Aggregator

It was discovered that BuildKit, contained within Docker, incorrectly handled file path validation when processing frontend API messages. An attacker could possibly use this issue to write files outside of the intended state directory. (CVE-2026-33747) It was discovered that BuildKit, contained within Docker, incorrectly validated the subdir component of Git URL fragments. An attacker could possibly use this issue to access files outside of the checked-out repository root. (CVE-2026-33748)

It was discovered that Mako incorrectly handled URIs with double-slash prefixes in TemplateLookup. A remote attacker could possibly use this issue to obtain sensitive information.

FEDORA-2026-65ce3da435 Packages in this update:

• nix-2.34.7-2.fc44

Update description:

• update to 2.34.7: fixes high GHSA-vh5x-56v6-4368 and moderate GHSA-gr92-w2r5-qw5p
• https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407
• https://github.com/NixOS/nix/security/advisories/GHSA-vh5x-56v6-4368

Andrew MacPherson discovered that nghttp2 did not properly validate internal state when the session termination API was called. A remote attacker could possibly use this issue to cause nghttp2 to crash, resulting in a denial of service.

FEDORA-EPEL-2026-3faabe7ef7 Packages in this update:

• python-click-8.0.3-2.el9

Update description:

Security fix for CVE-2026-7246

FEDORA-EPEL-2026-f98849630c Packages in this update:

• python-click-8.1.7-7.el10_2

Update description:

Security fix for CVE-2026-7246

FEDORA-EPEL-2026-a0e68dfa17 Packages in this update:

• python-click-8.1.7-7.el10_3

Update description:

Security fix for CVE-2026-7246

It was discovered that Django did not vary cached response headers on cookies when sessions were not modified while SESSION_SAVE_EVERY_REQUEST was enabled. A remote attacker could possibly use this issue to steal a user's session. (CVE-2026-35192) Kyle Agronick and Jacob Walls discovered that Django incorrectly handled ASGI requests with missing or understated Content-Length header values. A remote attacker could possibly use this issue to cause Django to use excessive resources, leading to a denial of service. (CVE-2026-5766) Ahmad Sadeddin discovered that Django UpdateCacheMiddleware incorrectly cached requests where the Vary header contained an asterisk. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-6907)

FEDORA-2026-599dafe4ae Packages in this update:

• python-click-8.1.7-12.fc43

Update description:

Security fix for CVE-2026-7246

FEDORA-EPEL-2026-66ed147b70 Packages in this update:

• gh-2.92.0-1.el10_3

Update description:

Update to 2.92.0 and make telemetry sending opt in.

FEDORA-2026-5df889949e Packages in this update:

• gh-2.92.0-1.fc44

Update description:

Update to 2.92.0 and make telemetry sending opt in.

Version:next-20260505 (linux-next) Released:2026-05-05

FEDORA-EPEL-2026-76e7234279 Packages in this update:

• rust-astral-tokio-tar-0.6.1-1.el9

Update description:

Update the astral-tokio-tar Rust crate to 0.6.1, fixing security advisories GHSA-xx64-wwv2-hcqq and GHSA-fp55-jw48-c537.

FEDORA-EPEL-2026-4b95f570ed Packages in this update:

• rust-astral-tokio-tar-0.6.1-1.el10_3
• uv-0.11.9-1.el10_3

Update description:

Update uv to 0.11.9. Update the astral-tokio-tar Rust crate to 0.6.1, fixing security advisories GHSA-xx64-wwv2-hcqq and GHSA-fp55-jw48-c537.

FEDORA-2026-8d8aee6aaf Packages in this update:

• python-uv-build-0.11.9-1.fc42
• rust-astral-tokio-tar-0.6.1-1.fc42
• uv-0.11.9-1.fc42

Update description:

Update uv and python-uv-build to 0.11.9. Update the astral-tokio-tar Rust crate to 0.6.1, fixing security advisories GHSA-xx64-wwv2-hcqq and GHSA-fp55-jw48-c537.

FEDORA-2026-a8100094df Packages in this update:

• python-uv-build-0.11.9-1.fc43
• rust-astral-tokio-tar-0.6.1-1.fc43
• uv-0.11.9-1.fc43

Update description:

Update uv and python-uv-build to 0.11.9. Update the astral-tokio-tar Rust crate to 0.6.1, fixing security advisories GHSA-xx64-wwv2-hcqq and GHSA-fp55-jw48-c537.

FEDORA-2026-7aacc8ea7d Packages in this update:

• python-uv-build-0.11.9-1.fc44
• rust-astral-tokio-tar-0.6.1-1.fc44
• uv-0.11.9-1.fc44

Update description:

Update uv and python-uv-build to 0.11.9. Update the astral-tokio-tar Rust crate to 0.6.1, fixing security advisories GHSA-xx64-wwv2-hcqq and GHSA-fp55-jw48-c537.

FEDORA-2026-145c8d1a93 Packages in this update:

• python-uv-build-0.11.9-1.fc45
• rust-astral-tokio-tar-0.6.1-1.fc45
• uv-0.11.9-1.fc45

Update description:

Update uv and python-uv-build to 0.11.9. Update the astral-tokio-tar Rust crate to 0.6.1, fixing security advisories GHSA-xx64-wwv2-hcqq and GHSA-fp55-jw48-c537.

FEDORA-2026-1273c7855d Packages in this update:

• opencryptoki-3.26.0-3.fc44

Update description:

Fix CVE-2026-23893, Privilege Escalation or Data Exposure via Symlink Following

FEDORA-2026-6c3b6ec624 Packages in this update:

• opencryptoki-3.26.0-3.fc43

Update description:

Fix CVE-2026-23893, Privilege Escalation or Data Exposure via Symlink Following