Aggregator

It was discovered that Dnsmasq incorrectly handled BOOTREPLY packets when configured with the --dhcp-split-relay option. A remote attacker could use this issue to cause Dnsmasq to crash, resulting in a denial of service, or possibly execute arbitrary code.

It was discovered that ONNX did not properly validate paths when extracting tar archives during model downloads. An attacker could possibly use this issue to overwrite arbitrary files on the system.

FEDORA-2026-e5d5fc359d Packages in this update:

• pie-1.4.5-1.fc44

Update description: Version 1.4.5

This release contains vulnerability fixes for the following security advisories:

• GHSA-h842-vjwg-pxxx - Sudo-elevated arbitrary file deletion via extra.pie-installed-binary metadata in UninstallUsingUnlink
• GHSA-pm6p-666q-hvj5 - Sudo-elevated root code execution via TOCTOU between self-update verify and write
• GHSA-f67f-c344-cqqr - PIE self-update accepts any historically-attested pie.phar (rollback gap)
• GHSA-vcv4-gmjc-mxvq - php-ext.build-path traversal escapes PIE's vendor extract directory
• GHSA-8xmh-xrvp-hwrf - WindowsInstall::copyExtraFile lacks destination containment check (Windows-only path traversal)
• GHSA-p4j8-36rr-gjfq - Self-update attestation verification is scoped to --owner=php, not --repo=php/pie

FEDORA-EPEL-2026-4114f4323c Packages in this update:

• pie-1.4.5-1.el10_2

Update description: Version 1.4.5

This release contains vulnerability fixes for the following security advisories:

• GHSA-h842-vjwg-pxxx - Sudo-elevated arbitrary file deletion via extra.pie-installed-binary metadata in UninstallUsingUnlink
• GHSA-pm6p-666q-hvj5 - Sudo-elevated root code execution via TOCTOU between self-update verify and write
• GHSA-f67f-c344-cqqr - PIE self-update accepts any historically-attested pie.phar (rollback gap)
• GHSA-vcv4-gmjc-mxvq - php-ext.build-path traversal escapes PIE's vendor extract directory
• GHSA-8xmh-xrvp-hwrf - WindowsInstall::copyExtraFile lacks destination containment check (Windows-only path traversal)
• GHSA-p4j8-36rr-gjfq - Self-update attestation verification is scoped to --owner=php, not --repo=php/pie

FEDORA-EPEL-2026-e9a72cc7ed Packages in this update:

• pie-1.4.5-1.el10_3

Update description: Version 1.4.5

This release contains vulnerability fixes for the following security advisories:

• GHSA-h842-vjwg-pxxx - Sudo-elevated arbitrary file deletion via extra.pie-installed-binary metadata in UninstallUsingUnlink
• GHSA-pm6p-666q-hvj5 - Sudo-elevated root code execution via TOCTOU between self-update verify and write
• GHSA-f67f-c344-cqqr - PIE self-update accepts any historically-attested pie.phar (rollback gap)
• GHSA-vcv4-gmjc-mxvq - php-ext.build-path traversal escapes PIE's vendor extract directory
• GHSA-8xmh-xrvp-hwrf - WindowsInstall::copyExtraFile lacks destination containment check (Windows-only path traversal)
• GHSA-p4j8-36rr-gjfq - Self-update attestation verification is scoped to --owner=php, not --repo=php/pie

FEDORA-2026-b2fe14ec86 Packages in this update:

• pie-1.4.5-1.fc43

Update description: Version 1.4.5

This release contains vulnerability fixes for the following security advisories:

• GHSA-h842-vjwg-pxxx - Sudo-elevated arbitrary file deletion via extra.pie-installed-binary metadata in UninstallUsingUnlink
• GHSA-pm6p-666q-hvj5 - Sudo-elevated root code execution via TOCTOU between self-update verify and write
• GHSA-f67f-c344-cqqr - PIE self-update accepts any historically-attested pie.phar (rollback gap)
• GHSA-vcv4-gmjc-mxvq - php-ext.build-path traversal escapes PIE's vendor extract directory
• GHSA-8xmh-xrvp-hwrf - WindowsInstall::copyExtraFile lacks destination containment check (Windows-only path traversal)
• GHSA-p4j8-36rr-gjfq - Self-update attestation verification is scoped to --owner=php, not --repo=php/pie

Version:next-20260526 (linux-next) Released:2026-05-26

FEDORA-2026-1151ae6bdf Packages in this update:

• libcaca-0.99-0.83.beta20.fc45

Update description:

Automatic update for libcaca-0.99-0.83.beta20.fc45.

Changelog * Tue May 26 2026 Xavier Bachelot <xavier@bachelot.org> - 0.99-0.83.beta20 - Fix CVE-2026-42046 (RHBZ#2475408)

Asim Viladi Oglu Manizada discovered that Samba incorrectly handled access checks on reparse point operations. An attacker could possibly use this issue to modify reparse point extended attributes on files that should have been read-only. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-1933) Pavel Kohout discovered that Samba's vfs_worm module did not properly block file overwrites. An attacker could possibly use this issue to overwrite files that should have remained immutable. (CVE-2026-2340) Arad Inbar, Nir Somech, and Ben Grinberg discovered that Samba incorrectly handled certificate auto-enrolment group policies over HTTP without verification. A machine-in-the-middle attacker could possibly use this issue to install a malicious CA certificate. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-3012) Arad Inbar, Erez Cohen, Nir Somech, and Ben Grinberg discovered that Samba's Active Directory Domain Controller WINS server could be made to crash under certain circumstances. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2026-3238) Ron Ben Yizhak discovered that Samba's DCE/RPC SAMR server incorrectly handled a non-default password check script configuration. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2026-4408) Ron Ben Yizhak discovered that Samba's printing subsystem incorrectly handled a non-default print command configuration. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2026-4480)

FEDORA-2026-3e75b379d4 Packages in this update:

• jpegxl-0.11.2-1.fc43

Update description:

Update to version 0.11.2. Resolves CVE-2025-12474 and CVE-2026-1837.

Release notes: https://github.com/libjxl/libjxl/releases/tag/v0.11.2

FEDORA-2026-aa2e960a9f Packages in this update:

• jpegxl-0.11.2-1.fc44

Update description:

Update to version 0.11.2. Resolves CVE-2025-12474 and CVE-2026-1837.

Release notes: https://github.com/libjxl/libjxl/releases/tag/v0.11.2

FEDORA-2026-28afc9a105 Packages in this update:

• hplip-3.26.4-2.fc43

Update description:

Update to 3.26.4, fixes CVE-2026-8631, CVE-2026-8632

FEDORA-2026-a109a9ac2c Packages in this update:

• libpng-1.6.58-1.fc43

Update description:

• updated to 1.6.58
• 1.6.58 is released with a fix for a simple correctness bug (not a security issue) this time: png_get_PLTE() returns stale palette data when either gamma correction or alpha-compositing is the only transform applied. Like the issues addressed in the previous release, this bug was a regression introduced in the fix for CVE-2026-33416 in 1.6.56.
• 1.6.57 is released with fixes for the following security vulnerability:
• CVE-2026-34757 (medium severity): Use-after-free memory bug in the chunk setter API. The hIST variant has existed since version 1.0.9, but the PLTE and tRNS ones are regressions introduced in the fix for CVE-2026-33416 in 1.6.56 (oops).

FEDORA-2026-9a678a08c8 Packages in this update:

• libpng-1.6.58-1.fc42

Update description:

• updated to 1.6.58
• 1.6.58 is released with a fix for a simple correctness bug (not a security issue) this time: png_get_PLTE() returns stale palette data when either gamma correction or alpha-compositing is the only transform applied. Like the issues addressed in the previous release, this bug was a regression introduced in the fix for CVE-2026-33416 in 1.6.56.
• 1.6.57 is released with fixes for the following security vulnerability:
• CVE-2026-34757 (medium severity): Use-after-free memory bug in the chunk setter API. The hIST variant has existed since version 1.0.9, but the PLTE and tRNS ones are regressions introduced in the fix for CVE-2026-33416 in 1.6.56 (oops).

FEDORA-2026-67c1138ed2 Packages in this update:

• libpng-1.6.58-1.fc44

Update description:

• updated to 1.6.58
• 1.6.58 is released with a fix for a simple correctness bug (not a security issue) this time: png_get_PLTE() returns stale palette data when either gamma correction or alpha-compositing is the only transform applied. Like the issues addressed in the previous release, this bug was a regression introduced in the fix for CVE-2026-33416 in 1.6.56.
• 1.6.57 is released with fixes for the following security vulnerability:
• CVE-2026-34757 (medium severity): Use-after-free memory bug in the chunk setter API. The hIST variant has existed since version 1.0.9, but the PLTE and tRNS ones are regressions introduced in the fix for CVE-2026-33416 in 1.6.56 (oops).

FEDORA-EPEL-2026-05f02b89ad Packages in this update:

• roundcubemail-1.6.16-1.el10_3

Update description: Release 1.6.16

• Fix potential too long value in IMAP ID command (#10136)
• Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
• Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">
• Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass
• Security: Fix SSRF bypass via specific local address URLs
• Security: Fix bypass of remote image blocking via CSS var()
• Security: Fix local/private URL fetch bypass when remote resources were not allowed
• Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
• Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option

FEDORA-2026-07ee097ffe Packages in this update:

• roundcubemail-1.6.16-1.fc43

Update description: Release 1.6.16

• Fix potential too long value in IMAP ID command (#10136)
• Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
• Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">
• Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass
• Security: Fix SSRF bypass via specific local address URLs
• Security: Fix bypass of remote image blocking via CSS var()
• Security: Fix local/private URL fetch bypass when remote resources were not allowed
• Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
• Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option

FEDORA-EPEL-2026-aa33047e8e Packages in this update:

• roundcubemail-1.6.16-1.el10_2

Update description: Release 1.6.16

• Fix potential too long value in IMAP ID command (#10136)
• Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
• Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">
• Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass
• Security: Fix SSRF bypass via specific local address URLs
• Security: Fix bypass of remote image blocking via CSS var()
• Security: Fix local/private URL fetch bypass when remote resources were not allowed
• Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
• Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option