Fedora Security Advisories

FEDORA-2026-e5118f1777 Packages in this update:

• lighttpd-1.4.83-1.fc44

Update description:

1.4.83

https://wiki.lighttpd.net/Release-1_4_83

FEDORA-2026-265fb84974 Packages in this update:

• lighttpd-1.4.83-1.fc43

Update description:

1.4.83

https://wiki.lighttpd.net/Release-1_4_83

FEDORA-EPEL-2026-52d18d8d5a Packages in this update:

• 7zip-26.01-1.el10_3

Update description:

• Fixes CVE-2026-48092: Information disclosure in 32-bit builds
• Fixes CVE-2026-48095: Arbitrary code execution in NTFS handler
• Fixes CVE-2026-48101: Information disclosure in UEFI capsule parser
• Fixes CVE-2026-48102: Information disclosure and DOS via crafted UDF image
• Fixes CVE-2026-48103: Off-by-one buffer over-read in WIM archive handler
• Fixes CVE-2026-48104: Uninitialized heap read in SquashFS archive handler
• Fixes CVE-2026-48111: Off-by-one OOB read in UEFI firmware image parser
• Fixes CVE-2026-48112: Heap-based buffer over-read in Ar handler BSD SYMDEF parser

FEDORA-EPEL-2026-8d909527ba Packages in this update:

• 7zip-26.01-1.el10_2

Update description:

• Fixes CVE-2026-48092: Information disclosure in 32-bit builds
• Fixes CVE-2026-48095: Arbitrary code execution in NTFS handler
• Fixes CVE-2026-48101: Information disclosure in UEFI capsule parser
• Fixes CVE-2026-48102: Information disclosure and DOS via crafted UDF image
• Fixes CVE-2026-48103: Off-by-one buffer over-read in WIM archive handler
• Fixes CVE-2026-48104: Uninitialized heap read in SquashFS archive handler
• Fixes CVE-2026-48111: Off-by-one OOB read in UEFI firmware image parser
• Fixes CVE-2026-48112: Heap-based buffer over-read in Ar handler BSD SYMDEF parser

FEDORA-2026-f36864b408 Packages in this update:

• 7zip-26.01-1.fc43

Update description:

• Fixes CVE-2026-48092: Information disclosure in 32-bit builds
• Fixes CVE-2026-48095: Arbitrary code execution in NTFS handler
• Fixes CVE-2026-48101: Information disclosure in UEFI capsule parser
• Fixes CVE-2026-48102: Information disclosure and DOS via crafted UDF image
• Fixes CVE-2026-48103: Off-by-one buffer over-read in WIM archive handler
• Fixes CVE-2026-48104: Uninitialized heap read in SquashFS archive handler
• Fixes CVE-2026-48111: Off-by-one OOB read in UEFI firmware image parser
• Fixes CVE-2026-48112: Heap-based buffer over-read in Ar handler BSD SYMDEF parser

FEDORA-2026-4be7569210 Packages in this update:

• 7zip-26.01-1.fc44

Update description:

• Fixes CVE-2026-48092: Information disclosure in 32-bit builds
• Fixes CVE-2026-48095: Arbitrary code execution in NTFS handler
• Fixes CVE-2026-48101: Information disclosure in UEFI capsule parser
• Fixes CVE-2026-48102: Information disclosure and DOS via crafted UDF image
• Fixes CVE-2026-48103: Off-by-one buffer over-read in WIM archive handler
• Fixes CVE-2026-48104: Uninitialized heap read in SquashFS archive handler
• Fixes CVE-2026-48111: Off-by-one OOB read in UEFI firmware image parser
• Fixes CVE-2026-48112: Heap-based buffer over-read in Ar handler BSD SYMDEF parser

FEDORA-2026-2419096432 Packages in this update:

• buildah-1.44.0-1.fc45
• containers-common-0.68.0-1.fc45
• podman-6.0.0~rc1-1.fc45
• skopeo-1.23.0-1.fc45

Update description:

Automatic update for buildah-1.44.0-1.fc45, podman-6.0.0~rc1-1.fc45, skopeo-1.23.0-1.fc45, containers-common-0.68.0-1.fc45.

Changelog for buildah * Wed May 27 2026 Packit <hello@packit.dev> - 2:1.44.0-1 - Update to 1.44.0 upstream release Changelog for podman * Mon Jun 15 2026 Packit <hello@packit.dev> - 5:6.0.0~rc1-1 - Update to 6.0.0-rc1 upstream release * Fri Jun 12 2026 Yaakov Selkowitz <yselkowi@redhat.com> - 5:5.8.2-2 - Rebuilt for openssl 4.0 Changelog for skopeo * Tue May 26 2026 Packit <hello@packit.dev> - 1:1.23.0-1 - Update to 1.23.0 upstream release Changelog for containers-common * Thu May 21 2026 Packit <hello@packit.dev> - 5:0.68.0-1 - Update to 0.68.0 upstream release

FEDORA-2026-41453e7fa4 Packages in this update:

• sudo-1.9.17-13.p2.fc45

Update description:

Automatic update for sudo-1.9.17-13.p2.fc45.

Changelog * Mon Jun 15 2026 Alejandro López <allopez@redhat.com> - 1.9.17-12.p2 - Removed some unneeded build-time dependencies * Mon Jun 15 2026 Alejandro López <allopez@redhat.com> - 1.9.17-11.p2 - Resolves: rhbz#2379016 - don't recommend sudo-python-plugins

FEDORA-2026-28df92c223 Packages in this update:

• tig-2.6.1-1.fc43

Update description:

• Fix editor command injection vulnerability (only affectsversion 2.6.0). (#1432)
• https://github.com/jonas/tig/issues/1432

FEDORA-2026-5cb64cc909 Packages in this update:

• tig-2.6.1-1.fc44

Update description:

• Fix editor command injection vulnerability (only affectsversion 2.6.0). (#1432)
• https://github.com/jonas/tig/issues/1432

FEDORA-EPEL-2026-abb2a8237d Packages in this update:

• perl-Crypt-DSA-1.17-30.el9

Update description:

This update prevents key material reuse for multiple signing events (CVE-2026-12205, CWE-323).

FEDORA-EPEL-2026-18f1bb66c7 Packages in this update:

• perl-Crypt-DSA-1.17-30.el8

Update description:

This update prevents key material reuse for multiple signing events (CVE-2026-12205, CWE-323).

FEDORA-2026-f4a6b0c635 Packages in this update:

• perl-Crypt-DSA-1.21-1.fc44

Update description:

This update, to the current upstream release, prevents key material reuse for multiple signing events (CVE-2026-12205, CWE-323).

FEDORA-EPEL-2026-954ec464c6 Packages in this update:

• perl-Crypt-DSA-1.21-1.el10_3

Update description:

This update, to the current upstream release, prevents key material reuse for multiple signing events (CVE-2026-12205, CWE-323).

FEDORA-EPEL-2026-027ffba596 Packages in this update:

• perl-Crypt-DSA-1.21-1.el10_2

Update description:

This update, to the current upstream release, prevents key material reuse for multiple signing events (CVE-2026-12205, CWE-323).

FEDORA-2026-5cf57e43e3 Packages in this update:

• perl-Crypt-DSA-1.21-1.fc43

Update description:

This update, to the current upstream release, prevents key material reuse for multiple signing events (CVE-2026-12205, CWE-323).

FEDORA-2026-cf622b92d7 Packages in this update:

• perl-Crypt-DSA-1.21-1.fc45

Update description:

Automatic update for perl-Crypt-DSA-1.21-1.fc45.

Changelog * Mon Jun 15 2026 Paul Howarth <paul@city-fan.org> - 1.21-1 - Update to 1.21 - Fixed key material reuse for multiple signing events (CVE-2026-12205, CWE-323) - sign() reused the DSA nonce k across signatures (r and k^-1 were cached on the key and not regenerated), allowing private-key recovery from two signatures over different messages - Now generates a fresh nonce per signature - Keys used to sign more than once with an affected version should be considered compromised * Fri Jun 12 2026 Yaakov Selkowitz <yselkowi@redhat.com> - 1.20-2 - Rebuilt for openssl 4.0

FEDORA-2026-59f46c195f Packages in this update:

• chromium-149.0.7827.114-1.fc44

Update description:

Update to 149.0.7827.114

• CVE-2026-12007: Use after free Core
• CVE-2026-12008: Use after free DigitalCredentials
• CVE-2026-12009: Insufficient validation of untrusted input Accessibility
• CVE-2026-12010: Heap buffer overflow GPU
• CVE-2026-12011: Use after free WebMIDI
• CVE-2026-12012: Use after free Network
• CVE-2026-12013: Use after free Media
• CVE-2026-12014: Use after free Cast
• CVE-2026-12015: Use after free Autofill
• CVE-2026-12016: Insufficient validation of untrusted input DevTools
• CVE-2026-12017: Insufficient validation of untrusted input Extensions
• CVE-2026-12018: Inappropriate implementation Mojo
• CVE-2026-12019: Out of bounds write Codecs
• CVE-2026-12020: Use after free Autofill
• CVE-2026-12022: Race Safe Browsing
• CVE-2026-12023: Use after free GPU
• CVE-2026-12024: Insufficient policy enforcement DevTools
• CVE-2026-12025: Insufficient validation of untrusted input Network
• CVE-2026-12026: Out of bounds read Video
• CVE-2026-12027: Insufficient policy enforcement Headless
• CVE-2026-12028: Use after free GPU
• CVE-2026-12029: Use after free Video
• CVE-2026-12030: Heap buffer overflow GPU
• CVE-2026-12031: Inappropriate implementation Views
• CVE-2026-12032: Inappropriate implementation Passwords
• CVE-2026-12033: Out of bounds read VideoCapture
• CVE-2026-12034: Insufficient validation of untrusted input Linux Toolkit Theming
• CVE-2026-12035: Use after free Views
• Disable AI Mode settings

FEDORA-EPEL-2026-dfe06d2851 Packages in this update:

• chromium-149.0.7827.114-1.el9

Update description:

Update to 149.0.7827.114

• CVE-2026-12007: Use after free Core
• CVE-2026-12008: Use after free DigitalCredentials
• CVE-2026-12009: Insufficient validation of untrusted input Accessibility
• CVE-2026-12010: Heap buffer overflow GPU
• CVE-2026-12011: Use after free WebMIDI
• CVE-2026-12012: Use after free Network
• CVE-2026-12013: Use after free Media
• CVE-2026-12014: Use after free Cast
• CVE-2026-12015: Use after free Autofill
• CVE-2026-12016: Insufficient validation of untrusted input DevTools
• CVE-2026-12017: Insufficient validation of untrusted input Extensions
• CVE-2026-12018: Inappropriate implementation Mojo
• CVE-2026-12019: Out of bounds write Codecs
• CVE-2026-12020: Use after free Autofill
• CVE-2026-12022: Race Safe Browsing
• CVE-2026-12023: Use after free GPU
• CVE-2026-12024: Insufficient policy enforcement DevTools
• CVE-2026-12025: Insufficient validation of untrusted input Network
• CVE-2026-12026: Out of bounds read Video
• CVE-2026-12027: Insufficient policy enforcement Headless
• CVE-2026-12028: Use after free GPU
• CVE-2026-12029: Use after free Video
• CVE-2026-12030: Heap buffer overflow GPU
• CVE-2026-12031: Inappropriate implementation Views
• CVE-2026-12032: Inappropriate implementation Passwords
• CVE-2026-12033: Out of bounds read VideoCapture
• CVE-2026-12034: Insufficient validation of untrusted input Linux Toolkit Theming
• CVE-2026-12035: Use after free Views
• Disable AI Mode settings

FEDORA-EPEL-2026-5aeb8c1179 Packages in this update:

• chromium-149.0.7827.114-1.el10_3

Update description:

Update to 149.0.7827.114

• CVE-2026-12007: Use after free Core
• CVE-2026-12008: Use after free DigitalCredentials
• CVE-2026-12009: Insufficient validation of untrusted input Accessibility
• CVE-2026-12010: Heap buffer overflow GPU
• CVE-2026-12011: Use after free WebMIDI
• CVE-2026-12012: Use after free Network
• CVE-2026-12013: Use after free Media
• CVE-2026-12014: Use after free Cast
• CVE-2026-12015: Use after free Autofill
• CVE-2026-12016: Insufficient validation of untrusted input DevTools
• CVE-2026-12017: Insufficient validation of untrusted input Extensions
• CVE-2026-12018: Inappropriate implementation Mojo
• CVE-2026-12019: Out of bounds write Codecs
• CVE-2026-12020: Use after free Autofill
• CVE-2026-12022: Race Safe Browsing
• CVE-2026-12023: Use after free GPU
• CVE-2026-12024: Insufficient policy enforcement DevTools
• CVE-2026-12025: Insufficient validation of untrusted input Network
• CVE-2026-12026: Out of bounds read Video
• CVE-2026-12027: Insufficient policy enforcement Headless
• CVE-2026-12028: Use after free GPU
• CVE-2026-12029: Use after free Video
• CVE-2026-12030: Heap buffer overflow GPU
• CVE-2026-12031: Inappropriate implementation Views
• CVE-2026-12032: Inappropriate implementation Passwords
• CVE-2026-12033: Out of bounds read VideoCapture
• CVE-2026-12034: Insufficient validation of untrusted input Linux Toolkit Theming
• CVE-2026-12035: Use after free Views
• Disable AI Mode settings