openbao-2.5.4-1.el8
FEDORA-EPEL-2026-7c82182eba
Packages in this update:
- openbao-2.5.4-1.el8
Update to upstream-2.5.4, including fixes for CVE-2026-46358, CVE-2026-46405, and CVE-2026-45808
Aggregator
openbao-2.5.4-1.el9
FEDORA-EPEL-2026-89a3c4993d
Packages in this update:
- openbao-2.5.4-1.el9
Update to upstream-2.5.4, including fixes for CVE-2026-46358, CVE-2026-46405, and CVE-2026-45808
openbao-2.5.4-1.fc44
FEDORA-2026-bf7889aec6
Packages in this update:
- openbao-2.5.4-1.fc44
Update to upstream-2.5.4, including fixes for CVE-2026-46358, CVE-2026-46405, and CVE-2026-45808
openbao-2.5.4-1.fc42
FEDORA-2026-b7d009831a
Packages in this update:
- openbao-2.5.4-1.fc42
Update to upstream-2.5.4, including fixes for CVE-2026-46358, CVE-2026-46405, and CVE-2026-45808
openbao-2.5.4-1.el10_3
FEDORA-EPEL-2026-cec027b6af
Packages in this update:
- openbao-2.5.4-1.el10_3
Update to upstream-2.5.4, including fixes for CVE-2026-46358, CVE-2026-46405, and CVE-2026-45808
openbao-2.5.4-1.fc43
FEDORA-2026-d4e8f0a731
Packages in this update:
- openbao-2.5.4-1.fc43
Update to upstream-2.5.4, including fixes for CVE-2026-46358, CVE-2026-46405, and CVE-2026-45808
openbao-2.5.4-1.el10_2
FEDORA-EPEL-2026-cc6a962bcc
Packages in this update:
- openbao-2.5.4-1.el10_2
Update to upstream-2.5.4, including fixes for CVE-2026-46358, CVE-2026-46405, and CVE-2026-45808
USN-8288-1: Bubblewrap vulnerability
It was discovered that Bubblewrap incorrectly handled the sandbox
setup phase when installed in setuid mode. A local attacker could
possibly use this issue to bypass sandbox restrictions.
USN-8287-1: XDG Desktop Portal vulnerability
It was discovered that XDG Desktop Portal incorrectly handled
trashing files. A local attacker could possibly use this issue to
delete arbitrary files on the host file system via a symlink attack.
libsoup3-3.6.6-8.fc44
FEDORA-2026-ce6cab40ac
Packages in this update:
- libsoup3-3.6.6-8.fc44
Patch for CVE-2026-5119
perl-HTTP-Tiny-0.094-1.fc43
FEDORA-2026-3bfb774625
Packages in this update:
- perl-HTTP-Tiny-0.094-1.fc43
0.094 - fix to prevent invalid characters in all headers, and prevent header smuggling (CVE-2026-7010)
perl-Sereal-5.005-1.fc43 perl-Sereal-Decoder-5.005-1.fc43 perl-Sereal-Encoder-5.005-1.fc43
FEDORA-2026-49c4be8260
Packages in this update:
- perl-Sereal-5.005-1.fc43
- perl-Sereal-Decoder-5.005-1.fc43
- perl-Sereal-Encoder-5.005-1.fc43
This update includes a security fix to make sure that COPY tags cannot be used to read past end of the buffer.
perl-Sereal-5.005-1.fc44 perl-Sereal-Decoder-5.005-1.fc44 perl-Sereal-Encoder-5.005-1.fc44
FEDORA-2026-26bb3fe2c6
Packages in this update:
- perl-Sereal-5.005-1.fc44
- perl-Sereal-Decoder-5.005-1.fc44
- perl-Sereal-Encoder-5.005-1.fc44
This update includes a security fix to make sure that COPY tags cannot be used to read past end of the buffer.
cockpit-362-1.fc44
FEDORA-2026-ac9d9c87c8
Packages in this update:
- cockpit-362-1.fc44
Automatic update for cockpit-362-1.fc44.
Changelog for cockpit * Wed May 20 2026 Packit <hello@packit.dev> - 362-1 - Bug fixes and translation updates - Fix arbitrary code execution via specially crafted logs page link (CVE-2026-4802)cockpit-362-1.fc43
FEDORA-2026-58cee40a55
Packages in this update:
- cockpit-362-1.fc43
Automatic update for cockpit-362-1.fc43.
Changelog for cockpit * Wed May 20 2026 Packit <hello@packit.dev> - 362-1 - Bug fixes and translation updates - Fix arbitrary code execution via specially crafted logs page link (CVE-2026-4802)USN-8286-1: OpenVPN vulnerabilities
Guannan Wang, Zhanpeng Liu, Guancheng Li, and Emma Reuter
discovered that OpenVPN incorrectly handled suitably malformed
packets with valid tls-crypt-v2 keys. An attacker could possibly use
this issue to cause OpenVPN to crash, resulting in a denial of
service. (CVE-2026-35058)
Guannan Wang, Zhanpeng Liu, and Guancheng Li discovered that
OpenVPN had a race condition in the TLS handshake process that could
leak packet data from a previous handshake under certain
circumstances. An attacker could possibly use this issue to obtain
sensitive information. (CVE-2026-40215)
unbound-1.25.1-1.fc44
FEDORA-2026-49f37e16aa
Packages in this update:
- unbound-1.25.1-1.fc44
- Fix CVE-2026-33278, Possible remote code execution during DNSSEC validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-42959, Crash during DNSSEC validation of malicious content. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew Griffiths from 'calif.io' for the report.
- Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-41292, Parsing a long list of incoming EDNS options degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan Zhang from Palo Alto Networks, for the report.
- Fix CVE-2026-42534, Jostle logic bypass degrades resolution performance. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-42960, Possible cache poisoning attack while following delegation. Thanks to TaoFei Guo from Peking University, Yang Luo and JianJun Chen, Tsinghua University, for the report.
- Fix CVE-2026-44390, Unbounded name compression in certain cases causes degradation of service. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Swapped sources signature source number with systemd unit to have them close.
Update to 1.25.0 (rhbz#2463781) Feature changes:- Improved TTL 0 handling
- Reload also certificates on reload if they have changed
- Allow control-interface specification also of port.
- Added new tls-protocols option. Can disable TLS 1.2 explicitly.
And bug fixes.
Remove merged patches.
Source: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-25-0
unbound-1.25.1-1.fc43
FEDORA-2026-3223ded15e
Packages in this update:
- unbound-1.25.1-1.fc43
- Fix CVE-2026-33278, Possible remote code execution during DNSSEC validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-42959, Crash during DNSSEC validation of malicious content. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew Griffiths from 'calif.io' for the report.
- Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-41292, Parsing a long list of incoming EDNS options degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan Zhang from Palo Alto Networks, for the report.
- Fix CVE-2026-42534, Jostle logic bypass degrades resolution performance. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-42960, Possible cache poisoning attack while following delegation. Thanks to TaoFei Guo from Peking University, Yang Luo and JianJun Chen, Tsinghua University, for the report.
- Fix CVE-2026-44390, Unbounded name compression in certain cases causes degradation of service. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Swapped sources signature source number with systemd unit to have them close.
USN-8285-1: GStreamer Good Plugins vulnerability
It was discovered that GStreamer Good Plugins incorrectly handled certain
MOV/MP4 media files. A remote attacker could use this issue to cause
GStreamer Good Plugins to crash, resulting in a denial of service, or
possibly execute arbitrary code.
USN-8284-1: GnuTLS vulnerabilities
Joshua Rogers discovered that GnuTLS did not properly handle malformed
DTLS handshake fragments in certain cases. A remote attacker could
possibly use this issue to obtain sensitive information, or cause a
denial of service. (CVE-2026-33845)
Haruto Kimura, Oscar Reparaz, and Zou Dikai discovered that GnuTLS did
not properly validate DTLS handshake fragment lengths in certain cases. A
remote attacker could possibly use this issue to cause GnuTLS to crash,
resulting in a denial of service, or execute arbitrary code.
(CVE-2026-33846)
Oleh Konko and Joshua Rogers discovered that GnuTLS did not properly
validate OCSP responses in certain cases. A remote attacker could
possibly use this issue to bypass certificate revocation checks, leading
to a machine-in-the-middle attack. (CVE-2026-3832)
Oleh Konko and Joshua Rogers discovered that GnuTLS did not properly
handle case-insensitive name constraints in certain cases. A remote
attacker could possibly use this issue to bypass certificate validation,
leading to a machine-in-the-middle attack. (CVE-2026-3833)
Joshua Rogers discovered that GnuTLS did not properly order DTLS packets
with duplicate sequence numbers in certain cases. A remote attacker could
possibly use this issue to cause GnuTLS to crash, resulting in a denial
of service. (CVE-2026-42009)
Joshua Rogers discovered that GnuTLS did not properly handle usernames
containing NUL characters in certain RSA-PSK configurations. A remote
attacker could possibly use this issue to bypass authentication and gain
unintended access to services. (CVE-2026-42010)
Haruto Kimura discovered that GnuTLS did not properly apply permitted
name constraints in certain certificate validation paths. A remote
attacker could possibly use this issue to bypass certificate validation,
leading to a machine-in-the-middle attack. (CVE-2026-42011)
Oleh Konko discovered that GnuTLS incorrectly fell back to Common Name
checks for certain URI and SRV subject alternative names. A remote
attacker could possibly use this issue to bypass certificate validation,
leading to a machine-in-the-middle attack. (CVE-2026-42012)
Haruto Kimura and Joshua Rogers discovered that GnuTLS incorrectly fell
back to Common Name checks when subject alternative names were oversized.
A remote attacker could possibly use this issue to bypass certificate
validation, leading to a machine-in-the-middle attack. (CVE-2026-42013)
Luigino Camastra and Joshua Rogers discovered that GnuTLS had a
use-after-free issue when changing PKCS#11 token security officer PINs in
certain cases. An attacker could possibly use this issue to cause GnuTLS
to crash, resulting in a denial of service, or execute arbitrary code.
(CVE-2026-42014)
Zou Dikai discovered that GnuTLS did not properly validate PKCS#12 bag
sizes in certain cases. An attacker could possibly use this issue to
cause GnuTLS to crash, resulting in a denial of service, or execute
arbitrary code. (CVE-2026-42015)
Joshua Rogers discovered that GnuTLS did not properly handle very short
premaster secrets in certain RSA key exchange cases with PKCS#11-backed
server keys. A remote attacker could possibly use this issue to obtain
sensitive information. (CVE-2026-5260)
Doria Tang discovered that GnuTLS did not perform PKCS#7 padding checks
in constant time in certain cases. A remote attacker could possibly use
this issue to obtain sensitive information. This issue only affected
Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-5419)