Aggregator

upower-1.91.3-2.fc43

4 days 5 hours ago
FEDORA-2026-ce80ea7afe Packages in this update:
  • upower-1.91.3-2.fc43
Update description:

upower 1.91.3:

  • Feature: up-device-battery: Prefer "Standard" over "Fast" charging (!316 (merged), #344 (closed))
  • Fix: Resolve potential leaks (!327 (merged))
  • Fix: Potential out-of-bound access (!328 (merged))
  • Fix: Improve access control (!326 (merged))
  • Fix: Remove unused codes (!329 (merged))
  • Fix: Fix for Asus Battery Charge Threshold Detection (!330 (merged), #347 (closed))

upower-1.91.3-1.fc44

4 days 5 hours ago
FEDORA-2026-e5305cffc2 Packages in this update:
  • upower-1.91.3-1.fc44
Update description:

upower 1.91.3:

  • Feature: up-device-battery: Prefer "Standard" over "Fast" charging (!316 (merged), #344 (closed))
  • Fix: Resolve potential leaks (!327 (merged))
  • Fix: Potential out-of-bound access (!328 (merged))
  • Fix: Improve access control (!326 (merged))
  • Fix: Remove unused codes (!329 (merged))
  • Fix: Fix for Asus Battery Charge Threshold Detection (!330 (merged), #347 (closed))

roundcubemail-1.7.2-1.fc44

4 days 10 hours ago
FEDORA-2026-517daa8d64 Packages in this update:
  • roundcubemail-1.7.2-1.fc44
Update description: Release 1.7.2
  • Add HEAD request handler to the static.php
  • Fix so the oauth_password_claim claim is retrieved via token or userinfo request (#9631)
  • Fix bug where static.php would return a 416 error on a specific Range request (#10194)
  • Fix bug where configured skin logo wasn't loaded via static.php resulting in 404 error (#10191)
  • Fix bug where installto.sh would fail if public_html folder does not exist in the target directory (#10202)
  • Revert "Prefer 8bit over quoted-printable for HTML parts, when force_7bit is disabled (#8477)" (#10198)
  • Fix incorrect unfolding of folded lines when importing vCard 2.1 contacts (#9647)
  • Fix bug where Imagick could leave large temporary files on failure (#10230)
  • Fix bug where redis/memcache session could have been updated more often than needed
  • Fix support for untyped tokens in OIDC backchannel logout, require unset nonce (#10097)
  • Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193)
  • Security: Fix various vulnerabilities in the password plugin using session-injected username
  • Security: Fix stored XSS via unescaped attachment MIME type on the attachment-validation warning page [CVE-2026-54432]
  • Security: Fix SSRF bypass via specific local address URLs - two new cases
  • Security: Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433]
  • Security: Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file

roundcubemail-1.6.17-1.fc43

4 days 10 hours ago
FEDORA-2026-c3351f4ae4 Packages in this update:
  • roundcubemail-1.6.17-1.fc43
Update description: Release 1.6.17
  • Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314)
  • Enigma: Kolab WOAT Support (#8626)
  • Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193)
  • Security: Fix various vulnerabilities in the password plugin using session-injected username
  • Security: Fix stored XSS via unescaped attachment MIME type on the attachment-validation warning page [CVE-2026-54432]
  • Security: Fix SSRF bypass via specific local address URLs - two new cases
  • Security: Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433]
  • Security: Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file

roundcubemail-1.6.17-1.el10_2

4 days 10 hours ago
FEDORA-EPEL-2026-a54f17adc3 Packages in this update:
  • roundcubemail-1.6.17-1.el10_2
Update description: Release 1.6.17
  • Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314)
  • Enigma: Kolab WOAT Support (#8626)
  • Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193)
  • Security: Fix various vulnerabilities in the password plugin using session-injected username
  • Security: Fix stored XSS via unescaped attachment MIME type on the attachment-validation warning page [CVE-2026-54432]
  • Security: Fix SSRF bypass via specific local address URLs - two new cases
  • Security: Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433]
  • Security: Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file

roundcubemail-1.6.17-1.el10_3

4 days 10 hours ago
FEDORA-EPEL-2026-44b1dd565d Packages in this update:
  • roundcubemail-1.6.17-1.el10_3
Update description: Release 1.6.17
  • Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314)
  • Enigma: Kolab WOAT Support (#8626)
  • Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193)
  • Security: Fix various vulnerabilities in the password plugin using session-injected username
  • Security: Fix stored XSS via unescaped attachment MIME type on the attachment-validation warning page [CVE-2026-54432]
  • Security: Fix SSRF bypass via specific local address URLs - two new cases
  • Security: Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433]
  • Security: Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file

cifs-utils-7.6-2.fc45

4 days 17 hours ago
FEDORA-2026-90dbff48ca Packages in this update:
  • cifs-utils-7.6-2.fc45
Update description:

Automatic update for cifs-utils-7.6-2.fc45.

Changelog * Mon Jul 6 2026 Paulo Alcantara <paalcant@redhat.com> - 7.6-2 - cifs.upcall: fix regression with kerberos mounts - Resolves: rhbz#2497446 - Resolves: rhbz#2496963 - Resolves: rhbz#2489808 - CVE-2026-12505

USN-8514-1: OpenSSH vulnerability

5 days ago
It was discovered that OpenSSH incorrectly handled file permissions when downloading files as root using the legacy scp protocol without the preserve-mode option. An attacker could use this to install setuid or setgid files on a system, possibly leading to privilege escalation.

USN-8502-1: GnuTLS vulnerabilities

5 days 1 hour ago
It was discovered that GnuTLS had a timing side-channel when processing malformed ciphertexts in RSA-PSK ClientKeyExchange. A remote attacker could possibly use this issue to recover sensitive information. This issue only affected Ubuntu 18.04 LTS. (CVE-2024-0553) Bing Shi discovered that GnuTLS incorrectly handled decoding certain DER-encoded certificates. A remote attacker could possibly use this issue to cause GnuTLS to consume resources, leading to a denial of service. This issue only affected Ubuntu 18.04 LTS. (CVE-2024-12243) Luigino Camastra discovered that GnuTLS incorrectly handled certain PKCS11 token labels. A remote attacker could use this issue to cause GnuTLS to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service. (CVE-2025-9820) Tim Scheckenbach discovered that GnuTLS incorrectly handled malicious certificates containing a large number of name constraints and subject alternative names. A remote attacker could possibly use this issue to cause GnuTLS to consume resources, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2025-14831) Oleh Konko and Joshua Rogers discovered that GnuTLS did not properly handle case-insensitive name constraints in certain cases. A remote attacker could possibly use this issue to bypass certificate validation, leading to a machine-in-the-middle attack. (CVE-2026-3833) Joshua Rogers discovered that GnuTLS did not properly handle very short premaster secrets in certain RSA key exchange cases with PKCS#11-backed server keys. A remote attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2026-5260) Joshua Rogers discovered that GnuTLS did not properly handle malformed DTLS handshake fragments in certain cases. A remote attacker could possibly use this issue to obtain sensitive information, or cause a denial of service. This issue only affected Ubuntu 20.04 LTS. (CVE-2026-33845) Haruto Kimura, Oscar Reparaz, and Zou Dikai discovered that GnuTLS did not properly validate DTLS handshake fragment lengths in certain cases. A remote attacker could possibly use this issue to cause GnuTLS to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2026-33846) Joshua Rogers discovered that GnuTLS did not properly order DTLS packets with duplicate sequence numbers in certain cases. A remote attacker could possibly use this issue to cause GnuTLS to crash, resulting in a denial of service. (CVE-2026-42009) Joshua Rogers discovered that GnuTLS did not properly handle usernames containing NUL characters in certain RSA-PSK configurations. A remote attacker could possibly use this issue to bypass authentication and gain unintended access to services. This issue only affected Ubuntu 20.04 LTS. (CVE-2026-42010)