Aggregator

FEDORA-2026-0a82e80353 Packages in this update:

• perl-Cpanel-JSON-XS-4.41-1.fc44

Update description:

This update addresses a number of bugs including these security issues:

• Fix BOM-shift PV-corruption SIGABRT (CVE-2026-9516)
• Fix dupkeys_as_arrayref type confusion (CVE-2026-9334)

Duc Anh Nguyen discovered that LibreOffice incorrectly handled mismatched encryption salt parameters in crafted OOXML documents. An attacker could use this issue to cause LibreOffice to crash, resulting in a denial of service, or possibly execute arbitrary code.

It was discovered that Apache HTTP Server incorrectly handled certain response headers. An attacker could possibly use this issue to perform HTTP response splitting attacks. This issue only affected Ubuntu 14.04 LTS. (CVE-2023-38709) Will Dormann and David Warren discovered that Apache HTTP Server's HTTP/2 implementation did not properly reclaim memory when streams were reset by clients. A remote attacker could possibly use this issue to cause Apache HTTP Server to consume resources, leading to a denial of service. This issue only affected Ubuntu 18.04 LTS. (CVE-2023-45802) Keran Mu and Jianjun Chen discovered that Apache HTTP Server incorrectly handled certain response headers. An attacker could possibly use this issue to perform HTTP response splitting attacks. This issue only affected Ubuntu 14.04 LTS. (CVE-2024-24795) Orange Tsai discovered that Apache HTTP Server mod_proxy incorrectly handled URL encoding. A remote attacker could possibly use this issue to bypass authentication via crafted requests. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-38473) Orange Tsai discovered that Apache HTTP Server could be caused to perform server-side request forgery (SSRF) via malicious backend response headers. A remote attacker could possibly use this issue to conduct SSRF attacks or disclose sensitive information. This issue only affected Ubuntu 14.04 LTS. (CVE-2024-38476) Orange Tsai discovered that Apache HTTP Server mod_proxy did not properly handle certain null pointer conditions. A remote attacker could possibly use this issue to cause Apache HTTP Server to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2024-38477) Orange Tsai discovered that Apache HTTP Server mod_rewrite could be made to perform server-side request forgery (SSRF) via unsafe RewriteRules. A remote attacker could possibly use this issue to conduct SSRF attacks. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-39573) It was discovered that Apache HTTP Server incorrectly handled certain response headers. An attacker could possibly use this issue to perform HTTP response splitting attacks. This issue only affected Ubuntu 14.04 LTS. (CVE-2024-42516) It was discovered that Apache HTTP Server could be caused to perform server-side request forgery (SSRF) via mod_headers modifying Content-Type headers. A remote attacker could possibly use this issue to conduct SSRF attacks. This issue only affected Ubuntu 14.04 LTS. (CVE-2024-43204) John Runyon discovered that Apache HTTP Server mod_ssl did not properly escape user-supplied data before writing log entries. A remote attacker could possibly use this issue to insert escape sequences into log files. This issue only affected Ubuntu 14.04 LTS. (CVE-2024-47252) Robert Merget discovered that Apache HTTP Server with SSLEngine optional was vulnerable to HTTP desynchronisation attacks. An attacker in a privileged network position could possibly use this issue to hijack HTTP sessions. This issue only affected Ubuntu 14.04 LTS. (CVE-2025-49812) It was discovered that Apache HTTP Server mod_md had an integer overflow in the ACME certificate renewal backoff timer. An attacker could possibly use this issue to cause excessive certificate renewal requests. This issue only affected Ubuntu 20.04 LTS. (CVE-2025-55753) Anthony Parfenov discovered that Apache HTTP Server with SSI enabled and mod_cgid passed shell-escaped query strings to #exec cmd directives. A remote attacker could possibly use this issue to perform command injection. (CVE-2025-58098) Mattias Åsander discovered that Apache HTTP Server incorrectly gave precedence to environment variables from HTTP headers over server-calculated CGI variables. A remote attacker could possibly use this issue to influence the environment of CGI programs. (CVE-2025-65082) Mattias Åsander discovered that Apache HTTP Server mod_userdir with suexec could be caused to run CGI scripts under an unexpected user ID via RequestHeader directives in .htaccess files. An attacker with .htaccess write access could possibly use this issue to bypass suexec user restrictions. (CVE-2025-66200)

It was discovered that QtSvg incorrectly handled certain SVG images. An attacker could possibly use this issue to cause QtSvg to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2018-19869) It was discovered that QtSvg incorrectly handled certain SVG images. An attacker could use this issue to cause QtSvg to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-3481, CVE-2021-28025, CVE-2021-45930) It was discovered that QtSvg incorrectly handled certain SVG images. An attacker could use this issue to cause QtSvg to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2023-32573)

Aleksey Solovev and Nikita Sveshnikov discovered that PHP improperly handled NUL bytes when preparing SQL queries in the PDO Firebird driver. An attacker could possibly use this issue to perform SQL injection attacks. (CVE-2025-14179) It was discovered that PHP incorrectly handled certain encoding names in mbstring. An attacker could possibly use this issue to obtain sensitive information or cause a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-6104) It was discovered that PHP incorrectly handled object references while parsing crafted SOAP requests. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2026-6722) It was discovered that PHP incorrectly sanitized certain data in the PHP-FPM status page. A remote attacker could possibly use this issue to inject arbitrary JavaScript code. (CVE-2026-6735) It was discovered that PHP had an encoding mismatch in mbstring. An attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2026-7259) It was discovered that PHP incorrectly handled SOAP session persistence after errors. A remote attacker could possibly use this issue to obtain sensitive information or cause PHP to crash, resulting in a denial of service. (CVE-2026-7261) It was discovered that PHP incorrectly handled missing values in SOAP typemap decoding. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2026-7262) It was discovered that PHP incorrectly handled XML canonicalization in DOMNode::C14N(). An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 26.04 LTS. (CVE-2026-7263) It was discovered that PHP incorrectly handled very long input in metaphone(). An attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2026-7568)

It was discovered that pyOpenSSL incorrectly handled exceptions in the tlsext_servername callback. This could result in connections being accepted after an exception, contrary to expectations.

Thomas Beckers discovered that the JAXP component of CRaC JDK 25 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to gain unauthorized access to sensitive information. (CVE-2026-22016) It was discovered that the Networking component of CRaC JDK 25 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-34282) It was discovered that the JSSE component of CRaC JDK 25 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-22021) It was discovered that the JGSS component of CRaC JDK 25 did not correctly authenticate certain APIs. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-22013) It was discovered that the 2D component of CRaC JDK 25 did not correctly handle certain integer arithmetic. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to leak sensitive information. (CVE-2026-23865) It was discovered that the Libraries component of CRaC JDK 25 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service or gain unauthorized modification of data privileges. (CVE-2026-22008, CVE-2026-22018) Ken Pyle discovered that the Security component of CRaC JDK 25 did not correctly authenticate certain APIs. A local attacker could possibly use this issue to leak sensitive information. (CVE-2026-22007, CVE-2026-34268) In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: https://openjdk.org/groups/vulnerability/advisories/2026-04-21

Thomas Beckers discovered that the JAXP component of CRaC JDK 21 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to gain unauthorized access to sensitive information. (CVE-2026-22016) It was discovered that the Networking component of CRaC JDK 21 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-34282) It was discovered that the JSSE component of CRaC JDK 21 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-22021) It was discovered that the JGSS component of CRaC JDK 21 did not correctly authenticate certain APIs. A remote attacker could possibly use this issue to obtain sensitive information.(CVE-2026-22013) It was discovered that the 2D component of CRaC JDK 21 did not correctly handle certain integer arithmetic. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to leak sensitive information. (CVE-2026-23865) It was discovered that the Libraries component of CRaC JDK 21 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-22018) Ken Pyle discovered that the Security component of CRaC JDK 21 did not correctly authenticate certain APIs. A local attacker could possibly use this issue to leak sensitive information. (CVE-2026-22007, CVE-2026-34268) In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: https://openjdk.org/groups/vulnerability/advisories/2026-04-21

Thomas Beckers discovered that the JAXP component of CRaC JDK 17 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to gain unauthorized access to sensitive information. (CVE-2026-22016) It was discovered that the Networking component of CRaC JDK 17 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-34282) It was discovered that the JSSE component of CRaC JDK 17 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-22021) It was discovered that the JGSS component of CRaC JDK 17 did not correctly authenticate certain APIs. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-22013) It was discovered that the 2D component of CRaC JDK 17 did not correctly handle certain integer arithmetic. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to leak sensitive information. (CVE-2026-23865) It was discovered that the Libraries component of CRaC JDK 17 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-22018) Ken Pyle discovered that the Security component of CRaC JDK 17 did not correctly authenticate certain APIs. A local attacker could possibly use this issue to leak sensitive information. (CVE-2026-22007, CVE-2026-34268) In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: https://openjdk.org/groups/vulnerability/advisories/2026-04-21

Thomas Beckers discovered that the JAXP component of OpenJDK 11 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to gain unauthorized access to sensitive information. (CVE-2026-22016) It was discovered that the Networking component of OpenJDK 11 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-34282) It was discovered that the JSSE component of OpenJDK 11 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-22021) It was discovered that the JGSS component of OpenJDK 11 did not correctly authenticate certain APIs. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-22013) It was discovered that the 2D component of OpenJDK 11 did not correctly handle certain integer arithmetic. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to leak sensitive information. (CVE-2026-23865) It was discovered that the Libraries component of OpenJDK 11 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-22018) Ken Pyle discovered that the Security component of OpenJDK 11 did not correctly authenticate certain APIs. A local attacker could possibly use this issue to leak sensitive information. (CVE-2026-22007, CVE-2026-34268) In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: https://openjdk.org/groups/vulnerability/advisories/2026-04-21

Thomas Beckers discovered that the JAXP component of OpenJDK 8 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to gain unauthorized access to sensitive information. (CVE-2026-22016) It was discovered that the JSSE component of OpenJDK 8 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-22021) It was discovered that the JGSS component of OpenJDK 8 did not correctly authenticate certain APIs. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-22013) It was discovered that the 2D component of OpenJDK 8 did not correctly handle certain integer arithmetic. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to leak sensitive information. (CVE-2026-23865) It was discovered that the Libraries component of OpenJDK 8 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-22018) Ken Pyle discovered that the Security component of OpenJDK 8 did not correctly authenticate certain APIs. A local attacker could possibly use this issue to leak sensitive information. (CVE-2026-22007, CVE-2026-34268) In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: https://openjdk.org/groups/vulnerability/advisories/2026-04-21

FEDORA-2026-2d0a32ddc0 Packages in this update:

• rubygem-yard-0.9.37-5.fc43

Update description:

Backport 0.9.41 / 0.9.44 fixes for possible path traversal issues

FEDORA-2026-acefc1fe48 Packages in this update:

• rubygem-yard-0.9.40-2.fc44

Update description:

Backport 0.9.41 / 0.9.44 fixes for possible path traversal issues

It was discovered that the FFmpeg CAF decoder incorrectly handled certain file size calculations. An attacker could possibly use this issue to cause FFmpeg to crash, resulting in a denial of service.

Thomas Beckers discovered that the JAXP component of OpenJDK 21 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to gain unauthorized access to sensitive information. (CVE-2026-22016) It was discovered that the Networking component of OpenJDK 21 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-34282) It was discovered that the JSSE component of OpenJDK 21 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-22021) It was discovered that the JGSS component of OpenJDK 21 did not correctly authenticate certain APIs. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-22013) It was discovered that the 2D component of OpenJDK 21 did not correctly handle certain integer arithmetic. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to leak sensitive information. (CVE-2026-23865) It was discovered that the Libraries component of OpenJDK 21 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2026-22018) Ken Pyle discovered that the Security component of OpenJDK 21 did not correctly authenticate certain APIs. A local attacker could possibly use this issue to leak sensitive information. (CVE-2026-22007, CVE-2026-34268) In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: https://openjdk.org/groups/vulnerability/advisories/2026-04-21

FEDORA-EPEL-2026-ea9af18b11 Packages in this update:

• strongswan-6.0.6-1.el9

Update description:

Update to 6.0.6 to fix CVE-2026-35328, CVE-2026-35329, CVE-2026-35330, CVE-2026-35331, CVE-2026-35332, CVE-2026-35333, CVE-2026-35334, CVE-2026-25075, CVE-2025-9615, CVE-2025-62291