
Fedora administrators should immediately apply several critical security patches released for both Fedora 43 and Fedora 44 systems. The hplip package receives version 3.26.4 to address arbitrary code execution flaws, while python-wsgidav upgrades to 4.3.4 to resolve a known vulnerability in its WebDAV implementation. X.Org server components gain eight separate security fixes for Fedora 44, and the roundcubemail webmail client gets updated to version 1.7.1 with patches for SQL injection, cross-site scripting, and file deletion risks. System owners can deploy these essential upgrades quickly by running standard dnf commands that pull the advisory packages directly from official repositories.

Fedora 43 Update: hplip-3.26.4-2.fc43
Fedora 43 Update: python-wsgidav-4.3.4-1.fc43
Fedora 44 Update: xorg-x11-server-21.1.23-1.fc44
Fedora 44 Update: python-wsgidav-4.3.4-1.fc44
Fedora 44 Update: roundcubemail-1.7.1-1.fc44
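
The upgrade step described above, as an added example (not part of the Fedora notifications): a shell check that reports which of this page's advisory IDs still apply to a host, so only those need `dnf upgrade --advisory`. The function names are hypothetical, and `sort -V` is assumed to approximate RPM version ordering for these plain numeric versions.

```shell
#!/bin/sh
# Added example: list which advisories from this page still apply to a host.
# Table copied from the notifications on this page:
# Fedora release, source package, fixed version-release, advisory ID.
FIXED_BUILDS='43 hplip 3.26.4-2.fc43 FEDORA-2026-28afc9a105
43 python-wsgidav 4.3.4-1.fc43 FEDORA-2026-7d942b469f
44 xorg-x11-server 21.1.23-1.fc44 FEDORA-2026-7e38f57cef
44 python-wsgidav 4.3.4-1.fc44 FEDORA-2026-b2212b4742
44 roundcubemail 1.7.1-1.fc44 FEDORA-2026-2b956d89d3'

# vr_older A B: succeed when version-release A sorts strictly before B.
# Assumption: sort -V approximates RPM ordering for these plain numeric
# versions; epochs and tilde/caret suffixes are not handled.
vr_older() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# pending_advisories RELEASE: read "source-package version-release" lines on
# stdin and print the advisory ID for every table row of that Fedora release
# whose package is installed at a build older than the fixed one.
pending_advisories() {
    installed=$(cat)
    printf '%s\n' "$FIXED_BUILDS" | while read -r rel pkg fixed advisory; do
        [ "$rel" = "$1" ] || continue
        have=$(printf '%s\n' "$installed" |
            awk -v p="$pkg" '$1 == p { print $2; exit }')
        [ -n "$have" ] || continue   # package not installed on this host
        if vr_older "$have" "$fixed"; then
            printf '%s\n' "$advisory"
        fi
    done
}

# installed_source_builds: one "name version-release" line per source RPM,
# so binary subpackages map back to the source names used in the table.
installed_source_builds() {
    rpm -qa --qf '%{SOURCERPM}\n' | sed -e 's/\.src\.rpm$//' \
        -e 's/^\(.*\)-\([^-]*-[^-]*\)$/\1 \2/' | sort -u
}

# Run against the local RPM database when this is an RPM-based host.
if command -v rpm >/dev/null 2>&1 && [ -r /etc/os-release ]; then
    . /etc/os-release
    installed_source_builds | pending_advisories "$VERSION_ID"
fi
```

Each printed ID can be passed to the `dnf upgrade --advisory` command quoted in the matching notification.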




[SECURITY] Fedora 43 Update: hplip-3.26.4-2.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-28afc9a105
2026-06-03 01:17:29.592122+00:00
--------------------------------------------------------------------------------

Name : hplip
Product : Fedora 43
Version : 3.26.4
Release : 2.fc43
URL : https://developers.hp.com/hp-linux-imaging-and-printing
Summary : HP Linux Imaging and Printing Project
Description :
The Hewlett-Packard Linux Imaging and Printing Project provides
drivers for HP printers and multi-function peripherals.

--------------------------------------------------------------------------------
Update Information:

Update to 3.26.4, fixes CVE-2026-8631, CVE-2026-8632
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 26 2026 Zdenek Dohnal [zdohnal@redhat.com] - 3.26.4-2
- Fix location+user-agent of plugin in hp-plugin-download
* Mon May 25 2026 Zdenek Dohnal [zdohnal@redhat.com] - 3.26.4-1
- 3.26.4 (fedora#2480158), fixes CVE-2026-8631, CVE-2026-8632
* Fri Jan 23 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 3.25.8-2
- Rebuilt for net-snmp 5.9.5.2
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2480300 - CVE-2026-8631 HPLIP: HPLIP: Arbitrary code execution and privilege escalation via integer overflow in hpcups
https://bugzilla.redhat.com/show_bug.cgi?id=2480300
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-28afc9a105' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: python-wsgidav-4.3.4-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7d942b469f
2026-06-03 01:17:29.592069+00:00
--------------------------------------------------------------------------------

Name : python-wsgidav
Product : Fedora 43
Version : 4.3.4
Release : 1.fc43
URL : https://github.com/mar10/wsgidav
Summary : Generic and extendable WebDAV server based on WSGI
Description :
A generic and extendable WebDAV server written in Python and based on WSGI.

Main features:

* WsgiDAV is a stand-alone WebDAV server with SSL support, that can be
  installed and run as Python command line script.
* The python-pam library is needed as extra requirement if pam-login
  authentication is used on Linux or OSX.
* WebDAV is a superset of HTTP, so WsgiDAV is also a performant,
  multi-threaded web server with SSL support.
* WsgiDAV is also a Python library that implements the WSGI protocol and can
  be run behind any WSGI compliant web server.
* WsgiDAV is implemented as a configurable stack of WSGI middleware
  applications. Its open architecture allows to extend the functionality and
  integrate WebDAV services into your project. Typical use cases are:
  - Expose data structures as virtual, editable file systems.
  - Allow online editing of MS Office documents.

--------------------------------------------------------------------------------
Update Information:

4.3.4 / 2026-05-24
Resolve security advisory CVE-2026-48099
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 25 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 4.3.4-1
- Update to 4.3.4 upstream release
- Resolves: rhbz#2481045
* Wed May 20 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 4.3.3-21
- Use various long options
* Wed May 20 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 4.3.3-20
- Use long pyproject options
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2481045 - python-wsgidav-4.3.4 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2481045
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-7d942b469f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: xorg-x11-server-21.1.23-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7e38f57cef
2026-06-03 00:50:32.709810+00:00
--------------------------------------------------------------------------------

Name : xorg-x11-server
Product : Fedora 44
Version : 21.1.23
Release : 1.fc44
URL : http://www.x.org
Summary : X.Org X11 X server
Description :
X.Org X11 X server.

--------------------------------------------------------------------------------
Update Information:

Update to xserver 21.1.23, security fixes for:
ZDI-CAN-30136, ZDI-CAN-30159, ZDI-CAN-30160,
ZDI-CAN-30161, ZDI-CAN-30163, ZDI-CAN-30164,
ZDI-CAN-30165, ZDI-CAN-30168
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 2 2026 Peter Hutterer [peter.hutterer@redhat.com] - 21.1.23-1
- Update to xserver 21.1.23
Security fixes for: ZDI-CAN-30136, ZDI-CAN-30159, ZDI-CAN-30160,
ZDI-CAN-30161, ZDI-CAN-30163, ZDI-CAN-30164,
ZDI-CAN-30165, ZDI-CAN-30168
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-7e38f57cef' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: python-wsgidav-4.3.4-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-b2212b4742
2026-06-03 00:50:32.709749+00:00
--------------------------------------------------------------------------------

Name : python-wsgidav
Product : Fedora 44
Version : 4.3.4
Release : 1.fc44
URL : https://github.com/mar10/wsgidav
Summary : Generic and extendable WebDAV server based on WSGI
Description :
A generic and extendable WebDAV server written in Python and based on WSGI.

Main features:

* WsgiDAV is a stand-alone WebDAV server with SSL support, that can be
  installed and run as Python command line script.
* The python-pam library is needed as extra requirement if pam-login
  authentication is used on Linux or OSX.
* WebDAV is a superset of HTTP, so WsgiDAV is also a performant,
  multi-threaded web server with SSL support.
* WsgiDAV is also a Python library that implements the WSGI protocol and can
  be run behind any WSGI compliant web server.
* WsgiDAV is implemented as a configurable stack of WSGI middleware
  applications. Its open architecture allows to extend the functionality and
  integrate WebDAV services into your project. Typical use cases are:
  - Expose data structures as virtual, editable file systems.
  - Allow online editing of MS Office documents.

--------------------------------------------------------------------------------
Update Information:

4.3.4 / 2026-05-24
Resolve security advisory CVE-2026-48099
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 25 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 4.3.4-1
- Update to 4.3.4 upstream release
- Resolves: rhbz#2481045
* Wed May 20 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 4.3.3-21
- Use various long options
* Wed May 20 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 4.3.3-20
- Use long pyproject options
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2481045 - python-wsgidav-4.3.4 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2481045
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-b2212b4742' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: roundcubemail-1.7.1-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-2b956d89d3
2026-06-03 00:50:32.709746+00:00
--------------------------------------------------------------------------------

Name : roundcubemail
Product : Fedora 44
Version : 1.7.1
Release : 1.fc44
URL : http://www.roundcube.net
Summary : Round Cube Webmail is a browser-based multilingual IMAP client
Description :
RoundCube Webmail is a browser-based multilingual IMAP client
with an application-like user interface. It provides full
functionality you expect from an e-mail client, including MIME
support, address book, folder manipulation, message searching
and spell checking. RoundCube Webmail is written in PHP and
requires a database: MySQL, PostgreSQL and SQLite are known to
work. The user interface is fully skinnable using XHTML and
CSS 2.

--------------------------------------------------------------------------------
Update Information:

Release 1.7.1
Enigma: Support automatic public key lookup (import) using HKP v1 protocol
(#5314)
Managesieve: Fix error when a mail message contains duplicate List-Id header
(#10186)
Clarified Elastic installation instructions (#10163)
Added HTMLFormElement.requestSubmit() polyfill for older browsers (#10179)
Fix so "has:attachment" search uses $HasAttachment/$HasNoAttachment keywords
(#10168)
Fix potential too long value in IMAP ID command (#10136)
Fix redis/memcache disconnection in rcube::sleep() (#10127)
Fix so static resources, e.g. skin_logo can be put inside the public_html
directory (#10160)
Fix so REQUEST_URI is used as a fallback if PATH_INFO is not set in static.php
(#10181)
Fix assets_path feature and remove dependency on PATH_INFO (#10185)
Fix MySQL upgrade on MySQL < 8.0 and MariaDB < 10.5.3 (#10188)
Security: Fix stored XSS/HTML/CSS injection in subject field of the draft
restore dialog
Security: Fix CSS injection bypass in HTML sanitizer via SVG
Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace
backslash escape bypass
Security: Fix SSRF bypass via specific local address URLs
Security: Fix bypass of remote image blocking via CSS var()
Security: Fix local/private URL fetch bypass when remote resources were not
allowed
Security: Fix pre-auth arbitrary file delete via redis/memcache session
poisoning bypass
Security: Fix code injection vulnerability - remove support for code evaluation
in LDAP autovalues option
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 25 2026 Remi Collet [remi@remirepo.net] - 1.7.1-1
- update to 1.7.1
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2481615 - CVE-2026-48842 roundcubemail: pre-auth SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481615
[ 2 ] Bug #2481617 - CVE-2026-48844 roundcubemail: code injection via insecure LDAP autovalues option [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481617
[ 3 ] Bug #2481619 - CVE-2026-48843 roundcubemail: information disclosure and Server-Side Request Forgery via insufficient CSS sanitization [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481619
[ 4 ] Bug #2481622 - CVE-2026-48845 roundcubemail: privilege escalation via remote image blocking bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481622
[ 5 ] Bug #2481624 - CVE-2026-48848 roundcubemail: CSS injection via an SVG document that has an animate element with the attributeName attribute [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481624
[ 6 ] Bug #2481626 - CVE-2026-48847 roundcubemail: arbitrary file deletion via redis/memcache session poisoning bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481626
[ 7 ] Bug #2481628 - CVE-2026-48846 roundcubemail: remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481628
[ 8 ] Bug #2481629 - CVE-2026-48849 roundcubemail: XSS via unsanitized subject field in the draft restored value [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481629
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-2b956d89d3' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

