Fedora Security Advisories

libpng-1.6.58-1.fc43

Fedora Security Advisories
3 minutes 47 seconds ago
FEDORA-2026-a109a9ac2c Packages in this update:
  • libpng-1.6.58-1.fc43
Update description:
  • updated to 1.6.58
  • 1.6.58 is released with a fix for a simple correctness bug (not a security issue) this time: png_get_PLTE() returns stale palette data when either gamma correction or alpha-compositing is the only transform applied. Like the issues addressed in the previous release, this bug was a regression introduced in the fix for CVE-2026-33416 in 1.6.56.
  • 1.6.57 is released with fixes for the following security vulnerability:
  • CVE-2026-34757 (medium severity): Use-after-free memory bug in the chunk setter API. The hIST variant has existed since version 1.0.9, but the PLTE and tRNS ones are regressions introduced in the fix for CVE-2026-33416 in 1.6.56 (oops).

libpng-1.6.58-1.fc42

Fedora Security Advisories
3 minutes 49 seconds ago
FEDORA-2026-9a678a08c8 Packages in this update:
  • libpng-1.6.58-1.fc42
Update description:
  • updated to 1.6.58
  • 1.6.58 is released with a fix for a simple correctness bug (not a security issue) this time: png_get_PLTE() returns stale palette data when either gamma correction or alpha-compositing is the only transform applied. Like the issues addressed in the previous release, this bug was a regression introduced in the fix for CVE-2026-33416 in 1.6.56.
  • 1.6.57 is released with fixes for the following security vulnerability:
  • CVE-2026-34757 (medium severity): Use-after-free memory bug in the chunk setter API. The hIST variant has existed since version 1.0.9, but the PLTE and tRNS ones are regressions introduced in the fix for CVE-2026-33416 in 1.6.56 (oops).

libpng-1.6.58-1.fc44

Fedora Security Advisories
3 minutes 51 seconds ago
FEDORA-2026-67c1138ed2 Packages in this update:
  • libpng-1.6.58-1.fc44
Update description:
  • updated to 1.6.58
  • 1.6.58 is released with a fix for a simple correctness bug (not a security issue) this time: png_get_PLTE() returns stale palette data when either gamma correction or alpha-compositing is the only transform applied. Like the issues addressed in the previous release, this bug was a regression introduced in the fix for CVE-2026-33416 in 1.6.56.
  • 1.6.57 is released with fixes for the following security vulnerability:
  • CVE-2026-34757 (medium severity): Use-after-free memory bug in the chunk setter API. The hIST variant has existed since version 1.0.9, but the PLTE and tRNS ones are regressions introduced in the fix for CVE-2026-33416 in 1.6.56 (oops).

roundcubemail-1.6.16-1.el10_3

Fedora Security Advisories
1 hour 19 minutes ago
FEDORA-EPEL-2026-05f02b89ad Packages in this update:
  • roundcubemail-1.6.16-1.el10_3
Update description: Release 1.6.16
  • Fix potential too long value in IMAP ID command (#10136)
  • Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
  • Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">
  • Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass
  • Security: Fix SSRF bypass via specific local address URLs
  • Security: Fix bypass of remote image blocking via CSS var()
  • Security: Fix local/private URL fetch bypass when remote resources were not allowed
  • Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
  • Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option

roundcubemail-1.6.16-1.fc43

Fedora Security Advisories
1 hour 19 minutes ago
FEDORA-2026-07ee097ffe Packages in this update:
  • roundcubemail-1.6.16-1.fc43
Update description: Release 1.6.16
  • Fix potential too long value in IMAP ID command (#10136)
  • Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
  • Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">
  • Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass
  • Security: Fix SSRF bypass via specific local address URLs
  • Security: Fix bypass of remote image blocking via CSS var()
  • Security: Fix local/private URL fetch bypass when remote resources were not allowed
  • Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
  • Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option

roundcubemail-1.6.16-1.el10_2

Fedora Security Advisories
1 hour 19 minutes ago
FEDORA-EPEL-2026-aa33047e8e Packages in this update:
  • roundcubemail-1.6.16-1.el10_2
Update description: Release 1.6.16
  • Fix potential too long value in IMAP ID command (#10136)
  • Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
  • Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">
  • Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass
  • Security: Fix SSRF bypass via specific local address URLs
  • Security: Fix bypass of remote image blocking via CSS var()
  • Security: Fix local/private URL fetch bypass when remote resources were not allowed
  • Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
  • Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option

vim-9.2.530-1.fc43

Fedora Security Advisories
19 hours 3 minutes ago
FEDORA-2026-75b5ddf8c3 Packages in this update:
  • vim-9.2.530-1.fc43
Update description:

keep GTK4 in rawhide for now

switch to GTK4 for GVim

Fix CVE-2026-46483

bind-9.18.49-1.fc42 bind-dyndb-ldap-11.11-12.fc42

Fedora Security Advisories
20 hours 3 minutes ago
FEDORA-2026-f3e466ea26 Packages in this update:
  • bind-9.18.49-1.fc42
  • bind-dyndb-ldap-11.11-12.fc42
Update description: Update to 9.18.49 (rhbz#2480121) Security Fixes: Feature Changes:
  • Fix CPU spikes and slow queries when cache approaches memory limit.
Bug Fixes:
  • Fix named crash when processing SIG records in dynamic updates.
  • Fix rndc modzone behavior for a zone in named.conf.
  • Fix zone verification of NSEC3 signed zones.
  • Prevent a crash when using both dns64 and filter-aaaa.
  • Fixed an assertion failure when processing catalog zones.
  • Prevent malicious DNSSEC zones from exhausting validator CPU.
  • Fix rndc-confgen aborting on HMAC-SHA-384/512 keys above 512 bits.
  • Prevent crafted queries from degrading RRL performance.
  • Fix a bug in allow-query/allow-transfer catalog zone custom properties.
  • Fix a memory leak issue in catalog zones.
  • Fix suppressed missing-glue check in named-checkzone.
  • Reject record sets too large to serve in DNS.

Source: https://downloads.isc.org/isc/bind9/9.18.49/doc/arm/html/notes.html#notes-for-bind-9-18-49

roundcubemail-1.7.1-1.fc44

Fedora Security Advisories
1 day ago
FEDORA-2026-2b956d89d3 Packages in this update:
  • roundcubemail-1.7.1-1.fc44
Update description: Release 1.7.1
  • Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314)
  • Managesieve: Fix error when a mail message contains duplicate List-Id header (#10186)
  • Clarified Elastic installation instructions (#10163)
  • Added HTMLFormElement.requestSubmit() polyfill for older browsers (#10179)
  • Fix so "has:attachment" search uses $HasAttachment/$HasNoAttachment keywords (#10168)
  • Fix potential too long value in IMAP ID command (#10136)
  • Fix redis/memcache disconnection in rcube::sleep() (#10127)
  • Fix so static resources, e.g. skin_logo can be put inside the public_html directory (#10160)
  • Fix so REQUEST_URI is used as a fallback if PATH_INFO is not set in static.php (#10181)
  • Fix assets_path feature and remove dependency on PATH_INFO (#10185)
  • Fix MySQL upgrade on MySQL < 8.0 and MariaDB < 10.5.3 (#10188)
  • Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
  • Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">
  • Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass
  • Security: Fix SSRF bypass via specific local address URLs
  • Security: Fix bypass of remote image blocking via CSS var()
  • Security: Fix local/private URL fetch bypass when remote resources were not allowed
  • Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
  • Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option

perl-Catalyst-Plugin-Authentication-0.10026-1.fc43

Fedora Security Advisories
1 day 13 hours ago
FEDORA-2026-af4f5feae8 Packages in this update:
  • perl-Catalyst-Plugin-Authentication-0.10026-1.fc43
Update description:

Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks since these versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash or password. Version 0.10026 of the module fixes this issue.

perl-Catalyst-Plugin-Authentication-0.10026-1.fc44

Fedora Security Advisories
1 day 13 hours ago
FEDORA-2026-26666575ae Packages in this update:
  • perl-Catalyst-Plugin-Authentication-0.10026-1.fc44
Update description:

Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks since these versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash or password. Version 0.10026 of the module fixes this issue.

perl-Catalyst-Plugin-Authentication-0.10026-1.fc42

Fedora Security Advisories
1 day 13 hours ago
FEDORA-2026-0a2c98c91f Packages in this update:
  • perl-Catalyst-Plugin-Authentication-0.10026-1.fc42
Update description:

Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks since these versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash or password. Version 0.10026 of the module fixes this issue.

Checked
2 minutes 52 seconds ago
URL
https://bodhi.fedoraproject.org/rss/updates/?type=security