Fedora Security Advisories

• firefox-148.0-1.fc43

• New upstream release (148.0)

• freerdp-3.23.0-1.fc43

Update to 3.23.0 to fix CVE-2026-26965, CVE-2026-26955, CVE-2026-26271, CVE-2026-25997, CVE-2026-25959, CVE-2026-25955, CVE-2026-25954, CVE-2026-25953, CVE-2026-25952, CVE-2026-25942, CVE-2026-25941

• freerdp-3.23.0-1.fc44

Update to 3.23.0 to fix CVE-2026-26965, CVE-2026-26955, CVE-2026-26271, CVE-2026-25997, CVE-2026-25959, CVE-2026-25955, CVE-2026-25954, CVE-2026-25953, CVE-2026-25952, CVE-2026-25942, CVE-2026-25941

• freerdp-3.23.0-1.fc42

Update to 3.23.0 to fix CVE-2026-26965, CVE-2026-26955, CVE-2026-26271, CVE-2026-25997, CVE-2026-25959, CVE-2026-25955, CVE-2026-25954, CVE-2026-25953, CVE-2026-25952, CVE-2026-25942, CVE-2026-25941

• firefox-148.0-1.fc44
• nss-3.120.1-1.fc44

Update NSS to 3.120.1 Update to Firefox 148.0

• libsixel-1.10.5-5.fc42

Apply fix for CVE-2025-61146

• libsixel-1.10.5-5.fc43

Apply fix for CVE-2025-61146

• libsixel-1.10.5-6.fc44

Apply fix for CVE-2025-61146

• libmaxminddb-1.13.1-1.fc43

• Re-release for Ubuntu PPA, no code changes.

• MMDB_get_entry_data_list() now validates that the claimed array/map size is plausible given the remaining bytes in the data section. A crafted database could previously claim millions of array elements while only having a few bytes of data, causing disproportionate memory allocation (memory amplification DoS).
• Fixed integer overflow in MMDB_read_node() and find_ipv4_start_node() pointer arithmetic. The node_number * record_length multiplication was performed in uint32_t, which could overflow for very large databases. Now cast to uint64_t before multiplying, matching the pattern already used in find_address_in_search_tree().
• Fixed printf format specifier mismatches in mmdblookup's metadata dump. %i was used for unsigned types and %llu for uint64_t, which is technically undefined behavior. Now uses the portable PRIu32, PRIu16, and PRIu64 macros from <inttypes.h>.
• Fixed an integer overflow in the search tree bounds check in find_address_in_search_tree(). The addition of node_count and data_section_size was performed in uint32_t arithmetic, which could wrap on very large databases, causing valid lookups to be incorrectly rejected as corrupt.
• Fixed a NULL pointer dereference in mmdblookup when displaying metadata for a database with an out-of-range build_epoch. The gmtime() return value is now checked before passing to strftime().
• MMDB_close() now NULLs the file_content, data_section, and metadata_section pointers and zeroes file_size, data_section_size, and metadata_section_size after unmapping. Previously, calling MMDB_close() twice on the same struct (or calling it after a failed MMDB_open() that succeeded at mapping) would double-munmap the file content, which is undefined behavior.
• Fixed a stack buffer overflow in print_indentation() when MMDB_dump_entry_data_list() was called with a negative indent value. The negative integer was cast to size_t, producing a massive value passed to memset(). Negative indent values are now clamped to 0.
• MMDB_lookup_string() now sets *mmdb_error to MMDB_SUCCESS when getaddrinfo fails (non-zero *gai_error). Previously, *mmdb_error was left uninitialized in this case, which could cause callers to read an indeterminate value.
• Added a recursion depth limit to skip_map_or_array(), matching the existing MAXIMUM_DATA_STRUCTURE_DEPTH (512) limit already used by get_entry_data_list(). A crafted MMDB file with deeply nested maps or arrays could previously cause a stack overflow via unbounded recursion in the MMDB_aget_value / MMDB_get_value code path.
• Fixed an off-by-one error in MMDB_read_node() that allowed reading one node past the end of the search tree when called with node_number == node_count. This caused the function to read from the data section separator and return an invalid record with an underflowed data offset. The check now correctly rejects node_number >= node_count.
• The handling of float and double types was rewritten to fix compiler errors and to eliminate the use of volatile.
• Improved endian preprocessor check if MMDB_LITTLE_ENDIAN is not set.

• libmaxminddb-1.13.1-1.fc42

• Re-release for Ubuntu PPA, no code changes.

• MMDB_get_entry_data_list() now validates that the claimed array/map size is plausible given the remaining bytes in the data section. A crafted database could previously claim millions of array elements while only having a few bytes of data, causing disproportionate memory allocation (memory amplification DoS).
• Fixed integer overflow in MMDB_read_node() and find_ipv4_start_node() pointer arithmetic. The node_number * record_length multiplication was performed in uint32_t, which could overflow for very large databases. Now cast to uint64_t before multiplying, matching the pattern already used in find_address_in_search_tree().
• Fixed printf format specifier mismatches in mmdblookup's metadata dump. %i was used for unsigned types and %llu for uint64_t, which is technically undefined behavior. Now uses the portable PRIu32, PRIu16, and PRIu64 macros from <inttypes.h>.
• Fixed an integer overflow in the search tree bounds check in find_address_in_search_tree(). The addition of node_count and data_section_size was performed in uint32_t arithmetic, which could wrap on very large databases, causing valid lookups to be incorrectly rejected as corrupt.
• Fixed a NULL pointer dereference in mmdblookup when displaying metadata for a database with an out-of-range build_epoch. The gmtime() return value is now checked before passing to strftime().
• MMDB_close() now NULLs the file_content, data_section, and metadata_section pointers and zeroes file_size, data_section_size, and metadata_section_size after unmapping. Previously, calling MMDB_close() twice on the same struct (or calling it after a failed MMDB_open() that succeeded at mapping) would double-munmap the file content, which is undefined behavior.
• Fixed a stack buffer overflow in print_indentation() when MMDB_dump_entry_data_list() was called with a negative indent value. The negative integer was cast to size_t, producing a massive value passed to memset(). Negative indent values are now clamped to 0.
• MMDB_lookup_string() now sets *mmdb_error to MMDB_SUCCESS when getaddrinfo fails (non-zero *gai_error). Previously, *mmdb_error was left uninitialized in this case, which could cause callers to read an indeterminate value.
• Added a recursion depth limit to skip_map_or_array(), matching the existing MAXIMUM_DATA_STRUCTURE_DEPTH (512) limit already used by get_entry_data_list(). A crafted MMDB file with deeply nested maps or arrays could previously cause a stack overflow via unbounded recursion in the MMDB_aget_value / MMDB_get_value code path.
• Fixed an off-by-one error in MMDB_read_node() that allowed reading one node past the end of the search tree when called with node_number == node_count. This caused the function to read from the data section separator and return an invalid record with an underflowed data offset. The check now correctly rejects node_number >= node_count.
• The handling of float and double types was rewritten to fix compiler errors and to eliminate the use of volatile.
• Improved endian preprocessor check if MMDB_LITTLE_ENDIAN is not set.

• libmaxminddb-1.13.1-1.fc44

• Re-release for Ubuntu PPA, no code changes.

• MMDB_get_entry_data_list() now validates that the claimed array/map size is plausible given the remaining bytes in the data section. A crafted database could previously claim millions of array elements while only having a few bytes of data, causing disproportionate memory allocation (memory amplification DoS).
• Fixed integer overflow in MMDB_read_node() and find_ipv4_start_node() pointer arithmetic. The node_number * record_length multiplication was performed in uint32_t, which could overflow for very large databases. Now cast to uint64_t before multiplying, matching the pattern already used in find_address_in_search_tree().
• Fixed printf format specifier mismatches in mmdblookup's metadata dump. %i was used for unsigned types and %llu for uint64_t, which is technically undefined behavior. Now uses the portable PRIu32, PRIu16, and PRIu64 macros from <inttypes.h>.
• Fixed an integer overflow in the search tree bounds check in find_address_in_search_tree(). The addition of node_count and data_section_size was performed in uint32_t arithmetic, which could wrap on very large databases, causing valid lookups to be incorrectly rejected as corrupt.
• Fixed a NULL pointer dereference in mmdblookup when displaying metadata for a database with an out-of-range build_epoch. The gmtime() return value is now checked before passing to strftime().
• MMDB_close() now NULLs the file_content, data_section, and metadata_section pointers and zeroes file_size, data_section_size, and metadata_section_size after unmapping. Previously, calling MMDB_close() twice on the same struct (or calling it after a failed MMDB_open() that succeeded at mapping) would double-munmap the file content, which is undefined behavior.
• Fixed a stack buffer overflow in print_indentation() when MMDB_dump_entry_data_list() was called with a negative indent value. The negative integer was cast to size_t, producing a massive value passed to memset(). Negative indent values are now clamped to 0.
• MMDB_lookup_string() now sets *mmdb_error to MMDB_SUCCESS when getaddrinfo fails (non-zero *gai_error). Previously, *mmdb_error was left uninitialized in this case, which could cause callers to read an indeterminate value.
• Added a recursion depth limit to skip_map_or_array(), matching the existing MAXIMUM_DATA_STRUCTURE_DEPTH (512) limit already used by get_entry_data_list(). A crafted MMDB file with deeply nested maps or arrays could previously cause a stack overflow via unbounded recursion in the MMDB_aget_value / MMDB_get_value code path.
• Fixed an off-by-one error in MMDB_read_node() that allowed reading one node past the end of the search tree when called with node_number == node_count. This caused the function to read from the data section separator and return an invalid record with an underflowed data offset. The check now correctly rejects node_number >= node_count.
• The handling of float and double types was rewritten to fix compiler errors and to eliminate the use of volatile.
• Improved endian preprocessor check if MMDB_LITTLE_ENDIAN is not set.

• coturn-4.9.0-1.el10_2

• Multiple security fixes
• Fix to Web Admin password check
• Cleanup of deprecated OpenSSL APIs
• Fix for CVE-2026-27624: Bypass localhost and IP range block using IPv4-mapped IPv6

• coturn-4.9.0-1.el10_3

• Multiple security fixes
• Fix to Web Admin password check
• Cleanup of deprecated OpenSSL APIs
• Fix for CVE-2026-27624: Bypass localhost and IP range block using IPv4-mapped IPv6

• coturn-4.9.0-1.fc42

• Multiple security fixes
• Fix to Web Admin password check
• Cleanup of deprecated OpenSSL APIs
• Fix for CVE-2026-27624: Bypass localhost and IP range block using IPv4-mapped IPv6

• coturn-4.9.0-1.fc44

• Multiple security fixes
• Fix to Web Admin password check
• Cleanup of deprecated OpenSSL APIs
• Fix for CVE-2026-27624: Bypass localhost and IP range block using IPv4-mapped IPv6

• coturn-4.9.0-1.el8

• Multiple security fixes
• Fix to Web Admin password check
• Cleanup of deprecated OpenSSL APIs
• Fix for CVE-2026-27624: Bypass localhost and IP range block using IPv4-mapped IPv6

• coturn-4.9.0-1.el10_1

• Multiple security fixes
• Fix to Web Admin password check
• Cleanup of deprecated OpenSSL APIs
• Fix for CVE-2026-27624: Bypass localhost and IP range block using IPv4-mapped IPv6

• coturn-4.9.0-1.el9

• Multiple security fixes
• Fix to Web Admin password check
• Cleanup of deprecated OpenSSL APIs
• Fix for CVE-2026-27624: Bypass localhost and IP range block using IPv4-mapped IPv6

• coturn-4.9.0-1.fc43

• Multiple security fixes
• Fix to Web Admin password check
• Cleanup of deprecated OpenSSL APIs
• Fix for CVE-2026-27624: Bypass localhost and IP range block using IPv4-mapped IPv6

• openbao-2.5.1-1.el8

Update to upstream 2.5.1 Also fixes CVE-2025-58189, CVE-2025-61723, CVE-2025-61725, CVE-2025-58183, CVE-2025-58185, CVE-2025-58188 on epel-8.