USN-8404-1: Transmission vulnerability
It was discovered that Transmission had a clickjacking weakness in the
browser-facing WebUI and RPC response paths. An attacker could possibly use
this issue to trick users into performing unintended actions.
Aggregator
nextcloud-33.0.5-1.el10_2
FEDORA-EPEL-2026-02d92ea412
Packages in this update:
- nextcloud-33.0.5-1.el10_2
33.0.5 Release
nextcloud-33.0.5-1.el10_3
FEDORA-EPEL-2026-988ec151d8
Packages in this update:
- nextcloud-33.0.5-1.el10_3
33.0.5 Release
nextcloud-33.0.5-1.fc43
FEDORA-2026-cb3feafe41
Packages in this update:
- nextcloud-33.0.5-1.fc43
33.0.5 Release
nextcloud-33.0.5-1.fc44
FEDORA-2026-86fab2703b
Packages in this update:
- nextcloud-33.0.5-1.fc44
33.0.5 Release
next-20260608: linux-next
Version:next-20260608 (linux-next)
Released:2026-06-08
USN-8403-1: Kea DHCP vulnerability
Ali Norouzi discovered that Kea DHCP did not properly handle maliciously
crafted messages over configured API sockets and HA listeners. A remote
attacker could possibly use this issue to cause Kea DHCP to crash,
resulting in a denial of service.
USN-8401-1: Netty vulnerabilities
It was discovered that Netty's HTTP proxy handler did not properly
validate headers when constructing CONNECT requests. An
attacker could possibly use this issue to inject arbitrary HTTP
headers into CONNECT requests. This issue only affected Ubuntu
18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS,
and Ubuntu 26.04 LTS. (CVE-2026-42578)
It was discovered that Netty's DNS codec did not properly enforce
domain name constraints. An attacker could possibly use this issue to
bypass domain name validation, or cause Netty to consume resources,
leading to a denial of service. This issue only affected Ubuntu 20.04
LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS.
(CVE-2026-42579)
It was discovered that Netty did not correctly handle HTTP/1.0
requests containing both a Transfer-Encoding and Content-Length
header. A remote attacker could possibly use this issue to perform
HTTP request smuggling attacks. (CVE-2026-42581)
Violeta Georgieva discovered that Netty incorrectly paired responses with
requests when handling informational HTTP responses. A remote attacker
could possibly use this issue to perform HTTP request smuggling attacks.
(CVE-2026-42584)
Violeta Georgieva discovered that Netty incorrectly parsed malformed
Transfer-Encoding headers. A remote attacker could possibly use this
issue to perform HTTP request smuggling attacks. (CVE-2026-42585)
It was discovered that Netty's Redis encoder did not validate CRLF
characters. An attacker could possibly use this issue to inject arbitrary
Redis commands. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04
LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS.
(CVE-2026-42586)
USN-8402-1: systemd vulnerabilities
It was discovered that systemd-nspawn incorrectly handled certain optional
configuration files. A local attacker could possibly use this issue to
escape to the host system and execute arbitrary code. (CVE-2026-40226)
It was discovered that systemd-resolved incorrectly validated DNSSEC
records for signed domains. An attacker could possibly use this issue to
manipulate DNS records. This issue only affected Ubuntu 22.04 LTS.
(CVE-2023-7008)
USN-8400-1: poppler vulnerability
It was discovered that poppler incorrectly handled certain malformed PDF
tiling patterns in the Splash backend. An attacker could possibly use this
issue to execute arbitrary code, obtain sensitive information, or cause a
denial of service.
USN-8399-1: Pillow vulnerabilities
It was discovered that Pillow incorrectly handled large glyph advance
values in fonts. An attacker could possibly use this issue to cause Pillow
to crash, resulting in a denial of service. (CVE-2026-42308)
It was discovered that Pillow incorrectly handled nested coordinate lists
in certain APIs. An attacker could possibly use this issue to cause Pillow
to crash, resulting in a denial of service. This issue only affected Ubuntu
25.10 and Ubuntu 26.04 LTS. (CVE-2026-42309)
It was discovered that Pillow incorrectly handled certain malformed PDF
files. An attacker could possibly use this issue to cause Pillow to use
excessive resources, leading to a denial of service. (CVE-2026-42310)
It was discovered that Pillow incorrectly handled certain malformed PSD
files. An attacker could possibly use this issue to cause Pillow to crash,
resulting in a denial of service, or to execute arbitrary code. This issue
only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-42311)
USN-8398-1: nginx vulnerability
It was discovered that nginx incorrectly handled certain cookie headers in
the HTTP/2 implementation. A remote attacker could possibly use this issue
to cause nginx to consume excessive resources, resulting in a denial of
service.
USN-8397-1: libjxl vulnerability
It was discovered that libjxl did not properly handle certain crafted PBM
images. An attacker could possibly use this issue to cause libjxl to crash,
resulting in a denial of service, or execute arbitrary code.
openslide-3.4.1-20.el8
FEDORA-EPEL-2026-ad8e45665d
Packages in this update:
- openslide-3.4.1-20.el8
Fix arbitrary memory write with crafted Ventana BIF file (CVE-2026-48977).
openslide-3.4.1-20.el9
FEDORA-EPEL-2026-ec3d774387
Packages in this update:
- openslide-3.4.1-20.el9
Fix arbitrary memory write with crafted Ventana BIF file (CVE-2026-48977).
openslide-4.0.0-8.el10_3
FEDORA-EPEL-2026-1ee658d973
Packages in this update:
- openslide-4.0.0-8.el10_3
Fix arbitrary memory write with crafted Ventana BIF file (CVE-2026-48977).
openslide-4.0.0-14.fc43
FEDORA-2026-3c93ea23b5
Packages in this update:
- openslide-4.0.0-14.fc43
Fix arbitrary memory write with crafted Ventana BIF file (CVE-2026-48977).
openslide-4.0.0-14.fc44
FEDORA-2026-e31dda6e44
Packages in this update:
- openslide-4.0.0-14.fc44
Fix arbitrary memory write with crafted Ventana BIF file (CVE-2026-48977).