Fedora Security Advisories

roundcubemail-1.7.2-1.fc44

3 days 14 hours ago
FEDORA-2026-517daa8d64 Packages in this update:
  • roundcubemail-1.7.2-1.fc44
Update description: Release 1.7.2
  • Add HEAD request handler to the static.php
  • Fix so the oauth_password_claim claim is retrieved via token or userinfo request (#9631)
  • Fix bug where static.php would return a 416 error on a specific Range request (#10194)
  • Fix bug where configured skin logo wasn't loaded via static.php resulting in 404 error (#10191)
  • Fix bug where installto.sh would fail if public_html folder does not exist in the target directory (#10202)
  • Revert "Prefer 8bit over quoted-printable for HTML parts, when force_7bit is disabled (#8477)" (#10198)
  • Fix incorrect unfolding of folded lines when importing vCard 2.1 contacts (#9647)
  • Fix bug where Imagick could leave large temporary files on failure (#10230)
  • Fix bug where redis/memcache session could have been updated more often than needed
  • Fix support for untyped tokens in OIDC backchannel logout, require unset nonce (#10097)
  • Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193)
  • Security: Fix various vulnerabilities in the password plugin using session-injected username
  • Security: Fix stored XSS via unescaped attachment MIME type on the attachment-validation warning page [CVE-2026-54432]
  • Security: Fix SSRF bypass via specific local address URLs - two new cases
  • Security: Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433]
  • Security: Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file

roundcubemail-1.6.17-1.fc43

3 days 14 hours ago
FEDORA-2026-c3351f4ae4 Packages in this update:
  • roundcubemail-1.6.17-1.fc43
Update description: Release 1.6.17
  • Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314)
  • Enigma: Kolab WOAT Support (#8626)
  • Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193)
  • Security: Fix various vulnerabilities in the password plugin using session-injected username
  • Security: Fix stored XSS via unescaped attachment MIME type on the attachment-validation warning page [CVE-2026-54432]
  • Security: Fix SSRF bypass via specific local address URLs - two new cases
  • Security: Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433]
  • Security: Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file

roundcubemail-1.6.17-1.el10_2

3 days 14 hours ago
FEDORA-EPEL-2026-a54f17adc3 Packages in this update:
  • roundcubemail-1.6.17-1.el10_2
Update description: Release 1.6.17
  • Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314)
  • Enigma: Kolab WOAT Support (#8626)
  • Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193)
  • Security: Fix various vulnerabilities in the password plugin using session-injected username
  • Security: Fix stored XSS via unescaped attachment MIME type on the attachment-validation warning page [CVE-2026-54432]
  • Security: Fix SSRF bypass via specific local address URLs - two new cases
  • Security: Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433]
  • Security: Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file

roundcubemail-1.6.17-1.el10_3

3 days 14 hours ago
FEDORA-EPEL-2026-44b1dd565d Packages in this update:
  • roundcubemail-1.6.17-1.el10_3
Update description: Release 1.6.17
  • Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314)
  • Enigma: Kolab WOAT Support (#8626)
  • Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193)
  • Security: Fix various vulnerabilities in the password plugin using session-injected username
  • Security: Fix stored XSS via unescaped attachment MIME type on the attachment-validation warning page [CVE-2026-54432]
  • Security: Fix SSRF bypass via specific local address URLs - two new cases
  • Security: Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433]
  • Security: Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file

cifs-utils-7.6-2.fc45

3 days 21 hours ago
FEDORA-2026-90dbff48ca Packages in this update:
  • cifs-utils-7.6-2.fc45
Update description:

Automatic update for cifs-utils-7.6-2.fc45.

Changelog * Mon Jul 6 2026 Paulo Alcantara <paalcant@redhat.com> - 7.6-2 - cifs.upcall: fix regression with kerberos mounts - Resolves: rhbz#2497446 - Resolves: rhbz#2496963 - Resolves: rhbz#2489808 - CVE-2026-12505

syncthing-2.1.1-1.el10_2

5 days 4 hours ago
FEDORA-EPEL-2026-2c3b9215e1 Packages in this update:
  • syncthing-2.1.1-1.el10_2
Update description:

Update to version 2.1.1.

The major change in v2 is migration of the database backend from LevelDB to SQLite. This is handled transparently on startup by syncthing like any other database migration - the only change should be that the first startup takes a bit longer than usual.

This update also includes fixes for various security issues by compiling with updated dependencies and / or newer versions of the Go compiler and standard library.

Please refer to the upstream release notes for other changes since 1.30.0: https://github.com/syncthing/syncthing/releases

Approved EPEL incompatible upgrade request: https://forge.fedoraproject.org/epel/steering/issues/368

syncthing-2.1.1-1.el10_3

5 days 4 hours ago
FEDORA-EPEL-2026-ddefa409e2 Packages in this update:
  • syncthing-2.1.1-1.el10_3
Update description:

Update to version 2.1.1.

The major change in v2 is migration of the database backend from LevelDB to SQLite. This is handled transparently on startup by syncthing like any other database migration - the only change should be that the first startup takes a bit longer than usual.

This update also includes fixes for various security issues by compiling with updated dependencies and / or newer versions of the Go compiler and standard library.

Please refer to the upstream release notes for other changes since 1.30.0: https://github.com/syncthing/syncthing/releases

Approved EPEL incompatible upgrade request: https://forge.fedoraproject.org/epel/steering/issues/368

python-llvmlite-0.48.0-1.fc45

5 days 13 hours ago
FEDORA-2026-ebbaee3606 Packages in this update:
  • python-llvmlite-0.48.0-1.fc45
Update description:

Automatic update for python-llvmlite-0.48.0-1.fc45.

Changelog * Fri Jul 3 2026 Benjamin A. Beasley <code@musicinmybrain.net> - 0.48.0-1 - Update to 0.48.0 - Closes RHBZ#2453491; fixes RHBZ#2495139; fixes RHBZ#2496401

breezy-3.3.21-2.fc44

5 days 14 hours ago
FEDORA-2026-c872d91489 Packages in this update:
  • breezy-3.3.21-2.fc44
Update description:

Allow PyO3 0.29, which fixes RUSTSEC-2026-0194 and RUSTSEC-2026-0195.

Update to 3.3.21, including upstream fixes for compatibility with dulwich 0.25 and later.

kernel-7.1.3-200.fc44 kernel-headers-7.1.3-200.fc44

5 days 16 hours ago
FEDORA-2026-75653cf1c2 Packages in this update:
  • kernel-7.1.3-200.fc44
  • kernel-headers-7.1.3-200.fc44
Update description:

The 7.1.3 stable kernel rebase contains new features, improved hardware support, and a number of important fixes across the tree. This also has a fix for CVE-2026-53359

kernel-7.1.3-100.fc43 kernel-headers-7.1.3-100.fc43

5 days 17 hours ago
FEDORA-2026-c3e2e91b4d Packages in this update:
  • kernel-7.1.3-100.fc43
  • kernel-headers-7.1.3-100.fc43
Update description:

The 7.1.3 stable kernel rebase contains new features, improved hardware support, and a number of important fixes across the tree. This also has a fix for CVE-2026-53359

kryoptic-1.5.2-2.fc45 mir-2.28.0-2.fc45 rust-ashpd-0.13.12-2.fc45 rust-busd-0.5.0-3.fc45 rust-gtk4-macros-0.11.4-3.fc45 rust-inferno-0.12.6-3.fc45 rust-quick-xml-0.41.0-1.fc45 rust-reqsign-aws-v4-3.0.1-4.fc45 rust-wayland-scanner-0.31.10-5.fc45 sandogasa…

6 days 10 hours ago
FEDORA-2026-bc3a541ebd Packages in this update:
  • kryoptic-1.5.2-2.fc45
  • mir-2.28.0-2.fc45
  • rust-ashpd-0.13.12-2.fc45
  • rust-busd-0.5.0-3.fc45
  • rust-gtk4-macros-0.11.4-3.fc45
  • rust-inferno-0.12.6-3.fc45
  • rust-quick-xml-0.41.0-1.fc45
  • rust-reqsign-aws-v4-3.0.1-4.fc45
  • rust-wayland-scanner-0.31.10-5.fc45
  • sandogasa-0.15.3-2.fc45
Update description:

Update quick-xml for two security advisories, rebuild dependents, and update sandogasa to the latest

sandogasa v0.15.3
  • ebranch base-distro guard — resolve/file-requests now know EPEL must not replace RHEL/CentOS Stream packages: deps present in the base at a too-old version are blocked with clear options (alternate package via --override, or lower the requirement) instead of becoming CANTFIX branch requests; file-requests re-checks the base before filing
  • New sandogasa-sourcehut crate — sr.ht GraphQL client; sandogasa-report gains a Sourcehut section (patches, tickets, commits split yours vs third-party, git_emails attribution)
  • ebranch check-crate — human report on stderr alongside --koji/--copr machine output, so build scripts stay pipeable
  • dbranch rebuild — creates debian/gbp.conf when the Debian branch has none and handles the modern single-line salsa-ci.yml
  • Robustness: 120s HTTP timeout on every client; --version on every tool; quick-xml bumped to 0.41 for RUSTSEC-2026-0194/-0195
  • sandogasa-report: consistent commit detail levels across forges

Full details: https://github.com/slopfest/sandogasa/blob/v0.15.3/CHANGELOG.md#v0153

v0.15.2
  • New sandogasa-review crate — shared keep/explain/remove resolution for reviewer-curated findings; adopted by fedora-review-digest, ebranch check-update, and fedora-cve-triage
  • New sandogasa-forgejo crate — Forgejo/Gitea REST API client (PR activity
  • issue filing); powers sandogasa-report's Forgejo accounting
  • ebranch check-update overhaul — condensed output (counts + version grouping), reviewer curation of blocking findings before karma, branch inference for Fedora side tags (EPEL still needs -b al9 -r @epel), plus fixes for stale-side-tag and rich-dep installability false positives and large-update performance
  • fedora-cve-triage — per-bug keep/explain/remove review before closing detected false positives
  • sandogasa-report — Forgejo PR-merge and issue accounting

Full details: https://github.com/slopfest/sandogasa/blob/v0.15.2/CHANGELOG.md#v0152

rust-quick-xml-0.41.0-1.el9 rust-wayland-scanner-0.31.10-3.el9 sandogasa-0.15.3-2.el9

6 days 10 hours ago
FEDORA-EPEL-2026-8bec43f801 Packages in this update:
  • rust-quick-xml-0.41.0-1.el9
  • rust-wayland-scanner-0.31.10-3.el9
  • sandogasa-0.15.3-2.el9
Update description:

Update quick-xml for two security advisories, rebuild dependents, and update sandogasa to the latest

sandogasa v0.15.3
  • ebranch base-distro guard — resolve/file-requests now know EPEL must not replace RHEL/CentOS Stream packages: deps present in the base at a too-old version are blocked with clear options (alternate package via --override, or lower the requirement) instead of becoming CANTFIX branch requests; file-requests re-checks the base before filing
  • New sandogasa-sourcehut crate — sr.ht GraphQL client; sandogasa-report gains a Sourcehut section (patches, tickets, commits split yours vs third-party, git_emails attribution)
  • ebranch check-crate — human report on stderr alongside --koji/--copr machine output, so build scripts stay pipeable
  • dbranch rebuild — creates debian/gbp.conf when the Debian branch has none and handles the modern single-line salsa-ci.yml
  • Robustness: 120s HTTP timeout on every client; --version on every tool; quick-xml bumped to 0.41 for RUSTSEC-2026-0194/-0195
  • sandogasa-report: consistent commit detail levels across forges

Full details: https://github.com/slopfest/sandogasa/blob/v0.15.3/CHANGELOG.md#v0153

v0.15.2
  • New sandogasa-review crate — shared keep/explain/remove resolution for reviewer-curated findings; adopted by fedora-review-digest, ebranch check-update, and fedora-cve-triage
  • New sandogasa-forgejo crate — Forgejo/Gitea REST API client (PR activity
  • issue filing); powers sandogasa-report's Forgejo accounting
  • ebranch check-update overhaul — condensed output (counts + version grouping), reviewer curation of blocking findings before karma, branch inference for Fedora side tags (EPEL still needs -b al9 -r @epel), plus fixes for stale-side-tag and rich-dep installability false positives and large-update performance
  • fedora-cve-triage — per-bug keep/explain/remove review before closing detected false positives
  • sandogasa-report — Forgejo PR-merge and issue accounting

Full details: https://github.com/slopfest/sandogasa/blob/v0.15.2/CHANGELOG.md#v0152

Checked
58 minutes 8 seconds ago