6 days 8 hours ago
FEDORA-EPEL-2026-ed01d65b2f
Packages in this update:
- chromium-145.0.7632.109-1.el10_2
Update description:
Update to 145.0.7632.109
* CVE-2026-2648: Heap buffer overflow in PDFium
* CVE-2026-2649: Integer overflow in V8
* CVE-2026-2650: Heap buffer overflow in Media
6 days 8 hours ago
FEDORA-EPEL-2026-f118c69a67
Packages in this update:
- chromium-145.0.7632.109-1.el10_1
Update description:
Update to 145.0.7632.109
* CVE-2026-2648: Heap buffer overflow in PDFium
* CVE-2026-2649: Integer overflow in V8
* CVE-2026-2650: Heap buffer overflow in Media
6 days 8 hours ago
FEDORA-2026-f9edb96182
Packages in this update:
- chromium-145.0.7632.109-1.fc44
Update description:
Update to 145.0.7632.109
* CVE-2026-2648: Heap buffer overflow in PDFium
* CVE-2026-2649: Integer overflow in V8
* CVE-2026-2650: Heap buffer overflow in Media
6 days 8 hours ago
FEDORA-EPEL-2026-6587a55db1
Packages in this update:
Update description:
Valkey 8.0.7 - Released Mon 23 February 2026
Upgrade urgency SECURITY: This release includes security fixes we recommend you
apply as soon as possible.
Security fixes
- (CVE-2026-21863) Remote DoS with malformed Valkey Cluster bus message
- (CVE-2025-67733) RESP Protocol Injection via Lua error_reply
Bug fixes
- Fix ltrim should not call signalModifiedKey when no elements are removed (#2787)
- Fix chained replica crash when doing dual channel replication (#2983)
- Fix used_memory_dataset underflow due to miscalculated used_memory_overhead (#3005)
- Avoids crash during MODULE UNLOAD when ACL rules reference a module command and subcommand (#3160)
- Fix server assert on ACL LOAD and resetchannels (#3182)
- Fix bug causing no response flush sometimes when IO threads are busy (#3205)
6 days 8 hours ago
FEDORA-2026-1d05f1d152
Packages in this update:
Update description:
Valkey 8.0.7 - Released Mon 23 February 2026
Upgrade urgency SECURITY: This release includes security fixes we recommend you
apply as soon as possible.
Security fixes
- (CVE-2026-21863) Remote DoS with malformed Valkey Cluster bus message
- (CVE-2025-67733) RESP Protocol Injection via Lua error_reply
Bug fixes
- Fix ltrim should not call signalModifiedKey when no elements are removed (#2787)
- Fix chained replica crash when doing dual channel replication (#2983)
- Fix used_memory_dataset underflow due to miscalculated used_memory_overhead (#3005)
- Avoids crash during MODULE UNLOAD when ACL rules reference a module command and subcommand (#3160)
- Fix server assert on ACL LOAD and resetchannels (#3182)
- Fix bug causing no response flush sometimes when IO threads are busy (#3205)
6 days 8 hours ago
FEDORA-2026-ca1077dd2e
Packages in this update:
Update description:
Valkey 9.0.3 - February 23, 2026
Upgrade urgency SECURITY: This release includes security fixes we recommend you
apply as soon as possible.
Security fixes
- (CVE-2025-67733) RESP Protocol Injection via Lua error_reply
- (CVE-2026-21863) Remote DoS with malformed Valkey Cluster bus message
- (CVE-2026-27623) Reset request type after handling empty requests
Bug fixes
- Avoids crash during MODULE UNLOAD when ACL rules reference a module command and subcommand (#3160)
- Fix server assert on ACL LOAD when current user loses permission to channels (#3182)
- Fix bug causing no response flush sometimes when IO threads are busy (#3205)
6 days 8 hours ago
FEDORA-2026-8d275f4438
Packages in this update:
Update description:
Valkey 8.1.6 - Released Mon 23 February 2026
Upgrade urgency SECURITY: This release includes security fixes we recommend you
apply as soon as possible.
Security fixes
- (CVE-2026-21863) Remote DoS with malformed Valkey Cluster bus message
- (CVE-2025-67733) RESP Protocol Injection via Lua error_reply
Bug fixes
- Restrict ttl from being negative and avoid crash in import-mode (#2944)
- Fix chained replica crash when doing dual channel replication (#2983)
- Fix used_memory_dataset underflow due to miscalculated used_memory_overhead (#3005)
- Fix crashing while MODULE UNLOAD when ACL rules reference a module command or subcommand (#3160)
- Fix server assert on ACL LOAD and resetchannels (#3182)
- Fix bug causing no response flush sometimes when IO threads are busy (#3205)
6 days 10 hours ago
FEDORA-2026-ce5f5c292d
Packages in this update:
- php-zumba-json-serializer-3.2.4-1.fc44
Update description:
Version 3.2.4
- Fix serialization of parent class private properties by @Copilot in #71
- Fix fatal error when serializing objects with uninitialized typed properties by @Copilot in #68
Version 3.2.3
[Security] Added method to restrict which classes can be unserialized.
Security Advisory GHSA-v7m3-fpcr-h7m2
6 days 10 hours ago
FEDORA-2026-5ff99e948e
Packages in this update:
- php-zumba-json-serializer-3.2.4-1.fc43
Update description:
Version 3.2.4
- Fix serialization of parent class private properties by @Copilot in #71
- Fix fatal error when serializing objects with uninitialized typed properties by @Copilot in #68
Version 3.2.3
[Security] Added method to restrict which classes can be unserialized.
Security Advisory GHSA-v7m3-fpcr-h7m2
6 days 10 hours ago
FEDORA-2026-d781fd2f6b
Packages in this update:
- php-zumba-json-serializer-3.2.4-1.fc42
Update description:
Version 3.2.4
- Fix serialization of parent class private properties by @Copilot in #71
- Fix fatal error when serializing objects with uninitialized typed properties by @Copilot in #68
Version 3.2.3
[Security] Added method to restrict which classes can be unserialized.
Security Advisory GHSA-v7m3-fpcr-h7m2
6 days 18 hours ago
Version: next-20260223 (linux-next)
Released: 2026-02-23
6 days 21 hours ago
Hanno Böck discovered that GIMP allocated FLI images using only the
information present in the file header, which allowed for a maliciously-
crafted file to cause out-of-bounds writes. An attacker could possibly use
this issue to cause a denial of service or execute arbitrary code. This
issue only affected Ubuntu 16.04 LTS. (CVE-2017-17785)
Michael Randrianantenaina discovered that opening a maliciously
crafted FLI file could cause GIMP to index out-of-bounds. An attacker could
possibly use this issue to cause a denial of service or execute arbitrary
code. (CVE-2025-2761)
It was discovered that opening a maliciously-crafted DCM file could cause
GIMP to index out-of-bounds. An attacker could possibly use this issue to
cause a denial of service or execute arbitrary code. (CVE-2025-10922)
It was discovered that GIMP's JP2 parser did not account for precision when
allocating an image buffer. An attacker could possibly use this to cause a
denial of service or execute arbitrary code when a maliciously crafted file
is opened. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and
Ubuntu 24.04 LTS. (CVE-2025-14425)
It was discovered that GIMP's PSP parser erroneously queried the color
channels of a greyscale image, which resulted in an invalid memory pointer.
An attacker could possibly use this to cause a denial of service or execute
arbitrary code when a maliciously-crafted file is opened. This issue only
affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2025-15059)
6 days 21 hours ago
USN-8051-1 fixed vulnerabilities in libssh. This update provides the
corresponding updates for Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu
20.04 LTS.
Original advisory details:
It was discovered that libssh clients incorrectly handled the key exchange
process. A remote attacker could possibly use this issue to cause libssh
clients to crash, resulting in a denial of service. (CVE-2025-8277)
It was discovered that the libssh SCP client incorrectly sanitized paths
received from servers. A remote attacker could use this issue to cause
libssh SCP clients to overwrite files outside of the working directory and
possibly execute arbitrary code. (CVE-2026-0964)
It was discovered that libssh incorrectly handled parsing configuration
files. A local attacker could possibly use this issue to cause libssh to
access non-regular files, resulting in a denial of service. (CVE-2026-0965)
It was discovered that libssh incorrectly handled the ssh_get_hexa()
function. A remote attacker could possibly use this issue to cause libssh
to crash, resulting in a denial of service. (CVE-2026-0966)
It was discovered that libssh incorrectly handled certain regular
expressions. A local attacker could possibly use this issue to cause
libssh to consume resources, resulting in a denial of service.
(CVE-2026-0967)
It was discovered that the libssh SFTP client incorrectly handled certain
malformed longname fields. A remote attacker could use this issue to cause
libssh SFTP clients to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2026-0968)
6 days 23 hours ago
FEDORA-2026-b0bf6e9c9b
Packages in this update:
- perl-Crypt-URandom-0.55-1.fc42
Update description:
This release fixes CVE-2026-2474 (a heap buffer overflow) and the handling of failed read syscalls.
6 days 23 hours ago
FEDORA-2026-88f1155b8b
Packages in this update:
- perl-Crypt-URandom-0.55-1.fc43
Update description:
This release fixes CVE-2026-2474 (a heap buffer overflow) and the handling of failed read syscalls.
6 days 23 hours ago
FEDORA-2026-eb6b1039eb
Packages in this update:
- perl-Crypt-URandom-0.55-1.fc44
Update description:
This release fixes CVE-2026-2474 (a heap buffer overflow) and the handling of failed read syscalls.
1 week ago
Simon Diepold discovered that U-Boot incorrectly handled certain DHCP
responses. An attacker on the local network could possibly use this issue
to obtain sensitive memory contents. (CVE-2024-42040)
It was discovered that U-Boot incorrectly handled symlink size calculations
in squashfs file systems. An attacker could use this issue with a specially
crafted squashfs file system to cause U-Boot to crash, resulting in a denial
of service, or execute arbitrary code. (CVE-2024-57254)
It was discovered that U-Boot incorrectly handled inode size calculations
in squashfs file systems. An attacker could use this issue with a specially
crafted squashfs file system to cause U-Boot to crash, resulting in a denial
of service, or execute arbitrary code. (CVE-2024-57255)
It was discovered that U-Boot incorrectly handled inode size calculations
in EXT4 file systems. An attacker could use this issue with a specially
crafted EXT4 file system to cause U-Boot to crash, resulting in a denial of
service, or execute arbitrary code. (CVE-2024-57256)
It was discovered that U-Boot incorrectly handled deep symlink nesting in
squashfs file systems. An attacker could possibly use this issue with a
specially crafted squashfs file system to cause U-Boot to crash, resulting
in a denial of service. (CVE-2024-57257)
It was discovered that U-Boot incorrectly handled memory allocation in
squashfs file systems. An attacker could use this issue with a specially
crafted squashfs file system to cause U-Boot to crash, resulting in a denial
of service, or execute arbitrary code. (CVE-2024-57258)
1 week ago
It was discovered that Evolution Data Server incorrectly handled removing
local cache files. An attacker could possibly use this issue to cause
Evolution Data Server to remove arbitrary files.
1 week ago
It was discovered that DjVuLibre could be forced to execute a division
by zero in certain instances. A remote attacker could possibly use
this issue to cause applications to stop responding or crash, resulting
in a denial of service. (CVE-2021-46312)
It was discovered that DjVuLibre incorrectly handled certain memory
operations. If a user or automated system were tricked into processing a
specially crafted DjVu file, a remote attacker could cause applications
to stop responding or crash, resulting in a denial of service, or possibly
execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu
18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2025-53367)
1 week ago
FEDORA-2026-10cccbf560
Packages in this update:
- avr-binutils-2.45-4.fc43.1
Update description:
- fix CVE-2025-11083: heap-based overflow
- fix CVE-2025-11082: heap-based overflow
- fix CVE-2025-11081: out-of-bounds read