Aggregator

It was discovered that Filelock incorrectly handled symlinks in temp files. A local attacker could possibly use this issue to cause lock operations to fail or behave unexpectedly. (CVE-2026-22701) It was discovered that the file locking implementation in the Filelock package contained a race condition. A local attacker could possibly use this to cause a denial of service or corrupt arbitrary user files. (CVE-2025-68146)

It was discovered that the RMI component of CRaC JDK 17 would establish RMI TCP endpoint connections to a remote host without setting an endpoint identification algorithm. An unauthenticated remote attacker could possibly use this issue to steal sensitive information. (CVE-2026-21925) Mingijung discovered that the AWT and JavaFX componenets of CRaC JDK 17 could run programs if Desktop.browse() was supplied a filename as a URI. An unauthenticated remote attacker could possibly use this issue to execute arbitrary code. (CVE-2026-21932) Zhihui Chen discovered that the Networking component of CRaC JDK 17 was suceptible to a CRLF injection vulnerability via the HttpServer class. An unauthenticated remote attacker could possibly use this issue to modify files or leak sensitive information. (CVE-2026-21933) Ireneusz Pastusiak discovered that the Security component of CRaC JDK 17 failed to verify provided URIs point to a legitimate source when AIA is enabled. An unauthenticated remote attacker could possibly use this issue to redirect users to malicious hosts. (CVE-2026-21945) In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: https://openjdk.org/groups/vulnerability/advisories/2026-01-20

It was discovered that the RMI component of CRaC JDK 25 would establish RMI TCP endpoint connections to a remote host without setting an endpoint identification algorithm. An unauthenticated remote attacker could possibly use this issue to steal sensitive information. (CVE-2026-21925) Mingijung discovered that the AWT and JavaFX componenets of CRaC JDK 25 could run programs if Desktop.browse() was supplied a filename as a URI. An unauthenticated remote attacker could possibly use this issue to execute arbitrary code. (CVE-2026-21932) Zhihui Chen discovered that the Networking component of CRaC JDK 25 was suceptible to a CRLF injection vulnerability via the HttpServer class. An unauthenticated remote attacker could possibly use this issue to modify files or leak sensitive information. (CVE-2026-21933) Ireneusz Pastusiak discovered that the Security component of CRaC JDK 25 failed to verify provided URIs point to a legitimate source when AIA is enabled. An unauthenticated remote attacker could possibly use this issue to redirect users to malicious hosts. (CVE-2026-21945) In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: https://openjdk.org/groups/vulnerability/advisories/2026-01-20

It was discovered that the RMI component of OpenJDK 25 would establish RMI TCP endpoint connections to a remote host without setting an endpoint identification algorithm. An unauthenticated remote attacker could possibly use this issue to steal sensitive information. (CVE-2026-21925) Mingijung discovered that the AWT and JavaFX componenets of OpenJDK 25 could run programs if Desktop.browse() was supplied a filename as a URI. An unauthenticated remote attacker could possibly use this issue to execute arbitrary code. (CVE-2026-21932) Zhihui Chen discovered that the Networking component of OpenJDK 25 was suceptible to a CRLF injection vulnerability via the HttpServer class. An unauthenticated remote attacker could possibly use this issue to modify files or leak sensitive information. (CVE-2026-21933) Ireneusz Pastusiak discovered that the Security component of OpenJDK 25 failed to verify provided URIs point to a legitimate source when AIA is enabled. An unauthenticated remote attacker could possibly use this issue to redirect users to malicious hosts. (CVE-2026-21945) In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: https://openjdk.org/groups/vulnerability/advisories/2026-01-20

Version:next-20260202 (linux-next) Released:2026-02-02

Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 8.0.45 in Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. Ubuntu 25.10 has been updated to MySQL 8.4.8. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-45.html https://dev.mysql.com/doc/relnotes/mysql/8.4/en/news-8-4-8.html https://www.oracle.com/security-alerts/cpujan2026.html

It was discovered that libpng incorrectly handled memory when processing certain malformed PNG files. If a user or automated system were tricked into opening a specially crafted PNG file, an attacker could use this issue to cause libpng to crash, resulting in a denial of service.

Kyu Neushwaistein discovered that telnetd in Inetutils incorrectly handled certain environment variables. A remote attacker could use this issue to bypass authentication and open a session as an administrator.

FEDORA-2026-55bb6efd14 Packages in this update:

• open-vm-tools-13.0.10-2.fc43

Update description:

Update to 13.0.10.

FEDORA-2026-33c6aa1881 Packages in this update:

• open-vm-tools-13.0.10-2.fc42

Update description:

Update to 13.0.10.

Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code.

FEDORA-EPEL-2026-96a07a6444 Packages in this update:

• openssl3-3.5.5-1.1.el8

Update description:

Rebased openssl3 to the latest c9s openssl for the latest round of CVEs

Version:6.19-rc8 (mainline) Released:2026-02-01 Source:linux-6.19-rc8.tar.gz Patch:full (incremental)

FEDORA-2026-792b1b7bbd Packages in this update:

• cef-144.0.11^chromium144.0.7559.109-2.fc43

Update description:

Update to Chromium 144.0.7559.109

• CVE-2026-1504: Inappropriate implementation in Background Fetch API

FEDORA-2026-24ed079b30 Packages in this update:

• cef-144.0.11^chromium144.0.7559.109-2.fc42

Update description:

Update to Chromium 144.0.7559.109

• CVE-2026-1504: Inappropriate implementation in Background Fetch API

FEDORA-EPEL-2026-58b60068fc Packages in this update:

• node-exporter-1.10.2-3.el9

Update description:

Update to 1.10.2

Update was blocked by a ppc64 issue, but a workaround has been found.

FEDORA-EPEL-2026-c702846a3a Packages in this update:

• node-exporter-1.10.2-3.el10_1

Update description:

Update to 1.10.2

Update was blocked by a ppc64 issue, but a workaround has been found.

FEDORA-EPEL-2026-16236dd947 Packages in this update:

• node-exporter-1.10.2-3.el10_2

Update description:

Update to 1.10.2

Update was blocked by a ppc64 issue, but a workaround has been found.

FEDORA-2026-126cd91d11 Packages in this update:

• node-exporter-1.10.2-3.fc42

Update description:

Update to 1.10.2

Update was blocked by a ppc64 issue, but a workaround has been found.

FEDORA-2026-9ba46f22d5 Packages in this update:

• node-exporter-1.10.2-3.fc43

Update description:

Update to 1.10.2

Update was blocked by a ppc64 issue, but a workaround has been found.