Fedora Security Advisories

perl-Mojolicious-9.48-1.fc43

19 minutes 13 seconds ago
FEDORA-2026-6f12b08313 Packages in this update:
  • perl-Mojolicious-9.48-1.fc43
Update description:

Mojolicious 9.48 fixes a security issue where CSRF tokens were vulnerable to BREACH attacks. Tokens are now masked with a fresh random value on every request, instead of being reused for the whole lifetime of a session.

perl-Mojolicious-9.48-1.fc44

19 minutes 14 seconds ago
FEDORA-2026-4334fd85bc Packages in this update:
  • perl-Mojolicious-9.48-1.fc44
Update description:

Mojolicious 9.48 fixes a security issue where CSRF tokens were vulnerable to BREACH attacks. Tokens are now masked with a fresh random value on every request, instead of being reused for the whole lifetime of a session.

trafficserver-10.1.3-1.fc43

8 hours 28 minutes ago
FEDORA-2026-ddaabe38ab Packages in this update:
  • trafficserver-10.1.3-1.fc43
Update description:

Resolves CVE-2026-59173 - DoS vulnerability in HTTP/2 via stalled flow-control

Additional Changes with Apache Traffic Server 9.2.14 #12910 - Fix connection-level window mismatch causing 408/504 timeouts #13266 - Add Claude Code project guide for the 9.2.x branch #13267 - [9.2.x] Backport format scripts fixes #13377 - 9.2.x: http2: Track scheduled events

Additional Changes with Apache Traffic Server 10.1.3 #12192 - Return a 400 on chunk parse errors #12733 - Fix retry logic for TSHttpTxnServerAddrSet (issue #12611) #12854 - Fix LoadedPlugins::remove crash during static destruction #12855 - Fix header_rewrite run-plugin relative path resolution #12857 - Fix autest compatibility with Fedora 43 / Python 3.14 #12943 - Address incompatibility with BoringSSL #12959 - Fix crash in HttpSM::tunnel_handler on unhandled VC events #12972 - Fix cache retry assert on ServerAddrSet #12990 - Update to Proxy Verifier v3.0.0 #13008 - cmake: limit GENERAL_NAME bssl probe #13020 - Align AuTests with latest proxy-verifier checks (#12986) #13025 - hrw: Refix loading geodb files #13033 - tests/gold_tests/headers tests: use ATSReplayTest #13113 - slice: Fix crash caused by use-after-free #13114 - Fix bg fill teardown crash in update_size_and_time_stats #13138 - Remove cache alternate vector detach #13144 - Fix XPACK relative index underflow #13162 - hrw: Fix an index bug in run plugin operator #13177 - Correct records.yaml record drift #13178 - 10.1.x: proxy.config.dns.search_default_domains: allow 2 #13182 - Stabilize parallel AuTest helpers #13192 - yaml-cpp-0.9.0 #13193 - GCC 16: Regex header integer includes #13198 - Fedora 44 test fixes #13200 - Single source of truth for Proxy Verifier metadata #13217 - Proxy Verifier v3.1.3 #13218 - Fix hdrHeap/hdrStrHeap allocator inuse metric underflow #13220 - Fix flaky Fedora 44 AuTest helpers #13223 - Fix mismatched sINT/dINT log field types #13252 - cache: apply per-volume settings on first start after clear #13256 - Fix mismatched log field types more #13261 - header_rewrite: Improve URL Error messages #13263 - Fix bounds check in CacheVC::scanObject #13264 - Handle OpenSSL without dynamic ENGINE #13280 - Enable probes in Fedora C++20 CI #13293 - ProxyProtocol: free pp_info heap on NetVConnection recycle #13294 - Fix pending HostDB DNS queue removal race #13295 - Fix server entry cleanup after request tunnel setup #13297 - 10.1.x: Add sni.yaml session ticket overrides (#13006) #13303 - header_rewrite: Fix a leak and truncation in set-body-from #13307 - dns: destruct HostEnt on free to fix SRV vector leak #13318 - TLS: Fix memory leaks in cert load and OCSP stapling #13325 - HttpSM.cc: fix cache read end milestone order #13336 - 10.1.x: Fix redirected cache write without write VC #13365 - 10.1.x: USDT: normalize names for STATE_ENTER #13366 - 10.1.x: Fix set-status crash inside if/endif at remap time #13387 - Hard-enforce max_active_streams_in at HTTP/2 stream creation

trafficserver-10.1.3-1.fc44

8 hours 28 minutes ago
FEDORA-2026-bb8dc1e5b6 Packages in this update:
  • trafficserver-10.1.3-1.fc44
Update description:

Resolves CVE-2026-59173 - DoS vulnerability in HTTP/2 via stalled flow-control

Additional Changes with Apache Traffic Server 9.2.14 #12910 - Fix connection-level window mismatch causing 408/504 timeouts #13266 - Add Claude Code project guide for the 9.2.x branch #13267 - [9.2.x] Backport format scripts fixes #13377 - 9.2.x: http2: Track scheduled events

Additional Changes with Apache Traffic Server 10.1.3 #12192 - Return a 400 on chunk parse errors #12733 - Fix retry logic for TSHttpTxnServerAddrSet (issue #12611) #12854 - Fix LoadedPlugins::remove crash during static destruction #12855 - Fix header_rewrite run-plugin relative path resolution #12857 - Fix autest compatibility with Fedora 43 / Python 3.14 #12943 - Address incompatibility with BoringSSL #12959 - Fix crash in HttpSM::tunnel_handler on unhandled VC events #12972 - Fix cache retry assert on ServerAddrSet #12990 - Update to Proxy Verifier v3.0.0 #13008 - cmake: limit GENERAL_NAME bssl probe #13020 - Align AuTests with latest proxy-verifier checks (#12986) #13025 - hrw: Refix loading geodb files #13033 - tests/gold_tests/headers tests: use ATSReplayTest #13113 - slice: Fix crash caused by use-after-free #13114 - Fix bg fill teardown crash in update_size_and_time_stats #13138 - Remove cache alternate vector detach #13144 - Fix XPACK relative index underflow #13162 - hrw: Fix an index bug in run plugin operator #13177 - Correct records.yaml record drift #13178 - 10.1.x: proxy.config.dns.search_default_domains: allow 2 #13182 - Stabilize parallel AuTest helpers #13192 - yaml-cpp-0.9.0 #13193 - GCC 16: Regex header integer includes #13198 - Fedora 44 test fixes #13200 - Single source of truth for Proxy Verifier metadata #13217 - Proxy Verifier v3.1.3 #13218 - Fix hdrHeap/hdrStrHeap allocator inuse metric underflow #13220 - Fix flaky Fedora 44 AuTest helpers #13223 - Fix mismatched sINT/dINT log field types #13252 - cache: apply per-volume settings on first start after clear #13256 - Fix mismatched log field types more #13261 - header_rewrite: Improve URL Error messages #13263 - Fix bounds check in CacheVC::scanObject #13264 - Handle OpenSSL without dynamic ENGINE #13280 - Enable probes in Fedora C++20 CI #13293 - ProxyProtocol: free pp_info heap on NetVConnection recycle #13294 - Fix pending HostDB DNS queue removal race #13295 - Fix server entry cleanup after request tunnel setup #13297 - 10.1.x: Add sni.yaml session ticket overrides (#13006) #13303 - header_rewrite: Fix a leak and truncation in set-body-from #13307 - dns: destruct HostEnt on free to fix SRV vector leak #13318 - TLS: Fix memory leaks in cert load and OCSP stapling #13325 - HttpSM.cc: fix cache read end milestone order #13336 - 10.1.x: Fix redirected cache write without write VC #13365 - 10.1.x: USDT: normalize names for STATE_ENTER #13366 - 10.1.x: Fix set-status crash inside if/endif at remap time #13387 - Hard-enforce max_active_streams_in at HTTP/2 stream creation

trafficserver-9.2.14-1.el9

8 hours 28 minutes ago
FEDORA-EPEL-2026-5bcb271bee Packages in this update:
  • trafficserver-9.2.14-1.el9
Update description:

Resolves CVE-2026-59173 - DoS vulnerability in HTTP/2 via stalled flow-control

Additional Changes with Apache Traffic Server 9.2.14 #12910 - Fix connection-level window mismatch causing 408/504 timeouts #13266 - Add Claude Code project guide for the 9.2.x branch #13267 - [9.2.x] Backport format scripts fixes #13377 - 9.2.x: http2: Track scheduled events

Additional Changes with Apache Traffic Server 10.1.3 #12192 - Return a 400 on chunk parse errors #12733 - Fix retry logic for TSHttpTxnServerAddrSet (issue #12611) #12854 - Fix LoadedPlugins::remove crash during static destruction #12855 - Fix header_rewrite run-plugin relative path resolution #12857 - Fix autest compatibility with Fedora 43 / Python 3.14 #12943 - Address incompatibility with BoringSSL #12959 - Fix crash in HttpSM::tunnel_handler on unhandled VC events #12972 - Fix cache retry assert on ServerAddrSet #12990 - Update to Proxy Verifier v3.0.0 #13008 - cmake: limit GENERAL_NAME bssl probe #13020 - Align AuTests with latest proxy-verifier checks (#12986) #13025 - hrw: Refix loading geodb files #13033 - tests/gold_tests/headers tests: use ATSReplayTest #13113 - slice: Fix crash caused by use-after-free #13114 - Fix bg fill teardown crash in update_size_and_time_stats #13138 - Remove cache alternate vector detach #13144 - Fix XPACK relative index underflow #13162 - hrw: Fix an index bug in run plugin operator #13177 - Correct records.yaml record drift #13178 - 10.1.x: proxy.config.dns.search_default_domains: allow 2 #13182 - Stabilize parallel AuTest helpers #13192 - yaml-cpp-0.9.0 #13193 - GCC 16: Regex header integer includes #13198 - Fedora 44 test fixes #13200 - Single source of truth for Proxy Verifier metadata #13217 - Proxy Verifier v3.1.3 #13218 - Fix hdrHeap/hdrStrHeap allocator inuse metric underflow #13220 - Fix flaky Fedora 44 AuTest helpers #13223 - Fix mismatched sINT/dINT log field types #13252 - cache: apply per-volume settings on first start after clear #13256 - Fix mismatched log field types more #13261 - header_rewrite: Improve URL Error messages #13263 - Fix bounds check in CacheVC::scanObject #13264 - Handle OpenSSL without dynamic ENGINE #13280 - Enable probes in Fedora C++20 CI #13293 - ProxyProtocol: free pp_info heap on NetVConnection recycle #13294 - Fix pending HostDB DNS queue removal race #13295 - Fix server entry cleanup after request tunnel setup #13297 - 10.1.x: Add sni.yaml session ticket overrides (#13006) #13303 - header_rewrite: Fix a leak and truncation in set-body-from #13307 - dns: destruct HostEnt on free to fix SRV vector leak #13318 - TLS: Fix memory leaks in cert load and OCSP stapling #13325 - HttpSM.cc: fix cache read end milestone order #13336 - 10.1.x: Fix redirected cache write without write VC #13365 - 10.1.x: USDT: normalize names for STATE_ENTER #13366 - 10.1.x: Fix set-status crash inside if/endif at remap time #13387 - Hard-enforce max_active_streams_in at HTTP/2 stream creation

trafficserver-9.2.14-1.el8

8 hours 28 minutes ago
FEDORA-EPEL-2026-6b5cec4a03 Packages in this update:
  • trafficserver-9.2.14-1.el8
Update description:

Resolves CVE-2026-59173 - DoS vulnerability in HTTP/2 via stalled flow-control

Additional Changes with Apache Traffic Server 9.2.14 #12910 - Fix connection-level window mismatch causing 408/504 timeouts #13266 - Add Claude Code project guide for the 9.2.x branch #13267 - [9.2.x] Backport format scripts fixes #13377 - 9.2.x: http2: Track scheduled events

Additional Changes with Apache Traffic Server 10.1.3 #12192 - Return a 400 on chunk parse errors #12733 - Fix retry logic for TSHttpTxnServerAddrSet (issue #12611) #12854 - Fix LoadedPlugins::remove crash during static destruction #12855 - Fix header_rewrite run-plugin relative path resolution #12857 - Fix autest compatibility with Fedora 43 / Python 3.14 #12943 - Address incompatibility with BoringSSL #12959 - Fix crash in HttpSM::tunnel_handler on unhandled VC events #12972 - Fix cache retry assert on ServerAddrSet #12990 - Update to Proxy Verifier v3.0.0 #13008 - cmake: limit GENERAL_NAME bssl probe #13020 - Align AuTests with latest proxy-verifier checks (#12986) #13025 - hrw: Refix loading geodb files #13033 - tests/gold_tests/headers tests: use ATSReplayTest #13113 - slice: Fix crash caused by use-after-free #13114 - Fix bg fill teardown crash in update_size_and_time_stats #13138 - Remove cache alternate vector detach #13144 - Fix XPACK relative index underflow #13162 - hrw: Fix an index bug in run plugin operator #13177 - Correct records.yaml record drift #13178 - 10.1.x: proxy.config.dns.search_default_domains: allow 2 #13182 - Stabilize parallel AuTest helpers #13192 - yaml-cpp-0.9.0 #13193 - GCC 16: Regex header integer includes #13198 - Fedora 44 test fixes #13200 - Single source of truth for Proxy Verifier metadata #13217 - Proxy Verifier v3.1.3 #13218 - Fix hdrHeap/hdrStrHeap allocator inuse metric underflow #13220 - Fix flaky Fedora 44 AuTest helpers #13223 - Fix mismatched sINT/dINT log field types #13252 - cache: apply per-volume settings on first start after clear #13256 - Fix mismatched log field types more #13261 - header_rewrite: Improve URL Error messages #13263 - Fix bounds check in CacheVC::scanObject #13264 - Handle OpenSSL without dynamic ENGINE #13280 - Enable probes in Fedora C++20 CI #13293 - ProxyProtocol: free pp_info heap on NetVConnection recycle #13294 - Fix pending HostDB DNS queue removal race #13295 - Fix server entry cleanup after request tunnel setup #13297 - 10.1.x: Add sni.yaml session ticket overrides (#13006) #13303 - header_rewrite: Fix a leak and truncation in set-body-from #13307 - dns: destruct HostEnt on free to fix SRV vector leak #13318 - TLS: Fix memory leaks in cert load and OCSP stapling #13325 - HttpSM.cc: fix cache read end milestone order #13336 - 10.1.x: Fix redirected cache write without write VC #13365 - 10.1.x: USDT: normalize names for STATE_ENTER #13366 - 10.1.x: Fix set-status crash inside if/endif at remap time #13387 - Hard-enforce max_active_streams_in at HTTP/2 stream creation

libseccomp-2.6.1-2.fc43

13 hours 50 minutes ago
FEDORA-2026-9afc6b6bb3 Packages in this update:
  • libseccomp-2.6.1-2.fc43
Update description: libseccomp 2.6.1 packaging changes
  • Enable Python bindings on Fedora 44+
upstream changes - July 1, 2026
  • Update the syscall table for Linux v7.1.0-rc4
  • Fix incorrect 64-bit comparison merge that can weaken libseccomp filters. See GitHub Advisory GHSA-4q85-33p6-j5g6
  • Fix issue where oversized libseccomp filters can trigger a double free. See GitHub Advisory GHSA-46fr-jh49-xvhx
  • Fix issue where oversized libseccomp filters can trigger a heap corruption. See GitHub Advisory GHSA-2hqh-5c36-grrm
  • Fix struct aliasing undefined behavior in the internal libseccomp hash algorithm
  • Fix issue where extraneous bytes were being copied to the destination buffer in seccomp_export_bpf_mem()
  • Fix a bug where merged libseccomp filters failed to merge the notify_used flag, leading to no listener file descriptor being generated
  • Update python shebang to point to python3
  • Add documentation for seccomp_transaction_start()
  • Since support for s390 has been removed from the upstream Linux kernel, freeze libseccomp's s390 syscall table at Linux v6.18

libseccomp-2.6.1-2.fc44

13 hours 51 minutes ago
FEDORA-2026-752186819e Packages in this update:
  • libseccomp-2.6.1-2.fc44
Update description: libseccomp 2.6.1 packaging changes
  • Enable Python bindings on Fedora 44+
upstream changes - July 1, 2026
  • Update the syscall table for Linux v7.1.0-rc4
  • Fix incorrect 64-bit comparison merge that can weaken libseccomp filters. See GitHub Advisory GHSA-4q85-33p6-j5g6
  • Fix issue where oversized libseccomp filters can trigger a double free. See GitHub Advisory GHSA-46fr-jh49-xvhx
  • Fix issue where oversized libseccomp filters can trigger a heap corruption. See GitHub Advisory GHSA-2hqh-5c36-grrm
  • Fix struct aliasing undefined behavior in the internal libseccomp hash algorithm
  • Fix issue where extraneous bytes were being copied to the destination buffer in seccomp_export_bpf_mem()
  • Fix a bug where merged libseccomp filters failed to merge the notify_used flag, leading to no listener file descriptor being generated
  • Update python shebang to point to python3
  • Add documentation for seccomp_transaction_start()
  • Since support for s390 has been removed from the upstream Linux kernel, freeze libseccomp's s390 syscall table at Linux v6.18

openssh-10.2p1-13.fc44

1 day 17 hours ago
FEDORA-2026-c9d8542bb3 Packages in this update:
  • openssh-10.2p1-13.fc44
Update description:
  • CVE-2026-59996: Fix remote glob result of ".." causing files to be placed in unintended parent directories when scp performs remote-to-remote copy via the local host
  • CVE-2026-60002: Fix use-after-free in cached hostkey during key re-exchange

openssh-10.0p1-11.fc43

1 day 17 hours ago
FEDORA-2026-169fd93089 Packages in this update:
  • openssh-10.0p1-11.fc43
Update description:
  • CVE-2026-59996: Fix remote glob result of ".." causing files to be placed in unintended parent directories when scp performs remote-to-remote copy via the local host
  • CVE-2026-60002: Fix use-after-free in cached hostkey during key re-exchange

moby-engine-29.6.2-1.fc43

1 day 17 hours ago
FEDORA-2026-64ca3441c3 Packages in this update:
  • moby-engine-29.6.2-1.fc43
Update description:
  • Update to release v29.6.2
  • Resolves: rhbz#2496437
  • Upstream security fixes
    • GHSA-hw3h-2gp9-cxpv
    • GHSA-qx3x-mv6r-52p6
    • GHSA-32pv-7hq5-qhwq
    • GHSA-g2h8-426c-7976
    • GHSA-388v-wmr2-g2v2
Checked
10 minutes 35 seconds ago