Fedora Security Advisories

FEDORA-2026-cda0c20ce0 Packages in this update:

• thunderbird-152.0-1.fc44

Update description:

Update to latest upstream version

FEDORA-2026-2fb5ca48a2 Packages in this update:

• thunderbird-152.0-2.fc43

Update description:

Update to latest upstream version

Update to latest upstream version.

FEDORA-2026-8c7f5e32c5 Packages in this update:

• mysql8.4-8.4.10-1.fc44

Update description:

MySQL 8.4.10

Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.4/en/news-8-4-10.html Upstream changelog: https://dev.mysql.com/doc/relnotes/mysql/8.4/en/ Oracle Critical Security Patch Update - June 2026: https://www.oracle.com/security-alerts/cspujun2026.html#AppendixMSQL CVE-2026-46863 (CVSS 7.5) - Server: Connection Handling The only CVE from the June 2026 CPU affecting the 'mysql8.4' package. Remotely exploitable without authentication (DoS). The remaining 7 CVEs affect MySQL Shell (VS Code extension), MySQL Router, and NDB Cluster Operator — none of which are built or shipped by this package.

FEDORA-2026-280245e2ea Packages in this update:

• mysql8.4-8.4.10-1.fc43

Update description:

MySQL 8.4.10

Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.4/en/news-8-4-10.html Upstream changelog: https://dev.mysql.com/doc/relnotes/mysql/8.4/en/ Oracle Critical Security Patch Update - June 2026: https://www.oracle.com/security-alerts/cspujun2026.html#AppendixMSQL CVE-2026-46863 (CVSS 7.5) - Server: Connection Handling The only CVE from the June 2026 CPU affecting the 'mysql8.4' package. Remotely exploitable without authentication (DoS). The remaining 7 CVEs affect MySQL Shell (VS Code extension), MySQL Router, and NDB Cluster Operator — none of which are built or shipped by this package.

FEDORA-EPEL-2026-4245f60523 Packages in this update:

• haveged-1.9.26-1.el9

Update description:

Update to 1.9.26. Fixes two regressions introduced in 1.9.24:

• Fix 100% CPU spin when --no-command is used (BZ#2492029): socket_fd was uninitialized (defaulting to 0), causing the daemon loop to call accept4() on stdin in a tight loop.

• Fix initramfs switch-root failure caused by --no-command (BZ#2491739): add a separate haveged-initramfs.service for use inside the initramfs, so the switch-root mechanism works. Prevents emergency mode on systems where haveged was started but not enabled.

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-EPEL-2026-e6d245c837 Packages in this update:

• haveged-1.9.26-1.el10_3

Update description:

Update to 1.9.26. Fixes two regressions introduced in 1.9.24:

• Fix 100% CPU spin when --no-command is used (BZ#2492029): socket_fd was uninitialized (defaulting to 0), causing the daemon loop to call accept4() on stdin in a tight loop.

• Fix initramfs switch-root failure caused by --no-command (BZ#2491739): add a separate haveged-initramfs.service for use inside the initramfs, so the switch-root mechanism works. Prevents emergency mode on systems where haveged was started but not enabled.

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-EPEL-2026-e15fb7f042 Packages in this update:

• haveged-1.9.26-1.el10_2

Update description:

Update to 1.9.26. Fixes two regressions introduced in 1.9.24:

• Fix 100% CPU spin when --no-command is used (BZ#2492029): socket_fd was uninitialized (defaulting to 0), causing the daemon loop to call accept4() on stdin in a tight loop.

• Fix initramfs switch-root failure caused by --no-command (BZ#2491739): add a separate haveged-initramfs.service for use inside the initramfs, so the switch-root mechanism works. Prevents emergency mode on systems where haveged was started but not enabled.

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-2026-5ddd0941a8 Packages in this update:

• haveged-1.9.26-1.fc43

Update description:

Update to 1.9.26. Fixes two regressions introduced in 1.9.24:

• Fix 100% CPU spin when --no-command is used (BZ#2492029): socket_fd was uninitialized (defaulting to 0), causing the daemon loop to call accept4() on stdin in a tight loop.

• Fix initramfs switch-root failure caused by --no-command (BZ#2491739): add a separate haveged-initramfs.service for use inside the initramfs, so the switch-root mechanism works. Prevents emergency mode on systems where haveged was started but not enabled.

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-2026-28f26f5294 Packages in this update:

• haveged-1.9.26-1.fc44

Update description:

Update to 1.9.26. Fixes two regressions introduced in 1.9.24:

• Fix 100% CPU spin when --no-command is used (BZ#2492029): socket_fd was uninitialized (defaulting to 0), causing the daemon loop to call accept4() on stdin in a tight loop.

• Fix initramfs switch-root failure caused by --no-command (BZ#2491739): add a separate haveged-initramfs.service for use inside the initramfs, so the switch-root mechanism works. Prevents emergency mode on systems where haveged was started but not enabled.

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-EPEL-2026-6f59aff531 Packages in this update:

• caddy-2.10.2-9.el10_3

Update description:

Security update resolving 22 CVEs across both caddy itself and its vendored libraries.

FEDORA-EPEL-2026-74f2be0676 Packages in this update:

• haveged-1.9.25-1.el9

Update description:

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-EPEL-2026-40258434d5 Packages in this update:

• haveged-1.9.25-1.el10_3

Update description:

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-EPEL-2026-504948f7d0 Packages in this update:

• haveged-1.9.25-1.el10_2

Update description:

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-2026-6a17c7864b Packages in this update:

• haveged-1.9.25-1.fc43

Update description:

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-2026-cf1b1b3d16 Packages in this update:

• haveged-1.9.25-1.fc44

Update description:

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-2026-3dc324bd9a Packages in this update:

• caddy-2.10.2-9.fc43

Update description:

Security update resolving 22 CVEs across both caddy itself and its vendored libraries.

FEDORA-2026-950cac64f2 Packages in this update:

• caddy-2.10.2-9.fc44

Update description:

Security update resolving 17 CVEs across both caddy itself and its vendored libraries.

FEDORA-EPEL-2026-bbf13172b4 Packages in this update:

• rclone-1.74.3-1.el9

Update description:

Update to 1.74.3

FEDORA-EPEL-2026-81e83a9344 Packages in this update:

• rclone-1.74.3-1.el10_3

Update description:

Update to 1.74.3

FEDORA-EPEL-2026-46833e1dcc Packages in this update:

• rclone-1.74.3-1.el10_2

Update description:

Update to 1.74.3