Fedora Security Advisories

• openslide-3.4.1-20.el8

Fix arbitrary memory write with crafted Ventana BIF file (CVE-2026-48977).

• openslide-3.4.1-20.el9

Fix arbitrary memory write with crafted Ventana BIF file (CVE-2026-48977).

• openslide-4.0.0-8.el10_3

Fix arbitrary memory write with crafted Ventana BIF file (CVE-2026-48977).

• openslide-4.0.0-14.fc43

Fix arbitrary memory write with crafted Ventana BIF file (CVE-2026-48977).

• openslide-4.0.0-14.fc44

Fix arbitrary memory write with crafted Ventana BIF file (CVE-2026-48977).

• ack-3.10.0-1.fc43

Update to version 3.10.0

• ack-3.10.0-1.fc44

Update to version 3.10.0

• hugo-0.162.1-1.fc43

Update to 0.162.1 (rhbz#2455512)

• hugo-0.162.1-1.fc44

Update to 0.162.1 (rhbz#2455512)

• perl-Mojo-JWT-1.02-1.fc44

This release of Mojo::JWT Improves the security of decode to prevent timing side-channel attacks in symmetric signatures

• perl-Mojo-JWT-1.02-1.fc43

This release of Mojo::JWT Improves the security of decode to prevent timing side-channel attacks in symmetric signatures

• python-django4.2-4.2.30-2.el9

• Backport fix for CVE-2026-35192 (low): Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
• Django 4.2.30 fixes one security issue with severity “moderate” and four security issues with severity “low” in 4.2.29
• CVE-2026-33033: Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload [moderate]
• CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
• CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin
• CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable
• CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass
• Django 4.2.29 fixes a security issue with severity “moderate” and a security issue with severity “low” in 4.2.28
• CVE-2026-25673: Potential denial-of-service vulnerability in URLField via Unicode normalization on Windows [moderate]
• CVE-2026-25674: Potential incorrect permissions on newly created file system objects

• chromium-149.0.7827.53-1.el10_2

Update to 149.0.7827.53

• fix 429 CVEs ( CVE-2026-10881 through CVE-2026-11309)

• chromium-149.0.7827.53-1.fc43

Update to 149.0.7827.53

• fix 429 CVEs ( CVE-2026-10881 through CVE-2026-11309)

• chromium-149.0.7827.53-1.el10_3

Update to 149.0.7827.53

• fix 429 CVEs ( CVE-2026-10881 through CVE-2026-11309)

• chromium-149.0.7827.53-1.el9

Update to 149.0.7827.53

• fix 429 CVEs ( CVE-2026-10881 through CVE-2026-11309)

• chromium-149.0.7827.53-1.fc44

Update to 149.0.7827.53

• fix 429 CVEs ( CVE-2026-10881 through CVE-2026-11309)

• transmission-flatpak-4.1.2-2

4.1.2

• dnsdist-2.0.6-1.el10_2

Bug Fixes:

CVE-2026-33254: An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default

CVE-2026-33257: An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The web server is disabled and restricted by an ACL by default

CVE-2026-33260: An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The web server is disabled and restricted by an ACL by default

CVE-2026-33593: A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query

CVE-2026-33595: A client can trigger excessive memory allocation by generating a lot of errors responses over a single DoQ and DoH3 connection, as some resources were not properly released until the end of the connection. DOQ and DoH3 are disabled by default

CVE-2026-33596: A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend

CVE-2026-33597: A crafted query containing an invalid DNS label can prevent the PRSD detection algorithm executed via DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI from being executed

CVE-2026-33598: A cached crafted response can cause an out-of-bounds read if custom Lua code calls getDomainListByAddress() or getAddressListByDomain() on a packet cache

CVE-2026-33599: A rogue backend can send a crafted SVCB response to a Discovery of Designated Resolvers request, when requested via either the autoUpgrade (Lua) option to newServer or auto_upgrade (YAML) settings. DDR upgrade is not enabled by default

CVE-2026-33602: A rogue backend can send a crafted UDP response with a query ID off by one related to the maximum configured value, triggering an out-of-bounds write leading to a denial of service

CVE-2026-33594: A client can trigger excessive memory allocation by generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate into a buffer that will not be released until the end of the connection. Outgoing DoH is disabled by default

• python-django5-5.2.15-1.fc44

Fixes five low-severity CVEs

• CVE-2026-6873: Signed cookie salt namespace collision
• CVE-2026-7666: Potential unencrypted email transmission via STARTTLS in the SMTP backend
• CVE-2026-8404: Potential exposure of private data via case-sensitive Cache-Control directives
• CVE-2026-35193: Potential exposure of private data via missing Vary: Authorization
• CVE-2026-48587: Potential exposure of private data via whitespace padding in Vary header