Fedora 42 has received updates for several packages, including NetworkManager-l2tp, to fix CVE-2025-9615 by verifying file permissions and ensuring the NetworkManager dependency has the same update. The coturn package, which provides TURN/STUN & ICE server functionality, has been updated to version 4.7.0 to backport upstream patches for CVE-2025-69217, an authentication bypass vulnerability. The openssh package has also been updated to address two vulnerabilities: CVE-2025-61985 and CVE-2025-61984, which could be used to exploit SSH by rejecting usernames or URL strings with control characters. Furthermore, the tuxanci package has been updated in both Fedora 42 and 43 to remove a dysfunctional URL from its RPM metadata.

Fedora 42 Update: NetworkManager-l2tp-1.52.0-1.fc42
Fedora 42 Update: coturn-4.7.0-4.fc42
Fedora 42 Update: openssh-9.9p1-12.fc42
Fedora 42 Update: tuxanci-0.21.0-26.fc42
Fedora 43 Update: NetworkManager-l2tp-1.52.0-1.fc43
Fedora 43 Update: coturn-4.7.0-4.fc43
Fedora 43 Update: tuxanci-0.21.0-27.fc43

[SECURITY] Fedora 42 Update: NetworkManager-l2tp-1.52.0-1.fc42

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-0d1cf2e45b
2026-01-13 01:12:50.637164+00:00
--------------------------------------------------------------------------------

Name : NetworkManager-l2tp
Product : Fedora 42
Version : 1.52.0
Release : 1.fc42
URL : https://github.com/nm-l2tp/NetworkManager-l2tp
Summary : NetworkManager VPN plugin for L2TP and L2TP/IPsec
Description :
This package contains software for integrating L2TP and L2TP over
IPsec VPN support with the NetworkManager.

--------------------------------------------------------------------------------
Update Information:

Updated to 1.52.0 release (CVE-2025-9615)
Verify file permissions for private connections to prevent
unprivileged user from using other user's certs.
Ensure NetworkManager dependency has CVE-2025-9615 update.
--------------------------------------------------------------------------------
ChangeLog:

* Sun Jan 11 2026 Douglas Kosovic [doug@uq.edu.au] - 1.52.0-1
- Updated to 1.52.0 release
Verify file permissions for private connections to prevent unprivileged
user from using other user's certs (CVE-2025-9615)
- Ensure NetworkManager dependency has CVE-2025-9615 update.
- Correct sed example in generated README.Fedora and README.EPEL files.
* Wed Nov 12 2025 Douglas Kosovic [doug@uq.edu.au] - 1.20.20-5
- Add README.Fedora for Fedora or README.EPEL for EPEL
- Use (go-l2tp or xl2tpd) dependency for Fedora 43 to handle upgrades
from earlier Fedora versions that had xl2tpd installed.
* Tue Aug 26 2025 Douglas Kosovic [doug@uq.edu.au] - 1.20.20-4
- Fix orphaned xl2tpd dependency issue, switch to go-l2tp (rhbz#2390669,rhbz#2390688)
* Wed Jul 23 2025 Fedora Release Engineering [releng@fedoraproject.org] - 1.20.20-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-0d1cf2e45b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--

[SECURITY] Fedora 42 Update: coturn-4.7.0-4.fc42

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-c75d08ab90
2026-01-13 01:12:50.637125+00:00
--------------------------------------------------------------------------------

Name : coturn
Product : Fedora 42
Version : 4.7.0
Release : 4.fc42
URL : https://github.com/coturn/coturn/
Summary : TURN/STUN & ICE Server
Description :
The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway.
It can be used as a general-purpose network traffic TURN server/gateway, too.

This implementation also includes some extra features. Supported RFCs:

TURN specs:
- RFC 5766 - base TURN specs
- RFC 6062 - TCP relaying TURN extension
- RFC 6156 - IPv6 extension for TURN
- Experimental DTLS support as client protocol.

STUN specs:
- RFC 3489 - "classic" STUN
- RFC 5389 - base "new" STUN specs
- RFC 5769 - test vectors for STUN protocol testing
- RFC 5780 - NAT behavior discovery support

The implementation fully supports the following client-to-TURN-server protocols:
- UDP (per RFC 5766)
- TCP (per RFC 5766 and RFC 6062)
- TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2
- DTLS (experimental non-standard feature)

Supported relay protocols:
- UDP (per RFC 5766)
- TCP (per RFC 6062)

Supported user databases (for user repository, with passwords or keys, if
authentication is required):
- SQLite
- MySQL
- PostgreSQL
- Redis

Redis can also be used for status and statistics storage and notification.

Supported TURN authentication mechanisms:
- long-term
- TURN REST API (a modification of the long-term mechanism, for time-limited
secret-based authentication, for WebRTC applications)

The load balancing can be implemented with the following tools (either one or a
combination of them):
- network load-balancer server
- DNS-based load balancing
- built-in ALTERNATE-SERVER mechanism.

--------------------------------------------------------------------------------
Update Information:

Backport upstream patches for CVE-2025-69217 (#2425955)
--------------------------------------------------------------------------------
ChangeLog:

* Sun Jan 4 2026 Robert Scheck [robert@fedoraproject.org] - 4.7.0-4
- Backport upstream patches for CVE-2025-69217 (#2425955)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2425955 - CVE-2025-69217 coturn: coturn: Authentication bypass and port prediction via predictable random number generation
https://bugzilla.redhat.com/show_bug.cgi?id=2425955
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-c75d08ab90' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--

[SECURITY] Fedora 42 Update: openssh-9.9p1-12.fc42

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-9d457091e8
2026-01-13 01:12:50.637147+00:00
--------------------------------------------------------------------------------

Name : openssh
Product : Fedora 42
Version : 9.9p1
Release : 12.fc42
URL : http://www.openssh.com/portable.html
Summary : An open source implementation of SSH protocol version 2
Description :
SSH (Secure SHell) is a program for logging into and executing
commands on a remote machine. SSH is intended to replace rlogin and
rsh, and to provide secure encrypted communications between two
untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH is OpenBSD's version of the last free version of SSH, bringing
it up to date in terms of security and features.

This package includes the core files necessary for both the OpenSSH
client and server. To make this package useful, you should also
install openssh-clients, openssh-server, or both.

--------------------------------------------------------------------------------
Update Information:

Added fixes for CVE-2025-61985 and CVE-2025-61984
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jan 8 2026 Zoltan Fridrich [zfridric@redhat.com] - 9.9p1-12
- CVE-2025-61984: Reject usernames with control characters
Resolves: rhbz#2402667
- CVE-2025-61985: Reject URL-strings with NULL characters
Resolves: rhbz#2402670
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2402667 - CVE-2025-61984 openssh: From CVEorg collector [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2402667
[ 2 ] Bug #2402670 - CVE-2025-61985 openssh: From CVEorg collector [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2402670
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-9d457091e8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--

[SECURITY] Fedora 42 Update: tuxanci-0.21.0-26.fc42

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-c76c93c411
2026-01-13 01:12:50.637122+00:00
--------------------------------------------------------------------------------

Name : tuxanci
Product : Fedora 42
Version : 0.21.0
Release : 26.fc42
URL : None
Summary : First Tux shooter multi-player network game
Description :
Tuxanci is a first Tux shooter game supporting single player and multi-player
modes both on a single computer and over the network.

--------------------------------------------------------------------------------
Update Information:

This release removes bad URL tag from the package.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jan 2 2026 Petr Pisar [ppisar@redhat.com] - 0.21.0-26
- Remove disfunctional and abused URL from RPM metadata (bug #2422021)
* Thu Jul 17 2025 Petr Pisar [ppisar@redhat.com] - 0.21.0-25
- Adapt to CMake 4.0 (bug #2381617)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2422021 - The tuxanci URL listed in the package info redirects to an adult content gambling website.
https://bugzilla.redhat.com/show_bug.cgi?id=2422021
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-c76c93c411' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--

[SECURITY] Fedora 43 Update: NetworkManager-l2tp-1.52.0-1.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-4ba84b1f69
2026-01-13 00:48:16.528009+00:00
--------------------------------------------------------------------------------

Name : NetworkManager-l2tp
Product : Fedora 43
Version : 1.52.0
Release : 1.fc43
URL : https://github.com/nm-l2tp/NetworkManager-l2tp
Summary : NetworkManager VPN plugin for L2TP and L2TP/IPsec
Description :
This package contains software for integrating L2TP and L2TP over
IPsec VPN support with the NetworkManager.

--------------------------------------------------------------------------------
Update Information:

Updated to 1.52.0 release (CVE-2025-9615)
Verify file permissions for private connections to prevent unprivileged
user from using other user's certs (CVE-2025-9615)
Ensure NetworkManager dependency has CVE-2025-9615 update.
--------------------------------------------------------------------------------
ChangeLog:

* Sun Jan 11 2026 Douglas Kosovic [doug@uq.edu.au] - 1.52.0-1
- Updated to 1.52.0 release
Verify file permissions for private connections to prevent unprivileged
user from using other user's certs (CVE-2025-9615)
- Ensure NetworkManager dependency has CVE-2025-9615 update.
- Correct sed example in generated README.Fedora and README.EPEL files.
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-4ba84b1f69' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--

[SECURITY] Fedora 43 Update: coturn-4.7.0-4.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-c9fb3f5806
2026-01-13 00:48:16.527966+00:00
--------------------------------------------------------------------------------

Name : coturn
Product : Fedora 43
Version : 4.7.0
Release : 4.fc43
URL : https://github.com/coturn/coturn/
Summary : TURN/STUN & ICE Server
Description :
The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway.
It can be used as a general-purpose network traffic TURN server/gateway, too.

This implementation also includes some extra features. Supported RFCs:

TURN specs:
- RFC 5766 - base TURN specs
- RFC 6062 - TCP relaying TURN extension
- RFC 6156 - IPv6 extension for TURN
- Experimental DTLS support as client protocol.

STUN specs:
- RFC 3489 - "classic" STUN
- RFC 5389 - base "new" STUN specs
- RFC 5769 - test vectors for STUN protocol testing
- RFC 5780 - NAT behavior discovery support

The implementation fully supports the following client-to-TURN-server protocols:
- UDP (per RFC 5766)
- TCP (per RFC 5766 and RFC 6062)
- TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2
- DTLS (experimental non-standard feature)

Supported relay protocols:
- UDP (per RFC 5766)
- TCP (per RFC 6062)

Supported user databases (for user repository, with passwords or keys, if
authentication is required):
- SQLite
- MySQL
- PostgreSQL
- Redis

Redis can also be used for status and statistics storage and notification.

Supported TURN authentication mechanisms:
- long-term
- TURN REST API (a modification of the long-term mechanism, for time-limited
secret-based authentication, for WebRTC applications)

The load balancing can be implemented with the following tools (either one or a
combination of them):
- network load-balancer server
- DNS-based load balancing
- built-in ALTERNATE-SERVER mechanism.

--------------------------------------------------------------------------------
Update Information:

Backport upstream patches for CVE-2025-69217 (#2425955)
--------------------------------------------------------------------------------
ChangeLog:

* Sun Jan 4 2026 Robert Scheck [robert@fedoraproject.org] - 4.7.0-4
- Backport upstream patches for CVE-2025-69217 (#2425955)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2425955 - CVE-2025-69217 coturn: coturn: Authentication bypass and port prediction via predictable random number generation
https://bugzilla.redhat.com/show_bug.cgi?id=2425955
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-c9fb3f5806' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--

[SECURITY] Fedora 43 Update: tuxanci-0.21.0-27.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-dbbc47a56f
2026-01-13 00:48:16.527959+00:00
--------------------------------------------------------------------------------

Name : tuxanci
Product : Fedora 43
Version : 0.21.0
Release : 27.fc43
URL : None
Summary : First Tux shooter multi-player network game
Description :
Tuxanci is a first Tux shooter game supporting single player and multi-player
modes both on a single computer and over the network.

--------------------------------------------------------------------------------
Update Information:

This release removes bad URL tag from the package.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jan 2 2026 Petr Pisar [ppisar@redhat.com] - 0.21.0-27
- Remove disfunctional and abused URL from RPM metadata (bug #2422021)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2422021 - The tuxanci URL listed in the package info redirects to an adult content gambling website.
https://bugzilla.redhat.com/show_bug.cgi?id=2422021
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-dbbc47a56f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--