Fedora Security Advisories

• roundcubemail-1.6.14-1.fc43

Version 1.6.14

• Fix Postgres connection using IPv6 address (#10104)
• Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
• Security: Fix bug where a password could get changed without providing the old password
• Security: Fix IMAP Injection + CSRF bypass in mail search
• Security: Fix remote image blocking bypass via various SVG animate attributes
• Security: Fix remote image blocking bypass via a crafted body background attribute
• Security: Fix fixed position mitigation bypass via use of !important
• Security: Fix XSS issue in a HTML attachment preview
• Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts

• roundcubemail-1.6.14-1.el10_1

Version 1.6.14

• Fix Postgres connection using IPv6 address (#10104)
• Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
• Security: Fix bug where a password could get changed without providing the old password
• Security: Fix IMAP Injection + CSRF bypass in mail search
• Security: Fix remote image blocking bypass via various SVG animate attributes
• Security: Fix remote image blocking bypass via a crafted body background attribute
• Security: Fix fixed position mitigation bypass via use of !important
• Security: Fix XSS issue in a HTML attachment preview
• Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts

• roundcubemail-1.6.14-1.el10_3

Version 1.6.14

• Fix Postgres connection using IPv6 address (#10104)
• Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
• Security: Fix bug where a password could get changed without providing the old password
• Security: Fix IMAP Injection + CSRF bypass in mail search
• Security: Fix remote image blocking bypass via various SVG animate attributes
• Security: Fix remote image blocking bypass via a crafted body background attribute
• Security: Fix fixed position mitigation bypass via use of !important
• Security: Fix XSS issue in a HTML attachment preview
• Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts

• roundcubemail-1.5.14-1.el9

Version 1.5.14

• Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
• Security: Fix bug where a password could get changed without providing the old password
• Security: Fix IMAP Injection + CSRF bypass in mail search
• Security: Fix remote image blocking bypass via various SVG animate attributes
• Security: Fix remote image blocking bypass via a crafted body background attribute
• Security: Fix fixed position mitigation bypass via use of !important
• Security: Fix XSS issue in a HTML attachment preview

• suricata-7.0.15-1.fc43

Upstream security/bugfix release

• suricata-8.0.4-1.fc44

Upstream security/bugfix release.

• xen-4.19.4-3.fc42

Use after free of paging structures in EPT [XSA-480, CVE-2026-23554] Xenstored DoS by unprivileged domain [XSA-481, CVE-2026-23555]

• xen-4.20.2-4.fc43

Use after free of paging structures in EPT [XSA-480, CVE-2026-23554] Xenstored DoS by unprivileged domain [XSA-481, CVE-2026-23555]

• pyOpenSSL-26.0.0-1.fc44

Update to version 26.0.0

• Added support for using aws-lc instead of OpenSSL.
• Properly raise an error if a DTLS cookie callback returned a cookie longer than DTLS1_COOKIE_LENGTH bytes. Previously this would result in a buffer-overflow. Credit to dark_haxor for reporting the issue. CVE-2026-27459
• Added OpenSSL.SSL.Connection.get_group_name to determine which group name was negotiated.
• Context.set_tlsext_servername_callback now handles exceptions raised in the callback by calling sys.excepthook and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded. Credit to Leury Castillo for reporting this issue. CVE-2026-27448

• headscale-0.28.0-1.fc44

update to 0.28.0

• headscale-0.28.0-1.fc43

update to 0.28.0

• openssh-10.2p1-6.fc44

• CVE-2026-3497: Fix information disclosure or denial of service due to uninitialized variables in gssapi-keyex

• openssh-9.9p1-13.fc42

• CVE-2026-3497: Fix information disclosure or denial of service due to uninitialized variables in gssapi-keyex

• openssh-10.0p1-7.fc43

• CVE-2026-3497: Fix information disclosure or denial of service due to uninitialized variables in gssapi-keyex

• fontforge-20230101-20.fc43

Resolves: CVE-2025-15270

• fontforge-20230101-19.fc42

Resolves: CVE-2025-15270

• vtk-9.2.6-44.fc43

Add patch to fix integer overflow on 32-bit in KissFFT (CVE-2025-34297)

• vtk-9.2.6-38.fc42

Add patch to fix integer overflow on 32-bit in KissFFT (CVE-2025-34297)

• xen-4.21.0-5.fc44

Use after free of paging structures in EPT [XSA-480, CVE-2026-23554] Xenstored DoS by unprivileged domain [XSA-481, CVE-2026-23555]

• dotnet8.0-8.0.125-1.fc42

This is the March 2026 release of .NET 8

Release Notes:

• SDK: https://github.com/dotnet/core/blob/main/release-notes/8.0/8.0.25/8.0.125.md
• Runtime: https://github.com/dotnet/core/blob/main/release-notes/8.0/8.0.25/8.0.25.md