AlmaLinux 2548

AlmaLinux published eight security advisories for AlmaLinux 8, 9 and 10 on 22 and 24 April 2026, all rated Important except the Wireshark update (Moderate). The AlmaLinux 10 kernel update fixes a return-code bug in the net/sched CAKE qdisc and an improper free in the qla2xxx SCSI driver. Thunderbird (AlmaLinux 8 and 10) picks up Mozilla memory-safety fixes, an integer overflow in the Graphics: Text component, and two libpng flaws, one a use-after-free that can lead to arbitrary code execution; the same libpng fixes, plus a giflib buffer overflow, ship as bundled third-party updates in OpenJDK 25 (AlmaLinux 9 and 10) alongside JDK fixes in crypto algorithm support, TLS, Kerberos, zip reading, path factories, certificate chain validation and the bundled FreeType. WebKitGTK on AlmaLinux 9 fixes a long list of crashes triggered by crafted web content together with Same Origin Policy and Content Security Policy bypasses, a sandbox escape for restricted web content, fingerprinting and tracking issues, and a cross-site scripting bug. Wireshark fixes a buffer over-read and an improperly controlled sequential memory allocation, and osbuild-composer on AlmaLinux 8 picks up the fix for incorrect parsing of IPv6 host literals in Go's net/url.

ALSA-2026:9264: kernel security update (Important) [AlmaLinux 10]
ALSA-2026:9666: wireshark security update (Moderate) [AlmaLinux 10]
ALSA-2026:9638: thunderbird security update (Important) [AlmaLinux 10]
ALSA-2026:9693: java-25-openjdk security update (Important) [AlmaLinux 10]
ALSA-2026:9692: webkit2gtk3 security update (Important) [AlmaLinux 9]
ALSA-2026:9693: java-25-openjdk security update (Important) [AlmaLinux 9]
ALSA-2026:8456: osbuild-composer security update (Important) [AlmaLinux 8]
ALSA-2026:9345: thunderbird security update (Important) [AlmaLinux 8]



ALSA-2026:9264: kernel security update (Important)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 10
Type: Security
Severity: Important
Release date: 2026-04-24

Summary:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit (CVE-2025-39766)
* kernel: scsi: qla2xxx: Fix improper freeing of purex item (CVE-2025-68741)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2026-9264.html

This message is automatically generated, please don’t reply. For further questions, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2026:9666: wireshark security update (Moderate)



AlmaLinux: 10
Type: Security
Severity: Moderate
Release date: 2026-04-24

Summary:

The wireshark packages contain a network protocol analyzer used to capture and browse the traffic running on a computer network.

Security Fix(es):

* wireshark: Buffer Over-read in Wireshark (CVE-2026-3203)
* wireshark: Improperly Controlled Sequential Memory Allocation in Wireshark (CVE-2026-3201)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2026-9666.html




ALSA-2026:9638: thunderbird security update (Important)



AlmaLinux: 10
Type: Security
Severity: Important
Release date: 2026-04-24

Summary:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

* libpng: libpng: Arbitrary code execution due to use-after-free vulnerability (CVE-2026-33416)
* libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion (CVE-2026-33636)
* thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5734)
* thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5731)
* firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics: Text component (CVE-2026-5732)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2026-9638.html




ALSA-2026:9693: java-25-openjdk security update (Important)



AlmaLinux: 10
Type: Security
Severity: Important
Release date: 2026-04-24

Summary:

The OpenJDK 25 packages provide the OpenJDK 25 Java Runtime Environment and the OpenJDK 25 Java Software Development Kit.

Security Fix(es):

* JDK: Enhance crypto algorithm support (CVE-2026-22007)
* JDK: Improved Arena allocations (CVE-2026-22008)
* JDK: Improve Kerberos credentialing (CVE-2026-22013)
* JDK: Enhance Path Factories Redux (CVE-2026-22016)
* JDK: Enhance Zip file reading (CVE-2026-22018)
* JDK: Enhance certificate chain validation (CVE-2026-22021)
* JDK: Updating FreeType 2.14.1 (CVE-2026-23865)
* JDK: Enhance TLS connection handling (CVE-2026-34282)
* JDK: Enhance key generation (CVE-2026-34268)

This release also updates a number of third-party libraries included in the JDK. The libraries themselves are affected by the following CVEs, but this is not a statement that the JDK itself is affected:

* giflib: Denial of Service via buffer overflow in EGifGCBToExtension (CVE-2026-26740)
* libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion (CVE-2026-33636)
* libpng: Arbitrary code execution due to use-after-free vulnerability (CVE-2026-33416)

Bug Fix(es):

* When copying files, OpenJDK 25 prefers to use the copy_file_range native function for performance reasons, only falling back to sendfile when this fails. However, in previous OpenJDK 25 releases, a response of EOPNOTSUPP (operation not supported) did not cause the JDK to fall back to sendfile. This is rectified in this release. (AlmaLinux-169939, AlmaLinux-169937)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2026-9693.html




ALSA-2026:9692: webkit2gtk3 security update (Important)



AlmaLinux: 9
Type: Security
Severity: Important
Release date: 2026-04-24

Summary:

WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.

Security Fix(es):

* webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43213)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43214)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43457)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43511)
* webkitgtk: Processing maliciously crafted web content may disclose internal states of the app (CVE-2025-46299)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20608)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20635)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20636)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20644)
* webkitgtk: A remote attacker may be able to cause a denial-of-service (CVE-2026-20652)
* webkitgtk: A website may be able to track users through Safari web extensions (CVE-2026-20676)
* webkitgtk: Processing maliciously crafted web content may bypass Same Origin Policy (CVE-2026-20643)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20664)
* webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced (CVE-2026-20665)
* webkitgtk: A maliciously crafted webpage may be able to fingerprint the user (CVE-2026-20691)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28857)
* webkitgtk: A malicious website may be able to process restricted web content outside the sandbox (CVE-2026-28859)
* webkitgtk: Visiting a maliciously crafted website may lead to a cross-site scripting attack (CVE-2026-28871)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2026-9692.html




ALSA-2026:9693: java-25-openjdk security update (Important)



AlmaLinux: 9
Type: Security
Severity: Important
Release date: 2026-04-24

Summary:

The OpenJDK 25 packages provide the OpenJDK 25 Java Runtime Environment and the OpenJDK 25 Java Software Development Kit.

Security Fix(es):

* JDK: Enhance crypto algorithm support (CVE-2026-22007)
* JDK: Improved Arena allocations (CVE-2026-22008)
* JDK: Improve Kerberos credentialing (CVE-2026-22013)
* JDK: Enhance Path Factories Redux (CVE-2026-22016)
* JDK: Enhance Zip file reading (CVE-2026-22018)
* JDK: Enhance certificate chain validation (CVE-2026-22021)
* JDK: Updating FreeType 2.14.1 (CVE-2026-23865)
* JDK: Enhance TLS connection handling (CVE-2026-34282)
* JDK: Enhance key generation (CVE-2026-34268)

This release also updates a number of third-party libraries included in the JDK. The libraries themselves are affected by the following CVEs, but this is not a statement that the JDK itself is affected:

* giflib: Denial of Service via buffer overflow in EGifGCBToExtension (CVE-2026-26740)
* libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion (CVE-2026-33636)
* libpng: Arbitrary code execution due to use-after-free vulnerability (CVE-2026-33416)

Bug Fix(es):

* When copying files, OpenJDK 25 prefers to use the copy_file_range native function for performance reasons, only falling back to sendfile when this fails. However, in previous OpenJDK 25 releases, a response of EOPNOTSUPP (operation not supported) did not cause the JDK to fall back to sendfile. This is rectified in this release. (AlmaLinux-169939, AlmaLinux-169937)
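
The fallback described in this bug fix (the same text appears in the AlmaLinux 10 advisory for java-25-openjdk earlier on the page), as an added example in C that is not OpenJDK's code: copy_file_range(2) is tried first and the copy drops to sendfile(2) when the kernel reports that the fast path is unavailable, with EOPNOTSUPP handled the way the advisory says it must be. The read/write loop as a third tier, the names `copy_with_fallback` and `self_test`, and the full list of errno values that trigger a fallback (ENOSYS, EXDEV, EINVAL and EPERM in addition to EOPNOTSUPP) are this example's own assumptions; the payload written by `self_test` is constructed.

```c
/* Added example, not OpenJDK code: copy_file_range -> sendfile -> read/write,
 * descending only when the kernel says the current mechanism is unavailable. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/sendfile.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* errno values that mean "try the next mechanism", not "the copy failed". */
static int should_fall_back(int err)
{
    return err == EOPNOTSUPP   /* filesystem lacks the fast path: the advisory's case */
        || err == ENOSYS       /* kernel predates the syscall (assumption) */
        || err == EXDEV        /* cross-filesystem copy refused by older kernels (assumption) */
        || err == EINVAL       /* fd type or flags not accepted by this kernel (assumption) */
        || err == EPERM;       /* syscall filtered, e.g. by a container seccomp policy (assumption) */
}

/* Last resort: one chunk through user space with an ordinary read/write loop. */
static ssize_t copy_chunk_rw(int in_fd, int out_fd, size_t len)
{
    char buf[8192];
    ssize_t n = read(in_fd, buf, len < sizeof buf ? len : sizeof buf);
    for (ssize_t off = 0; n > 0 && off < n;) {
        ssize_t w = write(out_fd, buf + off, (size_t)(n - off));
        if (w < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        off += w;
    }
    return n;
}

/* Copy len bytes from in_fd to out_fd using both fds' current offsets.
 * Returns the byte count copied (shorter than len only if the input ended),
 * or -1 with errno set for a genuine I/O error. */
ssize_t copy_with_fallback(int in_fd, int out_fd, size_t len)
{
    enum { MECH_CFR, MECH_SENDFILE, MECH_RW } mech = MECH_CFR;
    size_t done = 0;

    while (done < len) {
        ssize_t n;
        if (mech == MECH_CFR) {
#ifdef SYS_copy_file_range
            n = (ssize_t)syscall(SYS_copy_file_range, in_fd, NULL, out_fd, NULL, len - done, 0);
#else
            errno = ENOSYS; n = -1;     /* headers without the syscall number */
#endif
        } else if (mech == MECH_SENDFILE) {
            n = sendfile(out_fd, in_fd, NULL, len - done);
        } else {
            n = copy_chunk_rw(in_fd, out_fd, len - done);
        }

        if (n < 0) {
            if (errno == EINTR)
                continue;
            /* The step the fix restores: a "not supported" answer moves on to
             * the next mechanism instead of failing the whole copy. */
            if (mech != MECH_RW && should_fall_back(errno)) {
                mech = (mech == MECH_CFR) ? MECH_SENDFILE : MECH_RW;
                continue;
            }
            return -1;
        }
        if (n == 0)
            break;                      /* input shorter than len */
        done += (size_t)n;
    }
    return (ssize_t)done;
}

/* Round trip through two anonymous temp files with a constructed payload;
 * returns 1 when the copy is byte-exact, 0 otherwise. */
int self_test(void)
{
    static const char payload[] = "constructed sample payload, not real data\n";
    char back[sizeof payload];
    FILE *src = tmpfile(), *dst = tmpfile();
    int ok = 0;

    if (src && dst
        && fwrite(payload, 1, sizeof payload, src) == sizeof payload
        && fflush(src) == 0
        && lseek(fileno(src), 0, SEEK_SET) == 0
        && copy_with_fallback(fileno(src), fileno(dst), sizeof payload) == (ssize_t)sizeof payload
        && lseek(fileno(dst), 0, SEEK_SET) == 0
        && read(fileno(dst), back, sizeof back) == (ssize_t)sizeof back)
        ok = memcmp(payload, back, sizeof payload) == 0;
    if (src) fclose(src);
    if (dst) fclose(dst);
    return ok;
}

int main(void)
{
    int ok = self_test();
    printf("copy_with_fallback round trip: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Build with `cc -o cfr cfr.c` on Linux and run it. Because sendfile and copy_file_range are called with NULL offsets, both read from and advance the input fd's own offset, so a fallback that happens after a partial copy resumes where the previous mechanism stopped rather than restarting from zero. The failure mode the advisory describes is the case where `should_fall_back` is not consulted at all and an EOPNOTSUPP from the first call surfaces as a copy error.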

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2026-9693.html




ALSA-2026:8456: osbuild-composer security update (Important)



AlmaLinux: 8
Type: Security
Severity: Important
Release date: 2026-04-24

Summary:

A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to the cloud. It is compatible with the composer-cli and cockpit-composer clients.

Security Fix(es):

* net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)
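
The advisory says only that net/url parsed IPv6 host literals incorrectly; it gives no further detail and none is assumed here. As an added example (in C, not the Go standard library's net/url and not anything from osbuild-composer), this is the set of checks a strict parser of an authority string `host[:port]` should enforce so that a bracketed IPv6 literal, a hostname or IPv4 address, and a port cannot be mistaken for one another: a '[' must be closed, the bracket content must be exactly one IPv6 address (validated with inet_pton rather than by character class), nothing may follow ']' except an optional `:port`, an unbracketed host may not contain the colon ambiguity of a bare IPv6 address, and the port is checked digit by digit. Rejecting RFC 6874 zone identifiers, the 256-byte host buffer and the helper names `parse_authority`, `accepts_as` and `rejects` are this example's choices; every input in `main` is constructed.

```c
/* Added example of strict host[:port] parsing with IPv6 literals; not the Go
 * net/url implementation and not the osbuild-composer fix. */
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* One to five ASCII digits in 0..65535. strtol is deliberately avoided: it
 * accepts a sign, leading whitespace and, with base 0, hex and octal. */
static int parse_port(const char *s, int *port)
{
    size_t n = strlen(s);
    long v = 0;
    if (n == 0 || n > 5)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (!isdigit((unsigned char)s[i]))
            return -1;
        v = v * 10 + (s[i] - '0');
    }
    if (v > 65535)
        return -1;
    *port = (int)v;
    return 0;
}

/* Split an authority of the form host[:port]. A host beginning with '[' must
 * be a complete "[IPv6]" literal that inet_pton accepts (zones rejected, an
 * assumption of this example); anything else is a hostname or IPv4 address
 * limited to letters, digits, '-' and '.', so an unbracketed IPv6 address,
 * ambiguous with host:port, is refused rather than guessed. *port is -1 when
 * absent. Returns 0 on success, -1 on rejection. */
int parse_authority(const char *authority, char *host_out, size_t host_cap, int *port)
{
    const char *p = authority;
    size_t hlen;
    *port = -1;

    if (p[0] == '[') {
        const char *close = strchr(p, ']');
        struct in6_addr a6;
        if (close == NULL)                            /* "[::1" */
            return -1;
        hlen = (size_t)(close - p) - 1;
        if (hlen == 0 || hlen >= host_cap)            /* "[]" or oversized */
            return -1;
        memcpy(host_out, p + 1, hlen);
        host_out[hlen] = '\0';
        if (inet_pton(AF_INET6, host_out, &a6) != 1)  /* "[example.com]", "[1.2.3.4]" */
            return -1;
        p = close + 1;
    } else {
        const char *colon = strchr(p, ':');
        hlen = colon ? (size_t)(colon - p) : strlen(p);
        if (hlen == 0 || hlen >= host_cap)            /* "::1:80" lands here */
            return -1;
        for (size_t i = 0; i < hlen; i++)
            if (!isalnum((unsigned char)p[i]) && p[i] != '-' && p[i] != '.')
                return -1;
        memcpy(host_out, p, hlen);
        host_out[hlen] = '\0';
        p += hlen;
    }
    if (*p == '\0')
        return 0;
    if (*p != ':')                                    /* "[::1]x" */
        return -1;
    return parse_port(p + 1, port);
}

/* Check helpers: 1 when the input parses to exactly this host and port,
 * and 1 when the input is rejected, respectively. */
int accepts_as(const char *authority, const char *host, int port)
{
    char h[256];
    int p;
    return parse_authority(authority, h, sizeof h, &p) == 0
        && strcmp(h, host) == 0 && p == port;
}

int rejects(const char *authority)
{
    char h[256];
    int p;
    return parse_authority(authority, h, sizeof h, &p) == -1;
}

int main(void)
{
    /* constructed inputs, not taken from the advisory */
    const char *inputs[] = { "[::1]:8080", "[2001:db8::1]", "example.com:443", "192.0.2.1",
                             "[::1", "[]", "[example.com]", "[::1]x", "[::1]:", "::1:80",
                             "[::1]:99999", "[::1]:-1" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char h[256];
        int p, rc = parse_authority(inputs[i], h, sizeof h, &p);
        printf("%-16s -> %s host=%s port=%d\n", inputs[i],
               rc == 0 ? "ok    " : "reject", rc == 0 ? h : "-", rc == 0 ? p : -1);
    }
    return 0;
}
```

The design point is that the bracket content is validated as an address, not as "characters that look like an address", and that every byte after the closing bracket must be accounted for; a parser that does either of those loosely can hand a caller a host string that a later connect, allow-list match or log entry interprets differently from the parser itself.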

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2026-8456.html




ALSA-2026:9345: thunderbird security update (Important)



AlmaLinux: 8
Type: Security
Severity: Important
Release date: 2026-04-22

Summary:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

* libpng: libpng: Arbitrary code execution due to use-after-free vulnerability (CVE-2026-33416)
* libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion (CVE-2026-33636)
* thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5734)
* thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5731)
* firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics: Text component (CVE-2026-5732)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2026-9345.html
