
Fedora pushed a heavy security batch for versions 43 and 44. Chromium jumped to 149.0.7827.155 to plug nearly thirty memory corruption holes, while the perl-Crypt-DSA module finally stops caching nonce values across signatures. On top of that, materialx and FRR landed updates that fix a few CMake configuration errors and knock out some denial-of-service vectors. You'll definitely want to run the dnf upgrade command to grab all the signed RPMs right now, though the Python 3.15 rebuilds might trip up a couple of older workflows.

Fedora 43 Update: yt-dlp-2026.06.09-1.fc43
Fedora 43 Update: chromium-149.0.7827.155-1.fc43
Fedora 43 Update: materialx-1.39.5-1.fc43
Fedora 43 Update: coturn-4.13.1-1.fc43
Fedora 43 Update: perl-Crypt-DSA-1.21-1.fc43
Fedora 44 Update: materialx-1.39.5-1.fc44
Fedora 44 Update: coturn-4.13.1-1.fc44
Fedora 44 Update: perl-Crypt-DSA-1.21-1.fc44
Fedora 44 Update: frr-10.6.1-1.fc44
Fedora 44 Update: grout-0.16.0-1.fc44





[SECURITY] Fedora 43 Update: yt-dlp-2026.06.09-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-03f87de373
2026-06-24 01:32:08.556598+00:00
--------------------------------------------------------------------------------

Name : yt-dlp
Product : Fedora 43
Version : 2026.06.09
Release : 1.fc43
URL : https://github.com/yt-dlp/yt-dlp
Summary : A command-line program to download videos from online video platforms
Description :
yt-dlp is a command-line program to download videos from many different online
video platforms, such as youtube.com. The project is a fork of youtube-dl with
additional features and fixes.

--------------------------------------------------------------------------------
Update Information:

Update to 2026.06.09. Fixes rhbz#2487407.
Mitigates CVE-2026-50019, CVE-2026-50023, CVE-2026-50574
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jun 19 2026 Maxwell G [maxwell@gtmx.me] - 2026.06.09-1
- Update to 2026.06.09. Fixes rhbz#2487407.
- Mitigates CVE-2026-50019, CVE-2026-50023, CVE-2026-50574
* Fri Jun 5 2026 Maxwell G [maxwell@gtmx.me] - 2026.03.17-3
- Add Python 3.15 support patches
* Thu Jun 4 2026 Python Maint - 2026.03.17-2
- Rebuilt for Python 3.15
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2487407 - yt-dlp-2026.06.09 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2487407
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-03f87de373' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: chromium-149.0.7827.155-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f9a0af40b2
2026-06-24 01:32:08.556596+00:00
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 43
Version : 149.0.7827.155
Release : 1.fc43
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

Update to 149.0.7827.155
CVE-2026-12437: Use after free in WebShare
CVE-2026-12438: Inappropriate implementation in WebView
CVE-2026-12439: Use after free in Digital Credentials
CVE-2026-12440: Use after free in DigitalCredentials
CVE-2026-12441: Use after free in File Input
CVE-2026-12442: Use after free in Passwords
CVE-2026-12443: Use after free in Web Authentication
CVE-2026-12444: Out of bounds read in Chromoting
CVE-2026-12445: Use after free in Extensions
CVE-2026-12446: Insufficient data validation in Passwords
CVE-2026-12447: Heap buffer overflow in WebRTC
CVE-2026-12448: Inappropriate implementation in WebView
CVE-2026-12449: Use after free in Chromoting
CVE-2026-12450: Inappropriate implementation in Media
CVE-2026-12451: Use after free in DigitalCredentials
CVE-2026-12452: Use after free in Downloads
CVE-2026-12453: Insufficient validation of untrusted input in Input
CVE-2026-12454: Race in Safe Browsing
CVE-2026-12455: Use after free in Tab Strip
CVE-2026-12456: Insufficient validation of untrusted input in Extensions
CVE-2026-12457: Insufficient data validation in Extensions
CVE-2026-12458: Incorrect security UI in Passwords
CVE-2026-12459: Inappropriate implementation in Serial
CVE-2026-12460: Insufficient policy enforcement in File System Access
CVE-2026-12461: Out of bounds read in WebRTC
CVE-2026-12462: Use after free in Media
CVE-2026-12463: Inappropriate implementation in Views
CVE-2026-12464: Use after free in Browser
CVE-2026-12465: Insufficient validation of untrusted input in Metrics
CVE-2026-12466: Heap buffer overflow in WebRTC
CVE-2026-12467: Use after free in Extensions
CVE-2026-12468: Inappropriate implementation in Updater
CVE-2026-12469: Uninitialized Use in GPU
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jun 17 2026 Than Ngo [than@redhat.com] - 149.0.7827.155-1
- Update to 149.0.7827.155
* CVE-2026-12437: Use after free in WebShare
* CVE-2026-12438: Inappropriate implementation in WebView
* CVE-2026-12439: Use after free in Digital Credentials
* CVE-2026-12440: Use after free in DigitalCredentials
* CVE-2026-12441: Use after free in File Input
* CVE-2026-12442: Use after free in Passwords
* CVE-2026-12443: Use after free in Web Authentication
* CVE-2026-12444: Out of bounds read in Chromoting
* CVE-2026-12445: Use after free in Extensions
* CVE-2026-12446: Insufficient data validation in Passwords
* CVE-2026-12447: Heap buffer overflow in WebRTC
* CVE-2026-12448: Inappropriate implementation in WebView
* CVE-2026-12449: Use after free in Chromoting
* CVE-2026-12450: Inappropriate implementation in Media
* CVE-2026-12451: Use after free in DigitalCredentials
* CVE-2026-12452: Use after free in Downloads
* CVE-2026-12453: Insufficient validation of untrusted input in Input
* CVE-2026-12454: Race in Safe Browsing
* CVE-2026-12455: Use after free in Tab Strip
* CVE-2026-12456: Insufficient validation of untrusted input in Extensions
* CVE-2026-12457: Insufficient data validation in Extensions
* CVE-2026-12458: Incorrect security UI in Passwords
* CVE-2026-12459: Inappropriate implementation in Serial
* CVE-2026-12460: Insufficient policy enforcement in File System Access
* CVE-2026-12461: Out of bounds read in WebRTC
* CVE-2026-12462: Use after free in Media
* CVE-2026-12463: Inappropriate implementation in Views
* CVE-2026-12464: Use after free in Browser
* CVE-2026-12465: Insufficient validation of untrusted input in Metrics
* CVE-2026-12466: Heap buffer overflow in WebRTC
* CVE-2026-12467: Use after free in Extensions
* CVE-2026-12468: Inappropriate implementation in Updater
* CVE-2026-12469: Uninitialized Use in GPU
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2490693 - CVE-2026-12437 CVE-2026-12438 CVE-2026-12439 CVE-2026-12440 CVE-2026-12441 CVE-2026-12442 CVE-2026-12443 CVE-2026-12444 CVE-2026-12445 CVE-2026-12446 CVE-2026-12447 CVE-2026-12448 CVE-2026-12449 CVE-2026-12450 ... chromium: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490693
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f9a0af40b2' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: materialx-1.39.5-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-85d5d5f493
2026-06-24 01:32:08.556589+00:00
--------------------------------------------------------------------------------

Name : materialx
Product : Fedora 43
Version : 1.39.5
Release : 1.fc43
URL : https://materialx.org/
Summary : Vendor-neutral specification for 3D material interchange
Description :
Physically-based material interchange specification for 3D rendering workflows.

--------------------------------------------------------------------------------
Update Information:

New release version 1.39.5.
See the change log.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jun 15 2026 Luya Tshimbalanga [luya@fedoraproject.org] - 1.39.5-1
- Update to upstream 1.39.5
* Mon Jun 15 2026 Python Maint - 1.39.4-6
- Rebuilt for Python 3.15
* Mon Jun 15 2026 Luya Tshimbalanga [luya@fedoraproject.org] - 1.39.4-5
- Fix CMake configuration error for OpenGL (fedora#2439818)
* Mon Jun 15 2026 Fedora Release Engineering [releng@fedoraproject.org] - 1.39.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2437393 - CVE-2025-68458 materialx: webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2437393
[ 2 ] Bug #2437404 - CVE-2025-68157 materialx: webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2437404
[ 3 ] Bug #2441663 - cmake module fails to import
https://bugzilla.redhat.com/show_bug.cgi?id=2441663
[ 4 ] Bug #2459522 - materialx-1.39.5 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2459522
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-85d5d5f493' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: coturn-4.13.1-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-c42d951aad
2026-06-24 01:32:08.556594+00:00
--------------------------------------------------------------------------------

Name : coturn
Product : Fedora 43
Version : 4.13.1
Release : 1.fc43
URL : https://github.com/coturn/coturn/
Summary : TURN/STUN & ICE Server
Description :
The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway.
It can be used as a general-purpose network traffic TURN server/gateway, too.

This implementation also includes some extra features. Supported RFCs:

TURN specs:
- RFC 5766 - base TURN specs
- RFC 6062 - TCP relaying TURN extension
- RFC 6156 - IPv6 extension for TURN
- Experimental DTLS support as client protocol.

STUN specs:
- RFC 3489 - "classic" STUN
- RFC 5389 - base "new" STUN specs
- RFC 5769 - test vectors for STUN protocol testing
- RFC 5780 - NAT behavior discovery support

The implementation fully supports the following client-to-TURN-server protocols:
- UDP (per RFC 5766)
- TCP (per RFC 5766 and RFC 6062)
- TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2
- DTLS (experimental non-standard feature)

Supported relay protocols:
- UDP (per RFC 5766)
- TCP (per RFC 6062)

Supported user databases (for user repository, with passwords or keys, if
authentication is required):
- SQLite
- MySQL
- PostgreSQL
- Redis

Redis can also be used for status and statistics storage and notification.

Supported TURN authentication mechanisms:
- long-term
- TURN REST API (a modification of the long-term mechanism, for time-limited
secret-based authentication, for WebRTC applications)

The load balancing can be implemented with the following tools (either one or a
combination of them):
- network load-balancer server
- DNS-based load balancing
- built-in ALTERNATE-SERVER mechanism.

--------------------------------------------------------------------------------
Update Information:

Coturn 4.13.1

What's in this release:
- Security fixes

What's Changed:
- Null-terminate server_name in stun_is_challenge_response_str
- Canonicalize all IPv4-in-IPv6 encodings before peer-IP checks
- Auto-deny coturn's own database backend endpoints as relay peers
- Deny link-local / ULA / site-local relay peers by default

Coturn 4.13.0

What's in this release:
- More performance improvements for --udp-recvmmsg and --multiplex-peer. If your
  system does not rely on TURN unique ports give multiplexing a try - it has
  capacity to dramatically increase performance.
- Security fixes

What's Changed:
- Wrap atomic everywhere
- Fix sendmmsg stride bug in multiplex-peer UDP batch flush
- Reap TURN permissions/channels via a per-thread sweep instead of per-object
  timers
- Add --udp-sendmmsg-log to observe egress sendmmsg/UDP-GSO batching
- Expose recvmmsg/sendmmsg UDP batch sizes as Prometheus metrics
- Restrict recvmmsg fast path to shared fan-in sockets (make --udp-recvmmsg useful
  standalone)
- Enable --udp-recvmmsg by default on Linux
- Security hardening: port parsing, admin brute-force throttle, credential log
  redaction, constant-time compare, OAuth bounds checks, permission cap
- Add continuous latency mode to stunclient
- Fix test_redis_format link failure
- Fix configure MANPREFIX typo
- Fix missing sqlite3 dependency
- Fix UDP receive buffer ownership
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 16 2026 Robert Scheck [robert@fedoraproject.org] - 4.13.1-1
- Upgrade to 4.13.1 (#2488712 #c1)
* Sun Jun 14 2026 Robert Scheck [robert@fedoraproject.org] - 4.13.0-1
- Upgrade to 4.13.0 (#2488712)
* Fri Jun 12 2026 Yaakov Selkowitz [yselkowi@redhat.com] - 4.12.0-3
- Rebuilt for openssl 4.0
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2490558 - CVE-2026-43915 coturn: Coturn: Cross-Site Scripting (XSS) via crafted username in TURN allocation
https://bugzilla.redhat.com/show_bug.cgi?id=2490558
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-c42d951aad' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: perl-Crypt-DSA-1.21-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-5cf57e43e3
2026-06-24 01:32:08.556555+00:00
--------------------------------------------------------------------------------

Name : perl-Crypt-DSA
Product : Fedora 43
Version : 1.21
Release : 1.fc43
URL : https://metacpan.org/release/Crypt-DSA
Summary : Perl module for DSA signatures and key generation
Description :
Crypt::DSA is an implementation of the DSA (Digital Signature Algorithm)
signature verification system. This package provides DSA signing, signature
verification, and key generation.

DSA (Digital Signature Algorithm) signatures are no longer considered to be
adequate for security. This module should only be used for verifying old
signatures and should not be used for new signatures. That being said, some
technologies still require DSA signatures even now. Consider using other
solutions or explicitly not using DSA signatures. Crypt-DSA-GMP is a possible
replacement.

--------------------------------------------------------------------------------
Update Information:

This update, to the current upstream release, prevents key material reuse for
multiple signing events (CVE-2026-12205, CWE-323).
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jun 15 2026 Paul Howarth - 1.21-1
- Update to 1.21
- Fixed key material reuse for multiple signing events (CVE-2026-12205,
  CWE-323)
- sign() reused the DSA nonce k across signatures (r and k^-1 were cached
  on the key and not regenerated), allowing private-key recovery from two
  signatures over different messages
- Now generates a fresh nonce per signature
- Keys used to sign more than once with an affected version should be
  considered compromised
* Fri Jun 12 2026 Yaakov Selkowitz [yselkowi@redhat.com] - 1.20-2
- Rebuilt for openssl 4.0
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2491340 - CVE-2026-12205 perl-Crypt-DSA: Crypt::DSA: Private-key recovery via nonce reuse across signatures [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2491340
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-5cf57e43e3' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: materialx-1.39.5-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-d2806ddffc
2026-06-24 01:28:48.584560+00:00
--------------------------------------------------------------------------------

Name : materialx
Product : Fedora 44
Version : 1.39.5
Release : 1.fc44
URL : https://materialx.org/
Summary : Vendor-neutral specification for 3D material interchange
Description :
Physically-based material interchange specification for 3D rendering workflows.

--------------------------------------------------------------------------------
Update Information:

New release version 1.39.5.
See the change log.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jun 15 2026 Luya Tshimbalanga [luya@fedoraproject.org] - 1.39.5-1
- Update to upstream 1.39.5
* Fri Jun 5 2026 Python Maint - 1.39.4-6
- Rebuilt for Python 3.15
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2437393 - CVE-2025-68458 materialx: webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2437393
[ 2 ] Bug #2437404 - CVE-2025-68157 materialx: webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2437404
[ 3 ] Bug #2441663 - cmake module fails to import
https://bugzilla.redhat.com/show_bug.cgi?id=2441663
[ 4 ] Bug #2459522 - materialx-1.39.5 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2459522
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-d2806ddffc' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: coturn-4.13.1-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-dda1360c18
2026-06-24 01:28:48.584565+00:00
--------------------------------------------------------------------------------

Name : coturn
Product : Fedora 44
Version : 4.13.1
Release : 1.fc44
URL : https://github.com/coturn/coturn/
Summary : TURN/STUN & ICE Server
Description :
The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway.
It can be used as a general-purpose network traffic TURN server/gateway, too.

This implementation also includes some extra features. Supported RFCs:

TURN specs:
- RFC 5766 - base TURN specs
- RFC 6062 - TCP relaying TURN extension
- RFC 6156 - IPv6 extension for TURN
- Experimental DTLS support as client protocol.

STUN specs:
- RFC 3489 - "classic" STUN
- RFC 5389 - base "new" STUN specs
- RFC 5769 - test vectors for STUN protocol testing
- RFC 5780 - NAT behavior discovery support

The implementation fully supports the following client-to-TURN-server protocols:
- UDP (per RFC 5766)
- TCP (per RFC 5766 and RFC 6062)
- TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2
- DTLS (experimental non-standard feature)

Supported relay protocols:
- UDP (per RFC 5766)
- TCP (per RFC 6062)

Supported user databases (for user repository, with passwords or keys, if
authentication is required):
- SQLite
- MySQL
- PostgreSQL
- Redis

Redis can also be used for status and statistics storage and notification.

Supported TURN authentication mechanisms:
- long-term
- TURN REST API (a modification of the long-term mechanism, for time-limited
secret-based authentication, for WebRTC applications)

The load balancing can be implemented with the following tools (either one or a
combination of them):
- network load-balancer server
- DNS-based load balancing
- built-in ALTERNATE-SERVER mechanism.

--------------------------------------------------------------------------------
Update Information:

Coturn 4.13.1

What's in this release:
- Security fixes

What's Changed:
- Null-terminate server_name in stun_is_challenge_response_str
- Canonicalize all IPv4-in-IPv6 encodings before peer-IP checks
- Auto-deny coturn's own database backend endpoints as relay peers
- Deny link-local / ULA / site-local relay peers by default

Coturn 4.13.0

What's in this release:
- More performance improvements for --udp-recvmmsg and --multiplex-peer. If your
  system does not rely on TURN unique ports give multiplexing a try - it has
  capacity to dramatically increase performance.
- Security fixes

What's Changed:
- Wrap atomic everywhere
- Fix sendmmsg stride bug in multiplex-peer UDP batch flush
- Reap TURN permissions/channels via a per-thread sweep instead of per-object
  timers
- Add --udp-sendmmsg-log to observe egress sendmmsg/UDP-GSO batching
- Expose recvmmsg/sendmmsg UDP batch sizes as Prometheus metrics
- Restrict recvmmsg fast path to shared fan-in sockets (make --udp-recvmmsg useful
  standalone)
- Enable --udp-recvmmsg by default on Linux
- Security hardening: port parsing, admin brute-force throttle, credential log
  redaction, constant-time compare, OAuth bounds checks, permission cap
- Add continuous latency mode to stunclient
- Fix test_redis_format link failure
- Fix configure MANPREFIX typo
- Fix missing sqlite3 dependency
- Fix UDP receive buffer ownership
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 16 2026 Robert Scheck [robert@fedoraproject.org] - 4.13.1-1
- Upgrade to 4.13.1 (#2488712 #c1)
* Sun Jun 14 2026 Robert Scheck [robert@fedoraproject.org] - 4.13.0-1
- Upgrade to 4.13.0 (#2488712)
* Fri Jun 12 2026 Yaakov Selkowitz [yselkowi@redhat.com] - 4.12.0-3
- Rebuilt for openssl 4.0
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2490558 - CVE-2026-43915 coturn: Coturn: Cross-Site Scripting (XSS) via crafted username in TURN allocation
https://bugzilla.redhat.com/show_bug.cgi?id=2490558
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-dda1360c18' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: perl-Crypt-DSA-1.21-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f4a6b0c635
2026-06-24 01:28:48.584512+00:00
--------------------------------------------------------------------------------

Name : perl-Crypt-DSA
Product : Fedora 44
Version : 1.21
Release : 1.fc44
URL : https://metacpan.org/release/Crypt-DSA
Summary : Perl module for DSA signatures and key generation
Description :
Crypt::DSA is an implementation of the DSA (Digital Signature Algorithm)
signature verification system. This package provides DSA signing, signature
verification, and key generation.

DSA (Digital Signature Algorithm) signatures are no longer considered to be
adequate for security. This module should only be used for verifying old
signatures and should not be used for new signatures. That being said, some
technologies still require DSA signatures even now. Consider using other
solutions or explicitly not using DSA signatures. Crypt-DSA-GMP is a possible
replacement.

--------------------------------------------------------------------------------
Update Information:

This update, to the current upstream release, prevents key material reuse for
multiple signing events (CVE-2026-12205, CWE-323).
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jun 15 2026 Paul Howarth - 1.21-1
- Update to 1.21
- Fixed key material reuse for multiple signing events (CVE-2026-12205,
  CWE-323)
- sign() reused the DSA nonce k across signatures (r and k^-1 were cached
  on the key and not regenerated), allowing private-key recovery from two
  signatures over different messages
- Now generates a fresh nonce per signature
- Keys used to sign more than once with an affected version should be
  considered compromised
* Fri Jun 12 2026 Yaakov Selkowitz [yselkowi@redhat.com] - 1.20-2
- Rebuilt for openssl 4.0
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2491340 - CVE-2026-12205 perl-Crypt-DSA: Crypt::DSA: Private-key recovery via nonce reuse across signatures [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2491340
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f4a6b0c635' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
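
The nonce reuse fixed in Crypt::DSA 1.21 is visible from stored signatures alone, because r depends only on k. The following added example (Python, not the module's or the advisory's code) models the cached and the fixed sign() over a constructed toy DSA group and audits signature records for a repeated r. The names `sign_cached`, `sign_fresh` and `audit`, the group parameters, key ids and messages are assumptions made for illustration.

```python
# Added example: toy DSA (constructed parameters, far too small for real use).
import hashlib
import secrets
from collections import defaultdict

Q = 2**61 - 1  # Mersenne prime used as the subgroup order q

def is_prime(n):
    """Miller-Rabin; these bases are deterministic for n below 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(q):
    """Return (p, g): p = 2*j*q + 1 prime, g generating the order-q subgroup."""
    j = 1
    while not is_prime(2 * j * q + 1):
        j += 1
    p = 2 * j * q + 1
    h = 2
    while pow(h, (p - 1) // q, p) == 1:
        h += 1
    return p, pow(h, (p - 1) // q, p)

P, G = make_group(Q)

def digest(msg):
    # Simplification: SHA-256 reduced mod q instead of FIPS 186 bit truncation.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

class Key:
    def __init__(self):
        self.x = secrets.randbelow(Q - 1) + 1  # private key
        self.y = pow(G, self.x, P)             # public key
        self.cached = None                     # (r, k^-1) kept on the key

def nonce_pair():
    while True:
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P) % Q
        if r:
            return r, pow(k, -1, Q)

def sign_cached(key, msg):
    """Behaviour described for affected versions: r and k^-1 are reused."""
    if key.cached is None:
        key.cached = nonce_pair()
    r, kinv = key.cached
    return r, kinv * (digest(msg) + key.x * r) % Q

def sign_fresh(key, msg):
    """Behaviour after the fix: a new nonce for every signature."""
    r, kinv = nonce_pair()
    return r, kinv * (digest(msg) + key.x * r) % Q

def verify(y, msg, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = pow(G, digest(msg) * w % Q, P) * pow(y, r * w % Q, P) % P
    return v % Q == r

def audit(records):
    """records: (key_id, msg, (r, s)). Return key ids whose r repeats across
    different messages, i.e. keys to treat as compromised and rotate."""
    seen = defaultdict(set)
    for key_id, msg, (r, _s) in records:
        seen[(key_id, r)].add(digest(msg))
    return sorted({kid for (kid, _r), ds in seen.items() if len(ds) > 1})

def demo():
    msgs = [b"release-1.tar", b"release-2.tar", b"release-3.tar"]  # constructed
    old, new = Key(), Key()
    records = [("old-key", m, sign_cached(old, m)) for m in msgs]
    records += [("new-key", m, sign_fresh(new, m)) for m in msgs]
    keys = {"old-key": old.y, "new-key": new.y}
    all_valid = all(verify(keys[k], m, s) for k, m, s in records)
    return all_valid, audit(records)

if __name__ == "__main__":
    print(demo())
```

Every signature from the cached signer still verifies, which is why the flaw does not surface in normal use; the audit counts only distinct message digests per r, so a copied signature over the same message is not flagged.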





[SECURITY] Fedora 44 Update: frr-10.6.1-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-28949d21e5
2026-06-24 01:28:48.584491+00:00
--------------------------------------------------------------------------------

Name : frr
Product : Fedora 44
Version : 10.6.1
Release : 1.fc44
URL : http://www.frrouting.org
Summary : Routing daemon
Description :
FRRouting is free software that manages TCP/IP based routing protocols. It takes
a multi-server and multi-threaded approach to resolve the current complexity
of the Internet.

FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR,
EIGRP and BFD.

FRRouting is a fork of Quagga.

--------------------------------------------------------------------------------
Update Information:

New version of frr and grout. I am keeping libyang to version 3 at the moment
due to recommendations from
https://github.com/FRRouting/frr/blob/master/doc/developer/building-libyang.rst.
Once changes to build with libyang5 land, I will rebase libyang as well.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 9 2026 Michal Ruprich [mruprich@redhat.com] - 10.6.1-1
- New version 10.6.1
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2413655 - frr-10.6.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2413655
[ 2 ] Bug #2468134 - CVE-2026-37457 frr: denial of service via crafted FlowSpec component [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2468134
[ 3 ] Bug #2468135 - CVE-2026-37458 frr: denial of service via crafted UPDATE message [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2468135
[ 4 ] Bug #2468136 - CVE-2026-37459 frr: denial of service via crafted BGP UPDATE message [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2468136
[ 5 ] Bug #2487832 - grout-0.16.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2487832
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-28949d21e5' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: grout-0.16.0-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-28949d21e5
2026-06-24 01:28:48.584491+00:00
--------------------------------------------------------------------------------

Name : grout
Product : Fedora 44
Version : 0.16.0
Release : 1.fc44
URL : https://github.com/DPDK/grout
Summary : Graph router based on DPDK
Description :
grout stands for Graph Router. In English, "grout" refers to thin mortar that
hardens to fill gaps between tiles.

grout is a DPDK based network processing application. It uses the rte_graph
library for data path processing.

Its main purpose is to simulate a network function or a physical router for
testing/replicating real (usually closed source) VNF/CNF behavior with an
open-source tool.

It comes with a client library to configure it over a standard UNIX socket and
a CLI that uses that library. The CLI can be used as an interactive shell, but
also in scripts one command at a time, or by batches.

--------------------------------------------------------------------------------
Update Information:

New version of frr and grout. I am keeping libyang to version 3 at the moment
due to recommendations from
https://github.com/FRRouting/frr/blob/master/doc/developer/building-libyang.rst.
Once changes to build with libyang5 land, I will rebase libyang as well.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jun 11 2026 Robin Jarry [rjarry@redhat.com] - 0.16.0-1
- New upstream release 0.15.0 (fedora#2487832)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2413655 - frr-10.6.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2413655
[ 2 ] Bug #2468134 - CVE-2026-37457 frr: denial of service via crafted FlowSpec component [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2468134
[ 3 ] Bug #2468135 - CVE-2026-37458 frr: denial of service via crafted UPDATE message [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2468135
[ 4 ] Bug #2468136 - CVE-2026-37459 frr: denial of service via crafted BGP UPDATE message [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2468136
[ 5 ] Bug #2487832 - grout-0.16.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2487832
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-28949d21e5' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

