Chromium, Firefox, NSS, Perl Libraries, and System Tools updates for Fedora

Fedora Linux 9390 Published by

Fedora administrators should immediately apply a comprehensive batch of security patches to both Fedora 43 and Fedora 44 systems. The updates address dozens of critical vulnerabilities across essential software including Chromium, Firefox, NSS, SingularityCE, Restic, and several Perl modules. Developers patched dangerous flaws ranging from memory corruption errors and heap overflows to command injection and path traversal exploits that could allow remote attackers to execute arbitrary code or bypass authentication mechanisms. You can install these necessary fixes quickly by running the standard dnf upgrade command with the provided advisory identifiers in your terminal.

Fedora 43 Update: nss-3.124.0-1.fc43
Fedora 43 Update: firefox-152.0-1.fc43
Fedora 43 Update: chromium-149.0.7827.114-1.fc43
Fedora 43 Update: ongres-stringprep-2.4-1.fc43
Fedora 43 Update: restic-0.19.0-1.fc43
Fedora 43 Update: ongres-scram-3.3-1.fc43
Fedora 43 Update: singularity-ce-4.4.2-1.fc43
Fedora 43 Update: perl-GD-2.86-1.fc43
Fedora 43 Update: perl-HTTP-Daemon-6.17-1.fc43
Fedora 43 Update: perl-Net-Statsd-0.13-1.fc43
Fedora 43 Update: vorbis-tools-1.4.3-4.fc43
Fedora 43 Update: perl-Archive-Tar-3.04-522.fc43
Fedora 44 Update: util-linux-2.41.5-1.fc44
Fedora 44 Update: ocserv-1.5.0-2.fc44
Fedora 44 Update: singularity-ce-4.4.2-1.fc44
Fedora 44 Update: restic-0.19.0-1.fc44
Fedora 44 Update: perl-GD-2.86-1.fc44
Fedora 44 Update: perl-HTTP-Daemon-6.17-1.fc44
Fedora 44 Update: perl-Net-Statsd-0.13-1.fc44





[SECURITY] Fedora 43 Update: nss-3.124.0-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-1c873954fa
2026-06-19 01:08:57.989203+00:00
--------------------------------------------------------------------------------

Name : nss
Product : Fedora 43
Version : 3.124.0
Release : 1.fc43
URL : http://www.mozilla.org/projects/security/pki/nss/
Summary : Network Security Services
Description :
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and
server applications. Applications built with NSS can support SSL v2
and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
v3 certificates, and other security standards.

--------------------------------------------------------------------------------
Update Information:

Update NSS to 3.124.0
Update to Firefox 152.0
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jun 1 2026 Frantisek Krenzelok [fkrenzel@redhat.com] - 3.124.0-1
- Update NSS to 3.124.0
- Remove libcrmf as it is being deprecated and we don't use it.
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-1c873954fa' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: firefox-152.0-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-1c873954fa
2026-06-19 01:08:57.989203+00:00
--------------------------------------------------------------------------------

Name : firefox
Product : Fedora 43
Version : 152.0
Release : 1.fc43
URL : https://www.mozilla.org/firefox/
Summary : Mozilla Firefox Web browser
Description :
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance and portability.

--------------------------------------------------------------------------------
Update Information:

Update NSS to 3.124.0
Update to Firefox 152.0
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jun 11 2026 Martin Stransky [stransky@redhat.com] - 152.0-1
- Update to latest upstream (152.0)
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-1c873954fa' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: chromium-149.0.7827.114-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-40cf884ac9
2026-06-19 01:08:57.989201+00:00
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 43
Version : 149.0.7827.114
Release : 1.fc43
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

Update to 149.0.7827.114
CVE-2026-12007: Use after free Core
CVE-2026-12008: Use after free DigitalCredentials
CVE-2026-12009: Insufficient validation of untrusted input Accessibility
CVE-2026-12010: Heap buffer overflow GPU
CVE-2026-12011: Use after free WebMIDI
CVE-2026-12012: Use after free Network
CVE-2026-12013: Use after free Media
CVE-2026-12014: Use after free Cast
CVE-2026-12015: Use after free Autofill
CVE-2026-12016: Insufficient validation of untrusted input DevTools
CVE-2026-12017: Insufficient validation of untrusted input Extensions
CVE-2026-12018: Inappropriate implementation Mojo
CVE-2026-12019: Out of bounds write Codecs
CVE-2026-12020: Use after free Autofill
CVE-2026-12022: Race Safe Browsing
CVE-2026-12023: Use after free GPU
CVE-2026-12024: Insufficient policy enforcement DevTools
CVE-2026-12025: Insufficient validation of untrusted input Network
CVE-2026-12026: Out of bounds read Video
CVE-2026-12027: Insufficient policy enforcement Headless
CVE-2026-12028: Use after free GPU
CVE-2026-12029: Use after free Video
CVE-2026-12030: Heap buffer overflow GPU
CVE-2026-12031: Inappropriate implementation Views
CVE-2026-12032: Inappropriate implementation Passwords
CVE-2026-12033: Out of bounds read VideoCapture
CVE-2026-12034: Insufficient validation of untrusted input Linux Toolkit
Theming
CVE-2026-12035: Use after free Views
Disable AI Mode settings
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jun 12 2026 Than Ngo [than@redhat.com] - 149.0.7827.114-1
- Update to 149.0.7827.114
* CVE-2026-12007: Use after free Core
* CVE-2026-12008: Use after free DigitalCredentials
* CVE-2026-12009: Insufficient validation of untrusted input Accessibility
* CVE-2026-12010: Heap buffer overflow GPU
* CVE-2026-12011: Use after free WebMIDI
* CVE-2026-12012: Use after free Network
* CVE-2026-12013: Use after free Media
* CVE-2026-12014: Use after free Cast
* CVE-2026-12015: Use after free Autofill
* CVE-2026-12016: Insufficient validation of untrusted input DevTools
* CVE-2026-12017: Insufficient validation of untrusted input Extensions
* CVE-2026-12018: Inappropriate implementation Mojo
* CVE-2026-12019: Out of bounds write Codecs
* CVE-2026-12020: Use after free Autofill
* CVE-2026-12022: Race Safe Browsing
* CVE-2026-12023: Use after free GPU
* CVE-2026-12024: Insufficient policy enforcement DevTools
* CVE-2026-12025: Insufficient validation of untrusted input Network
* CVE-2026-12026: Out of bounds read Video
* CVE-2026-12027: Insufficient policy enforcement Headless
* CVE-2026-12028: Use after free GPU
* CVE-2026-12029: Use after free Video
* CVE-2026-12030: Heap buffer overflow GPU
* CVE-2026-12031: Inappropriate implementation Views
* CVE-2026-12032: Inappropriate implementation Passwords
* CVE-2026-12033: Out of bounds read VideoCapture
* CVE-2026-12034: Insufficient validation of untrusted input Linux Toolkit Theming
* CVE-2026-12035: Use after free Views
- Disable AI Mode settings
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-40cf884ac9' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: ongres-stringprep-2.4-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-3fd14ce272
2026-06-19 01:08:57.989172+00:00
--------------------------------------------------------------------------------

Name : ongres-stringprep
Product : Fedora 43
Version : 2.4
Release : 1.fc43
URL : https://github.com/ongres/stringprep
Summary : RFC 3454 Preparation of Internationalized Strings in pure Java
Description :
The stringprep protocol does not stand on its own; it has to be used by other
protocols at precisely-defined places in those other protocols.

--------------------------------------------------------------------------------
Update Information:

Ongres Scram update and security fix.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jun 10 2026 Marian Koncek [mkoncek@redhat.com] - 2.4-1
- Update to upstream version 2.4
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2487527 - Silent channel-binding authentication downgrade via unsupported certificate algorithms
https://bugzilla.redhat.com/show_bug.cgi?id=2487527
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-3fd14ce272' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: restic-0.19.0-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-e6094447f0
2026-06-19 01:08:57.989170+00:00
--------------------------------------------------------------------------------

Name : restic
Product : Fedora 43
Version : 0.19.0
Release : 1.fc43
URL : https://github.com/restic/restic
Summary : Fast, secure, efficient backup program
Description :
Fast, secure, efficient backup program.

restic supports the following backends for storing backups natively:

* Local directory
* sftp server (via SSH)
* HTTP REST server (protocol, rest-server)
* Amazon S3 (either from Amazon or using the Minio server)
* OpenStack Swift
* BackBlaze B2
* Microsoft Azure Blob Storage
* Google Cloud Storage
* And many other services via the rclone Backend

--------------------------------------------------------------------------------
Update Information:

Update to 0.19.0
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jun 10 2026 Mikel Olasagasti Uranga [mikel@olasagasti.info] - 0.19.0-1
- Update to 0.19.0 - Closes rhbz#2487290
* Tue Feb 3 2026 Maxwell G [maxwell@gtmx.me] - 0.18.1-3
- Rebuild for https://fedoraproject.org/wiki/Changes/golang1.26
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 0.18.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2455673 - CVE-2026-34986 restic: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455673
[ 2 ] Bug #2464136 - CVE-2026-41179 restic: Rclone: Unauthenticated local command execution via exposed RC endpoint [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2464136
[ 3 ] Bug #2464140 - CVE-2026-41176 restic: Rclone: Unauthorized access to administrative functions through unauthenticated Remote Control endpoint. [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2464140
[ 4 ] Bug #2486238 - CVE-2026-45287 restic: OpenTelemetry-Go: Denial of Service due to file descriptor leak [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2486238
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-e6094447f0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: ongres-scram-3.3-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-3fd14ce272
2026-06-19 01:08:57.989172+00:00
--------------------------------------------------------------------------------

Name : ongres-scram
Product : Fedora 43
Version : 3.3
Release : 1.fc43
URL : https://github.com/ongres/scram
Summary : Salted Challenge Response Authentication Mechanism (SCRAM) - Java Implementation
Description :
This is a Java implementation of SCRAM (Salted Challenge Response
Authentication Mechanism) which is part of the family of Simple
Authentication and Security Layer (SASL, RFC 4422) authentication
mechanisms. It is described as part of RFC 5802 and RFC7677.

--------------------------------------------------------------------------------
Update Information:

Ongres Scram update and security fix.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jun 10 2026 Marian Koncek [mkoncek@redhat.com] - 3.3-1
- Update to upstream version 3.3
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2487527 - Silent channel-binding authentication downgrade via unsupported certificate algorithms
https://bugzilla.redhat.com/show_bug.cgi?id=2487527
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-3fd14ce272' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: singularity-ce-4.4.2-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-5358fb95a0
2026-06-19 01:08:57.989167+00:00
--------------------------------------------------------------------------------

Name : singularity-ce
Product : Fedora 43
Version : 4.4.2
Release : 1.fc43
URL : https://www.sylabs.io/singularity/
Summary : Application and environment virtualization
Description :
SingularityCE is the Community Edition of Singularity, an open source
container platform designed to be simple, fast, and secure.

--------------------------------------------------------------------------------
Update Information:

Upgrade to 4.4.2 upstream version.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jun 10 2026 David Trudgian [dtrudg@sylabs.io] - 4.4.2-1
- Upgrade to 4.4.2 upstream version.
- Fix rhbz#2453093
- Fix rhbz#2458933
- Fix rhbz#2455674
- Fix rhbz#2456379
- Fix CVE-2026-47215
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2453093 - CVE-2026-33748 singularity-ce: BuildKit: Unauthorized file access via Git URL fragment subdir components [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453093
[ 2 ] Bug #2455674 - CVE-2026-34986 singularity-ce: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455674
[ 3 ] Bug #2456379 - CVE-2026-39395 singularity-ce: Cosign: Incorrect attestation verification due to malformed payloads or mismatched predicate types [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2456379
[ 4 ] Bug #2458933 - CVE-2026-39984 singularity-ce: improper certificate validation in verifier [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2458933
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-5358fb95a0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: perl-GD-2.86-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-63831abaee
2026-06-19 01:08:57.989164+00:00
--------------------------------------------------------------------------------

Name : perl-GD
Product : Fedora 43
Version : 2.86
Release : 1.fc43
URL : https://metacpan.org/release/GD
Summary : Perl interface to the GD graphics library
Description :
This is a auto-loadable interface module for GD, a popular library
for creating and manipulating PNG files. With this library you can
create PNG images on the fly or modify existing files.

--------------------------------------------------------------------------------
Update Information:

This update fixes a command injection issue resulting from the use of the
2-argument form of open (CVE-2026-11526).
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 9 2026 Paul Howarth - 2.86-1
- Update to 2.86
- Fix command injection via 2-arg open() in _make_filehandle (CVE-2026-11526)
* Tue Jun 2 2026 Paul Howarth - 2.85-1
- Update to 2.85
- Tolerate runtime TIFF decode failures in autodetect (GH#62)
- Replace cpm with cpanm in github actions
- Fixed a minor precedence bug in t/z_manifest.t
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 2.84-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Mon Jan 5 2026 Paul Howarth - 2.84-1
- Update to 2.84
- Added Makefile.PL --with and --without options to bypass autodetection
errors or upstream libgd or subsequent library errors (GH#55)
- Better support MSWin32 without gdlib.pc (requires manual --options and
--lib_gd_path)
- Work around broken ExtUtils::PkgConfig->find (GH#61)
- Fixed snprintf for newer MSVC (>= VS 2015)
- Added GD::Image::supported() image types method
- Added newFromTiffData() method
- Fixed t/GD.t for unsupported image types
- Add GIFANIM to the default since 2.0.33 (GH#56)
- Honor PKG_CONFIG_PATH for finding gdlib.pc (GH#57)
- Add demos/png2jpeg.pl
- Don't disable XPM support if GD config doesn't explicitly require -lX11
- Use %{make_build} and %{make_install}
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-63831abaee' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: perl-HTTP-Daemon-6.17-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f276b2154e
2026-06-19 01:08:57.989142+00:00
--------------------------------------------------------------------------------

Name : perl-HTTP-Daemon
Product : Fedora 43
Version : 6.17
Release : 1.fc43
URL : https://metacpan.org/release/HTTP-Daemon
Summary : Simple HTTP server class
Description :
Instances of the HTTP::Daemon class are HTTP/1.1 servers that listen on a
socket for incoming requests. The HTTP::Daemon is a subclass of
IO::Socket::IP, so you can perform socket operations directly on it too.

--------------------------------------------------------------------------------
Update Information:

Changes:
6.17 2026-05-19 23:11:06Z
Fix CVE-2026-8450 (affects 6.15 and earlier): 2-arg open() in
send_file() enabled RCE / arbitrary file write / response-body
exfiltration when a string argument was derived from attacker-
influenced input. send_file() now uses 3-arg open() with an
explicit ' path', etc.) are no longer interpreted. send_file() now also
returns '0E0' (true zero) on a successful zero-byte transfer so
callers can distinguish empty file from open failure (undef). See
https://www.cve.org/CVERecord?id=CVE-2026-8450 for the advisory.
Reported and patched by Stig Palmquist (stigtsp). (Stig Palmquist,
Olaf Alders)
--------------------------------------------------------------------------------
ChangeLog:

* Wed May 20 2026 Michal Josef ??pa??ek [mspacek@redhat.com] - 6.17-1
- 6.17 bump
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2480076 - perl-HTTP-Daemon-6.17 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2480076
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f276b2154e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: perl-Net-Statsd-0.13-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-9a8f233b8f
2026-06-19 01:08:57.989086+00:00
--------------------------------------------------------------------------------

Name : perl-Net-Statsd
Product : Fedora 43
Version : 0.13
Release : 1.fc43
URL : https://metacpan.org/release/Net-Statsd
Summary : Sends statistics to the stats daemon over UDP
Description :
This module implements a client for a statsd statistics collection server, such
as the one in use at Etsy.com.

You want to use this module to track statistics in your Perl application, such
as how many times a certain event occurs (user logins in a web application, or
database queries issued), or you want to time and then graph how long certain
events take, like database queries execution time or time to download a certain
file, etc.

--------------------------------------------------------------------------------
Update Information:

Metric names and values are now validated to ensure they do not contain
characters below ASCII 32 (including newlines), colon (":") or pipe ("|")
characters that might allow metric injection. Offending calls now croak.
--------------------------------------------------------------------------------
ChangeLog:

* Sun Jun 7 2026 Emmanuel Seyman [emmanuel@seyman.fr] - 0.13-1
- Update to 0.13 (fixes CVE-2026-46739)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2486960 - CVE-2026-46739 perl-Net-Statsd: perl-Net-Statsd: Metric injection via unchecked metric names and values [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2486960
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-9a8f233b8f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: vorbis-tools-1.4.3-4.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-cbf4cd18d1
2026-06-19 01:08:57.989075+00:00
--------------------------------------------------------------------------------

Name : vorbis-tools
Product : Fedora 43
Version : 1.4.3
Release : 4.fc43
URL : https://www.xiph.org/
Summary : The Vorbis General Audio Compression Codec tools
Description :
Ogg Vorbis is a fully open, non-proprietary, patent- and royalty-free,
general-purpose compressed audio format for audio and music at fixed
and variable bitrates from 16 to 128 kbps/channel.

The vorbis package contains an encoder, a decoder, a playback tool, and a
comment editor.

--------------------------------------------------------------------------------
Update Information:

CVE-2026-34253 - fix arbitrary code execution via buffer underflow
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 9 2026 Luk???? Zaoral [lzaoral@redhat.com] - 1:1.4.3-4
- CVE-2026-34253 - fix arbitrary code execution via buffer underflow (rhbz#2479549)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2479549 - CVE-2026-34253 vorbis-tools: vorbis-tools ogg123: Arbitrary code execution via buffer underflow in remote control functionality [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2479549
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-cbf4cd18d1' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: perl-Archive-Tar-3.04-522.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-6988e8f652
2026-06-19 01:08:57.989060+00:00
--------------------------------------------------------------------------------

Name : perl-Archive-Tar
Product : Fedora 43
Version : 3.04
Release : 522.fc43
URL : https://metacpan.org/release/Archive-Tar
Summary : A module for Perl manipulation of .tar files
Description :
Archive::Tar provides an object oriented mechanism for handling tar
files. It provides class methods for quick and easy files handling
while also allowing for the creation of tar file objects for custom
manipulation. If you have the IO::Zlib module installed, Archive::Tar
will also support compressed or gzipped tar files.

--------------------------------------------------------------------------------
Update Information:

Fixed CVE-2026-42496 - Path traversal via crafted symlinks allows arbitrary
file access
Backported from 3.08
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jun 3 2026 Jitka Plesnikova [jplesnik@redhat.com] - 3.04-522
- Fix CVE-2026-42496 (rhbz#2484320)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2484320 - CVE-2026-42496 perl-Archive-Tar: perl-archive-tar: Path traversal via crafted symlinks allows arbitrary file access [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2484320
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-6988e8f652' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: util-linux-2.41.5-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-c70cb96ff1
2026-06-19 00:59:07.048660+00:00
--------------------------------------------------------------------------------

Name : util-linux
Product : Fedora 44
Version : 2.41.5
Release : 1.fc44
URL : https://en.wikipedia.org/wiki/Util-linux
Summary : Collection of basic system utilities
Description :
The util-linux package contains a large variety of low-level system
utilities that are necessary for a Linux system to function. Among
others, util-linux contains the fdisk configuration tool and the login
program.

--------------------------------------------------------------------------------
Update Information:

upstream upgrade with security fixes:
CVE-2026-53612 - libmount: TOCTOU attack via ancestor directory swap during
mount
CVE-2026-53613 - libmount: SUID bypass via LIBMOUNT_FORCE_MOUNT2 and legacy
mount path
CVE-2026-53614 - libmount: fd_target TOCTOU prevention
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 16 2026 Karel Zak [kzak@redhat.com] - 2.41.5-1
- upgrade to upstream release v2.41.5
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-c70cb96ff1' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: ocserv-1.5.0-2.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-28036f36d5
2026-06-19 00:59:07.048653+00:00
--------------------------------------------------------------------------------

Name : ocserv
Product : Fedora 44
Version : 1.5.0
Release : 2.fc44
URL : https://ocserv.openconnect-vpn.net/
Summary : OpenConnect SSL VPN server
Description :
OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be a
secure, small, fast and configurable VPN server. It implements the OpenConnect
SSL VPN protocol, and has also (currently experimental) compatibility with
clients using the AnyConnect SSL VPN protocol. The OpenConnect VPN protocol
uses the standard IETF security protocols such as TLS 1.2, and Datagram TLS
to provide the secure VPN service.

--------------------------------------------------------------------------------
Update Information:

fix pam-guard-page test
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jun 10 2026 Nikos Mavrogiannopoulos [n.mavrogiannopoulos@gmail.com] - 1.5.0-2
- fix pam-guard-page test
* Sun Jun 7 2026 Packit [hello@packit.dev] - 1.5.0-1
- Update to 1.5.0 upstream release
- Resolves: rhbz#2459071
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-28036f36d5' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: singularity-ce-4.4.2-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-63ae478575
2026-06-19 00:59:07.048635+00:00
--------------------------------------------------------------------------------

Name : singularity-ce
Product : Fedora 44
Version : 4.4.2
Release : 1.fc44
URL : https://www.sylabs.io/singularity/
Summary : Application and environment virtualization
Description :
SingularityCE is the Community Edition of Singularity, an open source
container platform designed to be simple, fast, and secure.

--------------------------------------------------------------------------------
Update Information:

Upgrade to 4.4.2 upstream version.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jun 10 2026 David Trudgian [dtrudg@sylabs.io] - 4.4.2-1
- Upgrade to 4.4.2 upstream version.
- Fix rhbz#2453093
- Fix rhbz#2458933
- Fix rhbz#2455674
- Fix CVE-2026-47215
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2453093 - CVE-2026-33748 singularity-ce: BuildKit: Unauthorized file access via Git URL fragment subdir components [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453093
[ 2 ] Bug #2455674 - CVE-2026-34986 singularity-ce: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455674
[ 3 ] Bug #2458933 - CVE-2026-39984 singularity-ce: improper certificate validation in verifier [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2458933
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-63ae478575' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: restic-0.19.0-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-2290b9a9ad
2026-06-19 00:59:07.048638+00:00
--------------------------------------------------------------------------------

Name : restic
Product : Fedora 44
Version : 0.19.0
Release : 1.fc44
URL : https://github.com/restic/restic
Summary : Fast, secure, efficient backup program
Description :
Fast, secure, efficient backup program.

restic supports the following backends for storing backups natively:

* Local directory
* sftp server (via SSH)
* HTTP REST server (protocol, rest-server)
* Amazon S3 (either from Amazon or using the Minio server)
* OpenStack Swift
* BackBlaze B2
* Microsoft Azure Blob Storage
* Google Cloud Storage
* And many other services via the rclone Backend

--------------------------------------------------------------------------------
Update Information:

Update to 0.19.0
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jun 10 2026 Mikel Olasagasti Uranga [mikel@olasagasti.info] - 0.19.0-1
- Update to 0.19.0 - Closes rhbz#2487290
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2455673 - CVE-2026-34986 restic: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455673
[ 2 ] Bug #2464136 - CVE-2026-41179 restic: Rclone: Unauthenticated local command execution via exposed RC endpoint [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2464136
[ 3 ] Bug #2464140 - CVE-2026-41176 restic: Rclone: Unauthorized access to administrative functions through unauthenticated Remote Control endpoint. [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2464140
[ 4 ] Bug #2486238 - CVE-2026-45287 restic: OpenTelemetry-Go: Denial of Service due to file descriptor leak [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2486238
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-2290b9a9ad' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: perl-GD-2.86-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-263adf0222
2026-06-19 00:59:07.048628+00:00
--------------------------------------------------------------------------------

Name : perl-GD
Product : Fedora 44
Version : 2.86
Release : 1.fc44
URL : https://metacpan.org/release/GD
Summary : Perl interface to the GD graphics library
Description :
This is a auto-loadable interface module for GD, a popular library
for creating and manipulating PNG files. With this library you can
create PNG images on the fly or modify existing files.

--------------------------------------------------------------------------------
Update Information:

This update fixes a command injection issue resulting from the use of the
2-argument form of open (CVE-2026-11526).
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 9 2026 Paul Howarth - 2.86-1
- Update to 2.86
- Fix command injection via 2-arg open() in _make_filehandle (CVE-2026-11526)
* Tue Jun 2 2026 Paul Howarth - 2.85-1
- Update to 2.85
- Tolerate runtime TIFF decode failures in autodetect (GH#62)
- Replace cpm with cpanm in github actions
- Fixed a minor precedence bug in t/z_manifest.t
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-263adf0222' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: perl-HTTP-Daemon-6.17-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-8982379b5c
2026-06-19 00:59:07.048604+00:00
--------------------------------------------------------------------------------

Name : perl-HTTP-Daemon
Product : Fedora 44
Version : 6.17
Release : 1.fc44
URL : https://metacpan.org/release/HTTP-Daemon
Summary : Simple HTTP server class
Description :
Instances of the HTTP::Daemon class are HTTP/1.1 servers that listen on a
socket for incoming requests. The HTTP::Daemon is a subclass of
IO::Socket::IP, so you can perform socket operations directly on it too.

--------------------------------------------------------------------------------
Update Information:

Changes:
6.17 2026-05-19 23:11:06Z
Fix CVE-2026-8450 (affects 6.15 and earlier): 2-arg open() in
send_file() enabled RCE / arbitrary file write / response-body
exfiltration when a string argument was derived from attacker-
influenced input. send_file() now uses 3-arg open() with an
explicit ' path', etc.) are no longer interpreted. send_file() now also
returns '0E0' (true zero) on a successful zero-byte transfer so
callers can distinguish empty file from open failure (undef). See
https://www.cve.org/CVERecord?id=CVE-2026-8450 for the advisory.
Reported and patched by Stig Palmquist (stigtsp). (Stig Palmquist,
Olaf Alders)
--------------------------------------------------------------------------------
ChangeLog:

* Wed May 20 2026 Michal Josef ??pa??ek [mspacek@redhat.com] - 6.17-1
- 6.17 bump
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2480076 - perl-HTTP-Daemon-6.17 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2480076
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-8982379b5c' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: perl-Net-Statsd-0.13-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-9c71664439
2026-06-19 00:59:07.048575+00:00
--------------------------------------------------------------------------------

Name : perl-Net-Statsd
Product : Fedora 44
Version : 0.13
Release : 1.fc44
URL : https://metacpan.org/release/Net-Statsd
Summary : Sends statistics to the stats daemon over UDP
Description :
This module implements a client for a statsd statistics collection server, such
as the one in use at Etsy.com.

You want to use this module to track statistics in your Perl application, such
as how many times a certain event occurs (user logins in a web application, or
database queries issued), or you want to time and then graph how long certain
events take, like database queries execution time or time to download a certain
file, etc.

--------------------------------------------------------------------------------
Update Information:

Metric names and values are now validated to ensure they do not contain
characters below ASCII 32 (including newlines), colon (":") or pipe ("|")
characters that might allow metric injection. Offending calls now croak.
--------------------------------------------------------------------------------
ChangeLog:

* Sun Jun 7 2026 Emmanuel Seyman [emmanuel@seyman.fr] - 0.13-1
- Update to 0.13 (fixes CVE-2026-46739)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2486960 - CVE-2026-46739 perl-Net-Statsd: perl-Net-Statsd: Metric injection via unchecked metric names and values [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2486960
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-9c71664439' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new


Thunderbird, Chromium, Kernel updates for Debian

Kernel, Firefox, Apache HTTPD, OpenSSL, and Core System Packages updates for Oracle Linux

Windows

Linux

macOS

Community

  • Lexonight
    Hey everyone,Wanted to share a project I've been b ...
  • SeveG
    need some help here... situationPC= Packard BellOS= win1 ...
  • dhamu
    Hello Phil, I have a Linux Tutorial website that curre ...