15 hours 36 minutes ago
FEDORA-2026-26bb3fe2c6
Packages in this update:
- perl-Sereal-5.005-1.fc44
- perl-Sereal-Decoder-5.005-1.fc44
- perl-Sereal-Encoder-5.005-1.fc44
Update description:
This update includes a security fix to make sure that COPY tags cannot be used to read past the end of the buffer.
16 hours 2 minutes ago
FEDORA-2026-ac9d9c87c8
Packages in this update:
Update description:
Automatic update for cockpit-362-1.fc44.
Changelog for cockpit
* Wed May 20 2026 Packit <hello@packit.dev> - 362-1
- Bug fixes and translation updates
- Fix arbitrary code execution via specially crafted logs page link (CVE-2026-4802)
16 hours 4 minutes ago
FEDORA-2026-58cee40a55
Packages in this update:
Update description:
Automatic update for cockpit-362-1.fc43.
Changelog for cockpit
* Wed May 20 2026 Packit <hello@packit.dev> - 362-1
- Bug fixes and translation updates
- Fix arbitrary code execution via specially crafted logs page link (CVE-2026-4802)
16 hours 57 minutes ago
Guannan Wang, Zhanpeng Liu, Guancheng Li, and Emma Reuter
discovered that OpenVPN incorrectly handled suitably malformed
packets with valid tls-crypt-v2 keys. An attacker could possibly use
this issue to cause OpenVPN to crash, resulting in a denial of
service. (CVE-2026-35058)
Guannan Wang, Zhanpeng Liu, and Guancheng Li discovered that
OpenVPN had a race condition in the TLS handshake process that could
leak packet data from a previous handshake under certain
circumstances. An attacker could possibly use this issue to obtain
sensitive information. (CVE-2026-40215)
17 hours ago
FEDORA-2026-49f37e16aa
Packages in this update:
Update description:
Update to 1.25.1 (rhbz#2480119)
- Fix CVE-2026-33278, Possible remote code execution during DNSSEC validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-42959, Crash during DNSSEC validation of malicious content. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew Griffiths from 'calif.io' for the report.
- Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-41292, Parsing a long list of incoming EDNS options degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan Zhang from Palo Alto Networks, for the report.
- Fix CVE-2026-42534, Jostle logic bypass degrades resolution performance. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-42960, Possible cache poisoning attack while following delegation. Thanks to TaoFei Guo from Peking University, Yang Luo and JianJun Chen, Tsinghua University, for the report.
- Fix CVE-2026-44390, Unbounded name compression in certain cases causes degradation of service. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Swapped sources signature source number with systemd unit to have them
close.
Update to 1.25.0 (rhbz#2463781)
Feature changes:
- Improved TTL 0 handling
- Reload also certificates on reload if they have changed
- Allow control-interface specification also of port.
- Added new tls-protocols option. Can disable TLS 1.2 explicitly.
And bug fixes.
Remove merged patches.
Source: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-25-0
17 hours 1 minute ago
FEDORA-2026-3223ded15e
Packages in this update:
Update description:
Update to 1.25.1 (rhbz#2480119)
- Fix CVE-2026-33278, Possible remote code execution during DNSSEC validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-42959, Crash during DNSSEC validation of malicious content. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew Griffiths from 'calif.io' for the report.
- Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-41292, Parsing a long list of incoming EDNS options degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan Zhang from Palo Alto Networks, for the report.
- Fix CVE-2026-42534, Jostle logic bypass degrades resolution performance. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-42960, Possible cache poisoning attack while following delegation. Thanks to TaoFei Guo from Peking University, Yang Luo and JianJun Chen, Tsinghua University, for the report.
- Fix CVE-2026-44390, Unbounded name compression in certain cases causes degradation of service. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Swapped sources signature source number with systemd unit to have them
close.
17 hours 9 minutes ago
It was discovered that GStreamer Good Plugins incorrectly handled certain
MOV/MP4 media files. A remote attacker could use this issue to cause
GStreamer Good Plugins to crash, resulting in a denial of service, or
possibly execute arbitrary code.
17 hours 16 minutes ago
Joshua Rogers discovered that GnuTLS did not properly handle malformed
DTLS handshake fragments in certain cases. A remote attacker could
possibly use this issue to obtain sensitive information, or cause a
denial of service. (CVE-2026-33845)
Haruto Kimura, Oscar Reparaz, and Zou Dikai discovered that GnuTLS did
not properly validate DTLS handshake fragment lengths in certain cases. A
remote attacker could possibly use this issue to cause GnuTLS to crash,
resulting in a denial of service, or execute arbitrary code.
(CVE-2026-33846)
Oleh Konko and Joshua Rogers discovered that GnuTLS did not properly
validate OCSP responses in certain cases. A remote attacker could
possibly use this issue to bypass certificate revocation checks, leading
to a machine-in-the-middle attack. (CVE-2026-3832)
Oleh Konko and Joshua Rogers discovered that GnuTLS did not properly
handle case-insensitive name constraints in certain cases. A remote
attacker could possibly use this issue to bypass certificate validation,
leading to a machine-in-the-middle attack. (CVE-2026-3833)
Joshua Rogers discovered that GnuTLS did not properly order DTLS packets
with duplicate sequence numbers in certain cases. A remote attacker could
possibly use this issue to cause GnuTLS to crash, resulting in a denial
of service. (CVE-2026-42009)
Joshua Rogers discovered that GnuTLS did not properly handle usernames
containing NUL characters in certain RSA-PSK configurations. A remote
attacker could possibly use this issue to bypass authentication and gain
unintended access to services. (CVE-2026-42010)
Haruto Kimura discovered that GnuTLS did not properly apply permitted
name constraints in certain certificate validation paths. A remote
attacker could possibly use this issue to bypass certificate validation,
leading to a machine-in-the-middle attack. (CVE-2026-42011)
Oleh Konko discovered that GnuTLS incorrectly fell back to Common Name
checks for certain URI and SRV subject alternative names. A remote
attacker could possibly use this issue to bypass certificate validation,
leading to a machine-in-the-middle attack. (CVE-2026-42012)
Haruto Kimura and Joshua Rogers discovered that GnuTLS incorrectly fell
back to Common Name checks when subject alternative names were oversized.
A remote attacker could possibly use this issue to bypass certificate
validation, leading to a machine-in-the-middle attack. (CVE-2026-42013)
Luigino Camastra and Joshua Rogers discovered that GnuTLS had a
use-after-free issue when changing PKCS#11 token security officer PINs in
certain cases. An attacker could possibly use this issue to cause GnuTLS
to crash, resulting in a denial of service, or execute arbitrary code.
(CVE-2026-42014)
Zou Dikai discovered that GnuTLS did not properly validate PKCS#12 bag
sizes in certain cases. An attacker could possibly use this issue to
cause GnuTLS to crash, resulting in a denial of service, or execute
arbitrary code. (CVE-2026-42015)
Joshua Rogers discovered that GnuTLS did not properly handle very short
premaster secrets in certain RSA key exchange cases with PKCS#11-backed
server keys. A remote attacker could possibly use this issue to obtain
sensitive information. (CVE-2026-5260)
Doria Tang discovered that GnuTLS did not perform PKCS#7 padding checks
in constant time in certain cases. A remote attacker could possibly use
this issue to obtain sensitive information. This issue only affected
Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-5419)
17 hours 31 minutes ago
Calum Hutton discovered that rsync contained a heap-based out-of-bounds
read when handling file transfers. A remote attacker with read access
to an rsync server could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS,
and Ubuntu 25.10. (CVE-2025-10158)
Batuhan Sancak, Damien Neil, and Michael Stapelberg discovered that
rsync daemons configured without chroot protection were exposed to a
race condition on parent path components. A local attacker with write
access to a module could possibly use this issue to overwrite files,
obtain sensitive information, or escalate privileges.
(CVE-2026-29518)
It was discovered that rsync did not properly validate a length value
while sorting extended attributes. An attacker could possibly use this
issue to cause a denial of service. (CVE-2026-41035)
It was discovered that rsync performed reverse-DNS lookups after
chrooting in some daemon configurations. A remote attacker could
possibly use this issue to bypass hostname-based access controls and
access network services. (CVE-2026-43617)
Omar Elsayed discovered that rsync did not properly check for integer
overflows while decoding compressed tokens. A remote attacker could
possibly use this issue to obtain sensitive information.
(CVE-2026-43618)
Andrew Tridgell discovered that rsync did not fully fix a symlink race
condition in path-based system calls for daemons configured without
chroot protection. A local attacker could possibly use this issue to
overwrite files, obtain sensitive information, or escalate privileges.
(CVE-2026-43619)
Pratham Gupta discovered that rsync did not properly validate an index
while processing file lists. A remote attacker could possibly use this
issue to cause rsync to crash, resulting in a denial of service.
(CVE-2026-43620)
Michal Ruprich discovered that rsync contained an off-by-one error
while handling HTTP proxy responses. An attacker able to intercept network
communications or a malicious proxy server could possibly use this issue to
cause a denial of service. (CVE-2026-45232)
17 hours 52 minutes ago
Andrew Griffiths discovered that Unbound did not properly handle certain
DNSCrypt packets. A remote attacker could possibly use this issue to cause
Unbound to crash, resulting in a denial of service. (CVE-2026-32792)
Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation
in certain situations. A remote attacker could possibly use this issue to
execute arbitrary code. This issue only affected Ubuntu 24.04 LTS,
Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-33278)
Qifan Zhang discovered that Unbound incorrectly handled certain ghost
domain name records. A remote attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 24.04 LTS,
Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-40622)
Qifan Zhang discovered that Unbound did not properly limit processing of
long EDNS option lists. A remote attacker could possibly use this issue to
cause Unbound to use excessive resources, leading to a denial of service.
(CVE-2026-41292)
Qifan Zhang discovered that Unbound incorrectly handled jostle logic under
certain circumstances. A remote attacker could possibly use this issue to
cause Unbound to use excessive resources, leading to a denial of service.
(CVE-2026-42534)
Qifan Zhang discovered that Unbound did not properly bound NSEC3 hash
calculations. A remote attacker could possibly use this issue to cause
Unbound to use excessive resources, leading to a denial of service.
(CVE-2026-42923)
Qifan Zhang discovered that Unbound incorrectly handled multiple EDNS
options in certain situations. A remote attacker could possibly use this
issue to cause Unbound to crash, resulting in a denial of service, or
execute arbitrary code. This issue only affected Ubuntu 24.04 LTS,
Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-42944)
Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation
of malicious content. A remote attacker could possibly use this issue to
cause Unbound to crash, resulting in a denial of service.
(CVE-2026-42959)
TaoFei Guo, Yang Luo, and JianJun Chen discovered that Unbound
incorrectly handled delegation processing in certain situations. A remote
attacker could possibly use this issue to poison the DNS cache and obtain
sensitive information. (CVE-2026-42960)
Qifan Zhang discovered that Unbound did not properly bound name
compression in certain cases. A remote attacker could possibly use this
issue to cause Unbound to use excessive resources, leading to a denial of
service. (CVE-2026-44390)
Qifan Zhang discovered that Unbound had a use-after-free issue in RPZ
handling. A remote attacker could possibly use this issue to cause Unbound
to crash, resulting in a denial of service, or execute arbitrary code.
This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04
LTS. (CVE-2026-44608)
17 hours 57 minutes ago
Version: next-20260520 (linux-next)
Released: 2026-05-20
20 hours 42 minutes ago
FEDORA-2026-86596f9cbc
Packages in this update:
- CImg-3.7.6-2.fc43
- gmic-3.7.6-3.fc43
Update description:
bump version + fix two cves
21 hours 39 minutes ago
FEDORA-2026-703a749924
Packages in this update:
- perl-HTTP-Tiny-0.094-1.fc44
Update description:
0.094 - fix to prevent invalid characters in all headers, and prevent header smuggling (CVE-2026-7010)
1 day ago
FEDORA-2026-f3409cf313
Packages in this update:
Update description:
Updated to latest upstream (151.0)
1 day 2 hours ago
1 day 5 hours ago
FEDORA-2026-43e2722e8f
Packages in this update:
Update description:
Backport fix for CVE-2026-41054: privilege escalation via command socket
1 day 5 hours ago
FEDORA-2026-12643837bd
Packages in this update:
Update description:
Backport fix for CVE-2026-41054: privilege escalation via command socket