Aggregator

ImageMagick-6.9.13.49-1.el8

2 weeks 6 days ago
FEDORA-EPEL-2026-fb9a9ab1e9

Packages in this update:
  • ImageMagick-6.9.13.49-1.el8

Update description:

Summary

This update fixes several security vulnerabilities, including multiple high-severity CVEs.

Security fixes

  • CVE-2026-33901 (High) — Heap buffer overflow in the MVG decoder that could result in an out-of-bounds write when processing a crafted image.
  • CVE-2026-33908 (High) — Recursive DestroyXMLTree() call with no depth limit causes stack exhaustion when processing deeply nested XML structures, resulting in a Denial of Service (DoS).
  • CVE-2026-40310 (High) — Heap out-of-bounds write in the JP2 encoder triggered when a user specifies an invalid sampling index.

Additional security and bug fixes are included in the upstream releases between 6.9.13.25 and 6.9.13.49. See the upstream release history at: https://github.com/ImageMagick/ImageMagick6/releases

USN-8411-1: Lodash vulnerabilities

2 weeks 6 days ago
It was discovered that Lodash was vulnerable to a prototype pollution issue in the zipObjectDeep function. An attacker could possibly use this issue to modify application behavior. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-8203)

Liyuan Chen discovered that Lodash was vulnerable to a regular expression denial of service issue in the toNumber, trim, and trimEnd functions. An attacker could possibly use this issue to consume excessive system resources, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-28500)

Marc Hassan discovered that Lodash did not properly sanitize input to the template function. An attacker could possibly use this issue to inject and execute arbitrary commands. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-23337)

It was discovered that Lodash was vulnerable to a prototype pollution issue in the unset and omit functions. An attacker could possibly use this issue to delete properties from global prototypes, resulting in security restrictions being bypassed. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2025-13465)

It was discovered that Lodash was vulnerable to a prototype pollution issue in the unset and omit functions. An attacker could possibly use this issue to delete properties from built-in prototypes, resulting in security restrictions being bypassed. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-2950)

It was discovered that Lodash did not properly validate certain inputs to the template function. An attacker could possibly use this issue to inject malicious code during template processing, resulting in arbitrary code execution. (CVE-2026-4800)
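The two prototype-pollution classes in this advisory (a deep-path set that can be steered into Object.prototype, and a deep-path unset/omit that can delete a method off a class or built-in prototype) are easiest to see side by side. The block below is an added example and is not lodash's code: setPathUnsafe and unsetPathUnsafe are constructed stand-ins that reproduce the naive traversal, setPathSafe and unsetPathSafe are one way to harden it, and the Account class and the "isAdmin" path are assumptions made up for the demonstration.

```javascript
// Added example for USN-8411-1. setPathUnsafe/unsetPathUnsafe are constructed
// stand-ins for a naive deep-path setter and unsetter; they are NOT lodash's
// zipObjectDeep/unset/omit source, only a minimal reproduction of the mistake.
'use strict';

// Keys that let a path walk out of the target object into a shared prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function parsePath(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split('.');
}

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function rejectForbidden(keys) {
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) throw new TypeError(`refusing to traverse key "${k}"`);
  }
}

// VULNERABLE: descends through whatever node[key] resolves to, including the
// inherited "__proto__" accessor, so "__proto__.isAdmin" lands on
// Object.prototype and every plain object in the process inherits the value.
function setPathUnsafe(target, path, value) {
  const keys = parsePath(path);
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (node[k] === null || typeof node[k] !== 'object') node[k] = {};
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// HARDENED: prototype-reaching keys are rejected and only own data properties
// are descended into, so an attacker-controlled path can never leave target.
function setPathSafe(target, path, value) {
  const keys = parsePath(path);
  rejectForbidden(keys);
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!hasOwn(node, k) || node[k] === null || typeof node[k] !== 'object') node[k] = {};
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// VULNERABLE: "constructor.prototype.<method>" walks from an instance to its
// class prototype and deletes the method for every instance of that class.
function unsetPathUnsafe(target, path) {
  const keys = parsePath(path);
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    node = node[keys[i]];
    if (node === null || node === undefined) return false;
  }
  return delete node[keys[keys.length - 1]];
}

// HARDENED: same blocklist, and only own properties are walked or deleted.
function unsetPathSafe(target, path) {
  const keys = parsePath(path);
  rejectForbidden(keys);
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!hasOwn(node, keys[i])) return false;
    node = node[keys[i]];
    if (node === null || typeof node !== 'object') return false;
  }
  const last = keys[keys.length - 1];
  return hasOwn(node, last) ? delete node[last] : false;
}

// Hypothetical class whose authorization guard lives on the prototype.
class Account {
  constructor(balance) { this.balance = balance; }
  canWithdraw(amount) { return amount <= this.balance; }
}

// Runs both attacks against throwaway objects, records what a bystander
// object observed, then restores the prototypes so nothing stays polluted.
function demo() {
  const bystander = {};                                   // never touched directly
  setPathUnsafe({}, '__proto__.isAdmin', true);
  const polluted = bystander.isAdmin === true;
  delete Object.prototype.isAdmin;

  let setRejected = false;
  try { setPathSafe({}, '__proto__.isAdmin', true); } catch (e) { setRejected = e instanceof TypeError; }

  const victim = new Account(10);
  unsetPathUnsafe(new Account(0), 'constructor.prototype.canWithdraw');
  const guardGone = typeof victim.canWithdraw !== 'function';
  Account.prototype.canWithdraw = function (amount) { return amount <= this.balance; };

  let unsetRejected = false;
  try { unsetPathSafe(new Account(0), 'constructor.prototype.canWithdraw'); } catch (e) { unsetRejected = e instanceof TypeError; }

  return { polluted, setRejected, guardGone, unsetRejected, cleanAfter: bystander.isAdmin === undefined };
}
```

The blocklist approach rejects legitimate data keys called "constructor" as well; if a schema genuinely needs that key, the usual alternative is to store untrusted key/value data in Object.create(null) maps (or a Map) so there is no prototype chain to walk in the first place.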

USN-8398-2: nginx regression

2 weeks 6 days ago
USN-8398-1 fixed a vulnerability in nginx. The update introduced a regression causing nginx to crash when being used with external modules. This update reverts the fix for CVE-2026-49975 pending further investigation. We apologize for the inconvenience.

Original advisory details:

It was discovered that nginx incorrectly handled certain cookie headers in the HTTP/2 implementation. A remote attacker could possibly use this issue to cause nginx to consume excessive resources, resulting in a denial of service.

USN-8044-2: alsa-lib vulnerability

3 weeks ago
USN-8044-1 fixed a vulnerability in alsa-lib. This update provides the corresponding fix for alsa-lib on Ubuntu 20.04 LTS.

Original advisory details:

It was discovered that alsa-lib incorrectly handled the topology mixer control decoder. A local attacker could use a specially crafted topology file to cause alsa-lib to crash, resulting in a denial of service, or possibly execute arbitrary code.

vorbis-tools-1.4.3-5.fc45

3 weeks ago
FEDORA-2026-9c00940406

Packages in this update:
  • vorbis-tools-1.4.3-5.fc45

Update description:

Automatic update for vorbis-tools-1.4.3-5.fc45.

Changelog

* Tue Jun 9 2026 Lukáš Zaoral <lzaoral@redhat.com> - 1:1.4.3-5
- CVE-2026-34253 - fix arbitrary code execution via buffer underflow (rhbz#2479549)

USN-8407-1: strongSwan vulnerability

3 weeks ago
Elliott Childre discovered that strongSwan incorrectly handled the cloning of certain identities. A remote attacker could use this issue to cause strongSwan to crash, resulting in a denial of service, or possibly execute arbitrary code.