Aggregator

FEDORA-2026-1b15ac058b Packages in this update:

• cpp-httplib-0.48.0-1.fc44

Update description: Update to 0.48.0 (rhbz#2481109) Security fixes

• Complete the IP-host certificate identity fix from v0.47.0 for the Mbed TLS and wolfSSL backends. An IP-literal host is now authenticated only via a matching iPAddress SAN, never via the certificate's Common Name (RFC 9110) — matching what the OpenSSL backend already enforces through X509_check_ip. Previously these backends fell back to the CN when no IP SAN matched, and recognized IPv4 only; now IPv6 (16-byte) iPAddress SANs are matched as well, and the CN fallback is skipped for both IPv4 and IPv6 literal hosts (#2476)

Improvements

• Replace the strtod-based from_chars for double with a hand-written, locale-independent parser. The only double parsed by the library is the HTTP quality value; strtod reads the decimal separator from the global C locale, so an embedder calling setlocale(LC_ALL, "") into a comma-decimal locale would mis-parse q-values. The new parser always treats . as the decimal separator and is allocation-free (Fix #2475)
• Fix OpenSSL 4.0 deprecation warnings: fetch CA store objects via the thread-safe X509_STORE_get1_objects() (OpenSSL 3.3+) and extract the subject CN via X509_NAME_get_index_by_NID()/X509_NAME_get_entry() instead of the deprecated X509_STORE_get0_objects() and X509_NAME_get_text_by_NID(). Older OpenSSL, BoringSSL, and LibreSSL keep using the get0 path. Verified warning-free against OpenSSL 4.0.1, 3.6.2, and 3.0

Behavior changes

• decode_query_component() now uses strict hex parsing for percent-escapes, consistent with decode_uri_component() and decode_path_component(). A % followed by non-hex characters (e.g. a sign or whitespace such as %-1, %+5, % 5) is passed through literally instead of being accepted as a valid escape (#2472)

Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.48.0

Update to 0.47.0 (rhbz#2481109, CVE-2026-46527, CVE-2026-45372, CVE-2026-45352) Security fixes

• Fix TLS certificate chain verification bypass for IP-literal hosts on the Mbed TLS and wolfSSL backends: with server certificate verification enabled, SSLClient skipped chain validation entirely (any untrusted certificate with a matching IP SAN was accepted), and WebSocketClient on Mbed TLS skipped verification altogether. Chain verification now stays enabled for IP hosts, and certificate identity is verified post-handshake against IP SANs on all backends. SNI is no longer sent for IP hosts on Mbed TLS and wolfSSL, per RFC 6066 (CVE-2026-54919)

New features

• Add Server::set_start_handler(): a callback invoked when the server is ready to accept connections, useful when running the server in a background thread (#2467)
• Add Client/SSLClient/WebSocketClient::enable_system_ca(bool) to opt into loading system CA certificates alongside a custom CA. The default is unchanged: a custom CA remains exclusive. The setting carries over to clients created for HTTPS redirects (#2471)
• Add WebSocketClient::set_hostname_addr_map() to connect to a specific IP address while keeping the original hostname for the handshake and certificate verification (#2463)

Behavior changes

• The request body is now read after route matching and the pre-request handler, so both the regular handler and ContentReader paths behave the same: route matching → pre-request handler → body read → handler. A request rejected by the pre-request handler (e.g. failed per-route authentication via req.matched_route) no longer buffers the body at all. Note: code that referenced req.body or body-derived form fields inside the pre-request handler will now see an empty body; inspect headers, path, query parameters, or matched_route instead
• WebSocketClient with a custom CA no longer merges system CA certificates (it previously always merged them). This matches SSLClient behavior; call enable_system_ca(true) to load system CA certificates alongside the custom CA
• Range request headers are now ignored for streaming responses of unknown length instead of producing an invalid response (#2465)

Bug fixes

• Fix SSLClient::set_ca_cert_store() breaking custom-CA exclusivity: system CA certificates were silently merged into the user-provided store, broadening the trust set. Also fix Client::load_ca_cert_store() not carrying CA certificates over to clients created for HTTPS redirects
• Fix WebSocketClient dropping the query string from the URL during the upgrade handshake, so query parameters (e.g. auth tokens) are sent (#2468)
• Fix a use-after-free when reconnecting a WebSocketClient after set_ca_cert_store(), and a memory leak in the Mbed TLS and wolfSSL set_ca_cert_store() backends
• Fix MSVC warning C4309 (truncation of constant value) in SHA padding code (#2464)
• Cast to unsigned char before ctype calls in is_hex and is_token_char to avoid undefined behavior with negative char values (#2469)

Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.47.0

FEDORA-2026-1d4bd0354a Packages in this update:

• cpp-httplib-0.48.0-1.fc43

Update description: Update to 0.48.0 (rhbz#2481109) Security fixes

• Complete the IP-host certificate identity fix from v0.47.0 for the Mbed TLS and wolfSSL backends. An IP-literal host is now authenticated only via a matching iPAddress SAN, never via the certificate's Common Name (RFC 9110) — matching what the OpenSSL backend already enforces through X509_check_ip. Previously these backends fell back to the CN when no IP SAN matched, and recognized IPv4 only; now IPv6 (16-byte) iPAddress SANs are matched as well, and the CN fallback is skipped for both IPv4 and IPv6 literal hosts (#2476)

Improvements

• Replace the strtod-based from_chars for double with a hand-written, locale-independent parser. The only double parsed by the library is the HTTP quality value; strtod reads the decimal separator from the global C locale, so an embedder calling setlocale(LC_ALL, "") into a comma-decimal locale would mis-parse q-values. The new parser always treats . as the decimal separator and is allocation-free (Fix #2475)
• Fix OpenSSL 4.0 deprecation warnings: fetch CA store objects via the thread-safe X509_STORE_get1_objects() (OpenSSL 3.3+) and extract the subject CN via X509_NAME_get_index_by_NID()/X509_NAME_get_entry() instead of the deprecated X509_STORE_get0_objects() and X509_NAME_get_text_by_NID(). Older OpenSSL, BoringSSL, and LibreSSL keep using the get0 path. Verified warning-free against OpenSSL 4.0.1, 3.6.2, and 3.0

Behavior changes

• decode_query_component() now uses strict hex parsing for percent-escapes, consistent with decode_uri_component() and decode_path_component(). A % followed by non-hex characters (e.g. a sign or whitespace such as %-1, %+5, % 5) is passed through literally instead of being accepted as a valid escape (#2472)

Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.48.0

Update to 0.47.0 (rhbz#2481109, CVE-2026-46527, CVE-2026-45372, CVE-2026-45352) Security fixes

• Fix TLS certificate chain verification bypass for IP-literal hosts on the Mbed TLS and wolfSSL backends: with server certificate verification enabled, SSLClient skipped chain validation entirely (any untrusted certificate with a matching IP SAN was accepted), and WebSocketClient on Mbed TLS skipped verification altogether. Chain verification now stays enabled for IP hosts, and certificate identity is verified post-handshake against IP SANs on all backends. SNI is no longer sent for IP hosts on Mbed TLS and wolfSSL, per RFC 6066 (CVE-2026-54919)

New features

• Add Server::set_start_handler(): a callback invoked when the server is ready to accept connections, useful when running the server in a background thread (#2467)
• Add Client/SSLClient/WebSocketClient::enable_system_ca(bool) to opt into loading system CA certificates alongside a custom CA. The default is unchanged: a custom CA remains exclusive. The setting carries over to clients created for HTTPS redirects (#2471)
• Add WebSocketClient::set_hostname_addr_map() to connect to a specific IP address while keeping the original hostname for the handshake and certificate verification (#2463)

Behavior changes

• The request body is now read after route matching and the pre-request handler, so both the regular handler and ContentReader paths behave the same: route matching → pre-request handler → body read → handler. A request rejected by the pre-request handler (e.g. failed per-route authentication via req.matched_route) no longer buffers the body at all. Note: code that referenced req.body or body-derived form fields inside the pre-request handler will now see an empty body; inspect headers, path, query parameters, or matched_route instead
• WebSocketClient with a custom CA no longer merges system CA certificates (it previously always merged them). This matches SSLClient behavior; call enable_system_ca(true) to load system CA certificates alongside the custom CA
• Range request headers are now ignored for streaming responses of unknown length instead of producing an invalid response (#2465)

Bug fixes

• Fix SSLClient::set_ca_cert_store() breaking custom-CA exclusivity: system CA certificates were silently merged into the user-provided store, broadening the trust set. Also fix Client::load_ca_cert_store() not carrying CA certificates over to clients created for HTTPS redirects
• Fix WebSocketClient dropping the query string from the URL during the upgrade handshake, so query parameters (e.g. auth tokens) are sent (#2468)
• Fix a use-after-free when reconnecting a WebSocketClient after set_ca_cert_store(), and a memory leak in the Mbed TLS and wolfSSL set_ca_cert_store() backends
• Fix MSVC warning C4309 (truncation of constant value) in SHA padding code (#2464)
• Cast to unsigned char before ctype calls in is_hex and is_token_char to avoid undefined behavior with negative char values (#2469)

Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.47.0

It was discovered that Perl's Archive::Tar module incorrectly handled symlink and hardlink targets during extraction. An attacker could use this issue to read or overwrite arbitrary files outside the extraction directory. (CVE-2026-42496) It was discovered that Perl had a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. An attacker could use this issue to cause a denial of service or possibly execute arbitrary code. (CVE-2026-8376)

FEDORA-2026-cda0c20ce0 Packages in this update:

• thunderbird-152.0-1.fc44

Update description:

Update to latest upstream version

FEDORA-2026-2fb5ca48a2 Packages in this update:

• thunderbird-152.0-2.fc43

Update description:

Update to latest upstream version

Update to latest upstream version.

It was discovered that the Perl DBI module incorrectly handled certain error messages. An attacker could use this issue to cause applications using the Perl DBI module to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-9698) It was discovered that the Perl DBI module incorrectly handled memory when preparsing SQL statements that included more than nine binders. An attacker could use this issue to cause applications using the Perl DBI module to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-10879)

FEDORA-2026-8c7f5e32c5 Packages in this update:

• mysql8.4-8.4.10-1.fc44

Update description:

MySQL 8.4.10

Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.4/en/news-8-4-10.html Upstream changelog: https://dev.mysql.com/doc/relnotes/mysql/8.4/en/ Oracle Critical Security Patch Update - June 2026: https://www.oracle.com/security-alerts/cspujun2026.html#AppendixMSQL CVE-2026-46863 (CVSS 7.5) - Server: Connection Handling The only CVE from the June 2026 CPU affecting the 'mysql8.4' package. Remotely exploitable without authentication (DoS). The remaining 7 CVEs affect MySQL Shell (VS Code extension), MySQL Router, and NDB Cluster Operator — none of which are built or shipped by this package.

FEDORA-2026-280245e2ea Packages in this update:

• mysql8.4-8.4.10-1.fc43

Update description:

MySQL 8.4.10

Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.4/en/news-8-4-10.html Upstream changelog: https://dev.mysql.com/doc/relnotes/mysql/8.4/en/ Oracle Critical Security Patch Update - June 2026: https://www.oracle.com/security-alerts/cspujun2026.html#AppendixMSQL CVE-2026-46863 (CVSS 7.5) - Server: Connection Handling The only CVE from the June 2026 CPU affecting the 'mysql8.4' package. Remotely exploitable without authentication (DoS). The remaining 7 CVEs affect MySQL Shell (VS Code extension), MySQL Router, and NDB Cluster Operator — none of which are built or shipped by this package.

FEDORA-EPEL-2026-4245f60523 Packages in this update:

• haveged-1.9.26-1.el9

Update description:

Update to 1.9.26. Fixes two regressions introduced in 1.9.24:

• Fix 100% CPU spin when --no-command is used (BZ#2492029): socket_fd was uninitialized (defaulting to 0), causing the daemon loop to call accept4() on stdin in a tight loop.

• Fix initramfs switch-root failure caused by --no-command (BZ#2491739): add a separate haveged-initramfs.service for use inside the initramfs, so the switch-root mechanism works. Prevents emergency mode on systems where haveged was started but not enabled.

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-EPEL-2026-e6d245c837 Packages in this update:

• haveged-1.9.26-1.el10_3

Update description:

Update to 1.9.26. Fixes two regressions introduced in 1.9.24:

• Fix 100% CPU spin when --no-command is used (BZ#2492029): socket_fd was uninitialized (defaulting to 0), causing the daemon loop to call accept4() on stdin in a tight loop.

• Fix initramfs switch-root failure caused by --no-command (BZ#2491739): add a separate haveged-initramfs.service for use inside the initramfs, so the switch-root mechanism works. Prevents emergency mode on systems where haveged was started but not enabled.

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-EPEL-2026-e15fb7f042 Packages in this update:

• haveged-1.9.26-1.el10_2

Update description:

Update to 1.9.26. Fixes two regressions introduced in 1.9.24:

• Fix 100% CPU spin when --no-command is used (BZ#2492029): socket_fd was uninitialized (defaulting to 0), causing the daemon loop to call accept4() on stdin in a tight loop.

• Fix initramfs switch-root failure caused by --no-command (BZ#2491739): add a separate haveged-initramfs.service for use inside the initramfs, so the switch-root mechanism works. Prevents emergency mode on systems where haveged was started but not enabled.

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-2026-5ddd0941a8 Packages in this update:

• haveged-1.9.26-1.fc43

Update description:

Update to 1.9.26. Fixes two regressions introduced in 1.9.24:

• Fix 100% CPU spin when --no-command is used (BZ#2492029): socket_fd was uninitialized (defaulting to 0), causing the daemon loop to call accept4() on stdin in a tight loop.

• Fix initramfs switch-root failure caused by --no-command (BZ#2491739): add a separate haveged-initramfs.service for use inside the initramfs, so the switch-root mechanism works. Prevents emergency mode on systems where haveged was started but not enabled.

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-2026-28f26f5294 Packages in this update:

• haveged-1.9.26-1.fc44

Update description:

Update to 1.9.26. Fixes two regressions introduced in 1.9.24:

• Fix 100% CPU spin when --no-command is used (BZ#2492029): socket_fd was uninitialized (defaulting to 0), causing the daemon loop to call accept4() on stdin in a tight loop.

• Fix initramfs switch-root failure caused by --no-command (BZ#2491739): add a separate haveged-initramfs.service for use inside the initramfs, so the switch-root mechanism works. Prevents emergency mode on systems where haveged was started but not enabled.

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-EPEL-2026-6f59aff531 Packages in this update:

• caddy-2.10.2-9.el10_3

Update description:

Security update resolving 22 CVEs across both caddy itself and its vendored libraries.

FEDORA-EPEL-2026-74f2be0676 Packages in this update:

• haveged-1.9.25-1.el9

Update description:

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-EPEL-2026-40258434d5 Packages in this update:

• haveged-1.9.25-1.el10_3

Update description:

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-EPEL-2026-504948f7d0 Packages in this update:

• haveged-1.9.25-1.el10_2

Update description:

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-2026-6a17c7864b Packages in this update:

• haveged-1.9.25-1.fc43

Update description:

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-2026-cf1b1b3d16 Packages in this update:

• haveged-1.9.25-1.fc44

Update description:

Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).

The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.

Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).

Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)

Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive

Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-2026-3dc324bd9a Packages in this update:

• caddy-2.10.2-9.fc43

Update description:

Security update resolving 22 CVEs across both caddy itself and its vendored libraries.