Aggregator

roundcubemail-1.6.15-1.el10_1

2 days 16 hours ago
FEDORA-EPEL-2026-82b702d826
Packages in this update:
  • roundcubemail-1.6.15-1.el10_1
Update description:

Version 1.6.15

This is a security update to the stable version 1.6 of Roundcube Webmail. It provides fixes to some regressions introduced in the previous release as well as a recently reported security vulnerability:

  • SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.

This version is considered stable and we recommend updating all productive installations of Roundcube 1.6.x with it. Please do back up your data before updating!

CHANGELOG

  • Fix regression where mail search would fail on non-ascii search criteria (#10121)
  • Fix regression where some data url images could get ignored/lost (#10128)
  • Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke

roundcubemail-1.6.15-1.el10_3

2 days 16 hours ago
FEDORA-EPEL-2026-f7a0d90857
Packages in this update:
  • roundcubemail-1.6.15-1.el10_3
Update description:

Version 1.6.15

This is a security update to the stable version 1.6 of Roundcube Webmail. It provides fixes to some regressions introduced in the previous release as well as a recently reported security vulnerability:

  • SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.

This version is considered stable and we recommend updating all productive installations of Roundcube 1.6.x with it. Please do back up your data before updating!

CHANGELOG

  • Fix regression where mail search would fail on non-ascii search criteria (#10121)
  • Fix regression where some data url images could get ignored/lost (#10128)
  • Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke

roundcubemail-1.6.15-1.fc43

2 days 16 hours ago
FEDORA-2026-8ba1a085a9
Packages in this update:
  • roundcubemail-1.6.15-1.fc43
Update description:

Version 1.6.15

This is a security update to the stable version 1.6 of Roundcube Webmail. It provides fixes to some regressions introduced in the previous release as well as a recently reported security vulnerability:

  • SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.

This version is considered stable and we recommend updating all productive installations of Roundcube 1.6.x with it. Please do back up your data before updating!

CHANGELOG

  • Fix regression where mail search would fail on non-ascii search criteria (#10121)
  • Fix regression where some data url images could get ignored/lost (#10128)
  • Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke

roundcubemail-1.5.15-1.el9

2 days 16 hours ago
FEDORA-EPEL-2026-bf73d904ba
Packages in this update:
  • roundcubemail-1.5.15-1.el9
Update description:

Version 1.5.15

This is a security update to the stable version 1.5 of Roundcube Webmail. It provides fixes to some regressions introduced in the previous release as well as a recently reported security vulnerability:

  • SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.

This version is considered stable and we recommend updating all productive installations of Roundcube 1.5.x with it. Please do back up your data before updating!

CHANGELOG

  • Fix so distribution packages (and composer.json) don't include development dependencies
  • Fix regression where mail search would fail on non-ascii search criteria (#10121)
  • Fix regression where some data url images could get ignored/lost (#10128)
  • Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke

USN-8135-1: Pillow vulnerabilities

2 days 22 hours ago
It was discovered that Pillow did not correctly handle reading J2K files, which could lead to an out-of-bounds read vulnerability. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2021-25287, CVE-2021-25288)

It was discovered that Pillow did not correctly handle certain integer arithmetic, which could lead to a buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2021-25290)

It was discovered that Pillow did not correctly perform bounds checking for certain operations. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2021-28675, CVE-2021-28676, CVE-2021-28677)

It was discovered that Pillow did not correctly handle certain memory operations. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-44271)

It was discovered that Pillow did not correctly sanitize certain inputs. An attacker could possibly use this issue to execute arbitrary code. (CVE-2023-50447)

USN-8132-1: Roundcube Webmail vulnerabilities

3 days 1 hour ago
It was discovered that Roundcube Webmail did not properly sanitize certain HTML elements within the e-mail body. An attacker could possibly use this issue to cause a cross-site scripting attack. This issue was only addressed in Ubuntu 16.04 LTS. (CVE-2016-4068, CVE-2016-4069)

It was discovered that Roundcube Webmail did not properly handle certain configuration parameters. An attacker could possibly use this issue to execute arbitrary code. This issue was only addressed in Ubuntu 16.04 LTS. (CVE-2016-9920)

It was discovered that Roundcube Webmail did not properly sanitize CSS styles within SVG documents. An attacker could possibly use this issue to cause a cross-site scripting attack. This issue was only addressed in Ubuntu 16.04 LTS. (CVE-2017-6820)

It was discovered that Roundcube Webmail did not properly restrict exec call in certain drivers of the password plugin. An authenticated user could possibly use this issue to perform arbitrary password resets. This issue was only addressed in Ubuntu 16.04 LTS. (CVE-2017-8114)

It was discovered that Roundcube Webmail did not properly set file permissions within the Enigma plugin. An attacker could possibly use this issue to exfiltrate GPG private keys via network connectivity. (CVE-2018-1000071)

It was discovered that Roundcube Webmail did not properly handle GnuPG MDC integrity-protection warnings. An attacker could possibly use this issue to obtain sensitive information from encrypted communications. (CVE-2018-19205)

It was discovered that Roundcube Webmail did not properly sanitize and tags within HTML attachments. An attacker could possibly use this issue to cause a cross-site scripting attack. (CVE-2018-19206)

It was discovered that Roundcube Webmail did not properly handle partially encrypted multipart messages. An attacker could possibly use this issue to cause leaking of the plaintext of encrypted messages via an email reply. (CVE-2019-10740)

It was discovered that Roundcube Webmail did not properly sanitize a certain parameter within the archive plugin. An attacker could possibly use this issue to perform an IMAP injection attack. This issue was only addressed in Ubuntu 16.04 LTS. (CVE-2018-9846)

USN-8134-1: pyasn1 vulnerabilities

3 days 2 hours ago
It was discovered that pyasn1 could exhaust system resources when attempting to decode a malformed certificate. An attacker could possibly use this to cause a denial of service. (CVE-2026-23490)

Kevin Tu discovered that pyasn1 could exhaust system resources via uncontrolled recursion when attempting to decode maliciously crafted certificates. An attacker could possibly use this to cause a denial of service. (CVE-2026-30922)

gst-devtools-1.26.11-1.fc42 gst-editing-services-1.26.11-1.fc42 gstreamer1-1.26.11-1.fc42 gstreamer1-doc-1.26.11-1.fc42 gstreamer1-plugin-libav-1.26.11-1.fc42 gstreamer1-plugins-bad-free-1.26.11-1.fc42 gstreamer1-plugins-base-1.26.11-1.fc42 gstreamer1…

3 days 3 hours ago
FEDORA-2026-5e16254ca6
Packages in this update:
  • gst-devtools-1.26.11-1.fc42
  • gst-editing-services-1.26.11-1.fc42
  • gstreamer1-1.26.11-1.fc42
  • gstreamer1-doc-1.26.11-1.fc42
  • gstreamer1-plugin-libav-1.26.11-1.fc42
  • gstreamer1-plugins-bad-free-1.26.11-1.fc42
  • gstreamer1-plugins-base-1.26.11-1.fc42
  • gstreamer1-plugins-good-1.26.11-1.fc42
  • gstreamer1-plugins-ugly-free-1.26.11-1.fc42
  • gstreamer1-rtsp-server-1.26.11-1.fc42
  • gstreamer1-vaapi-1.26.11-1.fc42
  • python-gstreamer1-1.26.11-1.fc42
Update description:

1.26.11

gst-devtools-1.26.11-1.fc43 gst-editing-services-1.26.11-1.fc43 gstreamer1-1.26.11-1.fc43 gstreamer1-doc-1.26.11-1.fc43 gstreamer1-plugin-libav-1.26.11-1.fc43 gstreamer1-plugins-bad-free-1.26.11-1.fc43 gstreamer1-plugins-base-1.26.11-1.fc43 gstreamer1…

3 days 6 hours ago
FEDORA-2026-e77ad9d792
Packages in this update:
  • gst-devtools-1.26.11-1.fc43
  • gst-editing-services-1.26.11-1.fc43
  • gstreamer1-1.26.11-1.fc43
  • gstreamer1-doc-1.26.11-1.fc43
  • gstreamer1-plugin-libav-1.26.11-1.fc43
  • gstreamer1-plugins-bad-free-1.26.11-1.fc43
  • gstreamer1-plugins-base-1.26.11-1.fc43
  • gstreamer1-plugins-good-1.26.11-1.fc43
  • gstreamer1-plugins-ugly-free-1.26.11-1.fc43
  • gstreamer1-rtsp-server-1.26.11-1.fc43
  • gstreamer1-vaapi-1.26.11-1.fc43
  • python-gstreamer1-1.26.11-1.fc43
Update description:

1.26.11

USN-8133-1: PyJWT vulnerability

3 days 7 hours ago
It was discovered that PyJWT did not validate the critical header parameter, contrary to the RFC specification expectations. A remote attacker could possibly use this issue to bypass certain authentication checks and restrictions.

kea-2.6.5-1.el9

3 days 9 hours ago
FEDORA-EPEL-2026-01ea52d899
Packages in this update:
  • kea-2.6.5-1.el9
Update description:
  • New version 2.6.5
  • Fixes CVE-2026-3608 (rhbz#2452134)