Fedora Security Advisories

FEDORA-EPEL-2026-8e98566767 Packages in this update:

• ruff-0.15.4-2.el10_2

Update description:

Rebuilt with thin-vec>=0.2.16; fixes GHSA-xphw-cqx3-667j

FEDORA-2026-32952baba5 Packages in this update:

• dotnet10.0-10.0.107-1.fc44

Update description:

Update to .NET SDK 10.0.107 and Runtime 10.0.7

Fixes: CVE-2026-40372

Release Notes:

• SDK: https://github.com/dotnet/core/blob/main/release-notes/10.0/10.0.7/10.0.107.md
• Runtime: https://github.com/dotnet/core/blob/main/release-notes/10.0/10.0.7/10.0.7.md

FEDORA-2026-018d6721a0 Packages in this update:

• dotnet10.0-10.0.107-1.fc43

Update description:

Update to .NET SDK 10.0.107 and Runtime 10.0.7

Fixes: CVE-2026-40372

Release Notes:

• SDK: https://github.com/dotnet/core/blob/main/release-notes/10.0/10.0.7/10.0.107.md
• Runtime: https://github.com/dotnet/core/blob/main/release-notes/10.0/10.0.7/10.0.7.md

FEDORA-2026-be6ea464d0 Packages in this update:

• dotnet10.0-10.0.107-1.fc42

Update description:

Update to .NET SDK 10.0.107 and Runtime 10.0.7

Fixes: CVE-2026-40372

Release Notes:

• SDK: https://github.com/dotnet/core/blob/main/release-notes/10.0/10.0.7/10.0.107.md
• Runtime: https://github.com/dotnet/core/blob/main/release-notes/10.0/10.0.7/10.0.7.md

FEDORA-EPEL-2026-3d4a538cd1 Packages in this update:

• exim-4.99.2-1.el9

Update description:

This is new version of exim fixing some security bugs.

FEDORA-EPEL-2026-ab4a45e76a Packages in this update:

• exim-4.99.2-1.el8

Update description:

This is new version of exim fixing some security bugs.

FEDORA-EPEL-2026-a1984d4493 Packages in this update:

• exim-4.99.2-1.el10_3

Update description:

This is new version of exim fixing some security bugs.

FEDORA-2026-fff37fe569 Packages in this update:

• exim-4.99.2-1.fc42

Update description:

This is new version of exim fixing some security bugs.

FEDORA-2026-c23e1d19d2 Packages in this update:

• exim-4.99.2-1.fc43

Update description:

This is new version of exim fixing some security bugs.

FEDORA-2026-7f7b8d957f Packages in this update:

• exim-4.99.2-1.fc44

Update description:

This is new version of exim fixing some security bugs.

FEDORA-2026-d7d99f08ff Packages in this update:

• docker-distribution-3.1.1-1.fc45

Update description:

Automatic update for docker-distribution-3.1.1-1.fc45.

Changelog * Fri May 1 2026 Bradley G Smith <bradley.g.smith@gmail.com> - 3.1.1-1 - Update to release v3.1.1 - Resolves: rhbz#2455529 - Fixes CVE-2026-41888 - Upstream fixes and updates - Temporary annocheck skip test for broken branch protection test on aarch64 * Mon Apr 6 2026 Bradley G Smith <bradley.g.smith@gmail.com> - 3.1.0-1 - Update to release v3.1.0 - Resolves: rhbz#2455529, rhbz#2455654 - Resolves CVE-2026-35172 - Resolves CVE-2026-33540 - Upstream fixes * Sun Feb 8 2026 Bradley G Smith <bradley.g.smith@gmail.com> - 3.0.0-5 - Remove duplicate lines * Mon Feb 2 2026 Maxwell G <maxwell@gtmx.me> - 3.0.0-4 - Rebuild for https://fedoraproject.org/wiki/Changes/golang1.26

FEDORA-EPEL-2026-2ff5743a9c Packages in this update:

• prosody-13.0.5-1.el9

Update description: Prosody 13.0.5

Upstream is pleased to announce a new minor release from their stable branch.

This is a security release for the Prosody 13.0.x stable series. It fixes multiple security issues, some memory leaks and some smaller bugs and changes which have been implemented since the previous release.

Full details about the security vulnerabilities can be found in upstream's security advisory. Upstream encourages all Prosody operators on 13.0.4 or earlier to upgrade to 13.0.5 as soon as possible, or to review the advisory and implement appropriate mitigations.

A summary of changes in this release:

Security

• mod_proxy65: Consistently apply authorization checks
• mod_proxy65: Don’t proxy data until after bytestream activation
• mod_c2s, mod_s2s: Introduce new pre-authentication stanza size limit
• Add limit for stanza max child elements
• mod_c2s: Remove timers immediately on disconnection
• net.server_epoll: Clean up timers after disconnection

Fixes and improvements

• net.http.parser: Fix handling of chunked request
• MUC: Advertise hats feature on room JID
• moduleapi: Use multitable add/remove instead of set (fixes memory leak)
• mod_cloud_notify: Fix leaking iq response handlers by using send_iq()
• Improve federation with servers using only IP addresses
• prosody: Prevent loading local code when installed system-wide
• mod_http_file_share: Improve handling of Range requests
• mod_carbons: Fix some carbons decision-making bugs

Minor changes

• net.resolvers: Fix to avoid SRV lookups for IP addresses
• prosody: Abort earlier on incompatible Lua version
• mod_turn_external: hand out credentials for type == turns too
• mod_s2s: Fully validate stream addressing
• prosodyctl check features: Warn if http file sharing enabled on both host and component
• util.prosodyctl: Don’t check for mod_posix being disabled, it’s deprecated
• util.startup: Improve error message when failing to load config file
• util.x509: Add support for iPAddress certs
• prosodyctl: Trim any trailing newline from password entry
• mod_admin_shell: Make cert index search path relative to config file
• mod_admin_shell: Improve multi-host command handling
• mod_admin_shell: Show help listing when specifying only a section name
• mod_admin_shell: Ensure password validity when setting passwords for new/existing users
• mod_account_activity: Handle authentication provider returning no user info
• config: Use default value when enum option has incorrect value
• mod_http: “Handle” streaming requests to avoid invoking redirect handler

FEDORA-2026-1efa008794 Packages in this update:

• prosody-13.0.5-1.fc42

Update description: Prosody 13.0.5

Upstream is pleased to announce a new minor release from their stable branch.

This is a security release for the Prosody 13.0.x stable series. It fixes multiple security issues, some memory leaks and some smaller bugs and changes which have been implemented since the previous release.

Full details about the security vulnerabilities can be found in upstream's security advisory. Upstream encourages all Prosody operators on 13.0.4 or earlier to upgrade to 13.0.5 as soon as possible, or to review the advisory and implement appropriate mitigations.

A summary of changes in this release:

Security

• mod_proxy65: Consistently apply authorization checks
• mod_proxy65: Don’t proxy data until after bytestream activation
• mod_c2s, mod_s2s: Introduce new pre-authentication stanza size limit
• Add limit for stanza max child elements
• mod_c2s: Remove timers immediately on disconnection
• net.server_epoll: Clean up timers after disconnection

Fixes and improvements

• net.http.parser: Fix handling of chunked request
• MUC: Advertise hats feature on room JID
• moduleapi: Use multitable add/remove instead of set (fixes memory leak)
• mod_cloud_notify: Fix leaking iq response handlers by using send_iq()
• Improve federation with servers using only IP addresses
• prosody: Prevent loading local code when installed system-wide
• mod_http_file_share: Improve handling of Range requests
• mod_carbons: Fix some carbons decision-making bugs

Minor changes

• net.resolvers: Fix to avoid SRV lookups for IP addresses
• prosody: Abort earlier on incompatible Lua version
• mod_turn_external: hand out credentials for type == turns too
• mod_s2s: Fully validate stream addressing
• prosodyctl check features: Warn if http file sharing enabled on both host and component
• util.prosodyctl: Don’t check for mod_posix being disabled, it’s deprecated
• util.startup: Improve error message when failing to load config file
• util.x509: Add support for iPAddress certs
• prosodyctl: Trim any trailing newline from password entry
• mod_admin_shell: Make cert index search path relative to config file
• mod_admin_shell: Improve multi-host command handling
• mod_admin_shell: Show help listing when specifying only a section name
• mod_admin_shell: Ensure password validity when setting passwords for new/existing users
• mod_account_activity: Handle authentication provider returning no user info
• config: Use default value when enum option has incorrect value
• mod_http: “Handle” streaming requests to avoid invoking redirect handler

FEDORA-2026-2947986ad6 Packages in this update:

• prosody-13.0.5-1.fc44

Update description: Prosody 13.0.5

Upstream is pleased to announce a new minor release from their stable branch.

This is a security release for the Prosody 13.0.x stable series. It fixes multiple security issues, some memory leaks and some smaller bugs and changes which have been implemented since the previous release.

Full details about the security vulnerabilities can be found in upstream's security advisory. Upstream encourages all Prosody operators on 13.0.4 or earlier to upgrade to 13.0.5 as soon as possible, or to review the advisory and implement appropriate mitigations.

A summary of changes in this release:

Security

• mod_proxy65: Consistently apply authorization checks
• mod_proxy65: Don’t proxy data until after bytestream activation
• mod_c2s, mod_s2s: Introduce new pre-authentication stanza size limit
• Add limit for stanza max child elements
• mod_c2s: Remove timers immediately on disconnection
• net.server_epoll: Clean up timers after disconnection

Fixes and improvements

• net.http.parser: Fix handling of chunked request
• MUC: Advertise hats feature on room JID
• moduleapi: Use multitable add/remove instead of set (fixes memory leak)
• mod_cloud_notify: Fix leaking iq response handlers by using send_iq()
• Improve federation with servers using only IP addresses
• prosody: Prevent loading local code when installed system-wide
• mod_http_file_share: Improve handling of Range requests
• mod_carbons: Fix some carbons decision-making bugs

Minor changes

• net.resolvers: Fix to avoid SRV lookups for IP addresses
• prosody: Abort earlier on incompatible Lua version
• mod_turn_external: hand out credentials for type == turns too
• mod_s2s: Fully validate stream addressing
• prosodyctl check features: Warn if http file sharing enabled on both host and component
• util.prosodyctl: Don’t check for mod_posix being disabled, it’s deprecated
• util.startup: Improve error message when failing to load config file
• util.x509: Add support for iPAddress certs
• prosodyctl: Trim any trailing newline from password entry
• mod_admin_shell: Make cert index search path relative to config file
• mod_admin_shell: Improve multi-host command handling
• mod_admin_shell: Show help listing when specifying only a section name
• mod_admin_shell: Ensure password validity when setting passwords for new/existing users
• mod_account_activity: Handle authentication provider returning no user info
• config: Use default value when enum option has incorrect value
• mod_http: “Handle” streaming requests to avoid invoking redirect handler

FEDORA-EPEL-2026-369d4c77a1 Packages in this update:

• prosody-13.0.5-1.el8

Update description: Prosody 13.0.5

Upstream is pleased to announce a new minor release from their stable branch.

This is a security release for the Prosody 13.0.x stable series. It fixes multiple security issues, some memory leaks and some smaller bugs and changes which have been implemented since the previous release.

Full details about the security vulnerabilities can be found in upstream's security advisory. Upstream encourages all Prosody operators on 13.0.4 or earlier to upgrade to 13.0.5 as soon as possible, or to review the advisory and implement appropriate mitigations.

A summary of changes in this release:

Security

• mod_proxy65: Consistently apply authorization checks
• mod_proxy65: Don’t proxy data until after bytestream activation
• mod_c2s, mod_s2s: Introduce new pre-authentication stanza size limit
• Add limit for stanza max child elements
• mod_c2s: Remove timers immediately on disconnection
• net.server_epoll: Clean up timers after disconnection

Fixes and improvements

• net.http.parser: Fix handling of chunked request
• MUC: Advertise hats feature on room JID
• moduleapi: Use multitable add/remove instead of set (fixes memory leak)
• mod_cloud_notify: Fix leaking iq response handlers by using send_iq()
• Improve federation with servers using only IP addresses
• prosody: Prevent loading local code when installed system-wide
• mod_http_file_share: Improve handling of Range requests
• mod_carbons: Fix some carbons decision-making bugs

Minor changes

• net.resolvers: Fix to avoid SRV lookups for IP addresses
• prosody: Abort earlier on incompatible Lua version
• mod_turn_external: hand out credentials for type == turns too
• mod_s2s: Fully validate stream addressing
• prosodyctl check features: Warn if http file sharing enabled on both host and component
• util.prosodyctl: Don’t check for mod_posix being disabled, it’s deprecated
• util.startup: Improve error message when failing to load config file
• util.x509: Add support for iPAddress certs
• prosodyctl: Trim any trailing newline from password entry
• mod_admin_shell: Make cert index search path relative to config file
• mod_admin_shell: Improve multi-host command handling
• mod_admin_shell: Show help listing when specifying only a section name
• mod_admin_shell: Ensure password validity when setting passwords for new/existing users
• mod_account_activity: Handle authentication provider returning no user info
• config: Use default value when enum option has incorrect value
• mod_http: “Handle” streaming requests to avoid invoking redirect handler

FEDORA-EPEL-2026-8354f60941 Packages in this update:

• prosody-13.0.5-1.el10_1

Update description: Prosody 13.0.5

Upstream is pleased to announce a new minor release from their stable branch.

This is a security release for the Prosody 13.0.x stable series. It fixes multiple security issues, some memory leaks and some smaller bugs and changes which have been implemented since the previous release.

Full details about the security vulnerabilities can be found in upstream's security advisory. Upstream encourages all Prosody operators on 13.0.4 or earlier to upgrade to 13.0.5 as soon as possible, or to review the advisory and implement appropriate mitigations.

A summary of changes in this release:

Security

• mod_proxy65: Consistently apply authorization checks
• mod_proxy65: Don’t proxy data until after bytestream activation
• mod_c2s, mod_s2s: Introduce new pre-authentication stanza size limit
• Add limit for stanza max child elements
• mod_c2s: Remove timers immediately on disconnection
• net.server_epoll: Clean up timers after disconnection

Fixes and improvements

• net.http.parser: Fix handling of chunked request
• MUC: Advertise hats feature on room JID
• moduleapi: Use multitable add/remove instead of set (fixes memory leak)
• mod_cloud_notify: Fix leaking iq response handlers by using send_iq()
• Improve federation with servers using only IP addresses
• prosody: Prevent loading local code when installed system-wide
• mod_http_file_share: Improve handling of Range requests
• mod_carbons: Fix some carbons decision-making bugs

Minor changes

• net.resolvers: Fix to avoid SRV lookups for IP addresses
• prosody: Abort earlier on incompatible Lua version
• mod_turn_external: hand out credentials for type == turns too
• mod_s2s: Fully validate stream addressing
• prosodyctl check features: Warn if http file sharing enabled on both host and component
• util.prosodyctl: Don’t check for mod_posix being disabled, it’s deprecated
• util.startup: Improve error message when failing to load config file
• util.x509: Add support for iPAddress certs
• prosodyctl: Trim any trailing newline from password entry
• mod_admin_shell: Make cert index search path relative to config file
• mod_admin_shell: Improve multi-host command handling
• mod_admin_shell: Show help listing when specifying only a section name
• mod_admin_shell: Ensure password validity when setting passwords for new/existing users
• mod_account_activity: Handle authentication provider returning no user info
• config: Use default value when enum option has incorrect value
• mod_http: “Handle” streaming requests to avoid invoking redirect handler

FEDORA-EPEL-2026-c907654c37 Packages in this update:

• prosody-13.0.5-1.el10_2

Update description: Prosody 13.0.5

Upstream is pleased to announce a new minor release from their stable branch.

This is a security release for the Prosody 13.0.x stable series. It fixes multiple security issues, some memory leaks and some smaller bugs and changes which have been implemented since the previous release.

Full details about the security vulnerabilities can be found in upstream's security advisory. Upstream encourages all Prosody operators on 13.0.4 or earlier to upgrade to 13.0.5 as soon as possible, or to review the advisory and implement appropriate mitigations.

A summary of changes in this release:

Security

• mod_proxy65: Consistently apply authorization checks
• mod_proxy65: Don’t proxy data until after bytestream activation
• mod_c2s, mod_s2s: Introduce new pre-authentication stanza size limit
• Add limit for stanza max child elements
• mod_c2s: Remove timers immediately on disconnection
• net.server_epoll: Clean up timers after disconnection

Fixes and improvements

• net.http.parser: Fix handling of chunked request
• MUC: Advertise hats feature on room JID
• moduleapi: Use multitable add/remove instead of set (fixes memory leak)
• mod_cloud_notify: Fix leaking iq response handlers by using send_iq()
• Improve federation with servers using only IP addresses
• prosody: Prevent loading local code when installed system-wide
• mod_http_file_share: Improve handling of Range requests
• mod_carbons: Fix some carbons decision-making bugs

Minor changes

• net.resolvers: Fix to avoid SRV lookups for IP addresses
• prosody: Abort earlier on incompatible Lua version
• mod_turn_external: hand out credentials for type == turns too
• mod_s2s: Fully validate stream addressing
• prosodyctl check features: Warn if http file sharing enabled on both host and component
• util.prosodyctl: Don’t check for mod_posix being disabled, it’s deprecated
• util.startup: Improve error message when failing to load config file
• util.x509: Add support for iPAddress certs
• prosodyctl: Trim any trailing newline from password entry
• mod_admin_shell: Make cert index search path relative to config file
• mod_admin_shell: Improve multi-host command handling
• mod_admin_shell: Show help listing when specifying only a section name
• mod_admin_shell: Ensure password validity when setting passwords for new/existing users
• mod_account_activity: Handle authentication provider returning no user info
• config: Use default value when enum option has incorrect value
• mod_http: “Handle” streaming requests to avoid invoking redirect handler

FEDORA-EPEL-2026-a400430763 Packages in this update:

• prosody-13.0.5-1.el10_3

Update description: Prosody 13.0.5

Upstream is pleased to announce a new minor release from their stable branch.

This is a security release for the Prosody 13.0.x stable series. It fixes multiple security issues, some memory leaks and some smaller bugs and changes which have been implemented since the previous release.

Full details about the security vulnerabilities can be found in upstream's security advisory. Upstream encourages all Prosody operators on 13.0.4 or earlier to upgrade to 13.0.5 as soon as possible, or to review the advisory and implement appropriate mitigations.

A summary of changes in this release:

Security

• mod_proxy65: Consistently apply authorization checks
• mod_proxy65: Don’t proxy data until after bytestream activation
• mod_c2s, mod_s2s: Introduce new pre-authentication stanza size limit
• Add limit for stanza max child elements
• mod_c2s: Remove timers immediately on disconnection
• net.server_epoll: Clean up timers after disconnection

Fixes and improvements

• net.http.parser: Fix handling of chunked request
• MUC: Advertise hats feature on room JID
• moduleapi: Use multitable add/remove instead of set (fixes memory leak)
• mod_cloud_notify: Fix leaking iq response handlers by using send_iq()
• Improve federation with servers using only IP addresses
• prosody: Prevent loading local code when installed system-wide
• mod_http_file_share: Improve handling of Range requests
• mod_carbons: Fix some carbons decision-making bugs

Minor changes

• net.resolvers: Fix to avoid SRV lookups for IP addresses
• prosody: Abort earlier on incompatible Lua version
• mod_turn_external: hand out credentials for type == turns too
• mod_s2s: Fully validate stream addressing
• prosodyctl check features: Warn if http file sharing enabled on both host and component
• util.prosodyctl: Don’t check for mod_posix being disabled, it’s deprecated
• util.startup: Improve error message when failing to load config file
• util.x509: Add support for iPAddress certs
• prosodyctl: Trim any trailing newline from password entry
• mod_admin_shell: Make cert index search path relative to config file
• mod_admin_shell: Improve multi-host command handling
• mod_admin_shell: Show help listing when specifying only a section name
• mod_admin_shell: Ensure password validity when setting passwords for new/existing users
• mod_account_activity: Handle authentication provider returning no user info
• config: Use default value when enum option has incorrect value
• mod_http: “Handle” streaming requests to avoid invoking redirect handler

FEDORA-2026-36c53b9ca8 Packages in this update:

• prosody-13.0.5-1.fc43

Update description: Prosody 13.0.5

Upstream is pleased to announce a new minor release from their stable branch.

This is a security release for the Prosody 13.0.x stable series. It fixes multiple security issues, some memory leaks and some smaller bugs and changes which have been implemented since the previous release.

Full details about the security vulnerabilities can be found in upstream's security advisory. Upstream encourages all Prosody operators on 13.0.4 or earlier to upgrade to 13.0.5 as soon as possible, or to review the advisory and implement appropriate mitigations.

A summary of changes in this release:

Security

• mod_proxy65: Consistently apply authorization checks
• mod_proxy65: Don’t proxy data until after bytestream activation
• mod_c2s, mod_s2s: Introduce new pre-authentication stanza size limit
• Add limit for stanza max child elements
• mod_c2s: Remove timers immediately on disconnection
• net.server_epoll: Clean up timers after disconnection

Fixes and improvements

• net.http.parser: Fix handling of chunked request
• MUC: Advertise hats feature on room JID
• moduleapi: Use multitable add/remove instead of set (fixes memory leak)
• mod_cloud_notify: Fix leaking iq response handlers by using send_iq()
• Improve federation with servers using only IP addresses
• prosody: Prevent loading local code when installed system-wide
• mod_http_file_share: Improve handling of Range requests
• mod_carbons: Fix some carbons decision-making bugs

Minor changes

• net.resolvers: Fix to avoid SRV lookups for IP addresses
• prosody: Abort earlier on incompatible Lua version
• mod_turn_external: hand out credentials for type == turns too
• mod_s2s: Fully validate stream addressing
• prosodyctl check features: Warn if http file sharing enabled on both host and component
• util.prosodyctl: Don’t check for mod_posix being disabled, it’s deprecated
• util.startup: Improve error message when failing to load config file
• util.x509: Add support for iPAddress certs
• prosodyctl: Trim any trailing newline from password entry
• mod_admin_shell: Make cert index search path relative to config file
• mod_admin_shell: Improve multi-host command handling
• mod_admin_shell: Show help listing when specifying only a section name
• mod_admin_shell: Ensure password validity when setting passwords for new/existing users
• mod_account_activity: Handle authentication provider returning no user info
• config: Use default value when enum option has incorrect value
• mod_http: “Handle” streaming requests to avoid invoking redirect handler

FEDORA-2026-4b7780802c Packages in this update:

• glibc-2.42-12.fc43

Update description:

This update provides various security fixes.

• Buffer overflow in scanf %mc (CVE-2026-5450)
• ns_sprintrrf buffer overreads (CVE-2026-6238)
• ns_sprintrrf buffer overflow in TSIG record processing (CVE-2026-5435)
• Memory corruption in ungetwc (CVE-2026-5928)
• Assertion failure in iconv with IBM1390, IBM1399 charsets (CVE-2026-4046)