Aggregator

FEDORA-EPEL-2026-c83d48204a Packages in this update:

• mongo-c-driver-1.30.7-2.el10_1

Update description:

• Fix handling in HTTP response parser CVE-2026-4359

FEDORA-2026-c5273647fa Packages in this update:

• mongo-c-driver-1.30.7-2.fc42

Update description:

• Fix handling in HTTP response parser CVE-2026-4359

FEDORA-2026-9d5b9f45ec Packages in this update:

• kryoptic-1.5.0-2.fc43
• pyOpenSSL-26.0.0-1.fc43
• python-cryptography-46.0.5-1.fc43
• rust-asn1-0.22.0-1.fc43
• rust-asn1_derive-0.22.0-1.fc43
• rust-cryptoki-0.12.0-2.fc43
• rust-cryptoki-sys-0.5.0-2.fc43
• rust-wycheproof-0.6.0-1.fc43

Update description:

• Update pyOpenSSL to v26.0.0 (security update)
• Update python-cryptography to v46.0.5 (dependency of pyOpenSSL 26)
• Update rust-asn1 to 0.22 (dependency of python-cryptography)
• Update kryoptic to v1.5 (required for rust-asn1 bump to 0.22)

The security status of this update is only for pyOpenSSL.

FEDORA-2026-ba6641558a Packages in this update:

• localsearch-3.10.2-2.fc43

Update description:

Add a patch for several CVEs:

• CVE-2026-1764 - Heap Buffer Overflow in GNOME localsearch MP3 Extractor
• CVE-2026-1765 - Heap Buffer Overflow in GNOME localsearch MP3 Extractor (TXXX Tags)
• CVE-2026-1766 - Heap Buffer Overflow in GNOME localsearch MP3 Extractor (ID3v2.3 COMM Tags)
• CVE-2026-1767 - Heap Buffer Overflow in GNOME localsearch MP3 Extractor

FEDORA-EPEL-2026-ddb2f23dfa Packages in this update:

• bcftools-1.23.1-1.el10_2
• htslib-1.23.1-1.el10_2
• samtools-1.23.1-1.el10_2

Update description:

Update to 1.23.1

FEDORA-2026-c383d4a134 Packages in this update:

• bcftools-1.23.1-1.fc45
• htslib-1.23.1-1.fc45
• samtools-1.23.1-1.fc45

Update description:

Update to 1.23.1

FEDORA-2026-5637749c07 Packages in this update:

• glib2-2.86.4-2.fc43

Update description:

Add patch for CVE-2026-0988 (Integer overflow in g_buffered_input_stream_peek() leads to segmentation fault)

FEDORA-EPEL-2026-5de58e7341 Packages in this update:

• suricata-8.0.3-1.el10_2

Update description:

Upstream security/bugfix release

USN-8103-1 fixed vulnerabilities in Exiv2. The update caused a regression for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that Exiv2 did not correctly handle reading certain buffers. An attacker could possibly use this issue to leak sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2020-18771) Wen Cheng discovered that Exiv2 did not correctly handle certain memory allocation. If a user or system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2020-18899) It was discovered that Exiv2 did not correctly handle writing certain metadata. If a user or system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. (CVE-2025-54080) It was discovered that Exiv2 did not correctly handle parsing certain metadata. If a user or system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2025-55304) It was discovered that Exiv2 did not correctly handle parsing certain images. If a user or system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. (CVE-2026-25884) It was discovered that Exiv2 did not correctly handle previewing certain images. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-27596) It was discovered that Exiv2 did not correctly handle certain integer arithmetic. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-27631)

FEDORA-2026-9b0f520716 Packages in this update:

• roundcubemail-1.7~rc5-1.fc44

Update description:

Version 1.7-rc5

• Password: Add nt-binary hashing method (#10096)
• Fix URL matching for domain names with port numbers (#10105)
• Fix PHP fatal error when using IMAP cache (#10102)
• Fix Postgres connection using IPv6 address (#10104)
• Fix bug where rel=stylesheet part of a <link> could get removed
• Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
• Security: Fix bug where a password could get changed without providing the old password
• Security: Fix IMAP Injection + CSRF bypass in mail search
• Security: Fix remote image blocking bypass via various SVG animate attributes
• Security: Fix remote image blocking bypass via a crafted body background attribute
• Security: Fix fixed position mitigation bypass via use of !important
• Security: Fix XSS issue in a HTML attachment preview
• Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts

FEDORA-EPEL-2026-95071cd05c Packages in this update:

• roundcubemail-1.6.14-1.el10_2

Update description:

Version 1.6.14

• Fix Postgres connection using IPv6 address (#10104)
• Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
• Security: Fix bug where a password could get changed without providing the old password
• Security: Fix IMAP Injection + CSRF bypass in mail search
• Security: Fix remote image blocking bypass via various SVG animate attributes
• Security: Fix remote image blocking bypass via a crafted body background attribute
• Security: Fix fixed position mitigation bypass via use of !important
• Security: Fix XSS issue in a HTML attachment preview
• Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts

FEDORA-2026-c283cce7fd Packages in this update:

• roundcubemail-1.6.14-1.fc42

Update description:

Version 1.6.14

• Fix Postgres connection using IPv6 address (#10104)
• Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
• Security: Fix bug where a password could get changed without providing the old password
• Security: Fix IMAP Injection + CSRF bypass in mail search
• Security: Fix remote image blocking bypass via various SVG animate attributes
• Security: Fix remote image blocking bypass via a crafted body background attribute
• Security: Fix fixed position mitigation bypass via use of !important
• Security: Fix XSS issue in a HTML attachment preview
• Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts

FEDORA-2026-2decd38070 Packages in this update:

• roundcubemail-1.6.14-1.fc43

Update description:

Version 1.6.14

• Fix Postgres connection using IPv6 address (#10104)
• Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
• Security: Fix bug where a password could get changed without providing the old password
• Security: Fix IMAP Injection + CSRF bypass in mail search
• Security: Fix remote image blocking bypass via various SVG animate attributes
• Security: Fix remote image blocking bypass via a crafted body background attribute
• Security: Fix fixed position mitigation bypass via use of !important
• Security: Fix XSS issue in a HTML attachment preview
• Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts

FEDORA-EPEL-2026-31c7836113 Packages in this update:

• roundcubemail-1.6.14-1.el10_1

Update description:

Version 1.6.14

• Fix Postgres connection using IPv6 address (#10104)
• Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
• Security: Fix bug where a password could get changed without providing the old password
• Security: Fix IMAP Injection + CSRF bypass in mail search
• Security: Fix remote image blocking bypass via various SVG animate attributes
• Security: Fix remote image blocking bypass via a crafted body background attribute
• Security: Fix fixed position mitigation bypass via use of !important
• Security: Fix XSS issue in a HTML attachment preview
• Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts

FEDORA-EPEL-2026-b318120749 Packages in this update:

• roundcubemail-1.6.14-1.el10_3

Update description:

Version 1.6.14

• Fix Postgres connection using IPv6 address (#10104)
• Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
• Security: Fix bug where a password could get changed without providing the old password
• Security: Fix IMAP Injection + CSRF bypass in mail search
• Security: Fix remote image blocking bypass via various SVG animate attributes
• Security: Fix remote image blocking bypass via a crafted body background attribute
• Security: Fix fixed position mitigation bypass via use of !important
• Security: Fix XSS issue in a HTML attachment preview
• Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts

FEDORA-EPEL-2026-34a0375273 Packages in this update:

• roundcubemail-1.5.14-1.el9

Update description:

Version 1.5.14

• Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
• Security: Fix bug where a password could get changed without providing the old password
• Security: Fix IMAP Injection + CSRF bypass in mail search
• Security: Fix remote image blocking bypass via various SVG animate attributes
• Security: Fix remote image blocking bypass via a crafted body background attribute
• Security: Fix fixed position mitigation bypass via use of !important
• Security: Fix XSS issue in a HTML attachment preview

USN-8018-1 fixed CVE-2025-12084, CVE-2025-15282, CVE-2026-0672, CVE-2026-0865 for python3. This update provides the corresponding updates for python2.7. Original advisory details: Denis Ledoux discovered that Python incorrectly parsed email message headers. An attacker could possibly use this issue to inject arbitrary headers into email messages. This issue only affected python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12, python3.13, and python3.14 packages. (CVE-2025-11468) Jacob Walls, Shai Berger, and Natalia Bidart discovered that Python inefficiently parsed XML input with quadratic complexity. An attacker could possibly use this issue to cause a denial of service. (CVE-2025-12084) It was discovered that Python incorrectly parsed malicious plist files. An attacker could possibly use this issue to cause Python to use excessive resources, leading to a denial of service. This issue only affected python3.5, python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12, python3.13, and python3.14 packages. (CVE-2025-13837) Omar Hasan discovered that Python incorrectly parsed URL mediatypes. An attacker could possibly use this issue to inject arbitrary HTTP headers. (CVE-2025-15282) Omar Hasan discovered that Python incorrectly parsed malicious IMAP inputs. An attacker could possibly use this issue to inject arbitrary IMAP commands. (CVE-2025-15366) Omar Hasan discovered that Python incorrectly parsed malicious POP3 inputs. An attacker could possibly use this issue to inject arbitrary POP3 commands. (CVE-2025-15367) Omar Hasan discovered that Python incorrectly parsed malicious HTTP cookie headers. An attacker could possibly use this issue to inject arbitrary HTTP headers. (CVE-2026-0672) Omar Hasan discovered that Python incorrectly parsed malicious HTTP header names and values. An attacker could possibly use this issue to inject arbitrary HTTP headers. (CVE-2026-0865)

FEDORA-2026-03583f302f Packages in this update:

• suricata-7.0.15-1.fc43

Update description:

Upstream security/bugfix release