Fedora Security Advisories

FEDORA-2026-504709cab7 Packages in this update:

• chromium-149.0.7827.196-1.fc44

Update description:

chromium-149.0.7827.196 security release

* CVE-2026-13028: Use after free in WebGL * CVE-2026-13032: Use after free in WebGL * CVE-2026-13033: Out of bounds read in Blink>InterestGroups * CVE-2026-13038: Use after free in Autofill * CVE-2026-13021: Inappropriate implementation in DeviceBoundSessionCredentials * CVE-2026-13022: Inappropriate implementation in Autofill * CVE-2026-13023: Uninitialized Use in GPU * CVE-2026-13024: Insufficient validation of untrusted input in Navigation * CVE-2026-13025: Insufficient validation of untrusted input in DevTools * CVE-2026-13026: Use after free in Digital Credentials * CVE-2026-13027: Use after free in FileSystem * CVE-2026-13029: Use after free in Web Authentication * CVE-2026-13030: Uninitialized Use in GPU * CVE-2026-13031: Use after free in Blink * CVE-2026-13034: Inappropriate implementation in Passwords * CVE-2026-13035: Use after free in Bluetooth * CVE-2026-13036: Use after free in Blink * CVE-2026-13037: Use after free in WebView

FEDORA-2026-ddd87cb1db Packages in this update:

• chromium-149.0.7827.196-1.fc43

Update description:

chromium-149.0.7827.196 security release

* CVE-2026-13028: Use after free in WebGL * CVE-2026-13032: Use after free in WebGL * CVE-2026-13033: Out of bounds read in Blink>InterestGroups * CVE-2026-13038: Use after free in Autofill * CVE-2026-13021: Inappropriate implementation in DeviceBoundSessionCredentials * CVE-2026-13022: Inappropriate implementation in Autofill * CVE-2026-13023: Uninitialized Use in GPU * CVE-2026-13024: Insufficient validation of untrusted input in Navigation * CVE-2026-13025: Insufficient validation of untrusted input in DevTools * CVE-2026-13026: Use after free in Digital Credentials * CVE-2026-13027: Use after free in FileSystem * CVE-2026-13029: Use after free in Web Authentication * CVE-2026-13030: Uninitialized Use in GPU * CVE-2026-13031: Use after free in Blink * CVE-2026-13034: Inappropriate implementation in Passwords * CVE-2026-13035: Use after free in Bluetooth * CVE-2026-13036: Use after free in Blink * CVE-2026-13037: Use after free in WebView

FEDORA-EPEL-2026-22a2204f6e Packages in this update:

• libssh2-1.11.1-8.el9

Update description:

This update addresses a couple of security issues, one of which could plausibly result in remote code execution.

FEDORA-EPEL-2026-f70a417c22 Packages in this update:

• libssh2-1.11.1-8.el10_2

Update description:

This update addresses a couple of security issues, one of which could plausibly result in remote code execution.

FEDORA-EPEL-2026-4ba0583f78 Packages in this update:

• libssh2-1.11.1-8.el10_3

Update description:

This update addresses a couple of security issues, one of which could plausibly result in remote code execution.

FEDORA-EPEL-2026-7a183ed9a6 Packages in this update:

• caddy-2.10.2-9.el10_2

Update description:

Security update resolving 22 CVEs across both caddy itself and its vendored libraries.

FEDORA-2026-ca858b3ed8 Packages in this update:

• libssh2-1.11.1-8.fc44

Update description:

This update addresses a couple of security issues, one of which could plausibly result in remote code execution.

FEDORA-2026-eed9e67393 Packages in this update:

• libssh2-1.11.1-8.fc43

Update description:

This update addresses a couple of security issues, one of which could plausibly result in remote code execution.

FEDORA-2026-1b15ac058b Packages in this update:

• cpp-httplib-0.48.0-1.fc44

Update description: Update to 0.48.0 (rhbz#2481109) Security fixes

• Complete the IP-host certificate identity fix from v0.47.0 for the Mbed TLS and wolfSSL backends. An IP-literal host is now authenticated only via a matching iPAddress SAN, never via the certificate's Common Name (RFC 9110) — matching what the OpenSSL backend already enforces through X509_check_ip. Previously these backends fell back to the CN when no IP SAN matched, and recognized IPv4 only; now IPv6 (16-byte) iPAddress SANs are matched as well, and the CN fallback is skipped for both IPv4 and IPv6 literal hosts (#2476)

Improvements

• Replace the strtod-based from_chars for double with a hand-written, locale-independent parser. The only double parsed by the library is the HTTP quality value; strtod reads the decimal separator from the global C locale, so an embedder calling setlocale(LC_ALL, "") into a comma-decimal locale would mis-parse q-values. The new parser always treats . as the decimal separator and is allocation-free (Fix #2475)
• Fix OpenSSL 4.0 deprecation warnings: fetch CA store objects via the thread-safe X509_STORE_get1_objects() (OpenSSL 3.3+) and extract the subject CN via X509_NAME_get_index_by_NID()/X509_NAME_get_entry() instead of the deprecated X509_STORE_get0_objects() and X509_NAME_get_text_by_NID(). Older OpenSSL, BoringSSL, and LibreSSL keep using the get0 path. Verified warning-free against OpenSSL 4.0.1, 3.6.2, and 3.0

Behavior changes

• decode_query_component() now uses strict hex parsing for percent-escapes, consistent with decode_uri_component() and decode_path_component(). A % followed by non-hex characters (e.g. a sign or whitespace such as %-1, %+5, % 5) is passed through literally instead of being accepted as a valid escape (#2472)

Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.48.0

Update to 0.47.0 (rhbz#2481109, CVE-2026-46527, CVE-2026-45372, CVE-2026-45352) Security fixes

• Fix TLS certificate chain verification bypass for IP-literal hosts on the Mbed TLS and wolfSSL backends: with server certificate verification enabled, SSLClient skipped chain validation entirely (any untrusted certificate with a matching IP SAN was accepted), and WebSocketClient on Mbed TLS skipped verification altogether. Chain verification now stays enabled for IP hosts, and certificate identity is verified post-handshake against IP SANs on all backends. SNI is no longer sent for IP hosts on Mbed TLS and wolfSSL, per RFC 6066 (CVE-2026-54919)

New features

• Add Server::set_start_handler(): a callback invoked when the server is ready to accept connections, useful when running the server in a background thread (#2467)
• Add Client/SSLClient/WebSocketClient::enable_system_ca(bool) to opt into loading system CA certificates alongside a custom CA. The default is unchanged: a custom CA remains exclusive. The setting carries over to clients created for HTTPS redirects (#2471)
• Add WebSocketClient::set_hostname_addr_map() to connect to a specific IP address while keeping the original hostname for the handshake and certificate verification (#2463)

Behavior changes

• The request body is now read after route matching and the pre-request handler, so both the regular handler and ContentReader paths behave the same: route matching → pre-request handler → body read → handler. A request rejected by the pre-request handler (e.g. failed per-route authentication via req.matched_route) no longer buffers the body at all. Note: code that referenced req.body or body-derived form fields inside the pre-request handler will now see an empty body; inspect headers, path, query parameters, or matched_route instead
• WebSocketClient with a custom CA no longer merges system CA certificates (it previously always merged them). This matches SSLClient behavior; call enable_system_ca(true) to load system CA certificates alongside the custom CA
• Range request headers are now ignored for streaming responses of unknown length instead of producing an invalid response (#2465)

Bug fixes

• Fix SSLClient::set_ca_cert_store() breaking custom-CA exclusivity: system CA certificates were silently merged into the user-provided store, broadening the trust set. Also fix Client::load_ca_cert_store() not carrying CA certificates over to clients created for HTTPS redirects
• Fix WebSocketClient dropping the query string from the URL during the upgrade handshake, so query parameters (e.g. auth tokens) are sent (#2468)
• Fix a use-after-free when reconnecting a WebSocketClient after set_ca_cert_store(), and a memory leak in the Mbed TLS and wolfSSL set_ca_cert_store() backends
• Fix MSVC warning C4309 (truncation of constant value) in SHA padding code (#2464)
• Cast to unsigned char before ctype calls in is_hex and is_token_char to avoid undefined behavior with negative char values (#2469)

Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.47.0

FEDORA-2026-1d4bd0354a Packages in this update:

• cpp-httplib-0.48.0-1.fc43

Update description: Update to 0.48.0 (rhbz#2481109) Security fixes

• Complete the IP-host certificate identity fix from v0.47.0 for the Mbed TLS and wolfSSL backends. An IP-literal host is now authenticated only via a matching iPAddress SAN, never via the certificate's Common Name (RFC 9110) — matching what the OpenSSL backend already enforces through X509_check_ip. Previously these backends fell back to the CN when no IP SAN matched, and recognized IPv4 only; now IPv6 (16-byte) iPAddress SANs are matched as well, and the CN fallback is skipped for both IPv4 and IPv6 literal hosts (#2476)

Improvements

• Replace the strtod-based from_chars for double with a hand-written, locale-independent parser. The only double parsed by the library is the HTTP quality value; strtod reads the decimal separator from the global C locale, so an embedder calling setlocale(LC_ALL, "") into a comma-decimal locale would mis-parse q-values. The new parser always treats . as the decimal separator and is allocation-free (Fix #2475)
• Fix OpenSSL 4.0 deprecation warnings: fetch CA store objects via the thread-safe X509_STORE_get1_objects() (OpenSSL 3.3+) and extract the subject CN via X509_NAME_get_index_by_NID()/X509_NAME_get_entry() instead of the deprecated X509_STORE_get0_objects() and X509_NAME_get_text_by_NID(). Older OpenSSL, BoringSSL, and LibreSSL keep using the get0 path. Verified warning-free against OpenSSL 4.0.1, 3.6.2, and 3.0

Behavior changes

• decode_query_component() now uses strict hex parsing for percent-escapes, consistent with decode_uri_component() and decode_path_component(). A % followed by non-hex characters (e.g. a sign or whitespace such as %-1, %+5, % 5) is passed through literally instead of being accepted as a valid escape (#2472)

Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.48.0

Update to 0.47.0 (rhbz#2481109, CVE-2026-46527, CVE-2026-45372, CVE-2026-45352) Security fixes

• Fix TLS certificate chain verification bypass for IP-literal hosts on the Mbed TLS and wolfSSL backends: with server certificate verification enabled, SSLClient skipped chain validation entirely (any untrusted certificate with a matching IP SAN was accepted), and WebSocketClient on Mbed TLS skipped verification altogether. Chain verification now stays enabled for IP hosts, and certificate identity is verified post-handshake against IP SANs on all backends. SNI is no longer sent for IP hosts on Mbed TLS and wolfSSL, per RFC 6066 (CVE-2026-54919)

New features

• Add Server::set_start_handler(): a callback invoked when the server is ready to accept connections, useful when running the server in a background thread (#2467)
• Add Client/SSLClient/WebSocketClient::enable_system_ca(bool) to opt into loading system CA certificates alongside a custom CA. The default is unchanged: a custom CA remains exclusive. The setting carries over to clients created for HTTPS redirects (#2471)
• Add WebSocketClient::set_hostname_addr_map() to connect to a specific IP address while keeping the original hostname for the handshake and certificate verification (#2463)

Behavior changes

• The request body is now read after route matching and the pre-request handler, so both the regular handler and ContentReader paths behave the same: route matching → pre-request handler → body read → handler. A request rejected by the pre-request handler (e.g. failed per-route authentication via req.matched_route) no longer buffers the body at all. Note: code that referenced req.body or body-derived form fields inside the pre-request handler will now see an empty body; inspect headers, path, query parameters, or matched_route instead
• WebSocketClient with a custom CA no longer merges system CA certificates (it previously always merged them). This matches SSLClient behavior; call enable_system_ca(true) to load system CA certificates alongside the custom CA
• Range request headers are now ignored for streaming responses of unknown length instead of producing an invalid response (#2465)

Bug fixes

• Fix SSLClient::set_ca_cert_store() breaking custom-CA exclusivity: system CA certificates were silently merged into the user-provided store, broadening the trust set. Also fix Client::load_ca_cert_store() not carrying CA certificates over to clients created for HTTPS redirects
• Fix WebSocketClient dropping the query string from the URL during the upgrade handshake, so query parameters (e.g. auth tokens) are sent (#2468)
• Fix a use-after-free when reconnecting a WebSocketClient after set_ca_cert_store(), and a memory leak in the Mbed TLS and wolfSSL set_ca_cert_store() backends
• Fix MSVC warning C4309 (truncation of constant value) in SHA padding code (#2464)
• Cast to unsigned char before ctype calls in is_hex and is_token_char to avoid undefined behavior with negative char values (#2469)

Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.47.0

FEDORA-2026-cda0c20ce0 Packages in this update:

• thunderbird-152.0-1.fc44

Update description:

Update to latest upstream version

FEDORA-2026-2fb5ca48a2 Packages in this update:

• thunderbird-152.0-2.fc43

Update description:

Update to latest upstream version

Update to latest upstream version.

FEDORA-2026-8c7f5e32c5 Packages in this update:

• mysql8.4-8.4.10-1.fc44

Update description:

MySQL 8.4.10

Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.4/en/news-8-4-10.html Upstream changelog: https://dev.mysql.com/doc/relnotes/mysql/8.4/en/ Oracle Critical Security Patch Update - June 2026: https://www.oracle.com/security-alerts/cspujun2026.html#AppendixMSQL CVE-2026-46863 (CVSS 7.5) - Server: Connection Handling The only CVE from the June 2026 CPU affecting the 'mysql8.4' package. Remotely exploitable without authentication (DoS). The remaining 7 CVEs affect MySQL Shell (VS Code extension), MySQL Router, and NDB Cluster Operator — none of which are built or shipped by this package.

FEDORA-2026-280245e2ea Packages in this update:

• mysql8.4-8.4.10-1.fc43

Update description:

MySQL 8.4.10

Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.4/en/news-8-4-10.html Upstream changelog: https://dev.mysql.com/doc/relnotes/mysql/8.4/en/ Oracle Critical Security Patch Update - June 2026: https://www.oracle.com/security-alerts/cspujun2026.html#AppendixMSQL CVE-2026-46863 (CVSS 7.5) - Server: Connection Handling The only CVE from the June 2026 CPU affecting the 'mysql8.4' package. Remotely exploitable without authentication (DoS). The remaining 7 CVEs affect MySQL Shell (VS Code extension), MySQL Router, and NDB Cluster Operator — none of which are built or shipped by this package.

FEDORA-EPEL-2026-4245f60523 Packages in this update:

• haveged-1.9.26-1.el9

Update description:

Update to 1.9.26. Fixes two regressions introduced in 1.9.24:

• Fix 100% CPU spin when --no-command is used (BZ#2492029): socket_fd was uninitialized (defaulting to 0), causing the daemon loop to call accept4() on stdin in a tight loop.

• Fix initramfs switch-root failure caused by --no-command (BZ#2491739): add a separate haveged-initramfs.service for use inside the initramfs, so the switch-root mechanism works. Prevents emergency mode on systems where haveged was started but not enabled.

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-EPEL-2026-e6d245c837 Packages in this update:

• haveged-1.9.26-1.el10_3

Update description:

Update to 1.9.26. Fixes two regressions introduced in 1.9.24:

• Fix 100% CPU spin when --no-command is used (BZ#2492029): socket_fd was uninitialized (defaulting to 0), causing the daemon loop to call accept4() on stdin in a tight loop.

• Fix initramfs switch-root failure caused by --no-command (BZ#2491739): add a separate haveged-initramfs.service for use inside the initramfs, so the switch-root mechanism works. Prevents emergency mode on systems where haveged was started but not enabled.

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-EPEL-2026-e15fb7f042 Packages in this update:

• haveged-1.9.26-1.el10_2

Update description:

Update to 1.9.26. Fixes two regressions introduced in 1.9.24:

• Fix 100% CPU spin when --no-command is used (BZ#2492029): socket_fd was uninitialized (defaulting to 0), causing the daemon loop to call accept4() on stdin in a tight loop.

• Fix initramfs switch-root failure caused by --no-command (BZ#2491739): add a separate haveged-initramfs.service for use inside the initramfs, so the switch-root mechanism works. Prevents emergency mode on systems where haveged was started but not enabled.

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-2026-5ddd0941a8 Packages in this update:

• haveged-1.9.26-1.fc43

Update description:

Update to 1.9.26. Fixes two regressions introduced in 1.9.24:

• Fix 100% CPU spin when --no-command is used (BZ#2492029): socket_fd was uninitialized (defaulting to 0), causing the daemon loop to call accept4() on stdin in a tight loop.

• Fix initramfs switch-root failure caused by --no-command (BZ#2491739): add a separate haveged-initramfs.service for use inside the initramfs, so the switch-root mechanism works. Prevents emergency mode on systems where haveged was started but not enabled.

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-2026-28f26f5294 Packages in this update:

• haveged-1.9.26-1.fc44

Update description:

Update to 1.9.26. Fixes two regressions introduced in 1.9.24:

• Fix 100% CPU spin when --no-command is used (BZ#2492029): socket_fd was uninitialized (defaulting to 0), causing the daemon loop to call accept4() on stdin in a tight loop.

• Fix initramfs switch-root failure caused by --no-command (BZ#2491739): add a separate haveged-initramfs.service for use inside the initramfs, so the switch-root mechanism works. Prevents emergency mode on systems where haveged was started but not enabled.

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-EPEL-2026-6f59aff531 Packages in this update:

• caddy-2.10.2-9.el10_3

Update description:

Security update resolving 22 CVEs across both caddy itself and its vendored libraries.