Fedora 43 Update: kernel-7.0.14-101.fc43
Fedora 43 Update: transmission-4.1.3-1.fc43
Fedora 43 Update: thunderbird-152.0-2.fc43
Fedora 43 Update: caddy-2.10.2-9.fc43
Fedora 43 Update: rclone-1.74.3-1.fc43
Fedora 43 Update: opkssh-0.14.0-3.fc43
Fedora 44 Update: kernel-7.0.14-201.fc44
Fedora 43 Update: hut-0.8.0-1.fc43
Fedora 44 Update: transmission-4.1.3-1.fc44
Fedora 44 Update: ipp-usb-0.9.34-2.fc44
Fedora 44 Update: caddy-2.10.2-9.fc44
Fedora 44 Update: rclone-1.74.3-1.fc44
Fedora 44 Update: opkssh-0.14.0-3.fc44
Fedora 44 Update: hut-0.8.0-1.fc44
[SECURITY] Fedora 43 Update: kernel-7.0.14-101.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-35e2185559
2026-07-02 01:07:29.332059+00:00
--------------------------------------------------------------------------------
Name : kernel
Product : Fedora 43
Version : 7.0.14
Release : 101.fc43
URL : https://www.kernel.org/
Summary : The Linux kernel
Description :
The kernel meta package
--------------------------------------------------------------------------------
Update Information:
The 7.0.14-101/201 kernel builds contain a fix for an unprivileged container /
jail escape. This has not been assigned a CVE number yet, but a POC is in the
wild.
The 7.0.14 stable kernel update contains a number of important fixes across the
tree.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jul 1 2026 Justin M. Forbes [jforbes@fedoraproject.org] [7.0.14-1]
- ipv6: account for fraggap on the paged allocation path (Wongi Lee)
- ipv4: account for fraggap on the paged allocation path (Wongi Lee)
* Sat Jun 27 2026 Justin M. Forbes [jforbes@fedoraproject.org] [7.0.14-0]
- Revert "Input: rmi4 - remove the need for artificial IRQ in case of HID" (Justin M. Forbes)
- Linux v7.0.14
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-35e2185559' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 43 Update: transmission-4.1.3-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-0ed2011b62
2026-07-02 01:07:29.332055+00:00
--------------------------------------------------------------------------------
Name : transmission
Product : Fedora 43
Version : 4.1.3
Release : 1.fc43
URL : http://www.transmissionbt.com
Summary : A lightweight GTK+ BitTorrent client
Description :
Transmission is a free, lightweight BitTorrent client. It features a
simple, intuitive interface on top on an efficient, cross-platform
back-end.
--------------------------------------------------------------------------------
Update Information:
Fixed a CORS bug that leaked the anti-CSRF nonce. (#8938)
Fixed a use-after-free bug in peer code. (#8921)
Fixed build error when compiling with fmt 12.2.0. (#8942)
Fix qt icon
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jun 30 2026 Gwyn Ciesla [gwync@protonmail.com] - 4.1.3-1
- 4.1.3
* Sat Jun 20 2026 Ryan Nosurname [fauxpark@gmail.com] - 4.1.2-3
- Remove unnecessary Qt icon rename
* Fri Jun 12 2026 Yaakov Selkowitz [yselkowi@redhat.com] - 4.1.2-2
- Rebuilt for openssl 4.0
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2447219 - transmission-qt has no icon
https://bugzilla.redhat.com/show_bug.cgi?id=2447219
[ 2 ] Bug #2494743 - transmission-4.1.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2494743
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-0ed2011b62' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 43 Update: thunderbird-152.0-2.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-2fb5ca48a2
2026-07-02 01:07:29.332031+00:00
--------------------------------------------------------------------------------
Name : thunderbird
Product : Fedora 43
Version : 152.0
Release : 2.fc43
URL : http://www.mozilla.org/projects/thunderbird/
Summary : Mozilla Thunderbird mail/newsgroup client
Description :
Mozilla Thunderbird is a standalone mail and newsgroup client.
--------------------------------------------------------------------------------
Update Information:
Update to latest upstream version
Update to latest upstream version.
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jun 23 2026 Jan Horak [jhorak@redhat.com] - 152.0-1
- Update to 152.0
* Fri Jun 5 2026 Jan Horak [jhorak@redhat.com] - 151.0.1-1
- Update to 151.0.1
* Thu May 21 2026 Jan Horak [jhorak@redhat.com] - 151.0-1
- Update to 151.0
* Thu May 14 2026 Jan Horak [jhorak@redhat.com] - 150.0.2-1
- Update to 150.0.2
* Tue Apr 28 2026 Jan Horak [jhorak@redhat.com] - 150.0-1
- Update to Thunderbird 150.0
* Tue Apr 14 2026 Jan Horak [jhorak@redhat.com] - 149.0.2-1
- Update to 149.0.2
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-2fb5ca48a2' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 43 Update: caddy-2.10.2-9.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-3dc324bd9a
2026-07-02 01:07:29.332017+00:00
--------------------------------------------------------------------------------
Name : caddy
Product : Fedora 43
Version : 2.10.2
Release : 9.fc43
URL : https://caddyserver.com
Summary : Web server with automatic HTTPS
Description :
Caddy is an extensible server platform that uses TLS by default.
--------------------------------------------------------------------------------
Update Information:
Security update resolving 22 CVEs across both caddy itself and its vendored
libraries.
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jun 23 2026 Carl George [carlwgeorge@gmail.com] - 2.10.2-9
- Port to new golang packaging guidelines
- Backport upstream fix for CVE-2026-27585
- Backport upstream fix for CVE-2026-27586
- Backport upstream fix for CVE-2026-27587
- Backport upstream fix for CVE-2026-27588
- Backport upstream fix for CVE-2026-27589
- Backport upstream fix for CVE-2026-27590
- Backport upstream fix for CVE-2026-30851
- Backport upstream fix for CVE-2026-30852
- Update vendored github.com/quic-go/quic-go to v0.57.0 for CVE-2025-64702
- Update vendored golang.org/x/crypto to v0.52.0 for CVE-2025-47913,
CVE-2026-39828, CVE-2026-39829, and CVE-2026-39830
- Update vendored github.com/smallstep/certificates to v0.30.0 for
CVE-2025-44005 and CVE-2026-40097
- Update vendored github.com/go-chi/chi/v5 to v5.2.5 for CVE-2025-69725
- Update vendored github.com/yuin/goldmark/renderer/html to v1.7.17 for
CVE-2026-5160
* Mon Feb 2 2026 Maxwell G [maxwell@gtmx.me] - 2.10.2-5
- Rebuild for https://fedoraproject.org/wiki/Changes/golang1.26
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 2.10.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 2.10.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Fri Oct 10 2025 Alejandro S??ez [asm@redhat.com] - 2.10.2-2
- rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2488094 - CVE-2026-30851 caddy: Caddy: Privilege escalation via identity injection due to unstripped client headers [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488094
[ 2 ] Bug #2488095 - CVE-2026-30852 caddy: Caddy: Information disclosure via double-expansion of user-controlled input [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488095
[ 3 ] Bug #2488141 - CVE-2026-40097 caddy: Step CA: Denial of Service via crafted attestation key certificate [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488141
[ 4 ] Bug #2488502 - CVE-2026-27585 caddy: Caddy: Path security bypass due to unsanitized backslashes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488502
[ 5 ] Bug #2488503 - CVE-2026-27586 caddy: Caddy: Authentication bypass via mTLS client certificate validation failure [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488503
[ 6 ] Bug #2488514 - CVE-2026-27587 caddy: Caddy: Access control bypass due to improper handling of percent-escape sequences in HTTP path matcher [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488514
[ 7 ] Bug #2488516 - CVE-2026-27588 caddy: Caddy: Access control bypass due to case-sensitive host matching [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488516
[ 8 ] Bug #2488517 - CVE-2026-27589 caddy: Caddy: Unauthorized configuration modification via cross-origin requests to the admin API [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488517
[ 9 ] Bug #2488518 - CVE-2026-27590 caddy: Caddy: Remote Code Execution via FastCGI path confusion [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488518
[ 10 ] Bug #2488572 - CVE-2025-47910 caddy: CrossOriginProtection bypass in net/http [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2488572
[ 11 ] Bug #2488575 - CVE-2025-58185 caddy: Parsing DER payload can cause memory exhaustion in encoding/asn1 [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2488575
[ 12 ] Bug #2488578 - CVE-2025-58188 caddy: Panic when validating certificates with DSA public keys in crypto/x509 [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2488578
[ 13 ] Bug #2488580 - CVE-2025-58189 caddy: go crypto/tls ALPN negotiation error contains attacker controlled information [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2488580
[ 14 ] Bug #2488582 - CVE-2025-61723 caddy: Quadratic complexity when parsing some invalid inputs in encoding/pem [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2488582
[ 15 ] Bug #2488661 - CVE-2025-64702 caddy: quic-go HTTP/3 QPACK Header Expansion DoS [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488661
[ 16 ] Bug #2488663 - CVE-2025-47913 caddy: golang.org/x/crypto/ssh/agent: SSH client panic due to unexpected SSH_AGENT_SUCCESS [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488663
[ 17 ] Bug #2488665 - CVE-2025-44005 caddy: github.com/smallstep/certificates: Authorization bypass allows unauthorized certificate creation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488665
[ 18 ] Bug #2488666 - CVE-2025-69725 caddy: Go-chi/chi: Open Redirect vulnerability allows redirection to malicious websites [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488666
[ 19 ] Bug #2488667 - CVE-2026-5160 caddy: github.com/yuin/goldmark/renderer/html: Cross-site Scripting due to improper URL validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488667
[ 20 ] Bug #2489962 - CVE-2026-39828 caddy: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2489962
[ 21 ] Bug #2490067 - CVE-2026-39829 caddy: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490067
[ 22 ] Bug #2490486 - CVE-2026-39830 caddy: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490486
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-3dc324bd9a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: rclone-1.74.3-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-e1d1b349cd
2026-07-02 01:07:29.331996+00:00
--------------------------------------------------------------------------------
Name : rclone
Product : Fedora 43
Version : 1.74.3
Release : 1.fc43
URL : https://github.com/rclone/rclone
Summary : Rsync for cloud storage
Description :
"rsync for cloud storage" - Google Drive, S3, Dropbox, Backblaze B2, One Drive,
Swift, Hubic, Wasabi, Google Cloud Storage, Azure Blob, Azure Files, Yandex
Files.
--------------------------------------------------------------------------------
Update Information:
Update to 1.74.3
--------------------------------------------------------------------------------
ChangeLog:
* Sat Jun 6 2026 Packit [hello@packit.dev] - 1.74.3-1
- Update to 1.74.3 upstream release
- Resolves: rhbz#2485621
* Sat May 23 2026 Packit [hello@packit.dev] - 1.74.2-1
- Update to 1.74.2 upstream release
- Resolves: rhbz#2468412
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2486295 - CVE-2026-45287 rclone: OpenTelemetry-Go: Denial of Service due to file descriptor leak [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2486295
[ 2 ] Bug #2489905 - CVE-2026-39828 rclone: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2489905
[ 3 ] Bug #2490091 - CVE-2026-39829 rclone: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490091
[ 4 ] Bug #2490402 - CVE-2026-39830 rclone: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490402
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-e1d1b349cd' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 43 Update: opkssh-0.14.0-3.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-12d4cde449
2026-07-02 01:07:29.331951+00:00
--------------------------------------------------------------------------------
Name : opkssh
Product : Fedora 43
Version : 0.14.0
Release : 3.fc43
URL : https://github.com/openpubkey/opkssh
Summary : OpenPubkey SSH
Description :
OpenPubkey SSH is a tool which enables ssh to be used with OpenID Connect
allowing SSH access to be managed via identities like alice@example.com instead
of long-lived SSH keys.
--------------------------------------------------------------------------------
Update Information:
Update bundled golang.org/x/crypto to 0.53.0
--------------------------------------------------------------------------------
ChangeLog:
* Mon Jun 22 2026 Till Hofmann [thofmann@fedoraproject.org] - 0.14.0-3
- Update bundled golang.org/x/crypto to 0.53.0
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2489950 - CVE-2026-39828 opkssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2489950
[ 2 ] Bug #2490498 - CVE-2026-39830 opkssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490498
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-12d4cde449' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 44 Update: kernel-7.0.14-201.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7ae597d1d2
2026-07-02 01:05:29.984027+00:00
--------------------------------------------------------------------------------
Name : kernel
Product : Fedora 44
Version : 7.0.14
Release : 201.fc44
URL : https://www.kernel.org/
Summary : The Linux kernel
Description :
The kernel meta package
--------------------------------------------------------------------------------
Update Information:
The 7.0.14-101/201 kernel builds contain a fix for an unprivileged container /
jail escape. This has not been assigned a CVE number yet, but a POC is in the
wild.
The 7.0.14 stable kernel update contains a number of important fixes across the
tree.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jul 1 2026 Justin M. Forbes [jforbes@fedoraproject.org] [7.0.14-1]
- ipv6: account for fraggap on the paged allocation path (Wongi Lee)
- ipv4: account for fraggap on the paged allocation path (Wongi Lee)
* Sat Jun 27 2026 Justin M. Forbes [jforbes@fedoraproject.org] [7.0.14-0]
- Revert "Input: rmi4 - remove the need for artificial IRQ in case of HID" (Justin M. Forbes)
- Linux v7.0.14
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-7ae597d1d2' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 43 Update: hut-0.8.0-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-32113d4817
2026-07-02 01:07:29.331944+00:00
--------------------------------------------------------------------------------
Name : hut
Product : Fedora 43
Version : 0.8.0
Release : 1.fc43
URL : https://git.sr.ht/~xenrox/hut
Summary : A CLI tool for Sourcehut
Description :
hut is a CLI tool for interacting with Sourcehut instances. It supports
git.sr.ht as well as self-hosted Sourcehut instances.
--------------------------------------------------------------------------------
Update Information:
Update!
Close Go standard library CVE bugs that are solved by a rebuild
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jun 23 2026 Javier Olaechea [pirata@gmail.com] - 0.8.0-1
- Update to 0.8.0. Fixes rhbz#2451702.
* Tue Feb 3 2026 Maxwell G [maxwell@gtmx.me] - 0.7.0-4
- Rebuild for https://fedoraproject.org/wiki/Changes/golang1.26
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 0.7.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Fri Oct 10 2025 Alejandro S??ez [asm@redhat.com] - 0.7.0-2
- rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2408304 - CVE-2025-58189 hut: go crypto/tls ALPN negotiation error contains attacker controlled information [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2408304
[ 2 ] Bug #2408723 - CVE-2025-61725 hut: Excessive CPU consumption in ParseAddress in net/mail [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2408723
[ 3 ] Bug #2409777 - CVE-2025-61723 hut: Quadratic complexity when parsing some invalid inputs in encoding/pem [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2409777
[ 4 ] Bug #2410727 - CVE-2025-58185 hut: Parsing DER payload can cause memory exhaustion in encoding/asn1 [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2410727
[ 5 ] Bug #2411623 - CVE-2025-58188 hut: Panic when validating certificates with DSA public keys in crypto/x509 [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2411623
[ 6 ] Bug #2412711 - CVE-2025-58183 hut: Unbounded allocation when parsing GNU sparse map [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2412711
[ 7 ] Bug #2451702 - hut-0.8.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2451702
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-32113d4817' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: transmission-4.1.3-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-0c067e5040
2026-07-02 01:05:29.984018+00:00
--------------------------------------------------------------------------------
Name : transmission
Product : Fedora 44
Version : 4.1.3
Release : 1.fc44
URL : http://www.transmissionbt.com
Summary : A lightweight GTK+ BitTorrent client
Description :
Transmission is a free, lightweight BitTorrent client. It features a
simple, intuitive interface on top on an efficient, cross-platform
back-end.
--------------------------------------------------------------------------------
Update Information:
Fixed a CORS bug that leaked the anti-CSRF nonce. (#8938)
Fixed a use-after-free bug in peer code. (#8921)
Fixed build error when compiling with fmt 12.2.0. (#8942)
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jun 30 2026 Gwyn Ciesla [gwync@protonmail.com] - 4.1.3-1
- 4.1.3
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2494743 - transmission-4.1.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2494743
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-0c067e5040' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 44 Update: ipp-usb-0.9.34-2.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-00901a5e8f
2026-07-02 01:05:29.984014+00:00
--------------------------------------------------------------------------------
Name : ipp-usb
Product : Fedora 44
Version : 0.9.34
Release : 2.fc44
URL : https://github.com/OpenPrinting/ipp-usb
Summary : HTTP reverse proxy, backed by IPP-over-USB connection to device
Description :
HTTP reverse proxy, backed by IPP-over-USB connection to device. It enables
driverless support for USB devices capable of using IPP-over-USB protocol.
--------------------------------------------------------------------------------
Update Information:
0.9.34 - security fix for CVE-2026-27145
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jun 30 2026 Zdenek Dohnal [zdohnal@redhat.com] - 0.9.34-2
- ipp-usb-0.9.34 is available (fedora#2463247, fedora#2484207, fedora#2494316)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2484207 - CVE-2026-27145 crypto/x509: golang: golang crypto/x509: Denial of Service via excessive processing of DNS SAN entries
https://bugzilla.redhat.com/show_bug.cgi?id=2484207
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-00901a5e8f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 44 Update: caddy-2.10.2-9.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-950cac64f2
2026-07-02 01:05:29.983957+00:00
--------------------------------------------------------------------------------
Name : caddy
Product : Fedora 44
Version : 2.10.2
Release : 9.fc44
URL : https://caddyserver.com
Summary : Web server with automatic HTTPS
Description :
Caddy is an extensible server platform that uses TLS by default.
--------------------------------------------------------------------------------
Update Information:
Security update resolving 17 CVEs across both caddy itself and its vendored
libraries.
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jun 23 2026 Carl George [carlwgeorge@gmail.com] - 2.10.2-9
- Port to new golang packaging guidelines
- Backport upstream fix for CVE-2026-27585
- Backport upstream fix for CVE-2026-27586
- Backport upstream fix for CVE-2026-27587
- Backport upstream fix for CVE-2026-27588
- Backport upstream fix for CVE-2026-27589
- Backport upstream fix for CVE-2026-27590
- Backport upstream fix for CVE-2026-30851
- Backport upstream fix for CVE-2026-30852
- Update vendored github.com/quic-go/quic-go to v0.57.0 for CVE-2025-64702
- Update vendored golang.org/x/crypto to v0.52.0 for CVE-2025-47913,
CVE-2026-39828, CVE-2026-39829, and CVE-2026-39830
- Update vendored github.com/smallstep/certificates to v0.30.0 for
CVE-2025-44005 and CVE-2026-40097
- Update vendored github.com/go-chi/chi/v5 to v5.2.5 for CVE-2025-69725
- Update vendored github.com/yuin/goldmark/renderer/html to v1.7.17 for
CVE-2026-5160
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2488094 - CVE-2026-30851 caddy: Caddy: Privilege escalation via identity injection due to unstripped client headers [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488094
[ 2 ] Bug #2488095 - CVE-2026-30852 caddy: Caddy: Information disclosure via double-expansion of user-controlled input [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488095
[ 3 ] Bug #2488141 - CVE-2026-40097 caddy: Step CA: Denial of Service via crafted attestation key certificate [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488141
[ 4 ] Bug #2488502 - CVE-2026-27585 caddy: Caddy: Path security bypass due to unsanitized backslashes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488502
[ 5 ] Bug #2488503 - CVE-2026-27586 caddy: Caddy: Authentication bypass via mTLS client certificate validation failure [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488503
[ 6 ] Bug #2488514 - CVE-2026-27587 caddy: Caddy: Access control bypass due to improper handling of percent-escape sequences in HTTP path matcher [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488514
[ 7 ] Bug #2488516 - CVE-2026-27588 caddy: Caddy: Access control bypass due to case-sensitive host matching [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488516
[ 8 ] Bug #2488517 - CVE-2026-27589 caddy: Caddy: Unauthorized configuration modification via cross-origin requests to the admin API [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488517
[ 9 ] Bug #2488518 - CVE-2026-27590 caddy: Caddy: Remote Code Execution via FastCGI path confusion [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488518
[ 10 ] Bug #2488661 - CVE-2025-64702 caddy: quic-go HTTP/3 QPACK Header Expansion DoS [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488661
[ 11 ] Bug #2488663 - CVE-2025-47913 caddy: golang.org/x/crypto/ssh/agent: SSH client panic due to unexpected SSH_AGENT_SUCCESS [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488663
[ 12 ] Bug #2488665 - CVE-2025-44005 caddy: github.com/smallstep/certificates: Authorization bypass allows unauthorized certificate creation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488665
[ 13 ] Bug #2488666 - CVE-2025-69725 caddy: Go-chi/chi: Open Redirect vulnerability allows redirection to malicious websites [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488666
[ 14 ] Bug #2488667 - CVE-2026-5160 caddy: github.com/yuin/goldmark/renderer/html: Cross-site Scripting due to improper URL validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488667
[ 15 ] Bug #2489962 - CVE-2026-39828 caddy: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2489962
[ 16 ] Bug #2490067 - CVE-2026-39829 caddy: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490067
[ 17 ] Bug #2490486 - CVE-2026-39830 caddy: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490486
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-950cac64f2' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 44 Update: rclone-1.74.3-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-6145ae14ca
2026-07-02 01:05:29.983954+00:00
--------------------------------------------------------------------------------
Name : rclone
Product : Fedora 44
Version : 1.74.3
Release : 1.fc44
URL : https://github.com/rclone/rclone
Summary : Rsync for cloud storage
Description :
"rsync for cloud storage" - Google Drive, S3, Dropbox, Backblaze B2, One Drive,
Swift, Hubic, Wasabi, Google Cloud Storage, Azure Blob, Azure Files, Yandex
Files.
--------------------------------------------------------------------------------
Update Information:
Update to 1.74.3
--------------------------------------------------------------------------------
ChangeLog:
* Sat Jun 6 2026 Packit [hello@packit.dev] - 1.74.3-1
- Update to 1.74.3 upstream release
- Resolves: rhbz#2485621
* Sat May 23 2026 Packit [hello@packit.dev] - 1.74.2-1
- Update to 1.74.2 upstream release
- Resolves: rhbz#2468412
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2486295 - CVE-2026-45287 rclone: OpenTelemetry-Go: Denial of Service due to file descriptor leak [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2486295
[ 2 ] Bug #2489905 - CVE-2026-39828 rclone: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2489905
[ 3 ] Bug #2490091 - CVE-2026-39829 rclone: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490091
[ 4 ] Bug #2490402 - CVE-2026-39830 rclone: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490402
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-6145ae14ca' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 44 Update: opkssh-0.14.0-3.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7794729685
2026-07-02 01:05:29.983902+00:00
--------------------------------------------------------------------------------
Name : opkssh
Product : Fedora 44
Version : 0.14.0
Release : 3.fc44
URL : https://github.com/openpubkey/opkssh
Summary : OpenPubkey SSH
Description :
OpenPubkey SSH is a tool which enables ssh to be used with OpenID Connect
allowing SSH access to be managed via identities like alice@example.com instead
of long-lived SSH keys.
--------------------------------------------------------------------------------
Update Information:
Update bundled golang.org/x/crypto to 0.53.0
--------------------------------------------------------------------------------
ChangeLog:
* Mon Jun 22 2026 Till Hofmann [thofmann@fedoraproject.org] - 0.14.0-3
- Update bundled golang.org/x/crypto to 0.53.0
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2489950 - CVE-2026-39828 opkssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2489950
[ 2 ] Bug #2490498 - CVE-2026-39830 opkssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490498
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-7794729685' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 44 Update: hut-0.8.0-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-ed208f5337
2026-07-02 01:05:29.983895+00:00
--------------------------------------------------------------------------------
Name : hut
Product : Fedora 44
Version : 0.8.0
Release : 1.fc44
URL : https://git.sr.ht/~xenrox/hut
Summary : A CLI tool for Sourcehut
Description :
hut is a CLI tool for interacting with Sourcehut instances. It supports
git.sr.ht as well as self-hosted Sourcehut instances.
--------------------------------------------------------------------------------
Update Information:
Update!
Close Go standard library CVE bugs that are solved by a rebuild
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jun 23 2026 Javier Olaechea [pirata@gmail.com] - 0.8.0-1
- Update to 0.8.0. Fixes rhbz#2451702.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2408304 - CVE-2025-58189 hut: go crypto/tls ALPN negotiation error contains attacker controlled information [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2408304
[ 2 ] Bug #2408723 - CVE-2025-61725 hut: Excessive CPU consumption in ParseAddress in net/mail [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2408723
[ 3 ] Bug #2409777 - CVE-2025-61723 hut: Quadratic complexity when parsing some invalid inputs in encoding/pem [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2409777
[ 4 ] Bug #2410727 - CVE-2025-58185 hut: Parsing DER payload can cause memory exhaustion in encoding/asn1 [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2410727
[ 5 ] Bug #2411623 - CVE-2025-58188 hut: Panic when validating certificates with DSA public keys in crypto/x509 [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2411623
[ 6 ] Bug #2412711 - CVE-2025-58183 hut: Unbounded allocation when parsing GNU sparse map [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2412711
[ 7 ] Bug #2451702 - hut-0.8.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2451702
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-ed208f5337' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new