5 days 7 hours ago
FEDORA-EPEL-2026-4f9779f295
Packages in this update:
- chromium-150.0.7871.114-1.el10_2
Update description:
Update to 150.0.7871.114
* CVE-2026-15112: Use after free in Ozone
* CVE-2026-15129: Use after free in Views
* CVE-2026-15132: Uninitialized Use in V8
* CVE-2026-15133: Use after free in InterestGroups
* CVE-2026-15108: Integer overflow in Extensions API
* CVE-2026-15109: Uninitialized Use in ANGLE
* CVE-2026-15110: Use after free in Extensions
* CVE-2026-15111: Use after free in Views
* CVE-2026-15113: Use after free in Autofill
* CVE-2026-15114: Out of bounds read and write in Codecs
* CVE-2026-15115: Insufficient validation of untrusted input in WebAppInstalls
* CVE-2026-15116: Use after free in Actor
* CVE-2026-15117: Use after free in Payments
* CVE-2026-15118: Use after free in Input
* CVE-2026-15119: Inappropriate implementation in GetUserMedia
* CVE-2026-15120: Use after free in Core
* CVE-2026-15121: Use after free in WebRTC
* CVE-2026-15122: Insufficient validation of untrusted input in Codecs
* CVE-2026-15123: Insufficient data validation in DOM
* CVE-2026-15124: Insufficient policy enforcement in Passwords
* CVE-2026-15125: Inappropriate implementation in Forms
* CVE-2026-15126: Use after free in Forms
* CVE-2026-15127: Inappropriate implementation in WebGL
* CVE-2026-15128: Inappropriate implementation in Forms
* CVE-2026-15130: Insufficient policy enforcement in Navigation
* CVE-2026-15107: Use after free in IndexedDB
* CVE-2026-15131: Insufficient data validation in Navigation
5 days 7 hours ago
FEDORA-2026-7e82bf89f4
Packages in this update:
- chromium-150.0.7871.114-1.fc44
Update description:
Update to 150.0.7871.114
* CVE-2026-15112: Use after free in Ozone
* CVE-2026-15129: Use after free in Views
* CVE-2026-15132: Uninitialized Use in V8
* CVE-2026-15133: Use after free in InterestGroups
* CVE-2026-15108: Integer overflow in Extensions API
* CVE-2026-15109: Uninitialized Use in ANGLE
* CVE-2026-15110: Use after free in Extensions
* CVE-2026-15111: Use after free in Views
* CVE-2026-15113: Use after free in Autofill
* CVE-2026-15114: Out of bounds read and write in Codecs
* CVE-2026-15115: Insufficient validation of untrusted input in WebAppInstalls
* CVE-2026-15116: Use after free in Actor
* CVE-2026-15117: Use after free in Payments
* CVE-2026-15118: Use after free in Input
* CVE-2026-15119: Inappropriate implementation in GetUserMedia
* CVE-2026-15120: Use after free in Core
* CVE-2026-15121: Use after free in WebRTC
* CVE-2026-15122: Insufficient validation of untrusted input in Codecs
* CVE-2026-15123: Insufficient data validation in DOM
* CVE-2026-15124: Insufficient policy enforcement in Passwords
* CVE-2026-15125: Inappropriate implementation in Forms
* CVE-2026-15126: Use after free in Forms
* CVE-2026-15127: Inappropriate implementation in WebGL
* CVE-2026-15128: Inappropriate implementation in Forms
* CVE-2026-15130: Insufficient policy enforcement in Navigation
* CVE-2026-15107: Use after free in IndexedDB
* CVE-2026-15131: Insufficient data validation in Navigation
5 days 7 hours ago
FEDORA-EPEL-2026-36fc7f58b7
Packages in this update:
- chromium-150.0.7871.114-1.el9
Update description:
Update to 150.0.7871.114
* CVE-2026-15112: Use after free in Ozone
* CVE-2026-15129: Use after free in Views
* CVE-2026-15132: Uninitialized Use in V8
* CVE-2026-15133: Use after free in InterestGroups
* CVE-2026-15108: Integer overflow in Extensions API
* CVE-2026-15109: Uninitialized Use in ANGLE
* CVE-2026-15110: Use after free in Extensions
* CVE-2026-15111: Use after free in Views
* CVE-2026-15113: Use after free in Autofill
* CVE-2026-15114: Out of bounds read and write in Codecs
* CVE-2026-15115: Insufficient validation of untrusted input in WebAppInstalls
* CVE-2026-15116: Use after free in Actor
* CVE-2026-15117: Use after free in Payments
* CVE-2026-15118: Use after free in Input
* CVE-2026-15119: Inappropriate implementation in GetUserMedia
* CVE-2026-15120: Use after free in Core
* CVE-2026-15121: Use after free in WebRTC
* CVE-2026-15122: Insufficient validation of untrusted input in Codecs
* CVE-2026-15123: Insufficient data validation in DOM
* CVE-2026-15124: Insufficient policy enforcement in Passwords
* CVE-2026-15125: Inappropriate implementation in Forms
* CVE-2026-15126: Use after free in Forms
* CVE-2026-15127: Inappropriate implementation in WebGL
* CVE-2026-15128: Inappropriate implementation in Forms
* CVE-2026-15130: Insufficient policy enforcement in Navigation
* CVE-2026-15107: Use after free in IndexedDB
* CVE-2026-15131: Insufficient data validation in Navigation
5 days 7 hours ago
FEDORA-2026-9a7d180869
Packages in this update:
- chromium-150.0.7871.114-1.fc43
Update description:
Update to 150.0.7871.114
* CVE-2026-15112: Use after free in Ozone
* CVE-2026-15129: Use after free in Views
* CVE-2026-15132: Uninitialized Use in V8
* CVE-2026-15133: Use after free in InterestGroups
* CVE-2026-15108: Integer overflow in Extensions API
* CVE-2026-15109: Uninitialized Use in ANGLE
* CVE-2026-15110: Use after free in Extensions
* CVE-2026-15111: Use after free in Views
* CVE-2026-15113: Use after free in Autofill
* CVE-2026-15114: Out of bounds read and write in Codecs
* CVE-2026-15115: Insufficient validation of untrusted input in WebAppInstalls
* CVE-2026-15116: Use after free in Actor
* CVE-2026-15117: Use after free in Payments
* CVE-2026-15118: Use after free in Input
* CVE-2026-15119: Inappropriate implementation in GetUserMedia
* CVE-2026-15120: Use after free in Core
* CVE-2026-15121: Use after free in WebRTC
* CVE-2026-15122: Insufficient validation of untrusted input in Codecs
* CVE-2026-15123: Insufficient data validation in DOM
* CVE-2026-15124: Insufficient policy enforcement in Passwords
* CVE-2026-15125: Inappropriate implementation in Forms
* CVE-2026-15126: Use after free in Forms
* CVE-2026-15127: Inappropriate implementation in WebGL
* CVE-2026-15128: Inappropriate implementation in Forms
* CVE-2026-15130: Insufficient policy enforcement in Navigation
* CVE-2026-15107: Use after free in IndexedDB
* CVE-2026-15131: Insufficient data validation in Navigation
5 days 7 hours ago
FEDORA-EPEL-2026-df92eb1a58
Packages in this update:
- chromium-150.0.7871.114-1.el10_3
Update description:
Update to 150.0.7871.114
* CVE-2026-15112: Use after free in Ozone
* CVE-2026-15129: Use after free in Views
* CVE-2026-15132: Uninitialized Use in V8
* CVE-2026-15133: Use after free in InterestGroups
* CVE-2026-15108: Integer overflow in Extensions API
* CVE-2026-15109: Uninitialized Use in ANGLE
* CVE-2026-15110: Use after free in Extensions
* CVE-2026-15111: Use after free in Views
* CVE-2026-15113: Use after free in Autofill
* CVE-2026-15114: Out of bounds read and write in Codecs
* CVE-2026-15115: Insufficient validation of untrusted input in WebAppInstalls
* CVE-2026-15116: Use after free in Actor
* CVE-2026-15117: Use after free in Payments
* CVE-2026-15118: Use after free in Input
* CVE-2026-15119: Inappropriate implementation in GetUserMedia
* CVE-2026-15120: Use after free in Core
* CVE-2026-15121: Use after free in WebRTC
* CVE-2026-15122: Insufficient validation of untrusted input in Codecs
* CVE-2026-15123: Insufficient data validation in DOM
* CVE-2026-15124: Insufficient policy enforcement in Passwords
* CVE-2026-15125: Inappropriate implementation in Forms
* CVE-2026-15126: Use after free in Forms
* CVE-2026-15127: Inappropriate implementation in WebGL
* CVE-2026-15128: Inappropriate implementation in Forms
* CVE-2026-15130: Insufficient policy enforcement in Navigation
* CVE-2026-15107: Use after free in IndexedDB
* CVE-2026-15131: Insufficient data validation in Navigation
5 days 7 hours ago
FEDORA-2026-adc8ddbeaa
Packages in this update:
Update description:
pam_userdb: fix password comparison timing leak
5 days 11 hours ago
5 days 19 hours ago
FEDORA-2026-7fa12630d5
Packages in this update:
Update description:
fdf6afc update to 3.7b fixes rhbz#2498485
CHANGES FROM 3.7a TO 3.7b
- Fix so that the end of a synchronized update again triggers a redraw.
CHANGES FROM 3.7 TO 3.7a
-
Fix crash in break-pane when no name is provided.
-
Scrollbar options are now cached rather than being looked up for every redraw
(issue 5298).
-
Only forbid #( in names, allow #[, empty names, : and .
5 days 19 hours ago
FEDORA-2026-f5dd9fb83f
Packages in this update:
Update description:
fdf6afc update to 3.7b fixes rhbz#2498485
CHANGES FROM 3.7a TO 3.7b
- Fix so that the end of a synchronized update again triggers a redraw.
CHANGES FROM 3.7 TO 3.7a
-
Fix crash in break-pane when no name is provided.
-
Scrollbar options are now cached rather than being looked up for every redraw
(issue 5298).
-
Only forbid #( in names, allow #[, empty names, : and .
5 days 20 hours ago
Xianrui Dong discovered that libheif had an out-of-bounds read in its
HEIF sequence track parser. An attacker could possibly use this issue
to cause a denial of service or obtain sensitive information. This issue
only affected Ubuntu 26.04 LTS. (CVE-2026-47254)
Junyi Liu discovered that libheif had a null pointer dereference in its
image tiling interface. An attacker could possibly use this issue to
cause a denial of service. (CVE-2026-47709)
Calvin Young and Enoch Chow discovered that libheif had an integer
overflow in its inline mask size calculation. An attacker could
possibly use this issue to cause a denial of service or obtain sensitive
information. (CVE-2026-47714)
Ariel Koren discovered that libheif had an integer underflow in its
grid image tile coordinate transform. An attacker could possibly use
this issue to cause a denial of service or obtain sensitive information.
(CVE-2026-48029)
It was discovered that libheif had a missing bound check in its HEIF
sequence parser, allowing unbounded heap allocation. An attacker could
possibly use this issue to cause a denial of service. (CVE-2026-50142)
5 days 20 hours ago
Harry Sintonen discovered that curl incorrectly handled credentials when
following HTTP redirects in conjunction with .netrc files. An attacker
could possibly use this issue to obtain sensitive information. This issue
only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS.
(CVE-2024-11053)
Hiroki Kurosawa discovered that curl incorrectly handled OCSP stapling
responses. A remote attacker could possibly use this issue to obtain
sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu
18.04 LTS. (CVE-2024-8096)
Joshua Rogers discovered that curl had a use-after-free vulnerability when
resetting and cleaning up HTTP/2 stream handles. An attacker could possibly
use this issue to cause a denial of service or execute arbitrary code. This
issue only affected Ubuntu 24.04 LTS, Ubuntu 25.04, and Ubuntu 25.10.
(CVE-2026-10536)
Quac Tran and Ngoc Hieu discovered that curl incorrectly reused connections
when switching authentication methods to the same host. An attacker could
possibly use this issue to obtain sensitive information or perform
unauthorized actions. This issue only affected Ubuntu 20.04 LTS.
(CVE-2026-5545)
Osama Hamad discovered that curl incorrectly reused SMB connections when
the target share differed between transfers. An attacker could possibly use
this issue to obtain sensitive information. This issue only affected Ubuntu
16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2026-5773)
Muhamad Arga Reksapati discovered that curl incorrectly forwarded Digest
proxy authentication credentials to a different proxy host. An attacker
could possibly use this issue to obtain sensitive information. This issue
only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2026-7168)
It was discovered that curl incorrectly skipped SSH host verification
options when using schemeless URLs with --proto-default. An attacker could
possibly use this issue to perform machine-in-the-middle attacks. This
issue only affected Ubuntu 25.04 and Ubuntu 25.10. (CVE-2026-12064)
It was discovered that curl did not enforce an upper bound on memory
allocated for unacknowledged WebSocket PING frames. A remote attacker could
possibly use this issue to cause a denial of service. This issue only
affected Ubuntu 25.10. (CVE-2026-11586)
It was discovered that curl could stall indefinitely when a malicious
HTTP/3 server sent a continuous stream of empty UDP datagrams. A remote
attacker could possibly use this issue to cause a denial of service. This
issue only affected Ubuntu 25.10. (CVE-2026-11352)
It was discovered that curl could incorrectly continue trusting a native
platform CA store after an application switched the handle to use custom CA
material. An attacker could possibly use this issue to obtain sensitive
information. This issue only affected Ubuntu 25.10. (CVE-2026-11564)
5 days 20 hours ago
FEDORA-2026-9ab663dcd4
Packages in this update:
Update description:
CVE fixes: CVE-2026-12610 CVE-2026-14474 CVE-2026-14476
- rhbz#2494777: CVE-2026-12610 sssd: Use-after-free crash in SSSD' 'sssd_pam' process
- rhbz#2497650: CVE-2026-14476 sssd: sssd: GPO cache path traversal via unsanitized
gPCFileSysPath allows Kerberos authentication bypass
- rhbz#2497651: CVE-2026-14474 sssd: sssd: sudo LDAP provider searches entire directory
tree for sudoRole objects by default, enabling privilege escalation
5 days 21 hours ago
FEDORA-2026-5acfb0243b
Packages in this update:
Update description:
CVE fixes: CVE-2026-12610 CVE-2026-14474 CVE-2026-14476
- rhbz#2494777: CVE-2026-12610 sssd: Use-after-free crash in SSSD' 'sssd_pam' process
- rhbz#2497650: CVE-2026-14476 sssd: sssd: GPO cache path traversal via unsanitized
gPCFileSysPath allows Kerberos authentication bypass
- rhbz#2497651: CVE-2026-14474 sssd: sssd: sudo LDAP provider searches entire directory
tree for sudoRole objects by default, enabling privilege escalation
5 days 23 hours ago
Version:next-20260709 (linux-next)
Released:2026-07-09
6 days ago
It was discovered that Python did not use sufficient entropy for Expat
hash-flooding protection in the xml.parsers.expat and xml.etree.ElementTree
modules. An attacker could use this to cause a denial of service via a
crafted XML document.
6 days 1 hour ago
Eric Su and Samuel Dainard discovered that libsoup incorrectly handled
content with zero-length resources. An attacker could possibly use this
issue to trigger a buffer over-read, resulting in information disclosure
or a denial of service. This issue only affected Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.10, and
Ubuntu 26.04 LTS. (CVE-2026-2369)
Kona Arctic discovered that libsoup did not properly protect sensitive
cookies when establishing HTTPS tunnels through an HTTP proxy. An
attacker could possibly use this issue to intercept session cookies,
resulting in session hijacking or user impersonation. (CVE-2026-5119)
6 days 2 hours ago
FEDORA-2026-7b7c2b373e
Packages in this update:
Update description:
Ruby 3.4.10 is released. This new version contains severay security bug fixes in zlib, net-imap and erb..
6 days 2 hours ago
It was discovered that LibRaw incorrectly handled certain Nikon RAW image
files. An attacker could possibly use this issue to cause LibRaw to crash,
resulting in a denial of service. (CVE-2026-5342)
It was discovered that LibRaw had an integer overflow in its DNG image
loader. An attacker could possibly use this issue to cause LibRaw to
crash, resulting in a denial of service, or execute arbitrary code.
(CVE-2026-20884)
It was discovered that LibRaw incorrectly handled certain X3F thumbnail
data. An attacker could possibly use this issue to cause LibRaw to crash,
resulting in a denial of service, or execute arbitrary code.
(CVE-2026-20889)
It was discovered that LibRaw had a heap-based buffer overflow in its
lossless JPEG image loader. An attacker could possibly use this issue to
cause LibRaw to crash, resulting in a denial of service, or execute
arbitrary code. (CVE-2026-21413)
It was discovered that LibRaw had an integer overflow in its uncompressed
floating-point DNG image loader. An attacker could possibly use this issue
to cause LibRaw to crash, resulting in a denial of service, or execute
arbitrary code. This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.04.
(CVE-2026-24450)
It was discovered that LibRaw had a heap-based buffer overflow in its X3F
Huffman decoder. An attacker could possibly use this issue to cause LibRaw
to crash, resulting in a denial of service, or execute arbitrary code.
(CVE-2026-24660)
6 days 2 hours ago
It was discovered that Libidn incorrectly handled certain internationalized
domain name strings. An attacker could possibly use this issue to obtain
sensitive information or cause a denial of service.
6 days 3 hours ago
It was discovered that Expat used insufficient entropy when generating
hash salt values for its internal hash table. An attacker could use this
to craft an XML document that triggers hash flooding, leading to a
denial of service.