Fedora Security Advisories

kernel-7.0.10-201.fc44

Fedora Security Advisories
3 hours 10 minutes ago
FEDORA-2026-bc20b091a8 Packages in this update:
  • kernel-7.0.10-201.fc44
Update description:

The 7.0.10-101/201 stable kernel updates contain a number of important fixes across the tree.

kernel-7.0.10-101.fc43

Fedora Security Advisories
3 hours 10 minutes ago
FEDORA-2026-146d86eefc Packages in this update:
  • kernel-7.0.10-101.fc43
Update description:

The 7.0.10-101/201 stable kernel updates contain a number of important fixes across the tree.

pie-1.4.5-1.fc44

Fedora Security Advisories
1 day 3 hours ago
FEDORA-2026-e5d5fc359d Packages in this update:
  • pie-1.4.5-1.fc44
Update description: Version 1.4.5

This release contains vulnerability fixes for the following security advisories:

  • GHSA-h842-vjwg-pxxx - Sudo-elevated arbitrary file deletion via extra.pie-installed-binary metadata in UninstallUsingUnlink
  • GHSA-pm6p-666q-hvj5 - Sudo-elevated root code execution via TOCTOU between self-update verify and write
  • GHSA-f67f-c344-cqqr - PIE self-update accepts any historically-attested pie.phar (rollback gap)
  • GHSA-vcv4-gmjc-mxvq - php-ext.build-path traversal escapes PIE's vendor extract directory
  • GHSA-8xmh-xrvp-hwrf - WindowsInstall::copyExtraFile lacks destination containment check (Windows-only path traversal)
  • GHSA-p4j8-36rr-gjfq - Self-update attestation verification is scoped to --owner=php, not --repo=php/pie

pie-1.4.5-1.el10_2

Fedora Security Advisories
1 day 3 hours ago
FEDORA-EPEL-2026-4114f4323c Packages in this update:
  • pie-1.4.5-1.el10_2
Update description: Version 1.4.5

This release contains vulnerability fixes for the following security advisories:

  • GHSA-h842-vjwg-pxxx - Sudo-elevated arbitrary file deletion via extra.pie-installed-binary metadata in UninstallUsingUnlink
  • GHSA-pm6p-666q-hvj5 - Sudo-elevated root code execution via TOCTOU between self-update verify and write
  • GHSA-f67f-c344-cqqr - PIE self-update accepts any historically-attested pie.phar (rollback gap)
  • GHSA-vcv4-gmjc-mxvq - php-ext.build-path traversal escapes PIE's vendor extract directory
  • GHSA-8xmh-xrvp-hwrf - WindowsInstall::copyExtraFile lacks destination containment check (Windows-only path traversal)
  • GHSA-p4j8-36rr-gjfq - Self-update attestation verification is scoped to --owner=php, not --repo=php/pie

pie-1.4.5-1.el10_3

Fedora Security Advisories
1 day 3 hours ago
FEDORA-EPEL-2026-e9a72cc7ed Packages in this update:
  • pie-1.4.5-1.el10_3
Update description: Version 1.4.5

This release contains vulnerability fixes for the following security advisories:

  • GHSA-h842-vjwg-pxxx - Sudo-elevated arbitrary file deletion via extra.pie-installed-binary metadata in UninstallUsingUnlink
  • GHSA-pm6p-666q-hvj5 - Sudo-elevated root code execution via TOCTOU between self-update verify and write
  • GHSA-f67f-c344-cqqr - PIE self-update accepts any historically-attested pie.phar (rollback gap)
  • GHSA-vcv4-gmjc-mxvq - php-ext.build-path traversal escapes PIE's vendor extract directory
  • GHSA-8xmh-xrvp-hwrf - WindowsInstall::copyExtraFile lacks destination containment check (Windows-only path traversal)
  • GHSA-p4j8-36rr-gjfq - Self-update attestation verification is scoped to --owner=php, not --repo=php/pie

pie-1.4.5-1.fc43

Fedora Security Advisories
1 day 3 hours ago
FEDORA-2026-b2fe14ec86 Packages in this update:
  • pie-1.4.5-1.fc43
Update description: Version 1.4.5

This release contains vulnerability fixes for the following security advisories:

  • GHSA-h842-vjwg-pxxx - Sudo-elevated arbitrary file deletion via extra.pie-installed-binary metadata in UninstallUsingUnlink
  • GHSA-pm6p-666q-hvj5 - Sudo-elevated root code execution via TOCTOU between self-update verify and write
  • GHSA-f67f-c344-cqqr - PIE self-update accepts any historically-attested pie.phar (rollback gap)
  • GHSA-vcv4-gmjc-mxvq - php-ext.build-path traversal escapes PIE's vendor extract directory
  • GHSA-8xmh-xrvp-hwrf - WindowsInstall::copyExtraFile lacks destination containment check (Windows-only path traversal)
  • GHSA-p4j8-36rr-gjfq - Self-update attestation verification is scoped to --owner=php, not --repo=php/pie

libpng-1.6.58-1.fc43

Fedora Security Advisories
1 day 13 hours ago
FEDORA-2026-a109a9ac2c Packages in this update:
  • libpng-1.6.58-1.fc43
Update description:
  • updated to 1.6.58
  • 1.6.58 is released with a fix for a simple correctness bug (not a security issue) this time: png_get_PLTE() returns stale palette data when either gamma correction or alpha-compositing is the only transform applied. Like the issues addressed in the previous release, this bug was a regression introduced in the fix for CVE-2026-33416 in 1.6.56.
  • 1.6.57 is released with fixes for the following security vulnerability:
  • CVE-2026-34757 (medium severity): Use-after-free memory bug in the chunk setter API. The hIST variant has existed since version 1.0.9, but the PLTE and tRNS ones are regressions introduced in the fix for CVE-2026-33416 in 1.6.56 (oops).

libpng-1.6.58-1.fc42

Fedora Security Advisories
1 day 13 hours ago
FEDORA-2026-9a678a08c8 Packages in this update:
  • libpng-1.6.58-1.fc42
Update description:
  • updated to 1.6.58
  • 1.6.58 is released with a fix for a simple correctness bug (not a security issue) this time: png_get_PLTE() returns stale palette data when either gamma correction or alpha-compositing is the only transform applied. Like the issues addressed in the previous release, this bug was a regression introduced in the fix for CVE-2026-33416 in 1.6.56.
  • 1.6.57 is released with fixes for the following security vulnerability:
  • CVE-2026-34757 (medium severity): Use-after-free memory bug in the chunk setter API. The hIST variant has existed since version 1.0.9, but the PLTE and tRNS ones are regressions introduced in the fix for CVE-2026-33416 in 1.6.56 (oops).

libpng-1.6.58-1.fc44

Fedora Security Advisories
1 day 13 hours ago
FEDORA-2026-67c1138ed2 Packages in this update:
  • libpng-1.6.58-1.fc44
Update description:
  • updated to 1.6.58
  • 1.6.58 is released with a fix for a simple correctness bug (not a security issue) this time: png_get_PLTE() returns stale palette data when either gamma correction or alpha-compositing is the only transform applied. Like the issues addressed in the previous release, this bug was a regression introduced in the fix for CVE-2026-33416 in 1.6.56.
  • 1.6.57 is released with fixes for the following security vulnerability:
  • CVE-2026-34757 (medium severity): Use-after-free memory bug in the chunk setter API. The hIST variant has existed since version 1.0.9, but the PLTE and tRNS ones are regressions introduced in the fix for CVE-2026-33416 in 1.6.56 (oops).

roundcubemail-1.6.16-1.el10_3

Fedora Security Advisories
1 day 14 hours ago
FEDORA-EPEL-2026-05f02b89ad Packages in this update:
  • roundcubemail-1.6.16-1.el10_3
Update description: Release 1.6.16
  • Fix potential too long value in IMAP ID command (#10136)
  • Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
  • Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">
  • Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass
  • Security: Fix SSRF bypass via specific local address URLs
  • Security: Fix bypass of remote image blocking via CSS var()
  • Security: Fix local/private URL fetch bypass when remote resources were not allowed
  • Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
  • Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option

roundcubemail-1.6.16-1.fc43

Fedora Security Advisories
1 day 14 hours ago
FEDORA-2026-07ee097ffe Packages in this update:
  • roundcubemail-1.6.16-1.fc43
Update description: Release 1.6.16
  • Fix potential too long value in IMAP ID command (#10136)
  • Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
  • Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">
  • Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass
  • Security: Fix SSRF bypass via specific local address URLs
  • Security: Fix bypass of remote image blocking via CSS var()
  • Security: Fix local/private URL fetch bypass when remote resources were not allowed
  • Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
  • Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option

roundcubemail-1.6.16-1.el10_2

Fedora Security Advisories
1 day 14 hours ago
FEDORA-EPEL-2026-aa33047e8e Packages in this update:
  • roundcubemail-1.6.16-1.el10_2
Update description: Release 1.6.16
  • Fix potential too long value in IMAP ID command (#10136)
  • Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
  • Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">
  • Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass
  • Security: Fix SSRF bypass via specific local address URLs
  • Security: Fix bypass of remote image blocking via CSS var()
  • Security: Fix local/private URL fetch bypass when remote resources were not allowed
  • Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
  • Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option

vim-9.2.530-1.fc43

Fedora Security Advisories
2 days 8 hours ago
FEDORA-2026-75b5ddf8c3 Packages in this update:
  • vim-9.2.530-1.fc43
Update description:

keep GTK4 in rawhide for now

switch to GTK4 for GVim

Fix CVE-2026-46483

Checked
1 minute 22 seconds ago
URL
https://bodhi.fedoraproject.org/rss/updates/?type=security