Fedora Security Advisories

• perl-5.40.4-520.fc42
• perl-Devel-Cover-1.44-7.fc42
• perl-PAR-Packer-1.064-3.fc42
• polymake-4.15-3.fc42

Update for Perl 5.40.4

• libcgif-0.5.2-2.fc44

fix potential undefined behavior in cgif_addframe CVE-2026-4985

• libcgif-0.5.2-2.fc43

fix potential undefined behavior in cgif_addframe CVE-2026-4985

• libcgif-0.5.2-2.fc42

fix potential undefined behavior in cgif_addframe CVE-2026-4985

• python-pydicom-3.0.2-1.fc43

Patch release for security advisory CVE-2026-32711. A crafted DICOMDIR could create a path traversal by setting ReferencedFileID to a path outside the File-set root.

• python-pydicom-3.0.2-1.fc44

Patch release for security advisory CVE-2026-32711. A crafted DICOMDIR could create a path traversal by setting ReferencedFileID to a path outside the File-set root.

• roundcubemail-1.7~rc6-1.fc44

Version 1.7-rc6

This is hopefully the last release candidate for the next major version 1.7 of Roundcube Webmail. It provides a fix to recently reported security vulnerability:

• SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.

We believe it is production ready, but we recommend to test it on a separate environment.

Migrate existing configs with either the installto.sh or the update.sh scripts.

And don't forget to backup your data before installing it!

CHANGELOG

• Added support for arrays in smtp_user and smtp_pass config options (#10083)
• Added system health checker CLI script (#10106)
• Stricter recognition of an Ajax request (#10118)
• Password: Added Stalwart driver (#10114)
• Fix regression where some data url images could get ignored/lost (#10128)
• Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke

• roundcubemail-1.6.15-1.el10_2

Version 1.6.15

This is a security update to the stable version 1.6 of Roundcube Webmail. It provides fixes to some regressions introduced in the previous release as well a recently reported security vulnerability:

• SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

CHANGELOG

• Fix regression where mail search would fail on non-ascii search criteria (#10121)
• Fix regression where some data url images could get ignored/lost (#10128)
• Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke

• roundcubemail-1.6.15-1.fc42

Version 1.6.15

This is a security update to the stable version 1.6 of Roundcube Webmail. It provides fixes to some regressions introduced in the previous release as well a recently reported security vulnerability:

• SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

CHANGELOG

• Fix regression where mail search would fail on non-ascii search criteria (#10121)
• Fix regression where some data url images could get ignored/lost (#10128)
• Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke

• roundcubemail-1.6.15-1.el10_1

Version 1.6.15

This is a security update to the stable version 1.6 of Roundcube Webmail. It provides fixes to some regressions introduced in the previous release as well a recently reported security vulnerability:

• SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

CHANGELOG

• Fix regression where mail search would fail on non-ascii search criteria (#10121)
• Fix regression where some data url images could get ignored/lost (#10128)
• Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke

• roundcubemail-1.6.15-1.el10_3

Version 1.6.15

This is a security update to the stable version 1.6 of Roundcube Webmail. It provides fixes to some regressions introduced in the previous release as well a recently reported security vulnerability:

• SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

CHANGELOG

• Fix regression where mail search would fail on non-ascii search criteria (#10121)
• Fix regression where some data url images could get ignored/lost (#10128)
• Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke

• roundcubemail-1.6.15-1.fc43

Version 1.6.15

This is a security update to the stable version 1.6 of Roundcube Webmail. It provides fixes to some regressions introduced in the previous release as well a recently reported security vulnerability:

• SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

CHANGELOG

• Fix regression where mail search would fail on non-ascii search criteria (#10121)
• Fix regression where some data url images could get ignored/lost (#10128)
• Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke

• roundcubemail-1.5.15-1.el9

Version 1.5.15

This is a security update to the stable version 1.5 of Roundcube Webmail. It provides fixes to some regressions introduced in the previous release as well a recently reported security vulnerability:

• SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.5.x with it. Please do backup your data before updating!

CHANGELOG

• Fix so distribution packages (and composer.json) don't include development dependencies
• Fix regression where mail search would fail on non-ascii search criteria (#10121)
• Fix regression where some data url images could get ignored/lost (#10128)
• Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke

• pspp-2.1.1-5.fc43

Fix several low-priority CVEs

Build with new Gnulib

• pspp-2.1.1-5.fc44

Fix several low-priority CVEs

Build with new Gnulib

• gst-devtools-1.26.11-1.fc42
• gst-editing-services-1.26.11-1.fc42
• gstreamer1-1.26.11-1.fc42
• gstreamer1-doc-1.26.11-1.fc42
• gstreamer1-plugin-libav-1.26.11-1.fc42
• gstreamer1-plugins-bad-free-1.26.11-1.fc42
• gstreamer1-plugins-base-1.26.11-1.fc42
• gstreamer1-plugins-good-1.26.11-1.fc42
• gstreamer1-plugins-ugly-free-1.26.11-1.fc42
• gstreamer1-rtsp-server-1.26.11-1.fc42
• gstreamer1-vaapi-1.26.11-1.fc42
• python-gstreamer1-1.26.11-1.fc42

1.26.11

• goose-1.23.2-8.fc44

Update goose to fix fedora#2449678

• goose-1.23.2-7.fc43

Update goose to fix fedora#2449678

• rauc-1.15.2-1.fc43

version bumped from 1.15.1 to 1.15.2

• rauc-1.15.2-1.fc44

version bumped from 1.15.1 to 1.15.2