse rpki-client 9.7's .ccr files and vice versa.
• Fixed an issue in the parser for the locally configured constraints.
• A malicious RRDP Publication Server can cause a NULL dereference.
• A malicious RPKI Publication Server can cause an incorrect error exit.

• rpki-client-9.8-1.el9

• Various refactoring for improved compatibility with various libcrypto implementations and in CA/BGPsec certificate handling.
• Fixed an accounting issue in HTTP gzip compression detection.
• Added a warning in extra verbose mode (-vv) about standards non-compliant Issuer and Subject ASN.1 string encodings.
• Added a check for canonical encoding of ASPA eContent in alignment with draft-ietf-sidrops-aspa-profile-22.
• Ensure that a repository timeout correctly stops repository processing.
• Fixed a defect in Canonical Cache Representation ROAIPAddressFamily sort order. As a result, rpki-client 9.8 cannot parse rpki-client 9.7's .ccr files and vice versa.
• Fixed an issue in the parser for the locally configured constraints.
• A malicious RRDP Publication Server can cause a NULL dereference.
• A malicious RPKI Publication Server can cause an incorrect error exit.

• rpki-client-9.8-1.el8

• Various refactoring for improved compatibility with various libcrypto implementations and in CA/BGPsec certificate handling.
• Fixed an accounting issue in HTTP gzip compression detection.
• Added a warning in extra verbose mode (-vv) about standards non-compliant Issuer and Subject ASN.1 string encodings.
• Added a check for canonical encoding of ASPA eContent in alignment with draft-ietf-sidrops-aspa-profile-22.
• Ensure that a repository timeout correctly stops repository processing.
• Fixed a defect in Canonical Cache Representation ROAIPAddressFamily sort order. As a result, rpki-client 9.8 cannot parse rpki-client 9.7's .ccr files and vice versa.
• Fixed an issue in the parser for the locally configured constraints.
• A malicious RRDP Publication Server can cause a NULL dereference.
• A malicious RPKI Publication Server can cause an incorrect error exit.

• rpki-client-9.8-1.fc43

• Various refactoring for improved compatibility with various libcrypto implementations and in CA/BGPsec certificate handling.
• Fixed an accounting issue in HTTP gzip compression detection.
• Added a warning in extra verbose mode (-vv) about standards non-compliant Issuer and Subject ASN.1 string encodings.
• Added a check for canonical encoding of ASPA eContent in alignment with draft-ietf-sidrops-aspa-profile-22.
• Ensure that a repository timeout correctly stops repository processing.
• Fixed a defect in Canonical Cache Representation ROAIPAddressFamily sort order. As a result, rpki-client 9.8 cannot parse rpki-client 9.7's .ccr files and vice versa.
• Fixed an issue in the parser for the locally configured constraints.
• A malicious RRDP Publication Server can cause a NULL dereference.
• A malicious RPKI Publication Server can cause an incorrect error exit.

• rpki-client-9.8-1.el10_1

• Various refactoring for improved compatibility with various libcrypto implementations and in CA/BGPsec certificate handling.
• Fixed an accounting issue in HTTP gzip compression detection.
• Added a warning in extra verbose mode (-vv) about standards non-compliant Issuer and Subject ASN.1 string encodings.
• Added a check for canonical encoding of ASPA eContent in alignment with draft-ietf-sidrops-aspa-profile-22.
• Ensure that a repository timeout correctly stops repository processing.
• Fixed a defect in Canonical Cache Representation ROAIPAddressFamily sort order. As a result, rpki-client 9.8 cannot parse rpki-client 9.7's .ccr files and vice versa.
• Fixed an issue in the parser for the locally configured constraints.
• A malicious RRDP Publication Server can cause a NULL dereference.
• A malicious RPKI Publication Server can cause an incorrect error exit.

• rpki-client-9.8-1.el10_2

• Various refactoring for improved compatibility with various libcrypto implementations and in CA/BGPsec certificate handling.
• Fixed an accounting issue in HTTP gzip compression detection.
• Added a warning in extra verbose mode (-vv) about standards non-compliant Issuer and Subject ASN.1 string encodings.
• Added a check for canonical encoding of ASPA eContent in alignment with draft-ietf-sidrops-aspa-profile-22.
• Ensure that a repository timeout correctly stops repository processing.
• Fixed a defect in Canonical Cache Representation ROAIPAddressFamily sort order. As a result, rpki-client 9.8 cannot parse rpki-client 9.7's .ccr files and vice versa.
• Fixed an issue in the parser for the locally configured constraints.
• A malicious RRDP Publication Server can cause a NULL dereference.
• A malicious RPKI Publication Server can cause an incorrect error exit.

• rpki-client-9.8-1.fc44

• Various refactoring for improved compatibility with various libcrypto implementations and in CA/BGPsec certificate handling.
• Fixed an accounting issue in HTTP gzip compression detection.
• Added a warning in extra verbose mode (-vv) about standards non-compliant Issuer and Subject ASN.1 string encodings.
• Added a check for canonical encoding of ASPA eContent in alignment with draft-ietf-sidrops-aspa-profile-22.
• Ensure that a repository timeout correctly stops repository processing.
• Fixed a defect in Canonical Cache Representation ROAIPAddressFamily sort order. As a result, rpki-client 9.8 cannot parse rpki-client 9.7's .ccr files and vice versa.
• Fixed an issue in the parser for the locally configured constraints.
• A malicious RRDP Publication Server can cause a NULL dereference.
• A malicious RPKI Publication Server can cause an incorrect error exit.

• python-cairosvg-2.9.0-1.el10_1

Security fix for CVE-2026-31899: https://nvd.nist.gov/vuln/detail/CVE-2026-31899 / https://github.com/Kozea/CairoSVG/security/advisories/GHSA-f38f-5xpm-9r7c

Exponential DoS via recursive <use> element amplification

• python-cairosvg-2.9.0-1.el10_3

Security fix for CVE-2026-31899: https://nvd.nist.gov/vuln/detail/CVE-2026-31899 / https://github.com/Kozea/CairoSVG/security/advisories/GHSA-f38f-5xpm-9r7c

Exponential DoS via recursive <use> element amplification

• python-cairosvg-2.7.0-2.el9

Security fix for CVE-2026-31899: https://nvd.nist.gov/vuln/detail/CVE-2026-31899 / https://github.com/Kozea/CairoSVG/security/advisories/GHSA-f38f-5xpm-9r7c

Exponential DoS via recursive <use> element amplification

• python-cairosvg-2.9.0-1.el10_2

Security fix for CVE-2026-31899: https://nvd.nist.gov/vuln/detail/CVE-2026-31899 / https://github.com/Kozea/CairoSVG/security/advisories/GHSA-f38f-5xpm-9r7c

Exponential DoS via recursive <use> element amplification

• python-cairosvg-2.9.0-1.fc42

Security fix for CVE-2026-31899: https://nvd.nist.gov/vuln/detail/CVE-2026-31899 / https://github.com/Kozea/CairoSVG/security/advisories/GHSA-f38f-5xpm-9r7c

Exponential DoS via recursive <use> element amplification

• python-cairosvg-2.9.0-1.fc44

Security fix for CVE-2026-31899: https://nvd.nist.gov/vuln/detail/CVE-2026-31899 / https://github.com/Kozea/CairoSVG/security/advisories/GHSA-f38f-5xpm-9r7c

Exponential DoS via recursive <use> element amplification

• python-cairosvg-2.9.0-1.fc43

Security fix for CVE-2026-31899: https://nvd.nist.gov/vuln/detail/CVE-2026-31899 / https://github.com/Kozea/CairoSVG/security/advisories/GHSA-f38f-5xpm-9r7c

Exponential DoS via recursive <use> element amplification

• xorg-x11-server-Xwayland-24.1.10-1.fc42

Update to xwayland 24.1.10, CVE fix for: CVE-2026-33999, CVE-2026-34000, CVE-2026-34001, CVE-2026-34002, CVE-2026-34003

• xorg-x11-server-Xwayland-24.1.10-1.fc43

Update to xwayland 24.1.10, CVE fix for: CVE-2026-33999, CVE-2026-34000, CVE-2026-34001, CVE-2026-34002, CVE-2026-34003

• xorg-x11-server-Xwayland-24.1.10-1.fc44

Update to xwayland 24.1.10, CVE fix for: CVE-2026-33999, CVE-2026-34000, CVE-2026-34001, CVE-2026-34002, CVE-2026-34003

• xorg-x11-server-21.1.22-1.fc42

Update to xserver 21.1.22, CVE fix for: CVE-2026-33999, CVE-2026-34000, CVE-2026-34001, CVE-2026-34002, CVE-2026-34003

• prometheus-3.11.2-1.el10_3

Update to 3.11.2

Update to 3.11.1

Update to 3.11.0