Fedora Security Advisories

FEDORA-2026-d7d99f08ff Packages in this update:

• docker-distribution-3.1.1-1.fc45

Update description:

Automatic update for docker-distribution-3.1.1-1.fc45.

Changelog * Fri May 1 2026 Bradley G Smith <bradley.g.smith@gmail.com> - 3.1.1-1 - Update to release v3.1.1 - Resolves: rhbz#2455529 - Fixes CVE-2026-41888 - Upstream fixes and updates - Temporary annocheck skip test for broken branch protection test on aarch64 * Mon Apr 6 2026 Bradley G Smith <bradley.g.smith@gmail.com> - 3.1.0-1 - Update to release v3.1.0 - Resolves: rhbz#2455529, rhbz#2455654 - Resolves CVE-2026-35172 - Resolves CVE-2026-33540 - Upstream fixes * Sun Feb 8 2026 Bradley G Smith <bradley.g.smith@gmail.com> - 3.0.0-5 - Remove duplicate lines * Mon Feb 2 2026 Maxwell G <maxwell@gtmx.me> - 3.0.0-4 - Rebuild for https://fedoraproject.org/wiki/Changes/golang1.26

FEDORA-EPEL-2026-2ff5743a9c Packages in this update:

• prosody-13.0.5-1.el9

Update description: Prosody 13.0.5

Upstream is pleased to announce a new minor release from their stable branch.

This is a security release for the Prosody 13.0.x stable series. It fixes multiple security issues, some memory leaks and some smaller bugs and changes which have been implemented since the previous release.

Full details about the security vulnerabilities can be found in upstream's security advisory. Upstream encourages all Prosody operators on 13.0.4 or earlier to upgrade to 13.0.5 as soon as possible, or to review the advisory and implement appropriate mitigations.

A summary of changes in this release:

Security

• mod_proxy65: Consistently apply authorization checks
• mod_proxy65: Don’t proxy data until after bytestream activation
• mod_c2s, mod_s2s: Introduce new pre-authentication stanza size limit
• Add limit for stanza max child elements
• mod_c2s: Remove timers immediately on disconnection
• net.server_epoll: Clean up timers after disconnection

Fixes and improvements

• net.http.parser: Fix handling of chunked request
• MUC: Advertise hats feature on room JID
• moduleapi: Use multitable add/remove instead of set (fixes memory leak)
• mod_cloud_notify: Fix leaking iq response handlers by using send_iq()
• Improve federation with servers using only IP addresses
• prosody: Prevent loading local code when installed system-wide
• mod_http_file_share: Improve handling of Range requests
• mod_carbons: Fix some carbons decision-making bugs

Minor changes

• net.resolvers: Fix to avoid SRV lookups for IP addresses
• prosody: Abort earlier on incompatible Lua version
• mod_turn_external: hand out credentials for type == turns too
• mod_s2s: Fully validate stream addressing
• prosodyctl check features: Warn if http file sharing enabled on both host and component
• util.prosodyctl: Don’t check for mod_posix being disabled, it’s deprecated
• util.startup: Improve error message when failing to load config file
• util.x509: Add support for iPAddress certs
• prosodyctl: Trim any trailing newline from password entry
• mod_admin_shell: Make cert index search path relative to config file
• mod_admin_shell: Improve multi-host command handling
• mod_admin_shell: Show help listing when specifying only a section name
• mod_admin_shell: Ensure password validity when setting passwords for new/existing users
• mod_account_activity: Handle authentication provider returning no user info
• config: Use default value when enum option has incorrect value
• mod_http: “Handle” streaming requests to avoid invoking redirect handler

FEDORA-2026-1efa008794 Packages in this update:

• prosody-13.0.5-1.fc42

Update description: Prosody 13.0.5

Upstream is pleased to announce a new minor release from their stable branch.

This is a security release for the Prosody 13.0.x stable series. It fixes multiple security issues, some memory leaks and some smaller bugs and changes which have been implemented since the previous release.

Full details about the security vulnerabilities can be found in upstream's security advisory. Upstream encourages all Prosody operators on 13.0.4 or earlier to upgrade to 13.0.5 as soon as possible, or to review the advisory and implement appropriate mitigations.

A summary of changes in this release:

Security

• mod_proxy65: Consistently apply authorization checks
• mod_proxy65: Don’t proxy data until after bytestream activation
• mod_c2s, mod_s2s: Introduce new pre-authentication stanza size limit
• Add limit for stanza max child elements
• mod_c2s: Remove timers immediately on disconnection
• net.server_epoll: Clean up timers after disconnection

Fixes and improvements

• net.http.parser: Fix handling of chunked request
• MUC: Advertise hats feature on room JID
• moduleapi: Use multitable add/remove instead of set (fixes memory leak)
• mod_cloud_notify: Fix leaking iq response handlers by using send_iq()
• Improve federation with servers using only IP addresses
• prosody: Prevent loading local code when installed system-wide
• mod_http_file_share: Improve handling of Range requests
• mod_carbons: Fix some carbons decision-making bugs

Minor changes

• net.resolvers: Fix to avoid SRV lookups for IP addresses
• prosody: Abort earlier on incompatible Lua version
• mod_turn_external: hand out credentials for type == turns too
• mod_s2s: Fully validate stream addressing
• prosodyctl check features: Warn if http file sharing enabled on both host and component
• util.prosodyctl: Don’t check for mod_posix being disabled, it’s deprecated
• util.startup: Improve error message when failing to load config file
• util.x509: Add support for iPAddress certs
• prosodyctl: Trim any trailing newline from password entry
• mod_admin_shell: Make cert index search path relative to config file
• mod_admin_shell: Improve multi-host command handling
• mod_admin_shell: Show help listing when specifying only a section name
• mod_admin_shell: Ensure password validity when setting passwords for new/existing users
• mod_account_activity: Handle authentication provider returning no user info
• config: Use default value when enum option has incorrect value
• mod_http: “Handle” streaming requests to avoid invoking redirect handler

FEDORA-2026-2947986ad6 Packages in this update:

• prosody-13.0.5-1.fc44

Update description: Prosody 13.0.5

Upstream is pleased to announce a new minor release from their stable branch.

This is a security release for the Prosody 13.0.x stable series. It fixes multiple security issues, some memory leaks and some smaller bugs and changes which have been implemented since the previous release.

Full details about the security vulnerabilities can be found in upstream's security advisory. Upstream encourages all Prosody operators on 13.0.4 or earlier to upgrade to 13.0.5 as soon as possible, or to review the advisory and implement appropriate mitigations.

A summary of changes in this release:

Security

• mod_proxy65: Consistently apply authorization checks
• mod_proxy65: Don’t proxy data until after bytestream activation
• mod_c2s, mod_s2s: Introduce new pre-authentication stanza size limit
• Add limit for stanza max child elements
• mod_c2s: Remove timers immediately on disconnection
• net.server_epoll: Clean up timers after disconnection

Fixes and improvements

• net.http.parser: Fix handling of chunked request
• MUC: Advertise hats feature on room JID
• moduleapi: Use multitable add/remove instead of set (fixes memory leak)
• mod_cloud_notify: Fix leaking iq response handlers by using send_iq()
• Improve federation with servers using only IP addresses
• prosody: Prevent loading local code when installed system-wide
• mod_http_file_share: Improve handling of Range requests
• mod_carbons: Fix some carbons decision-making bugs

Minor changes

• net.resolvers: Fix to avoid SRV lookups for IP addresses
• prosody: Abort earlier on incompatible Lua version
• mod_turn_external: hand out credentials for type == turns too
• mod_s2s: Fully validate stream addressing
• prosodyctl check features: Warn if http file sharing enabled on both host and component
• util.prosodyctl: Don’t check for mod_posix being disabled, it’s deprecated
• util.startup: Improve error message when failing to load config file
• util.x509: Add support for iPAddress certs
• prosodyctl: Trim any trailing newline from password entry
• mod_admin_shell: Make cert index search path relative to config file
• mod_admin_shell: Improve multi-host command handling
• mod_admin_shell: Show help listing when specifying only a section name
• mod_admin_shell: Ensure password validity when setting passwords for new/existing users
• mod_account_activity: Handle authentication provider returning no user info
• config: Use default value when enum option has incorrect value
• mod_http: “Handle” streaming requests to avoid invoking redirect handler

FEDORA-EPEL-2026-369d4c77a1 Packages in this update:

• prosody-13.0.5-1.el8

Update description: Prosody 13.0.5

Upstream is pleased to announce a new minor release from their stable branch.

This is a security release for the Prosody 13.0.x stable series. It fixes multiple security issues, some memory leaks and some smaller bugs and changes which have been implemented since the previous release.

Full details about the security vulnerabilities can be found in upstream's security advisory. Upstream encourages all Prosody operators on 13.0.4 or earlier to upgrade to 13.0.5 as soon as possible, or to review the advisory and implement appropriate mitigations.

A summary of changes in this release:

Security

• mod_proxy65: Consistently apply authorization checks
• mod_proxy65: Don’t proxy data until after bytestream activation
• mod_c2s, mod_s2s: Introduce new pre-authentication stanza size limit
• Add limit for stanza max child elements
• mod_c2s: Remove timers immediately on disconnection
• net.server_epoll: Clean up timers after disconnection

Fixes and improvements

• net.http.parser: Fix handling of chunked request
• MUC: Advertise hats feature on room JID
• moduleapi: Use multitable add/remove instead of set (fixes memory leak)
• mod_cloud_notify: Fix leaking iq response handlers by using send_iq()
• Improve federation with servers using only IP addresses
• prosody: Prevent loading local code when installed system-wide
• mod_http_file_share: Improve handling of Range requests
• mod_carbons: Fix some carbons decision-making bugs

Minor changes

• net.resolvers: Fix to avoid SRV lookups for IP addresses
• prosody: Abort earlier on incompatible Lua version
• mod_turn_external: hand out credentials for type == turns too
• mod_s2s: Fully validate stream addressing
• prosodyctl check features: Warn if http file sharing enabled on both host and component
• util.prosodyctl: Don’t check for mod_posix being disabled, it’s deprecated
• util.startup: Improve error message when failing to load config file
• util.x509: Add support for iPAddress certs
• prosodyctl: Trim any trailing newline from password entry
• mod_admin_shell: Make cert index search path relative to config file
• mod_admin_shell: Improve multi-host command handling
• mod_admin_shell: Show help listing when specifying only a section name
• mod_admin_shell: Ensure password validity when setting passwords for new/existing users
• mod_account_activity: Handle authentication provider returning no user info
• config: Use default value when enum option has incorrect value
• mod_http: “Handle” streaming requests to avoid invoking redirect handler

FEDORA-EPEL-2026-8354f60941 Packages in this update:

• prosody-13.0.5-1.el10_1

Update description: Prosody 13.0.5

Upstream is pleased to announce a new minor release from their stable branch.

This is a security release for the Prosody 13.0.x stable series. It fixes multiple security issues, some memory leaks and some smaller bugs and changes which have been implemented since the previous release.

Full details about the security vulnerabilities can be found in upstream's security advisory. Upstream encourages all Prosody operators on 13.0.4 or earlier to upgrade to 13.0.5 as soon as possible, or to review the advisory and implement appropriate mitigations.

A summary of changes in this release:

Security

• mod_proxy65: Consistently apply authorization checks
• mod_proxy65: Don’t proxy data until after bytestream activation
• mod_c2s, mod_s2s: Introduce new pre-authentication stanza size limit
• Add limit for stanza max child elements
• mod_c2s: Remove timers immediately on disconnection
• net.server_epoll: Clean up timers after disconnection

Fixes and improvements

• net.http.parser: Fix handling of chunked request
• MUC: Advertise hats feature on room JID
• moduleapi: Use multitable add/remove instead of set (fixes memory leak)
• mod_cloud_notify: Fix leaking iq response handlers by using send_iq()
• Improve federation with servers using only IP addresses
• prosody: Prevent loading local code when installed system-wide
• mod_http_file_share: Improve handling of Range requests
• mod_carbons: Fix some carbons decision-making bugs

Minor changes

• net.resolvers: Fix to avoid SRV lookups for IP addresses
• prosody: Abort earlier on incompatible Lua version
• mod_turn_external: hand out credentials for type == turns too
• mod_s2s: Fully validate stream addressing
• prosodyctl check features: Warn if http file sharing enabled on both host and component
• util.prosodyctl: Don’t check for mod_posix being disabled, it’s deprecated
• util.startup: Improve error message when failing to load config file
• util.x509: Add support for iPAddress certs
• prosodyctl: Trim any trailing newline from password entry
• mod_admin_shell: Make cert index search path relative to config file
• mod_admin_shell: Improve multi-host command handling
• mod_admin_shell: Show help listing when specifying only a section name
• mod_admin_shell: Ensure password validity when setting passwords for new/existing users
• mod_account_activity: Handle authentication provider returning no user info
• config: Use default value when enum option has incorrect value
• mod_http: “Handle” streaming requests to avoid invoking redirect handler

FEDORA-EPEL-2026-c907654c37 Packages in this update:

• prosody-13.0.5-1.el10_2

Update description: Prosody 13.0.5

Upstream is pleased to announce a new minor release from their stable branch.

This is a security release for the Prosody 13.0.x stable series. It fixes multiple security issues, some memory leaks and some smaller bugs and changes which have been implemented since the previous release.

Full details about the security vulnerabilities can be found in upstream's security advisory. Upstream encourages all Prosody operators on 13.0.4 or earlier to upgrade to 13.0.5 as soon as possible, or to review the advisory and implement appropriate mitigations.

A summary of changes in this release:

Security

• mod_proxy65: Consistently apply authorization checks
• mod_proxy65: Don’t proxy data until after bytestream activation
• mod_c2s, mod_s2s: Introduce new pre-authentication stanza size limit
• Add limit for stanza max child elements
• mod_c2s: Remove timers immediately on disconnection
• net.server_epoll: Clean up timers after disconnection

Fixes and improvements

• net.http.parser: Fix handling of chunked request
• MUC: Advertise hats feature on room JID
• moduleapi: Use multitable add/remove instead of set (fixes memory leak)
• mod_cloud_notify: Fix leaking iq response handlers by using send_iq()
• Improve federation with servers using only IP addresses
• prosody: Prevent loading local code when installed system-wide
• mod_http_file_share: Improve handling of Range requests
• mod_carbons: Fix some carbons decision-making bugs

Minor changes

• net.resolvers: Fix to avoid SRV lookups for IP addresses
• prosody: Abort earlier on incompatible Lua version
• mod_turn_external: hand out credentials for type == turns too
• mod_s2s: Fully validate stream addressing
• prosodyctl check features: Warn if http file sharing enabled on both host and component
• util.prosodyctl: Don’t check for mod_posix being disabled, it’s deprecated
• util.startup: Improve error message when failing to load config file
• util.x509: Add support for iPAddress certs
• prosodyctl: Trim any trailing newline from password entry
• mod_admin_shell: Make cert index search path relative to config file
• mod_admin_shell: Improve multi-host command handling
• mod_admin_shell: Show help listing when specifying only a section name
• mod_admin_shell: Ensure password validity when setting passwords for new/existing users
• mod_account_activity: Handle authentication provider returning no user info
• config: Use default value when enum option has incorrect value
• mod_http: “Handle” streaming requests to avoid invoking redirect handler

FEDORA-EPEL-2026-a400430763 Packages in this update:

• prosody-13.0.5-1.el10_3

Update description: Prosody 13.0.5

Upstream is pleased to announce a new minor release from their stable branch.

This is a security release for the Prosody 13.0.x stable series. It fixes multiple security issues, some memory leaks and some smaller bugs and changes which have been implemented since the previous release.

Full details about the security vulnerabilities can be found in upstream's security advisory. Upstream encourages all Prosody operators on 13.0.4 or earlier to upgrade to 13.0.5 as soon as possible, or to review the advisory and implement appropriate mitigations.

A summary of changes in this release:

Security

• mod_proxy65: Consistently apply authorization checks
• mod_proxy65: Don’t proxy data until after bytestream activation
• mod_c2s, mod_s2s: Introduce new pre-authentication stanza size limit
• Add limit for stanza max child elements
• mod_c2s: Remove timers immediately on disconnection
• net.server_epoll: Clean up timers after disconnection

Fixes and improvements

• net.http.parser: Fix handling of chunked request
• MUC: Advertise hats feature on room JID
• moduleapi: Use multitable add/remove instead of set (fixes memory leak)
• mod_cloud_notify: Fix leaking iq response handlers by using send_iq()
• Improve federation with servers using only IP addresses
• prosody: Prevent loading local code when installed system-wide
• mod_http_file_share: Improve handling of Range requests
• mod_carbons: Fix some carbons decision-making bugs

Minor changes

• net.resolvers: Fix to avoid SRV lookups for IP addresses
• prosody: Abort earlier on incompatible Lua version
• mod_turn_external: hand out credentials for type == turns too
• mod_s2s: Fully validate stream addressing
• prosodyctl check features: Warn if http file sharing enabled on both host and component
• util.prosodyctl: Don’t check for mod_posix being disabled, it’s deprecated
• util.startup: Improve error message when failing to load config file
• util.x509: Add support for iPAddress certs
• prosodyctl: Trim any trailing newline from password entry
• mod_admin_shell: Make cert index search path relative to config file
• mod_admin_shell: Improve multi-host command handling
• mod_admin_shell: Show help listing when specifying only a section name
• mod_admin_shell: Ensure password validity when setting passwords for new/existing users
• mod_account_activity: Handle authentication provider returning no user info
• config: Use default value when enum option has incorrect value
• mod_http: “Handle” streaming requests to avoid invoking redirect handler

FEDORA-2026-36c53b9ca8 Packages in this update:

• prosody-13.0.5-1.fc43

Update description: Prosody 13.0.5

Upstream is pleased to announce a new minor release from their stable branch.

This is a security release for the Prosody 13.0.x stable series. It fixes multiple security issues, some memory leaks and some smaller bugs and changes which have been implemented since the previous release.

Full details about the security vulnerabilities can be found in upstream's security advisory. Upstream encourages all Prosody operators on 13.0.4 or earlier to upgrade to 13.0.5 as soon as possible, or to review the advisory and implement appropriate mitigations.

A summary of changes in this release:

Security

• mod_proxy65: Consistently apply authorization checks
• mod_proxy65: Don’t proxy data until after bytestream activation
• mod_c2s, mod_s2s: Introduce new pre-authentication stanza size limit
• Add limit for stanza max child elements
• mod_c2s: Remove timers immediately on disconnection
• net.server_epoll: Clean up timers after disconnection

Fixes and improvements

• net.http.parser: Fix handling of chunked request
• MUC: Advertise hats feature on room JID
• moduleapi: Use multitable add/remove instead of set (fixes memory leak)
• mod_cloud_notify: Fix leaking iq response handlers by using send_iq()
• Improve federation with servers using only IP addresses
• prosody: Prevent loading local code when installed system-wide
• mod_http_file_share: Improve handling of Range requests
• mod_carbons: Fix some carbons decision-making bugs

Minor changes

• net.resolvers: Fix to avoid SRV lookups for IP addresses
• prosody: Abort earlier on incompatible Lua version
• mod_turn_external: hand out credentials for type == turns too
• mod_s2s: Fully validate stream addressing
• prosodyctl check features: Warn if http file sharing enabled on both host and component
• util.prosodyctl: Don’t check for mod_posix being disabled, it’s deprecated
• util.startup: Improve error message when failing to load config file
• util.x509: Add support for iPAddress certs
• prosodyctl: Trim any trailing newline from password entry
• mod_admin_shell: Make cert index search path relative to config file
• mod_admin_shell: Improve multi-host command handling
• mod_admin_shell: Show help listing when specifying only a section name
• mod_admin_shell: Ensure password validity when setting passwords for new/existing users
• mod_account_activity: Handle authentication provider returning no user info
• config: Use default value when enum option has incorrect value
• mod_http: “Handle” streaming requests to avoid invoking redirect handler

FEDORA-2026-4b7780802c Packages in this update:

• glibc-2.42-12.fc43

Update description:

This update provides various security fixes.

• Buffer overflow in scanf %mc (CVE-2026-5450)
• ns_sprintrrf buffer overreads (CVE-2026-6238)
• ns_sprintrrf buffer overflow in TSIG record processing (CVE-2026-5435)
• Memory corruption in ungetwc (CVE-2026-5928)
• Assertion failure in iconv with IBM1390, IBM1399 charsets (CVE-2026-4046)

FEDORA-2026-ced72ab158 Packages in this update:

• glibc-2.43-4.fc44

Update description:

This update provides various security fixes.

• Buffer overflow in scanf %mc (CVE-2026-5450)
• ns_sprintrrf buffer overreads (CVE-2026-6238)
• ns_sprintrrf buffer overflow in TSIG record processing (CVE-2026-5435)
• Memory corruption in ungetwc (CVE-2026-5928)
• Assertion failure in iconv with IBM1390, IBM1399 charsets (CVE-2026-4046)

FEDORA-2026-593d463bbf Packages in this update:

• uriparser-1.0.1-1.fc42

Update description:

Update to uriparser-1.0.1.

FEDORA-2026-57515ed8b1 Packages in this update:

• uriparser-1.0.1-1.fc44

Update description:

Update to uriparser-1.0.1.

FEDORA-2026-6b0a579131 Packages in this update:

• uriparser-1.0.1-1.fc43

Update description:

Update to uriparser-1.0.1.

FEDORA-EPEL-2026-c2b734f274 Packages in this update:

• chromium-147.0.7727.137-1.el10_3

Update description:

The updates include fixes for:

• Critical CVE-2026-7363: Use after free in Canvas
• Critical CVE-2026-7361: Use after free in iOS
• Critical CVE-2026-7344: Use after free in Accessibility
• Critical CVE-2026-7343: Use after free in Views
• High CVE-2026-7333: Use after free in GPU
• High CVE-2026-7360: Insufficient validation of untrusted input in Compositing
• High CVE-2026-7359: Use after free in ANGLE
• High CVE-2026-7358: Use after free in Animation
• High CVE-2026-7334: Use after free in Views
• High CVE-2026-7357: Use after free in GPU
• High CVE-2026-7356: Use after free in Navigation
• High CVE-2026-7354: Out of bounds read and write in Angle
• High CVE-2026-7353: Heap buffer overflow in Skia
• High CVE-2026-7352: Use after free in Media
• High CVE-2026-7351: Race in MHTML
• High CVE-2026-7350: Use after free in WebMIDI
• High CVE-2026-7349: Use after free in Cast
• High CVE-2026-7348: Use after free in Codecs
• High CVE-2026-7335: Use after free in media
• High CVE-2026-7336: Use after free in WebRTC
• High CVE-2026-7337: Type Confusion in V8
• High CVE-2026-7347: Use after free in Chromoting
• High CVE-2026-7346: Inappropriate implementation in Tint
• High CVE-2026-7345: Insufficient validation of untrusted input in Feedback
• High CVE-2026-7338: Use after free in Cast
• High CVE-2026-7342: Use after free in WebView
• High CVE-2026-7341: Use after free in WebRTC
• Medium CVE-2026-7339: Heap buffer overflow in WebRTC
• Medium CVE-2026-7340: Integer overflow in ANGLE
• Medium CVE-2026-7355: Use after free in Media

FEDORA-EPEL-2026-1a398e4f20 Packages in this update:

• chromium-147.0.7727.137-1.el10_1

Update description:

The updates include fixes for:

• Critical CVE-2026-7363: Use after free in Canvas
• Critical CVE-2026-7361: Use after free in iOS
• Critical CVE-2026-7344: Use after free in Accessibility
• Critical CVE-2026-7343: Use after free in Views
• High CVE-2026-7333: Use after free in GPU
• High CVE-2026-7360: Insufficient validation of untrusted input in Compositing
• High CVE-2026-7359: Use after free in ANGLE
• High CVE-2026-7358: Use after free in Animation
• High CVE-2026-7334: Use after free in Views
• High CVE-2026-7357: Use after free in GPU
• High CVE-2026-7356: Use after free in Navigation
• High CVE-2026-7354: Out of bounds read and write in Angle
• High CVE-2026-7353: Heap buffer overflow in Skia
• High CVE-2026-7352: Use after free in Media
• High CVE-2026-7351: Race in MHTML
• High CVE-2026-7350: Use after free in WebMIDI
• High CVE-2026-7349: Use after free in Cast
• High CVE-2026-7348: Use after free in Codecs
• High CVE-2026-7335: Use after free in media
• High CVE-2026-7336: Use after free in WebRTC
• High CVE-2026-7337: Type Confusion in V8
• High CVE-2026-7347: Use after free in Chromoting
• High CVE-2026-7346: Inappropriate implementation in Tint
• High CVE-2026-7345: Insufficient validation of untrusted input in Feedback
• High CVE-2026-7338: Use after free in Cast
• High CVE-2026-7342: Use after free in WebView
• High CVE-2026-7341: Use after free in WebRTC
• Medium CVE-2026-7339: Heap buffer overflow in WebRTC
• Medium CVE-2026-7340: Integer overflow in ANGLE
• Medium CVE-2026-7355: Use after free in Media

FEDORA-EPEL-2026-eaa2514539 Packages in this update:

• chromium-147.0.7727.137-1.el9

Update description:

The updates include fixes for:

• Critical CVE-2026-7363: Use after free in Canvas
• Critical CVE-2026-7361: Use after free in iOS
• Critical CVE-2026-7344: Use after free in Accessibility
• Critical CVE-2026-7343: Use after free in Views
• High CVE-2026-7333: Use after free in GPU
• High CVE-2026-7360: Insufficient validation of untrusted input in Compositing
• High CVE-2026-7359: Use after free in ANGLE
• High CVE-2026-7358: Use after free in Animation
• High CVE-2026-7334: Use after free in Views
• High CVE-2026-7357: Use after free in GPU
• High CVE-2026-7356: Use after free in Navigation
• High CVE-2026-7354: Out of bounds read and write in Angle
• High CVE-2026-7353: Heap buffer overflow in Skia
• High CVE-2026-7352: Use after free in Media
• High CVE-2026-7351: Race in MHTML
• High CVE-2026-7350: Use after free in WebMIDI
• High CVE-2026-7349: Use after free in Cast
• High CVE-2026-7348: Use after free in Codecs
• High CVE-2026-7335: Use after free in media
• High CVE-2026-7336: Use after free in WebRTC
• High CVE-2026-7337: Type Confusion in V8
• High CVE-2026-7347: Use after free in Chromoting
• High CVE-2026-7346: Inappropriate implementation in Tint
• High CVE-2026-7345: Insufficient validation of untrusted input in Feedback
• High CVE-2026-7338: Use after free in Cast
• High CVE-2026-7342: Use after free in WebView
• High CVE-2026-7341: Use after free in WebRTC
• Medium CVE-2026-7339: Heap buffer overflow in WebRTC
• Medium CVE-2026-7340: Integer overflow in ANGLE
• Medium CVE-2026-7355: Use after free in Media

FEDORA-EPEL-2026-70912890f2 Packages in this update:

• chromium-147.0.7727.137-1.el10_2

Update description:

The updates include fixes for:

• Critical CVE-2026-7363: Use after free in Canvas
• Critical CVE-2026-7361: Use after free in iOS
• Critical CVE-2026-7344: Use after free in Accessibility
• Critical CVE-2026-7343: Use after free in Views
• High CVE-2026-7333: Use after free in GPU
• High CVE-2026-7360: Insufficient validation of untrusted input in Compositing
• High CVE-2026-7359: Use after free in ANGLE
• High CVE-2026-7358: Use after free in Animation
• High CVE-2026-7334: Use after free in Views
• High CVE-2026-7357: Use after free in GPU
• High CVE-2026-7356: Use after free in Navigation
• High CVE-2026-7354: Out of bounds read and write in Angle
• High CVE-2026-7353: Heap buffer overflow in Skia
• High CVE-2026-7352: Use after free in Media
• High CVE-2026-7351: Race in MHTML
• High CVE-2026-7350: Use after free in WebMIDI
• High CVE-2026-7349: Use after free in Cast
• High CVE-2026-7348: Use after free in Codecs
• High CVE-2026-7335: Use after free in media
• High CVE-2026-7336: Use after free in WebRTC
• High CVE-2026-7337: Type Confusion in V8
• High CVE-2026-7347: Use after free in Chromoting
• High CVE-2026-7346: Inappropriate implementation in Tint
• High CVE-2026-7345: Insufficient validation of untrusted input in Feedback
• High CVE-2026-7338: Use after free in Cast
• High CVE-2026-7342: Use after free in WebView
• High CVE-2026-7341: Use after free in WebRTC
• Medium CVE-2026-7339: Heap buffer overflow in WebRTC
• Medium CVE-2026-7340: Integer overflow in ANGLE
• Medium CVE-2026-7355: Use after free in Media

FEDORA-2026-549ee32ea1 Packages in this update:

• proftpd-1.3.9a-1.fc44

Update description:

Cumulative bug-fix release from upstream. Includes fix for a possible SQL-injection issue via mod_sql (CVE-2026-42167). Note that mod_sql is not enabled by default.

FEDORA-EPEL-2026-bae7252e3a Packages in this update:

• proftpd-1.3.9a-1.el10_3

Update description:

Cumulative bug-fix release from upstream. Includes fix for a possible SQL-injection issue via mod_sql (CVE-2026-42167). Note that mod_sql is not enabled by default.