Fedora Security Advisories

FEDORA-2026-75b5ddf8c3 Packages in this update:

• vim-9.2.530-1.fc43

Update description:

keep GTK4 in rawhide for now

switch to GTK4 for GVim

Fix CVE-2026-46483

FEDORA-2026-f3e466ea26 Packages in this update:

• bind-9.18.49-1.fc42
• bind-dyndb-ldap-11.11-12.fc42

Update description: Update to 9.18.49 (rhbz#2480121) Security Fixes:

• Limit resolver server list size. (CVE-2026-3592)
• Fix GSS-API resource leak. (CVE-2026-3039)
• Disable recursion, UPDATE, and NOTIFY for non-IN views. (CVE-2026-5946)
• Avoid unbounded recursion loop. (CVE-2026-5950)
• Fix outgoing zone transfers' quota issue.

Feature Changes:

• Fix CPU spikes and slow queries when cache approaches memory limit.

Bug Fixes:

• Fix named crash when processing SIG records in dynamic updates.
• Fix rndc modzone behavior for a zone in named.conf.
• Fix zone verification of NSEC3 signed zones.
• Prevent a crash when using both dns64 and filter-aaaa.
• Fixed an assertion failure when processing catalog zones.
• Prevent malicious DNSSEC zones from exhausting validator CPU.
• Fix rndc-confgen aborting on HMAC-SHA-384/512 keys above 512 bits.
• Prevent crafted queries from degrading RRL performance.
• Fix a bug in allow-query/allow-transfer catalog zone custom properties.
• Fix a memory leak issue in catalog zones.
• Fix suppressed missing-glue check in named-checkzone.
• Reject record sets too large to serve in DNS.

Source: https://downloads.isc.org/isc/bind9/9.18.49/doc/arm/html/notes.html#notes-for-bind-9-18-49

FEDORA-EPEL-2026-7158896891 Packages in this update:

• python-wsgidav-4.3.4-1.el10_3

Update description: 4.3.4 / 2026-05-24

• Resolve security advisory CVE-2026-48099

FEDORA-2026-7d942b469f Packages in this update:

• python-wsgidav-4.3.4-1.fc43

Update description: 4.3.4 / 2026-05-24

• Resolve security advisory CVE-2026-48099

FEDORA-2026-b2212b4742 Packages in this update:

• python-wsgidav-4.3.4-1.fc44

Update description: 4.3.4 / 2026-05-24

• Resolve security advisory CVE-2026-48099

FEDORA-EPEL-2026-c185cd6f77 Packages in this update:

• nix-2.31.5-1.el10_2

Update description:

• Rebase nix to 2.31.5
• fixes https://github.com/NixOS/nix/security/advisories/GHSA-vh5x-56v6-4368

FEDORA-2026-2b956d89d3 Packages in this update:

• roundcubemail-1.7.1-1.fc44

Update description: Release 1.7.1

• Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314)
• Managesieve: Fix error when a mail message contains duplicate List-Id header (#10186)
• Clarified Elastic installation instructions (#10163)
• Added HTMLFormElement.requestSubmit() polyfill for older browsers (#10179)
• Fix so "has:attachment" search uses $HasAttachment/$HasNoAttachment keywords (#10168)
• Fix potential too long value in IMAP ID command (#10136)
• Fix redis/memcache disconnection in rcube::sleep() (#10127)
• Fix so static resources, e.g. skin_logo can be put inside the public_html directory (#10160)
• Fix so REQUEST_URI is used as a fallback if PATH_INFO is not set in static.php (#10181)
• Fix assets_path feature and remove dependency on PATH_INFO (#10185)
• Fix MySQL upgrade on MySQL < 8.0 and MariaDB < 10.5.3 (#10188)
• Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
• Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">
• Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass
• Security: Fix SSRF bypass via specific local address URLs
• Security: Fix bypass of remote image blocking via CSS var()
• Security: Fix local/private URL fetch bypass when remote resources were not allowed
• Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
• Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option

FEDORA-2026-af4f5feae8 Packages in this update:

• perl-Catalyst-Plugin-Authentication-0.10026-1.fc43

Update description:

Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks since these versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash or password. Version 0.10026 of the module fixes this issue.

FEDORA-2026-26666575ae Packages in this update:

• perl-Catalyst-Plugin-Authentication-0.10026-1.fc44

Update description:

Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks since these versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash or password. Version 0.10026 of the module fixes this issue.

FEDORA-2026-0a2c98c91f Packages in this update:

• perl-Catalyst-Plugin-Authentication-0.10026-1.fc42

Update description:

Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks since these versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash or password. Version 0.10026 of the module fixes this issue.

FEDORA-EPEL-2026-a57474dbd8 Packages in this update:

• suricata-7.0.15-1.el8

Update description:

upstream bugfix/security release

FEDORA-EPEL-2026-0e5b0277cf Packages in this update:

• suricata-7.0.15-1.el9

Update description:

upstream bugfix/security release

FEDORA-EPEL-2026-8d6263d15f Packages in this update:

• suricata-8.0.4-1.el10_2

Update description:

upstream bugfix/security release

FEDORA-2026-4ec2ec78d6 Packages in this update:

• suricata-7.0.16-1.fc43

Update description:

Upstream bugfix/security release

FEDORA-2026-53a00bb643 Packages in this update:

• suricata-8.0.5-1.fc44

Update description:

Upstream bugfix/security release

FEDORA-2026-67762cee82 Packages in this update:

• mingw-objfw-1.5.4-1.fc43

Update description:

Update to 1.5.4. Fixes a buffer overflow caused by integer promotion rules in OFBMPImageFormatHandler and OFQOIImageFormatHandler.

Update to 1.5.3

FEDORA-2026-513552060a Packages in this update:

• mingw-objfw-1.5.4-1.fc42

Update description:

Update to 1.5.4. Fixes a buffer overflow caused by integer promotion rules in OFBMPImageFormatHandler and OFQOIImageFormatHandler.

Update to 1.5.3

FEDORA-2026-59c21cd48b Packages in this update:

• mingw-objfw-1.5.4-1.fc44

Update description:

Update to 1.5.4. Fixes a buffer overflow caused by integer promotion rules in OFBMPImageFormatHandler and OFQOIImageFormatHandler.

Update to 1.5.3

FEDORA-2026-f9938a84c7 Packages in this update:

• objfw-1.5.4-1.fc44

Update description:

Update to 1.5.4. Fixes a buffer overflow caused by integer promotion rules in OFBMPImageFormatHandler and OFQOIImageFormatHandler.

Update to 1.5.3

FEDORA-EPEL-2026-bd1cc59137 Packages in this update:

• objfw-1.5.4-1.el10_2

Update description:

Update to 1.5.4. Fixes a buffer overflow caused by integer promotion rules in OFBMPImageFormatHandler and OFQOIImageFormatHandler.