
AlmaLinux just pushed out a major security update that targets critical weaknesses across several widely used packages. The release fixes dangerous flaws in flatpak, cockpit, various kernel builds, .NET 8.0, and Apache httpd where malicious actors could trigger arbitrary code execution or force system crashes. Server administrators need to apply these patches right away because the unpatched vulnerabilities leave environments open to remote exploitation and privilege escalation. Full technical breakdowns along with direct download links are available through the standard AlmaLinux errata portal.

ALSA-2026:21756: flatpak security update (Important)
ALSA-2026:21700: cockpit security update (Important)
ALSA-2026:21745: kernel-rt security update (Important)
ALSA-2026:21293: .NET 8.0 security update (Important)
ALSA-2026:21291: .NET 8.0 security update (Important)
ALSA-2026:21468: cockpit security update (Important)
ALSA-2026:21706: kernel security update (Important)
ALSA-2026:21286: .NET 8.0 security update (Important)
ALSA-2026:21433: httpd security update (Important)




ALSA-2026:21756: flatpak security update (Important)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 8
Type: Security
Severity: Important
Release date: 2026-05-28

Summary:

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.

Security Fix(es):

* flatpak: Flatpak: Arbitrary code execution via crafted symlinks in sandbox-expose options (CVE-2026-34078)
* flatpak: Flatpak: Arbitrary file deletion on host via improper cache file path validation (CVE-2026-34079)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2026-21756.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2026:21700: cockpit security update (Important)



AlmaLinux: 8
Type: Security
Severity: Important
Release date: 2026-05-28

Summary:

Cockpit enables users to administer GNU/Linux servers using a web browser. It
offers network configuration, log inspection, diagnostic reports, SELinux
troubleshooting, interactive command-line sessions, and more.

Security Fix(es):

* cockpit: Cockpit: Arbitrary command execution via crafted links in system logs UI (CVE-2026-4802)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2026-21700.html




ALSA-2026:21745: kernel-rt security update (Important)



AlmaLinux: 8
Type: Security
Severity: Important
Release date: 2026-05-28

Summary:

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: Bluetooth: MGMT: Fix possible UAFs (CVE-2025-39981)
* kernel: ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr (CVE-2025-68183)
* kernel: ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events (CVE-2025-68347)
* kernel: libceph: make decode_pool() more resilient against corrupted osdmaps (CVE-2025-71116)
* kernel: Linux kernel: Denial of service and memory corruption in RDMA umad (CVE-2026-23243)
* kernel: Linux kernel: Use-after-free in traffic control (act_ct) may lead to denial of service or privilege escalation (CVE-2026-23270)
* kernel: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() (CVE-2026-23455)
* kernel: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold (CVE-2026-31408)
* kernel: can: raw: fix ro->uniq use-after-free in raw_rcv() (CVE-2026-31532)
* kernel: net: sched: act_csum: validate nested VLAN headers (CVE-2026-31684)
* kernel: netfilter: ip6t_eui64: reject invalid MAC header for all packets (CVE-2026-31685)
* kernel: netfilter: nf_conntrack_helper: pass helper to expect cleanup (CVE-2026-43027)
* kernel: Bluetooth: MGMT: validate LTK enc_size on load (CVE-2026-43020)
* kernel: HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq (CVE-2026-43051)
* kernel: smb: client: validate the whole DACL before rewriting it in cifsacl (CVE-2026-31709)
* kernel: md/bitmap: fix GPF in write_page caused by resize race (CVE-2026-43163)
* kernel: netfilter: xt_tcpmss: check remaining length before reading optlen (CVE-2026-43190)
* kernel: xfs: fix freemap adjustments when adding xattrs to leaf blocks (CVE-2026-43158)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2026-21745.html




ALSA-2026:21293: .NET 8.0 security update (Important)



AlmaLinux: 9
Type: Security
Severity: Important
Release date: 2026-05-28

Summary:

.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.

New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 8.0.127 and .NET Runtime 8.0.27.

Security Fix(es):

* serialize-javascript: serialize-javascript: Denial of Service via specially crafted array-like object serialization (CVE-2026-34043)
* dotnet: .NET: infinite loop allows an attacker to cause a denial of service (CVE-2026-42899)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2026-21293.html




ALSA-2026:21291: .NET 8.0 security update (Important)



AlmaLinux: 8
Type: Security
Severity: Important
Release date: 2026-05-28

Summary:

.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.

New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 8.0.127 and .NET Runtime 8.0.27.

Security Fix(es):

* serialize-javascript: serialize-javascript: Denial of Service via specially crafted array-like object serialization (CVE-2026-34043)
* dotnet: .NET: infinite loop allows an attacker to cause a denial of service (CVE-2026-42899)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2026-21291.html




ALSA-2026:21468: cockpit security update (Important)



AlmaLinux: 9
Type: Security
Severity: Important
Release date: 2026-05-28

Summary:

Cockpit enables users to administer GNU/Linux servers using a web browser. It offers network configuration, log inspection, diagnostic reports, SELinux troubleshooting, interactive command-line sessions, and more.

Security Fix(es):

* cockpit: Cockpit: Arbitrary command execution via crafted links in system logs UI (CVE-2026-4802)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2026-21468.html




ALSA-2026:21706: kernel security update (Important)



AlmaLinux: 8
Type: Security
Severity: Important
Release date: 2026-05-28

Summary:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: Bluetooth: MGMT: Fix possible UAFs (CVE-2025-39981)
* kernel: ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr (CVE-2025-68183)
* kernel: ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events (CVE-2025-68347)
* kernel: libceph: make decode_pool() more resilient against corrupted osdmaps (CVE-2025-71116)
* kernel: Linux kernel: Denial of service and memory corruption in RDMA umad (CVE-2026-23243)
* kernel: Linux kernel: Use-after-free in traffic control (act_ct) may lead to denial of service or privilege escalation (CVE-2026-23270)
* kernel: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() (CVE-2026-23455)
* kernel: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold (CVE-2026-31408)
* kernel: can: raw: fix ro->uniq use-after-free in raw_rcv() (CVE-2026-31532)
* kernel: net: sched: act_csum: validate nested VLAN headers (CVE-2026-31684)
* kernel: netfilter: ip6t_eui64: reject invalid MAC header for all packets (CVE-2026-31685)
* kernel: netfilter: nf_conntrack_helper: pass helper to expect cleanup (CVE-2026-43027)
* kernel: Bluetooth: MGMT: validate LTK enc_size on load (CVE-2026-43020)
* kernel: HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq (CVE-2026-43051)
* kernel: smb: client: validate the whole DACL before rewriting it in cifsacl (CVE-2026-31709)
* kernel: md/bitmap: fix GPF in write_page caused by resize race (CVE-2026-43163)
* kernel: netfilter: xt_tcpmss: check remaining length before reading optlen (CVE-2026-43190)
* kernel: xfs: fix freemap adjustments when adding xattrs to leaf blocks (CVE-2026-43158)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2026-21706.html




ALSA-2026:21286: .NET 8.0 security update (Important)



AlmaLinux: 10
Type: Security
Severity: Important
Release date: 2026-05-28

Summary:

.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.

New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 8.0.127 and .NET Runtime 8.0.27.

Security Fix(es):

* serialize-javascript: serialize-javascript: Denial of Service via specially crafted array-like object serialization (CVE-2026-34043)
* dotnet: .NET: infinite loop allows an attacker to cause a denial of service (CVE-2026-42899)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2026-21286.html




ALSA-2026:21433: httpd security update (Important)



AlmaLinux: 10
Type: Security
Severity: Important
Release date: 2026-05-28

Summary:

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Security Fix(es):

* httpd: mod_proxy_ajp: heap-based buffer over-read and memory disclosure in ajp_parse_data() (CVE-2026-34059)
* httpd: mod_proxy_ajp: heap-based buffer over-read due to missing null-termination check (CVE-2026-34032)
* httpd: mod_proxy_ajp: off-by-one out-of-bounds reads in AJP getter functions (CVE-2026-33857)
* httpd: mod_authn_socache: NULL pointer dereference can cause a child process crash (CVE-2026-33007)
* Apache HTTP Server: mod_proxy_ajp: Apache HTTP Server mod_proxy_ajp: Arbitrary code execution via heap-based buffer overflow (CVE-2026-28780)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2026-21433.html
