Fedora Security Advisories

pie-1.4.5-1.fc44

Fedora Security Advisories
3 hours 3 minutes ago
FEDORA-2026-e5d5fc359d Packages in this update:
  • pie-1.4.5-1.fc44
Update description: Version 1.4.5

This release contains vulnerability fixes for the following security advisories:

  • GHSA-h842-vjwg-pxxx - Sudo-elevated arbitrary file deletion via extra.pie-installed-binary metadata in UninstallUsingUnlink
  • GHSA-pm6p-666q-hvj5 - Sudo-elevated root code execution via TOCTOU between self-update verify and write
  • GHSA-f67f-c344-cqqr - PIE self-update accepts any historically-attested pie.phar (rollback gap)
  • GHSA-vcv4-gmjc-mxvq - php-ext.build-path traversal escapes PIE's vendor extract directory
  • GHSA-8xmh-xrvp-hwrf - WindowsInstall::copyExtraFile lacks destination containment check (Windows-only path traversal)
  • GHSA-p4j8-36rr-gjfq - Self-update attestation verification is scoped to --owner=php, not --repo=php/pie

pie-1.4.5-1.el10_2

Fedora Security Advisories
3 hours 3 minutes ago
FEDORA-EPEL-2026-4114f4323c Packages in this update:
  • pie-1.4.5-1.el10_2
Update description: Version 1.4.5

This release contains vulnerability fixes for the following security advisories:

  • GHSA-h842-vjwg-pxxx - Sudo-elevated arbitrary file deletion via extra.pie-installed-binary metadata in UninstallUsingUnlink
  • GHSA-pm6p-666q-hvj5 - Sudo-elevated root code execution via TOCTOU between self-update verify and write
  • GHSA-f67f-c344-cqqr - PIE self-update accepts any historically-attested pie.phar (rollback gap)
  • GHSA-vcv4-gmjc-mxvq - php-ext.build-path traversal escapes PIE's vendor extract directory
  • GHSA-8xmh-xrvp-hwrf - WindowsInstall::copyExtraFile lacks destination containment check (Windows-only path traversal)
  • GHSA-p4j8-36rr-gjfq - Self-update attestation verification is scoped to --owner=php, not --repo=php/pie

pie-1.4.5-1.el10_3

Fedora Security Advisories
3 hours 3 minutes ago
FEDORA-EPEL-2026-e9a72cc7ed Packages in this update:
  • pie-1.4.5-1.el10_3
Update description: Version 1.4.5

This release contains vulnerability fixes for the following security advisories:

  • GHSA-h842-vjwg-pxxx - Sudo-elevated arbitrary file deletion via extra.pie-installed-binary metadata in UninstallUsingUnlink
  • GHSA-pm6p-666q-hvj5 - Sudo-elevated root code execution via TOCTOU between self-update verify and write
  • GHSA-f67f-c344-cqqr - PIE self-update accepts any historically-attested pie.phar (rollback gap)
  • GHSA-vcv4-gmjc-mxvq - php-ext.build-path traversal escapes PIE's vendor extract directory
  • GHSA-8xmh-xrvp-hwrf - WindowsInstall::copyExtraFile lacks destination containment check (Windows-only path traversal)
  • GHSA-p4j8-36rr-gjfq - Self-update attestation verification is scoped to --owner=php, not --repo=php/pie

pie-1.4.5-1.fc43

Fedora Security Advisories
3 hours 3 minutes ago
FEDORA-2026-b2fe14ec86 Packages in this update:
  • pie-1.4.5-1.fc43
Update description: Version 1.4.5

This release contains vulnerability fixes for the following security advisories:

  • GHSA-h842-vjwg-pxxx - Sudo-elevated arbitrary file deletion via extra.pie-installed-binary metadata in UninstallUsingUnlink
  • GHSA-pm6p-666q-hvj5 - Sudo-elevated root code execution via TOCTOU between self-update verify and write
  • GHSA-f67f-c344-cqqr - PIE self-update accepts any historically-attested pie.phar (rollback gap)
  • GHSA-vcv4-gmjc-mxvq - php-ext.build-path traversal escapes PIE's vendor extract directory
  • GHSA-8xmh-xrvp-hwrf - WindowsInstall::copyExtraFile lacks destination containment check (Windows-only path traversal)
  • GHSA-p4j8-36rr-gjfq - Self-update attestation verification is scoped to --owner=php, not --repo=php/pie

libpng-1.6.58-1.fc43

Fedora Security Advisories
12 hours 49 minutes ago
FEDORA-2026-a109a9ac2c Packages in this update:
  • libpng-1.6.58-1.fc43
Update description:
  • updated to 1.6.58
  • 1.6.58 is released with a fix for a simple correctness bug (not a security issue) this time: png_get_PLTE() returns stale palette data when either gamma correction or alpha-compositing is the only transform applied. Like the issues addressed in the previous release, this bug was a regression introduced in the fix for CVE-2026-33416 in 1.6.56.
  • 1.6.57 is released with fixes for the following security vulnerability:
  • CVE-2026-34757 (medium severity): Use-after-free memory bug in the chunk setter API. The hIST variant has existed since version 1.0.9, but the PLTE and tRNS ones are regressions introduced in the fix for CVE-2026-33416 in 1.6.56 (oops).

libpng-1.6.58-1.fc42

Fedora Security Advisories
12 hours 49 minutes ago
FEDORA-2026-9a678a08c8 Packages in this update:
  • libpng-1.6.58-1.fc42
Update description:
  • updated to 1.6.58
  • 1.6.58 is released with a fix for a simple correctness bug (not a security issue) this time: png_get_PLTE() returns stale palette data when either gamma correction or alpha-compositing is the only transform applied. Like the issues addressed in the previous release, this bug was a regression introduced in the fix for CVE-2026-33416 in 1.6.56.
  • 1.6.57 is released with fixes for the following security vulnerability:
  • CVE-2026-34757 (medium severity): Use-after-free memory bug in the chunk setter API. The hIST variant has existed since version 1.0.9, but the PLTE and tRNS ones are regressions introduced in the fix for CVE-2026-33416 in 1.6.56 (oops).

libpng-1.6.58-1.fc44

Fedora Security Advisories
12 hours 49 minutes ago
FEDORA-2026-67c1138ed2 Packages in this update:
  • libpng-1.6.58-1.fc44
Update description:
  • updated to 1.6.58
  • 1.6.58 is released with a fix for a simple correctness bug (not a security issue) this time: png_get_PLTE() returns stale palette data when either gamma correction or alpha-compositing is the only transform applied. Like the issues addressed in the previous release, this bug was a regression introduced in the fix for CVE-2026-33416 in 1.6.56.
  • 1.6.57 is released with fixes for the following security vulnerability:
  • CVE-2026-34757 (medium severity): Use-after-free memory bug in the chunk setter API. The hIST variant has existed since version 1.0.9, but the PLTE and tRNS ones are regressions introduced in the fix for CVE-2026-33416 in 1.6.56 (oops).

roundcubemail-1.6.16-1.el10_3

Fedora Security Advisories
14 hours 5 minutes ago
FEDORA-EPEL-2026-05f02b89ad Packages in this update:
  • roundcubemail-1.6.16-1.el10_3
Update description: Release 1.6.16
  • Fix potential too long value in IMAP ID command (#10136)
  • Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
  • Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">
  • Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass
  • Security: Fix SSRF bypass via specific local address URLs
  • Security: Fix bypass of remote image blocking via CSS var()
  • Security: Fix local/private URL fetch bypass when remote resources were not allowed
  • Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
  • Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option

roundcubemail-1.6.16-1.fc43

Fedora Security Advisories
14 hours 5 minutes ago
FEDORA-2026-07ee097ffe Packages in this update:
  • roundcubemail-1.6.16-1.fc43
Update description: Release 1.6.16
  • Fix potential too long value in IMAP ID command (#10136)
  • Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
  • Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">
  • Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass
  • Security: Fix SSRF bypass via specific local address URLs
  • Security: Fix bypass of remote image blocking via CSS var()
  • Security: Fix local/private URL fetch bypass when remote resources were not allowed
  • Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
  • Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option

roundcubemail-1.6.16-1.el10_2

Fedora Security Advisories
14 hours 5 minutes ago
FEDORA-EPEL-2026-aa33047e8e Packages in this update:
  • roundcubemail-1.6.16-1.el10_2
Update description: Release 1.6.16
  • Fix potential too long value in IMAP ID command (#10136)
  • Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
  • Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">
  • Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass
  • Security: Fix SSRF bypass via specific local address URLs
  • Security: Fix bypass of remote image blocking via CSS var()
  • Security: Fix local/private URL fetch bypass when remote resources were not allowed
  • Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
  • Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option

vim-9.2.530-1.fc43

Fedora Security Advisories
1 day 7 hours ago
FEDORA-2026-75b5ddf8c3 Packages in this update:
  • vim-9.2.530-1.fc43
Update description:

keep GTK4 in rawhide for now

switch to GTK4 for GVim

Fix CVE-2026-46483

bind-9.18.49-1.fc42 bind-dyndb-ldap-11.11-12.fc42

Fedora Security Advisories
1 day 8 hours ago
FEDORA-2026-f3e466ea26 Packages in this update:
  • bind-9.18.49-1.fc42
  • bind-dyndb-ldap-11.11-12.fc42
Update description: Update to 9.18.49 (rhbz#2480121) Security Fixes: Feature Changes:
  • Fix CPU spikes and slow queries when cache approaches memory limit.
Bug Fixes:
  • Fix named crash when processing SIG records in dynamic updates.
  • Fix rndc modzone behavior for a zone in named.conf.
  • Fix zone verification of NSEC3 signed zones.
  • Prevent a crash when using both dns64 and filter-aaaa.
  • Fixed an assertion failure when processing catalog zones.
  • Prevent malicious DNSSEC zones from exhausting validator CPU.
  • Fix rndc-confgen aborting on HMAC-SHA-384/512 keys above 512 bits.
  • Prevent crafted queries from degrading RRL performance.
  • Fix a bug in allow-query/allow-transfer catalog zone custom properties.
  • Fix a memory leak issue in catalog zones.
  • Fix suppressed missing-glue check in named-checkzone.
  • Reject record sets too large to serve in DNS.

Source: https://downloads.isc.org/isc/bind9/9.18.49/doc/arm/html/notes.html#notes-for-bind-9-18-49

roundcubemail-1.7.1-1.fc44

Fedora Security Advisories
1 day 12 hours ago
FEDORA-2026-2b956d89d3 Packages in this update:
  • roundcubemail-1.7.1-1.fc44
Update description: Release 1.7.1
  • Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314)
  • Managesieve: Fix error when a mail message contains duplicate List-Id header (#10186)
  • Clarified Elastic installation instructions (#10163)
  • Added HTMLFormElement.requestSubmit() polyfill for older browsers (#10179)
  • Fix so "has:attachment" search uses $HasAttachment/$HasNoAttachment keywords (#10168)
  • Fix potential too long value in IMAP ID command (#10136)
  • Fix redis/memcache disconnection in rcube::sleep() (#10127)
  • Fix so static resources, e.g. skin_logo can be put inside the public_html directory (#10160)
  • Fix so REQUEST_URI is used as a fallback if PATH_INFO is not set in static.php (#10181)
  • Fix assets_path feature and remove dependency on PATH_INFO (#10185)
  • Fix MySQL upgrade on MySQL < 8.0 and MariaDB < 10.5.3 (#10188)
  • Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
  • Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">
  • Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass
  • Security: Fix SSRF bypass via specific local address URLs
  • Security: Fix bypass of remote image blocking via CSS var()
  • Security: Fix local/private URL fetch bypass when remote resources were not allowed
  • Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
  • Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option
Checked
40 minutes 41 seconds ago
URL
https://bodhi.fedoraproject.org/rss/updates/?type=security