Fedora 42 Update: kea-3.0.3-1.fc42
Fedora 43 Update: corosync-3.1.10-2.fc43
Fedora 43 Update: pspp-2.1.1-5.fc43
Fedora 43 Update: goose-1.23.2-7.fc43
Fedora 43 Update: rauc-1.15.2-1.fc43
Fedora 43 Update: kea-3.0.3-1.fc43
[SECURITY] Fedora 42 Update: kea-3.0.3-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-66f19b11e0
2026-04-08 01:11:50.124000+00:00
--------------------------------------------------------------------------------
Name : kea
Product : Fedora 42
Version : 3.0.3
Release : 1.fc42
URL : http://kea.isc.org
Summary : DHCPv4, DHCPv6 and DDNS server from ISC
Description :
DHCP implementation from Internet Systems Consortium, Inc. that features fully
functional DHCPv4, DHCPv6 and Dynamic DNS servers.
Both DHCP servers fully support server discovery, address assignment, renewal,
rebinding and release. The DHCPv6 server supports prefix delegation. Both
servers support DNS Update mechanism, using stand-alone DDNS daemon.
--------------------------------------------------------------------------------
Update Information:
New version 3.0.3 (rhbz#2451141)
Fixes CVE-2026-3608 (rhbz#2451621)
--------------------------------------------------------------------------------
ChangeLog:
* Mon Mar 30 2026 Martin Osvald [mosvald@redhat.com] - 3.0.3-1
- New version 3.0.3 (rhbz#2451141)
- Fixes CVE-2026-3608 (rhbz#2451621)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2451141 - kea-3.0.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2451141
[ 2 ] Bug #2451621 - CVE-2026-3608 kea: Kea: Denial of Service via maliciously crafted message [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2451621
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-66f19b11e0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 43 Update: corosync-3.1.10-2.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-ee4ff58256
2026-04-08 00:52:24.173309+00:00
--------------------------------------------------------------------------------
Name : corosync
Product : Fedora 43
Version : 3.1.10
Release : 2.fc43
URL : http://corosync.github.io/corosync/
Summary : The Corosync Cluster Engine and Application Programming Interfaces
Description :
This package contains the Corosync Cluster Engine Executive, several default
APIs and libraries, default configuration files, and an init script.
--------------------------------------------------------------------------------
Update Information:
Security fix for CVE-2026-35091 and CVE-2026-35092
--------------------------------------------------------------------------------
ChangeLog:
* Thu Apr 2 2026 Jan Friesse [jfriesse@redhat.com] - 3.1.10-2
- totemsrp: Return error if sanity check fails
(fixes CVE-2026-35091)
- totemsrp: Fix integer overflow in memb_join_sanity
(fixes CVE-2026-35092)
* Fri Jan 23 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 3.1.10-4
- Rebuilt for net-snmp 5.9.5.2
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 3.1.10-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 3.1.10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2453169 - corosync: pre-auth OOB read in check_memb_commit_token_sanity + integer overflow in check_memb_join_sanity
https://bugzilla.redhat.com/show_bug.cgi?id=2453169
[ 2 ] Bug #2453815 - CVE-2026-35091 corosync: Corosync: Denial of Service and information disclosure via crafted UDP packet [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453815
[ 3 ] Bug #2453821 - CVE-2026-35092 corosync: Corosync: Denial of Service via integer overflow in join message validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453821
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-ee4ff58256' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: pspp-2.1.1-5.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7b2964fc42
2026-04-08 00:52:24.173305+00:00
--------------------------------------------------------------------------------
Name : pspp
Product : Fedora 43
Version : 2.1.1
Release : 5.fc43
URL : https://www.gnu.org/software/pspp/
Summary : A program for statistical analysis of sampled data
Description :
PSPP is a program for statistical analysis of sampled data. It
interprets commands in the SPSS language and produces tabular
output in ASCII, PostScript, or HTML format.
PSPP development is ongoing. It already supports a large subset
of SPSS's transformation language. Its statistical procedure
support is currently limited, but growing.
--------------------------------------------------------------------------------
Update Information:
Fix several low-priority CVEs
Build with new Gnulib
--------------------------------------------------------------------------------
ChangeLog:
* Mon Mar 30 2026 Peter Lemenkov [lemenkov@gmail.com] - 2.1.1-5
- Fix FTBFS
* Mon Mar 30 2026 Peter Lemenkov [lemenkov@gmail.com] - 2.1.1-4
- Fix bunch of low-priority CVEs
* Mon Mar 23 2026 Peter Lemenkov [lemenkov@gmail.com] - 2.1.1-3
- Fix for a recent gnulib
* Tue Mar 10 2026 Peter Lemenkov [lemenkov@gmail.com] - 2.1.1-2
- Clarify how to get Smake file
* Sat Mar 7 2026 Peter Lemenkov [lemenkov@gmail.com] - 2.1.1-1
- PSPP ver. 2.1.1
* Thu Mar 5 2026 Peter Lemenkov [lemenkov@gmail.com] - 2.1.0-1
- PSPP ver. 2.1.0
* Mon Mar 2 2026 Peter Lemenkov [lemenkov@gmail.com] - 2.0.1-11
- Fix build with more recent gettext
* Thu Feb 12 2026 Peter Lemenkov [lemenkov@gmail.com] - 2.0.1-10
- Address CVE-2025-47229
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 2.0.1-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Fri Jul 25 2025 Fedora Release Engineering [releng@fedoraproject.org] - 2.0.1-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Tue May 13 2025 Yaakov Selkowitz [yselkowi@redhat.com] - 2.0.1-7
- Fix flatpak build
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2364045 - CVE-2025-47229 pspp: denial of service via crafted input data in pspp [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2364045
[ 2 ] Bug #2365598 - CVE-2025-47815 pspp: PSPP: Heap Buffer Overflow [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2365598
[ 3 ] Bug #2365601 - CVE-2025-47814 pspp: PSPP: Heap Buffer Overflow [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2365601
[ 4 ] Bug #2367194 - CVE-2025-48188 pspp: Heap Buffer Over-Read in PSPP rijndaelDecrypt Function [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2367194
[ 5 ] Bug #2367692 - CVE-2025-5001 pspp: GNU PSPP pspp-convert.c calloc integer overflow [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2367692
[ 6 ] Bug #2371375 - CVE-2025-5898 pspp: GNU PSPP pspp-convert.c parse_variables_option out-of-bounds write [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2371375
[ 7 ] Bug #2371378 - CVE-2025-5899 pspp: GNU PSPP pspp-convert.c parse_variables_option free of memory not on the heap [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2371378
[ 8 ] Bug #2385429 - pspp: FTBFS in Fedora rawhide/f43
https://bugzilla.redhat.com/show_bug.cgi?id=2385429
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-7b2964fc42' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: goose-1.23.2-7.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-a45f438402
2026-04-08 00:52:24.173289+00:00
--------------------------------------------------------------------------------
Name : goose
Product : Fedora 43
Version : 1.23.2
Release : 7.fc43
URL : https://github.com/block/goose
Summary : Extensible AI agent client
Description :
Goose is your on-machine AI agent, capable of automating complex development
tasks from start to finish. More than just code suggestions, goose can build
entire projects from scratch, write and execute code, debug failures,
orchestrate workflows, and interact with external APIs - autonomously.
Whether you're prototyping an idea, refining existing code, or managing
intricate engineering pipelines, goose adapts to your workflow and executes
tasks with precision.
Designed for maximum flexibility, goose works with any LLM and supports
multi-model configuration to optimize performance and cost, seamlessly
integrates with MCP servers, and is available as both a desktop app as well as
CLI - making it the ultimate AI assistant for developers who want to move
faster and focus on innovation.
--------------------------------------------------------------------------------
Update Information:
Update goose to fix fedora#2449678
--------------------------------------------------------------------------------
ChangeLog:
* Fri Mar 27 2026 Manuel Moran [mmoran@redhat.com] - 1.23.2-7
- [skip changelog] Fix gating
* Fri Mar 27 2026 Martin Litwora [mlitwora@redhat.com] - 1.23.2-6
- Change the test plan URL to point directly to centos-stream test
repository
* Fri Mar 27 2026 Sam Doran [sdoran@redhat.com] - 1.23.2-5
- Fix CVE-2026-33056 for tar dependency
* Thu Mar 26 2026 Sam Doran [sdoran@redhat.com] - 1.23.2-4
- Raise recursion limit on server_test.rs
* Mon Mar 23 2026 Manuel Moran [mmoran@redhat.com] - 1.23.2-3
- Add gating
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2449678 - CVE-2026-33056 goose: tar-rs: Arbitrary directory permission modification via crafted tar archive [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449678
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-a45f438402' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: rauc-1.15.2-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f0293b845e
2026-04-08 00:52:24.173281+00:00
--------------------------------------------------------------------------------
Name : rauc
Product : Fedora 43
Version : 1.15.2
Release : 1.fc43
URL : https://rauc.io/
Summary : Safe and secure software updates for embedded Linux
Description :
RAUC is a lightweight update client that runs on your Embedded Linux device
and reliably controls the procedure of updating your device with a new firmware
revision. RAUC is also the tool on your host system that lets you create,
inspect and modify update artifacts for your device.
Service is not installed as that is only needed on device.
--------------------------------------------------------------------------------
Update Information:
version bumped from 1.15.1 to 1.15.2
--------------------------------------------------------------------------------
ChangeLog:
* Mon Mar 30 2026 Bruno Thomsen [bruno.thomsen@gmail.com] - 1.15.2-1
- Update package from 1.15.1 to 1.15.2
- Fixes CVE-2026-34155
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2452217 - rauc-1.15.2 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2452217
[ 2 ] Bug #2453895 - CVE-2026-34155 rauc: improper signing of plain bundles exceeding 2 GiB [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453895
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f0293b845e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: kea-3.0.3-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-04263e2a5b
2026-04-08 00:52:24.173260+00:00
--------------------------------------------------------------------------------
Name : kea
Product : Fedora 43
Version : 3.0.3
Release : 1.fc43
URL : http://kea.isc.org
Summary : DHCPv4, DHCPv6 and DDNS server from ISC
Description :
DHCP implementation from Internet Systems Consortium, Inc. that features fully
functional DHCPv4, DHCPv6 and Dynamic DNS servers.
Both DHCP servers fully support server discovery, address assignment, renewal,
rebinding and release. The DHCPv6 server supports prefix delegation. Both
servers support DNS Update mechanism, using stand-alone DDNS daemon.
--------------------------------------------------------------------------------
Update Information:
New version 3.0.3 (rhbz#2451141)
Fixes CVE-2026-3608 (rhbz#2451621)
--------------------------------------------------------------------------------
ChangeLog:
* Mon Mar 30 2026 Martin Osvald [mosvald@redhat.com] - 3.0.3-1
- New version 3.0.3 (rhbz#2451141)
- Fixes CVE-2026-3608 (rhbz#2451621)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2451141 - kea-3.0.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2451141
[ 2 ] Bug #2451621 - CVE-2026-3608 kea: Kea: Denial of Service via maliciously crafted message [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2451621
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-04263e2a5b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------