Fedora Linux 9421 Published by

Fedora 43 and 44 release security updates resolving multiple high-severity flaws in Chromium, Ruby, ProFTPD, and related tools. The Chromium update resolves fifteen CVEs ranging from use-after-free memory corruption to heap buffer overflows, while Ruby 3.4.10 and 4.0.6 address deserialization bypasses and IMAP command injection flaws. Additional patches fix ProFTPD stack buffer overflows, Django header injection, yq cross-site scripting, and libtiff processing errors that could lead to code execution.

Fedora 43 Update: chromium-150.0.7871.124-1.fc43
Fedora 43 Update: node-exporter-1.12.1-1.fc43
Fedora 43 Update: spoofdpi-1.5.3-2.fc43
Fedora 43 Update: yq-4.53.3-1.fc43
Fedora 43 Update: ruby-3.4.10-31.fc43
Fedora 43 Update: proftpd-1.3.9c-1.fc43
Fedora 43 Update: log4cxx-1.7.0-2.fc43
Fedora 44 Update: chromium-150.0.7871.124-1.fc44
Fedora 44 Update: python-django5-5.2.16-1.fc44
Fedora 44 Update: libtiff-4.7.2-1.fc44
Fedora 44 Update: ruby-4.0.6-36.fc44
Fedora 44 Update: spoofdpi-1.5.3-1.fc44
Fedora 44 Update: yq-4.53.3-1.fc44
Fedora 44 Update: proftpd-1.3.9c-1.fc44
Fedora 44 Update: python-libcst-1.8.6-4.fc44



[SECURITY] Fedora 43 Update: chromium-150.0.7871.124-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-32e3e23696
2026-07-18 00:27:50.464608+00:00
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 43
Version : 150.0.7871.124
Release : 1.fc43
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

Update to 150.0.7871.124
* CVE-2026-15764: Use after free in Ozone
* CVE-2026-15765: Use after free in Ozone
* CVE-2026-15766: Uninitialized Use in Skia
* CVE-2026-15767: Heap buffer overflow in libyuv
* CVE-2026-15768: Insufficient policy enforcement in HTML-in-Canvas
* CVE-2026-15769: Insufficient validation of untrusted input in Linux Toolkit
Theming
* CVE-2026-15770: Uninitialized Use in V8
* CVE-2026-15771: Insufficient validation of untrusted input in Media
* CVE-2026-15772: Use after free in GPU
* CVE-2026-15773: Use after free in Core
* CVE-2026-15774: Use after free in Skia
* CVE-2026-15775: Insufficient policy enforcement in V8
* CVE-2026-15776: Type Confusion in V8
* CVE-2026-15777: Use after free in UI
* CVE-2026-15778: Insufficient validation of untrusted input in Navigation
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jul 15 2026 Than Ngo [than@redhat.com] - 150.0.7871.124-1
- Update to 150.0.7871.124
* CVE-2026-15764: Use after free in Ozone
* CVE-2026-15765: Use after free in Ozone
* CVE-2026-15766: Uninitialized Use in Skia
* CVE-2026-15767: Heap buffer overflow in libyuv
* CVE-2026-15768: Insufficient policy enforcement in HTML-in-Canvas
* CVE-2026-15769: Insufficient validation of untrusted input in Linux Toolkit Theming
* CVE-2026-15770: Uninitialized Use in V8
* CVE-2026-15771: Insufficient validation of untrusted input in Media
* CVE-2026-15772: Use after free in GPU
* CVE-2026-15773: Use after free in Core
* CVE-2026-15774: Use after free in Skia
* CVE-2026-15775: Insufficient policy enforcement in V8
* CVE-2026-15776: Type Confusion in V8
* CVE-2026-15777: Use after free in UI
* CVE-2026-15778: Insufficient validation of untrusted input in Navigation
- Backport patches to improve auto darkmode
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-32e3e23696' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: node-exporter-1.12.1-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-5924722657
2026-07-18 00:27:50.464606+00:00
--------------------------------------------------------------------------------

Name : node-exporter
Product : Fedora 43
Version : 1.12.1
Release : 1.fc43
URL : https://github.com/prometheus/node_exporter
Summary : Exporter for machine metrics
Description :
Prometheus exporter for hardware and OS metrics exposed by *NIX kernels, written
in Go with pluggable metric collectors.

--------------------------------------------------------------------------------
Update Information:

Update to 1.12.1
Update to 1.12.0
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jul 14 2026 Packit [hello@packit.dev] - 1.12.1-1
- Update to 1.12.1 upstream release
- Resolves: rhbz#2500038
* Sat Jul 11 2026 Mikel Olasagasti Uranga [mikel@olasagasti.info] - 1.12.0-1
- Update to 1.12.0 - Closes rhbz#2499355
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2494365 - CVE-2026-27145 node-exporter: golang crypto/x509: Denial of Service via excessive processing of DNS SAN entries [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2494365
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-5924722657' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: spoofdpi-1.5.3-2.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-77f23c0bc4
2026-07-18 00:27:50.464594+00:00
--------------------------------------------------------------------------------

Name : spoofdpi
Product : Fedora 43
Version : 1.5.3
Release : 2.fc43
URL : https://github.com/xvzc/SpoofDPI
Summary : Simple and fast anti-censorship tool written in Go
Description :
Simple and fast anti-censorship tool written in Go.

--------------------------------------------------------------------------------
Update Information:

Fix Go version requirement for F43 build compatibility
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jul 14 2026 Emir Akdag [infraw.linux@proton.me] - 1.5.3-2
- Fix Go version requirement for F43 build compatibility
* Tue Jul 14 2026 Emir Akdag [infraw.linux@proton.me] - 1.5.3-1
- Update spoofdpi to 1.5.3
- Update to 1.5.3 to fix CVE-2026-27145
- Add missing license for go-localereader
- Fix build directory case sensitivity issue
- Resolves: rhbz#2494220, rhbz#2494389
* Tue Feb 3 2026 Maxwell G [maxwell@gtmx.me] - 1.2.1-3
- Rebuild for https://fedoraproject.org/wiki/Changes/golang1.26
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 1.2.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-77f23c0bc4' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: yq-4.53.3-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-990cdd8329
2026-07-18 00:27:50.464596+00:00
--------------------------------------------------------------------------------

Name : yq
Product : Fedora 43
Version : 4.53.3
Release : 1.fc43
URL : https://github.com/mikefarah/yq
Summary : Yq is a portable command-line YAML, JSON, XML, CSV, TOML, HCL and properties processor
Description :
Yq is a portable command-line YAML, JSON, XML, CSV, TOML, HCL and properties
processor.

--------------------------------------------------------------------------------
Update Information:

Update to 4.53.3
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jul 14 2026 Mikel Olasagasti Uranga [mikel@olasagasti.info] - 4.53.3-1
- Update to 4.53.3 and add packit integration
* Tue Feb 3 2026 Maxwell G [maxwell@gtmx.me] - 4.47.1-5
- Rebuild for https://fedoraproject.org/wiki/Changes/golang1.26
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 4.47.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Fri Oct 10 2025 Alejandro S??ez [asm@redhat.com] - 4.47.1-3
- rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2495328 - CVE-2026-25681 yq: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2495328
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-990cdd8329' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: ruby-3.4.10-31.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7b7c2b373e
2026-07-18 00:27:50.464563+00:00
--------------------------------------------------------------------------------

Name : ruby
Product : Fedora 43
Version : 3.4.10
Release : 31.fc43
URL : https://www.ruby-lang.org/
Summary : An interpreter of object-oriented scripting language
Description :
Ruby is the interpreted scripting language for quick and easy
object-oriented programming. It has many features to process text
files and to do system management tasks (as in Perl). It is simple,
straight-forward, and extensible.

--------------------------------------------------------------------------------
Update Information:

Ruby 3.4.10 is released. This new version contains severay security bug fixes in
zlib, net-imap and erb..
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jul 8 2026 Mamoru TASAKA [mtasaka@fedoraproject.org] - 3.4.10-31
- Update to Ruby 3.4.10
- Resolves: CVE-2026-41316 (rhbz#2463216)
- Resolves: CVE-2026-42245 (rhbz#2484324)
- Resolves: CVE-2026-42246 (rhbz#2492090)
- Resolves: CVE-2026-42256
- Resolves: CVE-2026-42257
- Resolves: CVE-2026-42258 (rhbz#2487319)
- Resolves: CVE-2026-47240
- Resolves: CVE-2026-47241
- Resolves: CVE-2026-47242
* Mon Jun 29 2026 Mamoru TASAKA [mtasaka@fedoraproject.org] - 3.4.9-30
- Update to Ruby 3.4.9
- Resolves: CVE-2026-27820
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2463216 - CVE-2026-41316 ruby: ERB: Arbitrary code execution via deserialization bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2463216
[ 2 ] Bug #2484324 - CVE-2026-42245 ruby: Net::IMAP: Denial of Service via crafted IMAP responses [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2484324
[ 3 ] Bug #2487319 - CVE-2026-42258 ruby: Net::IMAP: IMAP Command Injection via Symbol Arguments [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2487319
[ 4 ] Bug #2492090 - CVE-2026-42246 ruby: Net::IMAP: Information disclosure via man-in-the-middle attack bypassing TLS [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2492090
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-7b7c2b373e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: proftpd-1.3.9c-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-75a8969e55
2026-07-18 00:27:50.464547+00:00
--------------------------------------------------------------------------------

Name : proftpd
Product : Fedora 43
Version : 1.3.9c
Release : 1.fc43
URL : http://www.proftpd.org/
Summary : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory
visibility.

This package defaults to the standalone behavior of ProFTPD, but all the
needed scripts to have it run by systemd instead are included.

--------------------------------------------------------------------------------
Update Information:

Cumulative bug-fix update, including several buffer overflow fixes.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jul 8 2026 Paul Howarth - 1.3.9c-1
- Update to 1.3.9c
- ExecEnviron values not passed due to regression since 1.3.8.d (GH#2135)
- Stack buffer overflow in MLSD/MLST handling for long path names (GH#2146)
- MaxTransfersPerUser no longer enforces configured limits (GH#2158)
- AdminControlsACLs for config, get actions not honored as they should be
(GH#2163)
- Memcached/Redis-cached JSON TLS session/OCSP entries decoded into fixed
buffers without bounds checking (GH#2166)
- RewriteMap unescape builtin use causes one-byte out-of-bounds write, fails
to reject illegal characters (GH#2173)
- SQL group name lookup concatenates client-provided group names without
escaping (GH#2188)
- Authenticated SFTP sessions can overflow the SFTP packet buffer (GH#2190)
- Default Controls socket ACLs unintentionally allow all users access for
sending Controls requests (GH#2210)
* Fri Jun 12 2026 Yaakov Selkowitz [yselkowi@redhat.com] - 1.3.9b-2
- Rebuilt for openssl 4.0
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-75a8969e55' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: log4cxx-1.7.0-2.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-31a8569c4b
2026-07-18 00:27:50.464532+00:00
--------------------------------------------------------------------------------

Name : log4cxx
Product : Fedora 43
Version : 1.7.0
Release : 2.fc43
URL : http://logging.apache.org/log4cxx/index.html
Summary : A port to C++ of the Log4j project
Description :
Log4cxx is a popular logging package written in C++. One of its distinctive
features is the notion of inheritance in loggers. Using a logger hierarchy it
is possible to control which log statements are output at arbitrary
granularity. This helps reduce the volume of logged output and minimize the
cost of logging.

--------------------------------------------------------------------------------
Update Information:

Update to log4cxx 1.7.0.
Fixes CVE-2026-40023: XMLLayout did not escape characters forbidden
by the XML 1.0 specification, which could cause conforming XML
parsers to reject the produced document, silently dropping log
records.
No ABI-relevant changes; liblog4cxx SONAME (%{sover}) is unchanged.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 3 2026 Till Hofmann [thofmann@fedoraproject.org] - 1.7.0-2
- Skip 2GB-message test on 32-bit architectures
* Fri May 22 2026 Till Hofmann [thofmann@fedoraproject.org] - 1.7.0-1
- Update to 1.7.0
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 1.6.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2457923 - CVE-2026-40023 log4cxx: Apache Log4cxx: Log processing impairment due to unsanitized XML characters [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457923
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-31a8569c4b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: chromium-150.0.7871.124-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7437330b17
2026-07-18 00:26:14.273094+00:00
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 44
Version : 150.0.7871.124
Release : 1.fc44
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

Update to 150.0.7871.124
* CVE-2026-15764: Use after free in Ozone
* CVE-2026-15765: Use after free in Ozone
* CVE-2026-15766: Uninitialized Use in Skia
* CVE-2026-15767: Heap buffer overflow in libyuv
* CVE-2026-15768: Insufficient policy enforcement in HTML-in-Canvas
* CVE-2026-15769: Insufficient validation of untrusted input in Linux Toolkit
Theming
* CVE-2026-15770: Uninitialized Use in V8
* CVE-2026-15771: Insufficient validation of untrusted input in Media
* CVE-2026-15772: Use after free in GPU
* CVE-2026-15773: Use after free in Core
* CVE-2026-15774: Use after free in Skia
* CVE-2026-15775: Insufficient policy enforcement in V8
* CVE-2026-15776: Type Confusion in V8
* CVE-2026-15777: Use after free in UI
* CVE-2026-15778: Insufficient validation of untrusted input in Navigation
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jul 15 2026 Than Ngo [than@redhat.com] - 150.0.7871.124-1
- Update to 150.0.7871.124
* CVE-2026-15764: Use after free in Ozone
* CVE-2026-15765: Use after free in Ozone
* CVE-2026-15766: Uninitialized Use in Skia
* CVE-2026-15767: Heap buffer overflow in libyuv
* CVE-2026-15768: Insufficient policy enforcement in HTML-in-Canvas
* CVE-2026-15769: Insufficient validation of untrusted input in Linux Toolkit Theming
* CVE-2026-15770: Uninitialized Use in V8
* CVE-2026-15771: Insufficient validation of untrusted input in Media
* CVE-2026-15772: Use after free in GPU
* CVE-2026-15773: Use after free in Core
* CVE-2026-15774: Use after free in Skia
* CVE-2026-15775: Insufficient policy enforcement in V8
* CVE-2026-15776: Type Confusion in V8
* CVE-2026-15777: Use after free in UI
* CVE-2026-15778: Insufficient validation of untrusted input in Navigation
- Backport patches to improve auto darkmode
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-7437330b17' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: python-django5-5.2.16-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-595d35a4d1
2026-07-18 00:26:14.273091+00:00
--------------------------------------------------------------------------------

Name : python-django5
Product : Fedora 44
Version : 5.2.16
Release : 1.fc44
URL : https://www.djangoproject.com/
Summary : A high-level Python Web framework
Description :
Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as
much as possible and adhering to the DRY (Don't Repeat Yourself)
principle.

--------------------------------------------------------------------------------
Update Information:

Update python-django5 to version 5.2.16
Fixes three low-severity CVEs
CVE-2026-48588: Potential exposure of private data via cached Set-Cookie
response
CVE-2026-53877: Heap buffer over-read in GDALRaster
CVE-2026-53878: Header injection possibility since DomainNameValidator accepted
newlines in input
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jul 16 2026 Michel Lind [salimma@fedoraproject.org] - 5.2.16-1
- Update to version 5.2.16; Resolves RHBZ#2497734
- Fixes three low-severity CVEs
- CVE-2026-48588: Potential exposure of private data via cached Set-Cookie
response
- CVE-2026-53877: Heap buffer over-read in GDALRaster
- CVE-2026-53878: Header injection possibility since DomainNameValidator
accepted newlines in input
* Thu Jul 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 5.2.15-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_45_Mass_Rebuild
* Fri Jun 19 2026 Miro Hron??ok [miro@hroncok.cz] - 5.2.15-5
- Heavily reduce the list of skipped tests
* Sat Jun 6 2026 Michel Lind [salimma@fedoraproject.org] - 5.2.15-4
- Remove dump of disabled tests from the end of the spec
* Sat Jun 6 2026 Michel Lind [salimma@fedoraproject.org] - 5.2.15-3
- Disable failing tests on Python 3.15
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2497734 - python-django5-5.2.16 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2497734
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-595d35a4d1' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: libtiff-4.7.2-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-cfbf964c2e
2026-07-18 00:26:14.273082+00:00
--------------------------------------------------------------------------------

Name : libtiff
Product : Fedora 44
Version : 4.7.2
Release : 1.fc44
URL : http://www.simplesystems.org/libtiff/
Summary : Library of functions for manipulating TIFF format image files
Description :
The libtiff package contains a library of functions for manipulating
TIFF (Tagged Image File Format) image format files. TIFF is a widely
used file format for bitmapped images. TIFF files usually end in the
.tif extension and they are often quite large.

The libtiff package should be installed if you need to manipulate TIFF
format image files.

--------------------------------------------------------------------------------
Update Information:

updated to 4.7.2, fixes security issues
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jul 13 2026 Michal Hlavinka [mhlavink@redhat.com] - 4.7.2-1
- updated to 4.7.2 (#2496751)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2450771 - CVE-2026-4775 libtiff: libtiff: Arbitrary code execution or denial of service via signed integer overflow in TIFF file processing [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450771
[ 2 ] Bug #2494140 - CVE-2026-12912 libtiff: libtiff: Heap-based buffer overflow via crafted PixarLog-compressed TIFF image [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2494140
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-cfbf964c2e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: ruby-4.0.6-36.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-32d5a3d450
2026-07-18 00:26:14.273071+00:00
--------------------------------------------------------------------------------

Name : ruby
Product : Fedora 44
Version : 4.0.6
Release : 36.fc44
URL : https://www.ruby-lang.org/
Summary : An interpreter of object-oriented scripting language
Description :
Ruby is the interpreted scripting language for quick and easy
object-oriented programming. It has many features to process text
files and to do system management tasks (as in Perl). It is simple,
straight-forward, and extensible.

--------------------------------------------------------------------------------
Update Information:

Ruby 4.0.6 is released. This new ruby contains several security fixes in net-
snmp.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jul 14 2026 Mamoru TASAKA [mtasaka@fedoraproject.org] - 4.0.6-36
- Update to Ruby 4.0.6
Resolves: rhbz#2499884
- Resolves: CVE-2026-42245 (rhbz#2484324)
- Resolves: CVE-2026-42246 (rhbz#2492090)
- Resolves: CVE-2026-42256
- Resolves: CVE-2026-42257
- Resolves: CVE-2026-42258 (rhbz#2487319)
- Resolves: CVE-2026-47240 (rhbz#2498917)
- Resolves: CVE-2026-47241
- Resolves: CVE-2026-47242
* Sun Jun 14 2026 Mamoru TASAKA [mtasaka@fedoraproject.org] - 4.0.5-35
- Backport ruby/openssl 4.0.2 from ruby 4.0 branch to support openssl 4.0
* Fri Jun 12 2026 Yaakov Selkowitz [yselkowi@redhat.com]
- Rebuilt for openssl 4.0
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2463216 - CVE-2026-41316 ruby: ERB: Arbitrary code execution via deserialization bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2463216
[ 2 ] Bug #2484324 - CVE-2026-42245 ruby: Net::IMAP: Denial of Service via crafted IMAP responses [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2484324
[ 3 ] Bug #2487319 - CVE-2026-42258 ruby: Net::IMAP: IMAP Command Injection via Symbol Arguments [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2487319
[ 4 ] Bug #2492090 - CVE-2026-42246 ruby: Net::IMAP: Information disclosure via man-in-the-middle attack bypassing TLS [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2492090
[ 5 ] Bug #2498917 - CVE-2026-47240 ruby: Net::IMAP: Command injection via non-synchronizing literals [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2498917
[ 6 ] Bug #2499884 - ruby-4.0.6 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2499884
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-32d5a3d450' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: spoofdpi-1.5.3-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-812049f95c
2026-07-18 00:26:14.273051+00:00
--------------------------------------------------------------------------------

Name : spoofdpi
Product : Fedora 44
Version : 1.5.3
Release : 1.fc44
URL : https://github.com/xvzc/SpoofDPI
Summary : Simple and fast anti-censorship tool written in Go
Description :
Simple and fast anti-censorship tool written in Go.

--------------------------------------------------------------------------------
Update Information:

Update spoofdpi to 1.5.3
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jul 14 2026 Emir Akdag [infraw.linux@proton.me] - 1.5.3-1
- Update spoofdpi to 1.5.3
- Update to 1.5.3 to fix CVE-2026-27145
- Add missing license for go-localereader
- Fix build directory case sensitivity issue
- Resolves: rhbz#2494220, rhbz#2494389
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2494220 - CVE-2026-27145 spoofdpi: golang crypto/x509: Denial of Service via excessive processing of DNS SAN entries [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2494220
[ 2 ] Bug #2494389 - CVE-2026-27145 spoofdpi: golang crypto/x509: Denial of Service via excessive processing of DNS SAN entries [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2494389
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-812049f95c' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: yq-4.53.3-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-710adfa806
2026-07-18 00:26:14.273055+00:00
--------------------------------------------------------------------------------

Name : yq
Product : Fedora 44
Version : 4.53.3
Release : 1.fc44
URL : https://github.com/mikefarah/yq
Summary : Yq is a portable command-line YAML, JSON, XML, CSV, TOML, HCL and properties processor
Description :
Yq is a portable command-line YAML, JSON, XML, CSV, TOML, HCL and properties
processor.

--------------------------------------------------------------------------------
Update Information:

Update to 4.53.3
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jul 14 2026 Mikel Olasagasti Uranga [mikel@olasagasti.info] - 4.53.3-1
- Update to 4.53.3 and add packit integration
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2495328 - CVE-2026-25681 yq: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2495328
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-710adfa806' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: proftpd-1.3.9c-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-2f95481529
2026-07-18 00:26:14.272998+00:00
--------------------------------------------------------------------------------

Name : proftpd
Product : Fedora 44
Version : 1.3.9c
Release : 1.fc44
URL : http://www.proftpd.org/
Summary : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory
visibility.

This package defaults to the standalone behavior of ProFTPD, but all the
needed scripts to have it run by systemd instead are included.

--------------------------------------------------------------------------------
Update Information:

Cumulative bug-fix update, including several buffer overflow fixes.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jul 8 2026 Paul Howarth - 1.3.9c-1
- Update to 1.3.9c
- ExecEnviron values not passed due to regression since 1.3.8.d (GH#2135)
- Stack buffer overflow in MLSD/MLST handling for long path names (GH#2146)
- MaxTransfersPerUser no longer enforces configured limits (GH#2158)
- AdminControlsACLs for config, get actions not honored as they should be
(GH#2163)
- Memcached/Redis-cached JSON TLS session/OCSP entries decoded into fixed
buffers without bounds checking (GH#2166)
- RewriteMap unescape builtin use causes one-byte out-of-bounds write, fails
to reject illegal characters (GH#2173)
- SQL group name lookup concatenates client-provided group names without
escaping (GH#2188)
- Authenticated SFTP sessions can overflow the SFTP packet buffer (GH#2190)
- Default Controls socket ACLs unintentionally allow all users access for
sending Controls requests (GH#2210)
* Fri Jun 12 2026 Yaakov Selkowitz [yselkowi@redhat.com] - 1.3.9b-2
- Rebuilt for openssl 4.0
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-2f95481529' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: python-libcst-1.8.6-4.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-17c484fafa
2026-07-18 00:26:14.272987+00:00
--------------------------------------------------------------------------------

Name : python-libcst
Product : Fedora 44
Version : 1.8.6
Release : 4.fc44
URL : https://github.com/Instagram/LibCST
Summary : A concrete syntax tree with AST-like properties for Python 3
Description :
LibCST parses Python source code as a CST tree that keeps all formatting
details (comments, whitespaces, parentheses, etc). It's useful for building
automated refactoring (codemod) applications and linters.

LibCST creates a compromise between an Abstract Syntax Tree (AST) and a
traditional Concrete Syntax Tree (CST). By carefully reorganizing and naming
node types and fields, it creates a lossless CST that looks and feels like an
AST.

--------------------------------------------------------------------------------
Update Information:

Update to 1.8.6. Build with PyO3 (fixes RUSTSEC-2026-0176, RUSTSEC-2026-0177).
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jul 8 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 1.8.6-4
- Don???t attempt cargo tests on ppc64le due to a linker error
* Tue Jul 7 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 1.8.6-3
- Update PyO3 to 0.29 (fixes RUSTSEC-2026-0176, RUSTSEC-2026-0177)
* Tue Jul 7 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 1.8.6-2
- Also run cargo tests for native (Rust) parser
* Tue Jul 7 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 1.8.6-1
- Update to 1.8.6 (close RHBZ#2368777)
* Tue Jul 7 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 1.8.0-12
- Let LICENSE.dependencies be included in the .dist-info
* Tue Jul 7 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 1.8.0-11
- Test both the pure-Python parser and the Rust parser
* Tue Jul 7 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 1.8.0-10
- Drop the hypothesmith test dependency (omit fuzz tests)
- Also drop hypothesis since it is also only used for fuzz tests
* Tue Jul 7 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 1.8.0-9
- Simplify and update build conditionals
* Wed Jun 3 2026 Python Maint - 1.8.0-8
- Rebuilt for Python 3.15
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-17c484fafa' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------