Fedora Security Advisories

FEDORA-2026-b67348bd21 Packages in this update:

• maradns-3.5.0037-1.fc45

Update description:

Automatic update for maradns-3.5.0037-1.fc45.

Changelog * Mon Jun 15 2026 Tomasz Torcz <ttorcz@fedoraproject.org> - 3.5.0037-1 - update to 3.5.0037, fixing DNS-over-TCP bug (rhbz#2488786)

FEDORA-2026-79d9e34e36 Packages in this update:

• liferea-1.16.12-1.fc44

Update description:

Update to 1.16.12

Update to 1.16.11

FEDORA-2026-458669c813 Packages in this update:

• python-jupyter-server-2.19.0-2.fc44

Update description:

New version of jupyter-server fixing various security vulnerabilities.

FEDORA-2026-9536c7cb79 Packages in this update:

• python-jupyter-server-2.19.0-2.fc43

Update description:

New version of jupyter-server fixing various security vulnerabilities.

FEDORA-2026-4084e20f7e Packages in this update:

• krita-6.0.2.1-1.fc45

Update description:

Automatic update for krita-6.0.2.1-1.fc45.

Changelog * Wed Jun 17 2026 Than Ngo <than@redhat.com> - 6.0.2.1-1 - Fix rhbz#2481429, Update to 6.0.2.1 - Fix rhbz#2476570, CVE-2026-42144: integer overflow in PNM size check bypasses memory guard

FEDORA-EPEL-2026-f33139a01c Packages in this update:

• coturn-4.13.1-1.el10_2

Update description: Coturn 4.13.1 What's in this release

• Security fixes

What's Changed

• Null-terminate server_name in stun_is_challenge_response_str
• Canonicalize all IPv4-in-IPv6 encodings before peer-IP checks
• Auto-deny coturn's own database backend endpoints as relay peers
• Deny link-local / ULA / site-local relay peers by default

Coturn 4.13.0 What's in this release

• More performance improvements for --udp-recvmmsg and --multiplex-peer. If your system does not rely on TURN unique ports give multiplexing a try - it has capacity to dramatically increase performance.
• Security fixes

What's Changed

• Wrap atomic everywhere
• Fix sendmmsg stride bug in multiplex-peer UDP batch flush
• Reap TURN permissions/channels via a per-thread sweep instead of per-object timers
• Add --udp-sendmmsg-log to observe egress sendmmsg/UDP-GSO batching
• Expose recvmmsg/sendmmsg UDP batch sizes as Prometheus metrics
• Restrict recvmmsg fast path to shared fan-in sockets (make --udp-recvmmsg useful standalone)
• Enable --udp-recvmmsg by default on Linux
• Security hardening: port parsing, admin brute-force throttle, credential log redaction, constant-time compare, OAuth bounds checks, permission cap
• Add continuous latency mode to stunclient
• Fix test_redis_format link failure
• Fix configure MANPREFIX typo
• Fix missing sqlite3 dependendcy
• Fix UDP receive buffer ownership

FEDORA-EPEL-2026-5fb0ce4f22 Packages in this update:

• coturn-4.13.1-1.el8

Update description: Coturn 4.13.1 What's in this release

• Security fixes

What's Changed

• Null-terminate server_name in stun_is_challenge_response_str
• Canonicalize all IPv4-in-IPv6 encodings before peer-IP checks
• Auto-deny coturn's own database backend endpoints as relay peers
• Deny link-local / ULA / site-local relay peers by default

Coturn 4.13.0 What's in this release

• More performance improvements for --udp-recvmmsg and --multiplex-peer. If your system does not rely on TURN unique ports give multiplexing a try - it has capacity to dramatically increase performance.
• Security fixes

What's Changed

• Wrap atomic everywhere
• Fix sendmmsg stride bug in multiplex-peer UDP batch flush
• Reap TURN permissions/channels via a per-thread sweep instead of per-object timers
• Add --udp-sendmmsg-log to observe egress sendmmsg/UDP-GSO batching
• Expose recvmmsg/sendmmsg UDP batch sizes as Prometheus metrics
• Restrict recvmmsg fast path to shared fan-in sockets (make --udp-recvmmsg useful standalone)
• Enable --udp-recvmmsg by default on Linux
• Security hardening: port parsing, admin brute-force throttle, credential log redaction, constant-time compare, OAuth bounds checks, permission cap
• Add continuous latency mode to stunclient
• Fix test_redis_format link failure
• Fix configure MANPREFIX typo
• Fix missing sqlite3 dependendcy
• Fix UDP receive buffer ownership

FEDORA-2026-c42d951aad Packages in this update:

• coturn-4.13.1-1.fc43

Update description: Coturn 4.13.1 What's in this release

• Security fixes

What's Changed

• Null-terminate server_name in stun_is_challenge_response_str
• Canonicalize all IPv4-in-IPv6 encodings before peer-IP checks
• Auto-deny coturn's own database backend endpoints as relay peers
• Deny link-local / ULA / site-local relay peers by default

Coturn 4.13.0 What's in this release

• More performance improvements for --udp-recvmmsg and --multiplex-peer. If your system does not rely on TURN unique ports give multiplexing a try - it has capacity to dramatically increase performance.
• Security fixes

What's Changed

• Wrap atomic everywhere
• Fix sendmmsg stride bug in multiplex-peer UDP batch flush
• Reap TURN permissions/channels via a per-thread sweep instead of per-object timers
• Add --udp-sendmmsg-log to observe egress sendmmsg/UDP-GSO batching
• Expose recvmmsg/sendmmsg UDP batch sizes as Prometheus metrics
• Restrict recvmmsg fast path to shared fan-in sockets (make --udp-recvmmsg useful standalone)
• Enable --udp-recvmmsg by default on Linux
• Security hardening: port parsing, admin brute-force throttle, credential log redaction, constant-time compare, OAuth bounds checks, permission cap
• Add continuous latency mode to stunclient
• Fix test_redis_format link failure
• Fix configure MANPREFIX typo
• Fix missing sqlite3 dependendcy
• Fix UDP receive buffer ownership

FEDORA-2026-dda1360c18 Packages in this update:

• coturn-4.13.1-1.fc44

Update description: Coturn 4.13.1 What's in this release

• Security fixes

What's Changed

• Null-terminate server_name in stun_is_challenge_response_str
• Canonicalize all IPv4-in-IPv6 encodings before peer-IP checks
• Auto-deny coturn's own database backend endpoints as relay peers
• Deny link-local / ULA / site-local relay peers by default

Coturn 4.13.0 What's in this release

• More performance improvements for --udp-recvmmsg and --multiplex-peer. If your system does not rely on TURN unique ports give multiplexing a try - it has capacity to dramatically increase performance.
• Security fixes

What's Changed

• Wrap atomic everywhere
• Fix sendmmsg stride bug in multiplex-peer UDP batch flush
• Reap TURN permissions/channels via a per-thread sweep instead of per-object timers
• Add --udp-sendmmsg-log to observe egress sendmmsg/UDP-GSO batching
• Expose recvmmsg/sendmmsg UDP batch sizes as Prometheus metrics
• Restrict recvmmsg fast path to shared fan-in sockets (make --udp-recvmmsg useful standalone)
• Enable --udp-recvmmsg by default on Linux
• Security hardening: port parsing, admin brute-force throttle, credential log redaction, constant-time compare, OAuth bounds checks, permission cap
• Add continuous latency mode to stunclient
• Fix test_redis_format link failure
• Fix configure MANPREFIX typo
• Fix missing sqlite3 dependendcy
• Fix UDP receive buffer ownership

FEDORA-EPEL-2026-69da7ab3e5 Packages in this update:

• coturn-4.13.1-1.el10_3

Update description: Coturn 4.13.1 What's in this release

• Security fixes

What's Changed

• Null-terminate server_name in stun_is_challenge_response_str
• Canonicalize all IPv4-in-IPv6 encodings before peer-IP checks
• Auto-deny coturn's own database backend endpoints as relay peers
• Deny link-local / ULA / site-local relay peers by default

Coturn 4.13.0 What's in this release

• More performance improvements for --udp-recvmmsg and --multiplex-peer. If your system does not rely on TURN unique ports give multiplexing a try - it has capacity to dramatically increase performance.
• Security fixes

What's Changed

• Wrap atomic everywhere
• Fix sendmmsg stride bug in multiplex-peer UDP batch flush
• Reap TURN permissions/channels via a per-thread sweep instead of per-object timers
• Add --udp-sendmmsg-log to observe egress sendmmsg/UDP-GSO batching
• Expose recvmmsg/sendmmsg UDP batch sizes as Prometheus metrics
• Restrict recvmmsg fast path to shared fan-in sockets (make --udp-recvmmsg useful standalone)
• Enable --udp-recvmmsg by default on Linux
• Security hardening: port parsing, admin brute-force throttle, credential log redaction, constant-time compare, OAuth bounds checks, permission cap
• Add continuous latency mode to stunclient
• Fix test_redis_format link failure
• Fix configure MANPREFIX typo
• Fix missing sqlite3 dependendcy
• Fix UDP receive buffer ownership

FEDORA-EPEL-2026-48a6ee99c9 Packages in this update:

• coturn-4.13.1-1.el9

Update description: Coturn 4.13.1 What's in this release

• Security fixes

What's Changed

• Null-terminate server_name in stun_is_challenge_response_str
• Canonicalize all IPv4-in-IPv6 encodings before peer-IP checks
• Auto-deny coturn's own database backend endpoints as relay peers
• Deny link-local / ULA / site-local relay peers by default

Coturn 4.13.0 What's in this release

• More performance improvements for --udp-recvmmsg and --multiplex-peer. If your system does not rely on TURN unique ports give multiplexing a try - it has capacity to dramatically increase performance.
• Security fixes

What's Changed

• Wrap atomic everywhere
• Fix sendmmsg stride bug in multiplex-peer UDP batch flush
• Reap TURN permissions/channels via a per-thread sweep instead of per-object timers
• Add --udp-sendmmsg-log to observe egress sendmmsg/UDP-GSO batching
• Expose recvmmsg/sendmmsg UDP batch sizes as Prometheus metrics
• Restrict recvmmsg fast path to shared fan-in sockets (make --udp-recvmmsg useful standalone)
• Enable --udp-recvmmsg by default on Linux
• Security hardening: port parsing, admin brute-force throttle, credential log redaction, constant-time compare, OAuth bounds checks, permission cap
• Add continuous latency mode to stunclient
• Fix test_redis_format link failure
• Fix configure MANPREFIX typo
• Fix missing sqlite3 dependendcy
• Fix UDP receive buffer ownership

FEDORA-2026-2c5cde060d Packages in this update:

• python-django-allauth-65.18.0-1.fc44

Update description:

Update to the latest django-allauth

Fixes CVE-2026-27982

FEDORA-2026-67a9805962 Packages in this update:

• strongswan-6.0.7-2.fc43

Update description:

Addresses CVE-2026-47895 which is a theoretical RCE

Fixes CVE-2026-25075, CVE-2026-35328, CVE-2026-35329, CVE-2026-35330, CVE-2026-35331, CVE-2026-35332, CVE-2026-35333, CVE-2026-35334

Update to address CVE-2025-9615 and CVE-2025-62291

FEDORA-2026-a7ff7017ee Packages in this update:

• util-linux-2.41.5-1.fc43

Update description:

upstream upgrade with security fixes:

• CVE-2026-53612 - libmount: TOCTOU attack via ancestor directory swap during mount
• CVE-2026-53613 - libmount: SUID bypass via LIBMOUNT_FORCE_MOUNT2 and legacy mount path
• CVE-2026-53614 - libmount: fd_target TOCTOU prevention

FEDORA-2026-c70cb96ff1 Packages in this update:

• util-linux-2.41.5-1.fc44

Update description:

upstream upgrade with security fixes:

• CVE-2026-53612 - libmount: TOCTOU attack via ancestor directory swap during mount
• CVE-2026-53613 - libmount: SUID bypass via LIBMOUNT_FORCE_MOUNT2 and legacy mount path
• CVE-2026-53614 - libmount: fd_target TOCTOU prevention

FEDORA-2026-d2806ddffc Packages in this update:

• materialx-1.39.5-1.fc44

Update description:

New release version 1.39.5.

See the change log.

FEDORA-2026-85d5d5f493 Packages in this update:

• materialx-1.39.5-1.fc43

Update description:

New release version 1.39.5.

See the change log.

FEDORA-2026-284c049f7f Packages in this update:

• strongswan-6.0.7-1.fc44

Update description:

Addresses CVE-2026-47895 which is a theoretical RCE

FEDORA-2026-e5118f1777 Packages in this update:

• lighttpd-1.4.83-1.fc44

Update description:

1.4.83

https://wiki.lighttpd.net/Release-1_4_83

FEDORA-2026-265fb84974 Packages in this update:

• lighttpd-1.4.83-1.fc43

Update description:

1.4.83

https://wiki.lighttpd.net/Release-1_4_83