Fedora Security Advisories

mariadb11.8-11.8.8-1.fc43

Fedora Security Advisories
6 hours 56 minutes ago
FEDORA-2026-c39d84e105 Packages in this update:
  • mariadb11.8-11.8.8-1.fc43
Update description:

MariaDB 11.8.8

Upstream Release notes: https://mariadb.com/docs/release-notes/community-server/11.8/11.8.8 Upstream Changelog: https://mariadb.com/docs/release-notes/community-server/changelogs/11.8/11.8.8 Fixes CVEs: CVE-2026-49261 CVE-2026-48165 CVE-2026-48163 CVE-2026-44173 CVE-2026-44172 CVE-2026-44171 CVE-2026-44170 CVE-2026-44169 CVE-2026-44168

mariadb11.8-11.8.8-3.fc44

Fedora Security Advisories
6 hours 56 minutes ago
FEDORA-2026-3fdd0e930d Packages in this update:
  • mariadb11.8-11.8.8-3.fc44
Update description:

MariaDB 11.8.8

Upstream Release notes: https://mariadb.com/docs/release-notes/community-server/11.8/11.8.8 Upstream Changelog: https://mariadb.com/docs/release-notes/community-server/changelogs/11.8/11.8.8 Fixes CVEs: CVE-2026-49261 CVE-2026-48165 CVE-2026-48163 CVE-2026-44173 CVE-2026-44172 CVE-2026-44171 CVE-2026-44170 CVE-2026-44169 CVE-2026-44168

nsd-4.14.3-1.fc43

Fedora Security Advisories
7 hours 30 minutes ago
FEDORA-2026-2843bb1cc8 Packages in this update:
  • nsd-4.14.3-1.fc43
Update description:
  • Fix for CVE-2026-12244: A specially crafted SVCB RR can cause a heap overflow of up to 65509 attacker controlled bytes. Thanks to Qifan Zhang, Palo Alto Networks for the report https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12244.txt
  • Fix for CVE-2026-12245: If NSD is configured with DNS over TLS, a client that performs a TLS action, closing the connection early, causes a crash and restart of the server process. An attacker can keep all children in a crash-restart loop denying DoT service. Thanks to Qifan Zhang, Palo Alto Networks for the report. https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12245.txt
  • Fix for CVE-2026-12246: The RR type APL rdata address, if too large, causes out of bounds write on the stack, when the zonefile is written out. Thanks to Qifan Zhang from Palo Alto Networks, Haruki Oyama from Waseda University and zhangph for the report. https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12246.txt
  • Fix for CVE-2026-12490: Secondaries authenticated by a client certificate to transfer a zone over TLS, can bypass verification by transferring over TCP. Thanks to Qifan Zhang, Palo Alto Networks for the report. https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12490.txt

nsd-4.14.3-1.fc44

Fedora Security Advisories
7 hours 30 minutes ago
FEDORA-2026-dd3a7926a3 Packages in this update:
  • nsd-4.14.3-1.fc44
Update description:
  • Fix for CVE-2026-12244: A specially crafted SVCB RR can cause a heap overflow of up to 65509 attacker controlled bytes. Thanks to Qifan Zhang, Palo Alto Networks for the report https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12244.txt
  • Fix for CVE-2026-12245: If NSD is configured with DNS over TLS, a client that performs a TLS action, closing the connection early, causes a crash and restart of the server process. An attacker can keep all children in a crash-restart loop denying DoT service. Thanks to Qifan Zhang, Palo Alto Networks for the report. https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12245.txt
  • Fix for CVE-2026-12246: The RR type APL rdata address, if too large, causes out of bounds write on the stack, when the zonefile is written out. Thanks to Qifan Zhang from Palo Alto Networks, Haruki Oyama from Waseda University and zhangph for the report. https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12246.txt
  • Fix for CVE-2026-12490: Secondaries authenticated by a client certificate to transfer a zone over TLS, can bypass verification by transferring over TCP. Thanks to Qifan Zhang, Palo Alto Networks for the report. https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12490.txt

python-streamlink-8.4.0-1.fc43

Fedora Security Advisories
7 hours 33 minutes ago
FEDORA-2026-4d6aae2d33 Packages in this update:
  • python-streamlink-8.4.0-1.fc43
Update description: streamlink 8.4.0 (2026-05-06)
  • SECURITY: fixed arbitrary local file read via file:// URI in HLS and DASH (CVE-2026-44353 / GHSA-hgqw-6m45-hw5f)
  • Added: --stream-passthrough-encrypted for passing through encrypted HLS/DASH segments to the output stream without any checks (#6896)
  • Fixed: --interface selection by name on macOS (#6908)
  • Fixed: --interface not being applied to adapters mounted after session init (#6915)
  • Updated plugins:
  • goltelevision: rewritten and fixed plugin (#6916)
  • twitcasting: improved ad segment filtering (#6910)

Full changelog

streamlink 8.3.0 (2026-04-10)
  • Added: support for choosing the --interface by name on non-Windows systems, with optional prefixes, similar to curl (#6862)
  • Added: support for also checking stream segments in HLSStream.parse_variant_playlist() by setting check_streams="segments" (#6878)
  • Fixed: stdout/stderr streams in ProcessOutput not being fully line-buffered (#6868)
  • Updated plugins:
  • cdnbg: rewritten and fixed plugin (#6890)
  • nicolive: added websocket reconnect attempts on HLS decryption key retrieval failure (#6871)
  • soop: migrated to sooplive.com (#6876)
  • telefe: rewritten and fixed plugin (#6891)

Full changelog

python-streamlink-8.4.0-1.fc44

Fedora Security Advisories
7 hours 33 minutes ago
FEDORA-2026-b9232006bb Packages in this update:
  • python-streamlink-8.4.0-1.fc44
Update description: streamlink 8.4.0 (2026-05-06)
  • SECURITY: fixed arbitrary local file read via file:// URI in HLS and DASH (CVE-2026-44353 / GHSA-hgqw-6m45-hw5f)
  • Added: --stream-passthrough-encrypted for passing through encrypted HLS/DASH segments to the output stream without any checks (#6896)
  • Fixed: --interface selection by name on macOS (#6908)
  • Fixed: --interface not being applied to adapters mounted after session init (#6915)
  • Updated plugins:
  • goltelevision: rewritten and fixed plugin (#6916)
  • twitcasting: improved ad segment filtering (#6910)

Full changelog

streamlink 8.3.0 (2026-04-10)
  • Added: support for choosing the --interface by name on non-Windows systems, with optional prefixes, similar to curl (#6862)
  • Added: support for also checking stream segments in HLSStream.parse_variant_playlist() by setting check_streams="segments" (#6878)
  • Fixed: stdout/stderr streams in ProcessOutput not being fully line-buffered (#6868)
  • Updated plugins:
  • cdnbg: rewritten and fixed plugin (#6890)
  • nicolive: added websocket reconnect attempts on HLS decryption key retrieval failure (#6871)
  • soop: migrated to sooplive.com (#6876)
  • telefe: rewritten and fixed plugin (#6891)

Full changelog

chromium-149.0.7827.196-1.el10_3

Fedora Security Advisories
19 hours 41 minutes ago
FEDORA-EPEL-2026-b2d0fa716d Packages in this update:
  • chromium-149.0.7827.196-1.el10_3
Update description:

149.0.7827.196 security release

* CVE-2026-13028: Use after free in WebGL * CVE-2026-13032: Use after free in WebGL * CVE-2026-13033: Out of bounds read in Blink>InterestGroups * CVE-2026-13038: Use after free in Autofill * CVE-2026-13021: Inappropriate implementation in DeviceBoundSessionCredentials * CVE-2026-13022: Inappropriate implementation in Autofill * CVE-2026-13023: Uninitialized Use in GPU * CVE-2026-13024: Insufficient validation of untrusted input in Navigation * CVE-2026-13025: Insufficient validation of untrusted input in DevTools * CVE-2026-13026: Use after free in Digital Credentials * CVE-2026-13027: Use after free in FileSystem * CVE-2026-13029: Use after free in Web Authentication * CVE-2026-13030: Uninitialized Use in GPU * CVE-2026-13031: Use after free in Blink * CVE-2026-13034: Inappropriate implementation in Passwords * CVE-2026-13035: Use after free in Bluetooth * CVE-2026-13036: Use after free in Blink * CVE-2026-13037: Use after free in WebView

chromium-149.0.7827.196-1.el9

Fedora Security Advisories
19 hours 41 minutes ago
FEDORA-EPEL-2026-262f68b5b5 Packages in this update:
  • chromium-149.0.7827.196-1.el9
Update description:

149.0.7827.196 security release

* CVE-2026-13028: Use after free in WebGL * CVE-2026-13032: Use after free in WebGL * CVE-2026-13033: Out of bounds read in Blink>InterestGroups * CVE-2026-13038: Use after free in Autofill * CVE-2026-13021: Inappropriate implementation in DeviceBoundSessionCredentials * CVE-2026-13022: Inappropriate implementation in Autofill * CVE-2026-13023: Uninitialized Use in GPU * CVE-2026-13024: Insufficient validation of untrusted input in Navigation * CVE-2026-13025: Insufficient validation of untrusted input in DevTools * CVE-2026-13026: Use after free in Digital Credentials * CVE-2026-13027: Use after free in FileSystem * CVE-2026-13029: Use after free in Web Authentication * CVE-2026-13030: Uninitialized Use in GPU * CVE-2026-13031: Use after free in Blink * CVE-2026-13034: Inappropriate implementation in Passwords * CVE-2026-13035: Use after free in Bluetooth * CVE-2026-13036: Use after free in Blink * CVE-2026-13037: Use after free in WebView

chromium-149.0.7827.196-1.el10_2

Fedora Security Advisories
19 hours 41 minutes ago
FEDORA-EPEL-2026-b9cf5268bd Packages in this update:
  • chromium-149.0.7827.196-1.el10_2
Update description:

149.0.7827.196 security release

* CVE-2026-13028: Use after free in WebGL * CVE-2026-13032: Use after free in WebGL * CVE-2026-13033: Out of bounds read in Blink>InterestGroups * CVE-2026-13038: Use after free in Autofill * CVE-2026-13021: Inappropriate implementation in DeviceBoundSessionCredentials * CVE-2026-13022: Inappropriate implementation in Autofill * CVE-2026-13023: Uninitialized Use in GPU * CVE-2026-13024: Insufficient validation of untrusted input in Navigation * CVE-2026-13025: Insufficient validation of untrusted input in DevTools * CVE-2026-13026: Use after free in Digital Credentials * CVE-2026-13027: Use after free in FileSystem * CVE-2026-13029: Use after free in Web Authentication * CVE-2026-13030: Uninitialized Use in GPU * CVE-2026-13031: Use after free in Blink * CVE-2026-13034: Inappropriate implementation in Passwords * CVE-2026-13035: Use after free in Bluetooth * CVE-2026-13036: Use after free in Blink * CVE-2026-13037: Use after free in WebView

cpp-httplib-0.48.0-1.el9

Fedora Security Advisories
1 day 4 hours ago
FEDORA-EPEL-2026-a7b8aa88eb Packages in this update:
  • cpp-httplib-0.48.0-1.el9
Update description: Update to 0.48.0 (rhbz#2481109) Security fixes
  • Complete the IP-host certificate identity fix from v0.47.0 for the Mbed TLS and wolfSSL backends. An IP-literal host is now authenticated only via a matching iPAddress SAN, never via the certificate's Common Name (RFC 9110) — matching what the OpenSSL backend already enforces through X509_check_ip. Previously these backends fell back to the CN when no IP SAN matched, and recognized IPv4 only; now IPv6 (16-byte) iPAddress SANs are matched as well, and the CN fallback is skipped for both IPv4 and IPv6 literal hosts (#2476)
Improvements
  • Replace the strtod-based from_chars for double with a hand-written, locale-independent parser. The only double parsed by the library is the HTTP quality value; strtod reads the decimal separator from the global C locale, so an embedder calling setlocale(LC_ALL, "") into a comma-decimal locale would mis-parse q-values. The new parser always treats . as the decimal separator and is allocation-free (Fix #2475)
  • Fix OpenSSL 4.0 deprecation warnings: fetch CA store objects via the thread-safe X509_STORE_get1_objects() (OpenSSL 3.3+) and extract the subject CN via X509_NAME_get_index_by_NID()/X509_NAME_get_entry() instead of the deprecated X509_STORE_get0_objects() and X509_NAME_get_text_by_NID(). Older OpenSSL, BoringSSL, and LibreSSL keep using the get0 path. Verified warning-free against OpenSSL 4.0.1, 3.6.2, and 3.0
Behavior changes
  • decode_query_component() now uses strict hex parsing for percent-escapes, consistent with decode_uri_component() and decode_path_component(). A % followed by non-hex characters (e.g. a sign or whitespace such as %-1, %+5, % 5) is passed through literally instead of being accepted as a valid escape (#2472)

Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.48.0

Update to 0.47.0 (rhbz#2481109, CVE-2026-46527, CVE-2026-45372, CVE-2026-45352) Security fixes
  • Fix TLS certificate chain verification bypass for IP-literal hosts on the Mbed TLS and wolfSSL backends: with server certificate verification enabled, SSLClient skipped chain validation entirely (any untrusted certificate with a matching IP SAN was accepted), and WebSocketClient on Mbed TLS skipped verification altogether. Chain verification now stays enabled for IP hosts, and certificate identity is verified post-handshake against IP SANs on all backends. SNI is no longer sent for IP hosts on Mbed TLS and wolfSSL, per RFC 6066 (CVE-2026-54919)
New features
  • Add Server::set_start_handler(): a callback invoked when the server is ready to accept connections, useful when running the server in a background thread (#2467)
  • Add Client/SSLClient/WebSocketClient::enable_system_ca(bool) to opt into loading system CA certificates alongside a custom CA. The default is unchanged: a custom CA remains exclusive. The setting carries over to clients created for HTTPS redirects (#2471)
  • Add WebSocketClient::set_hostname_addr_map() to connect to a specific IP address while keeping the original hostname for the handshake and certificate verification (#2463)
Behavior changes
  • The request body is now read after route matching and the pre-request handler, so both the regular handler and ContentReader paths behave the same: route matching → pre-request handler → body read → handler. A request rejected by the pre-request handler (e.g. failed per-route authentication via req.matched_route) no longer buffers the body at all. Note: code that referenced req.body or body-derived form fields inside the pre-request handler will now see an empty body; inspect headers, path, query parameters, or matched_route instead
  • WebSocketClient with a custom CA no longer merges system CA certificates (it previously always merged them). This matches SSLClient behavior; call enable_system_ca(true) to load system CA certificates alongside the custom CA
  • Range request headers are now ignored for streaming responses of unknown length instead of producing an invalid response (#2465)
Bug fixes
  • Fix SSLClient::set_ca_cert_store() breaking custom-CA exclusivity: system CA certificates were silently merged into the user-provided store, broadening the trust set. Also fix Client::load_ca_cert_store() not carrying CA certificates over to clients created for HTTPS redirects
  • Fix WebSocketClient dropping the query string from the URL during the upgrade handshake, so query parameters (e.g. auth tokens) are sent (#2468)
  • Fix a use-after-free when reconnecting a WebSocketClient after set_ca_cert_store(), and a memory leak in the Mbed TLS and wolfSSL set_ca_cert_store() backends
  • Fix MSVC warning C4309 (truncation of constant value) in SHA padding code (#2464)
  • Cast to unsigned char before ctype calls in is_hex and is_token_char to avoid undefined behavior with negative char values (#2469)

Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.47.0

cpp-httplib-0.48.0-1.el10_3

Fedora Security Advisories
1 day 4 hours ago
FEDORA-EPEL-2026-4d48176243 Packages in this update:
  • cpp-httplib-0.48.0-1.el10_3
Update description: Update to 0.48.0 (rhbz#2481109) Security fixes
  • Complete the IP-host certificate identity fix from v0.47.0 for the Mbed TLS and wolfSSL backends. An IP-literal host is now authenticated only via a matching iPAddress SAN, never via the certificate's Common Name (RFC 9110) — matching what the OpenSSL backend already enforces through X509_check_ip. Previously these backends fell back to the CN when no IP SAN matched, and recognized IPv4 only; now IPv6 (16-byte) iPAddress SANs are matched as well, and the CN fallback is skipped for both IPv4 and IPv6 literal hosts (#2476)
Improvements
  • Replace the strtod-based from_chars for double with a hand-written, locale-independent parser. The only double parsed by the library is the HTTP quality value; strtod reads the decimal separator from the global C locale, so an embedder calling setlocale(LC_ALL, "") into a comma-decimal locale would mis-parse q-values. The new parser always treats . as the decimal separator and is allocation-free (Fix #2475)
  • Fix OpenSSL 4.0 deprecation warnings: fetch CA store objects via the thread-safe X509_STORE_get1_objects() (OpenSSL 3.3+) and extract the subject CN via X509_NAME_get_index_by_NID()/X509_NAME_get_entry() instead of the deprecated X509_STORE_get0_objects() and X509_NAME_get_text_by_NID(). Older OpenSSL, BoringSSL, and LibreSSL keep using the get0 path. Verified warning-free against OpenSSL 4.0.1, 3.6.2, and 3.0
Behavior changes
  • decode_query_component() now uses strict hex parsing for percent-escapes, consistent with decode_uri_component() and decode_path_component(). A % followed by non-hex characters (e.g. a sign or whitespace such as %-1, %+5, % 5) is passed through literally instead of being accepted as a valid escape (#2472)

Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.48.0

Update to 0.47.0 (rhbz#2481109, CVE-2026-46527, CVE-2026-45372, CVE-2026-45352) Security fixes
  • Fix TLS certificate chain verification bypass for IP-literal hosts on the Mbed TLS and wolfSSL backends: with server certificate verification enabled, SSLClient skipped chain validation entirely (any untrusted certificate with a matching IP SAN was accepted), and WebSocketClient on Mbed TLS skipped verification altogether. Chain verification now stays enabled for IP hosts, and certificate identity is verified post-handshake against IP SANs on all backends. SNI is no longer sent for IP hosts on Mbed TLS and wolfSSL, per RFC 6066 (CVE-2026-54919)
New features
  • Add Server::set_start_handler(): a callback invoked when the server is ready to accept connections, useful when running the server in a background thread (#2467)
  • Add Client/SSLClient/WebSocketClient::enable_system_ca(bool) to opt into loading system CA certificates alongside a custom CA. The default is unchanged: a custom CA remains exclusive. The setting carries over to clients created for HTTPS redirects (#2471)
  • Add WebSocketClient::set_hostname_addr_map() to connect to a specific IP address while keeping the original hostname for the handshake and certificate verification (#2463)
Behavior changes
  • The request body is now read after route matching and the pre-request handler, so both the regular handler and ContentReader paths behave the same: route matching → pre-request handler → body read → handler. A request rejected by the pre-request handler (e.g. failed per-route authentication via req.matched_route) no longer buffers the body at all. Note: code that referenced req.body or body-derived form fields inside the pre-request handler will now see an empty body; inspect headers, path, query parameters, or matched_route instead
  • WebSocketClient with a custom CA no longer merges system CA certificates (it previously always merged them). This matches SSLClient behavior; call enable_system_ca(true) to load system CA certificates alongside the custom CA
  • Range request headers are now ignored for streaming responses of unknown length instead of producing an invalid response (#2465)
Bug fixes
  • Fix SSLClient::set_ca_cert_store() breaking custom-CA exclusivity: system CA certificates were silently merged into the user-provided store, broadening the trust set. Also fix Client::load_ca_cert_store() not carrying CA certificates over to clients created for HTTPS redirects
  • Fix WebSocketClient dropping the query string from the URL during the upgrade handshake, so query parameters (e.g. auth tokens) are sent (#2468)
  • Fix a use-after-free when reconnecting a WebSocketClient after set_ca_cert_store(), and a memory leak in the Mbed TLS and wolfSSL set_ca_cert_store() backends
  • Fix MSVC warning C4309 (truncation of constant value) in SHA padding code (#2464)
  • Cast to unsigned char before ctype calls in is_hex and is_token_char to avoid undefined behavior with negative char values (#2469)

Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.47.0

Checked
11 minutes 34 seconds ago
URL
https://bodhi.fedoraproject.org/rss/updates/?type=security