Fedora Security Advisories

perl-HTTP-Daemon-6.17-1.fc43

1 hour 6 minutes ago
FEDORA-2026-f276b2154e
Packages in this update:
  • perl-HTTP-Daemon-6.17-1.fc43
Update description:

Changes:

6.17 2026-05-19 23:11:06Z

  • Fix CVE-2026-8450 (affects 6.15 and earlier): 2-arg open() in send_file() enabled RCE / arbitrary file write / response-body exfiltration when a string argument was derived from attacker-influenced input. send_file() now uses 3-arg open() with an explicit '<' read mode, so the path is always treated as a literal filename and 2-arg open() shell-magic shapes ('| cmd', 'cmd |', '> path', etc.) are no longer interpreted. send_file() now also returns '0E0' (true zero) on a successful zero-byte transfer so callers can distinguish empty file from open failure (undef). See https://www.cve.org/CVERecord?id=CVE-2026-8450 for the advisory. Reported and patched by Stig Palmquist (stigtsp). (Stig Palmquist, Olaf Alders)

perl-HTTP-Daemon-6.17-1.fc44

1 hour 7 minutes ago
FEDORA-2026-8982379b5c
Packages in this update:
  • perl-HTTP-Daemon-6.17-1.fc44
Update description:

Changes:

6.17 2026-05-19 23:11:06Z

  • Fix CVE-2026-8450 (affects 6.15 and earlier): 2-arg open() in send_file() enabled RCE / arbitrary file write / response-body exfiltration when a string argument was derived from attacker-influenced input. send_file() now uses 3-arg open() with an explicit '<' read mode, so the path is always treated as a literal filename and 2-arg open() shell-magic shapes ('| cmd', 'cmd |', '> path', etc.) are no longer interpreted. send_file() now also returns '0E0' (true zero) on a successful zero-byte transfer so callers can distinguish empty file from open failure (undef). See https://www.cve.org/CVERecord?id=CVE-2026-8450 for the advisory. Reported and patched by Stig Palmquist (stigtsp). (Stig Palmquist, Olaf Alders)

perl-Net-Statsd-0.13-1.fc44

4 hours 1 minute ago
FEDORA-2026-9c71664439
Packages in this update:
  • perl-Net-Statsd-0.13-1.fc44
Update description:

Metric names and values are now validated to ensure they do not contain characters below ASCII 32 (including newlines), colon (":") or pipe ("|") characters that might allow metric injection. Offending calls now croak.

perl-Net-Statsd-0.13-1.fc43

4 hours 1 minute ago
FEDORA-2026-9a8f233b8f
Packages in this update:
  • perl-Net-Statsd-0.13-1.fc43
Update description:

Metric names and values are now validated to ensure they do not contain characters below ASCII 32 (including newlines), colon (":") or pipe ("|") characters that might allow metric injection. Offending calls now croak.

ImageMagick-6.9.13.49-1.el9

4 hours 43 minutes ago
FEDORA-EPEL-2026-2d971fc3b0
Packages in this update:
  • ImageMagick-6.9.13.49-1.el9
Update description:

Summary

This update fixes several security vulnerabilities, including multiple high-severity CVEs:

Security fixes

  • CVE-2026-33901 (High) — Heap buffer overflow in the MVG decoder that could result in an out-of-bounds write when processing a crafted image.
  • CVE-2026-33908 (High) — Recursive DestroyXMLTree() call with no depth limit causes stack exhaustion when processing deeply nested XML structures, resulting in a Denial of Service (DoS).
  • CVE-2026-40310 (High) — Heap out-of-bounds write in the JP2 encoder triggered when a user specifies an invalid sampling index.

Additional security and bug fixes are included in the upstream releases between 6.9.13.25 and 6.9.13.49. See the upstream release history at: https://github.com/ImageMagick/ImageMagick6/releases

ImageMagick-6.9.13.49-1.el8

4 hours 43 minutes ago
FEDORA-EPEL-2026-fb9a9ab1e9
Packages in this update:
  • ImageMagick-6.9.13.49-1.el8
Update description:

Summary

This update fixes several security vulnerabilities, including multiple high-severity CVEs:

Security fixes

  • CVE-2026-33901 (High) — Heap buffer overflow in the MVG decoder that could result in an out-of-bounds write when processing a crafted image.
  • CVE-2026-33908 (High) — Recursive DestroyXMLTree() call with no depth limit causes stack exhaustion when processing deeply nested XML structures, resulting in a Denial of Service (DoS).
  • CVE-2026-40310 (High) — Heap out-of-bounds write in the JP2 encoder triggered when a user specifies an invalid sampling index.

Additional security and bug fixes are included in the upstream releases between 6.9.13.25 and 6.9.13.49. See the upstream release history at: https://github.com/ImageMagick/ImageMagick6/releases

vorbis-tools-1.4.3-5.fc45

11 hours 39 minutes ago
FEDORA-2026-9c00940406
Packages in this update:
  • vorbis-tools-1.4.3-5.fc45
Update description:

Automatic update for vorbis-tools-1.4.3-5.fc45.

Changelog

* Tue Jun 9 2026 Lukáš Zaoral <lzaoral@redhat.com> - 1:1.4.3-5
- CVE-2026-34253 - fix arbitrary code execution via buffer underflow (rhbz#2479549)