
Fedora has released multiple security updates for versions 42 and 43 to address critical vulnerabilities found across various software packages. Fixes include patches for libcap, libpng, and vim, which resolve issues ranging from memory corruption to potential denial of service attacks. Users are urged to apply the updates immediately. Each update is installed with the standard dnf upgrade command, passing the advisory identifier given in the corresponding notification message.

Fedora 43 Update: libcap-2.76-4.fc43
Fedora 43 Update: libpng-1.6.56-1.fc43
Fedora 43 Update: trivy-0.69.3-1.fc43
Fedora 43 Update: pdns-recursor-5.2.8-1.fc43
Fedora 42 Update: pdns-recursor-5.2.8-1.fc42
Fedora 42 Update: vim-9.2.280-1.fc42
Fedora 42 Update: polkit-126-3.fc42.2
Fedora 42 Update: mupdf-1.26.3-6.fc42
Fedora 42 Update: trafficserver-10.1.2-1.fc42
Fedora 42 Update: corosync-3.1.9-4.fc42
Fedora 42 Update: mingw-exiv2-0.28.8-1.fc42
Fedora 42 Update: libmicrohttpd-1.0.3-1.fc42
Fedora 42 Update: yarnpkg-1.22.22-18.fc42
Fedora 43 Update: mupdf-1.27.1-10.fc43
Fedora 43 Update: trafficserver-10.1.2-1.fc43
Fedora 43 Update: yarnpkg-1.22.22-18.fc43
Fedora 43 Update: mingw-exiv2-0.28.8-1.fc43
Fedora 43 Update: libmicrohttpd-1.0.3-1.fc43




[SECURITY] Fedora 43 Update: libcap-2.76-4.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-ccc66d5ab4
2026-04-13 01:07:11.071227+00:00
--------------------------------------------------------------------------------

Name : libcap
Product : Fedora 43
Version : 2.76
Release : 4.fc43
URL : https://sites.google.com/site/fullycapable/
Summary : Library for getting and setting POSIX.1e capabilities
Description :
libcap is a library for getting and setting POSIX.1e (formerly POSIX 6)
draft 15 capabilities.

--------------------------------------------------------------------------------
Update Information:

An update to patch a security vulnerability.
Advisory: https://github.com/AndrewGMorgan/libcap_mirror/security/advisories/GHSA-f78v-p5hx-m7hh
Changelog
* Mon Apr 06 2026 Carlos Rodriguez-Fernandez [carlosrodrifernandez@gmail.com] - 2.76-4
- Patch for security vulnerability
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr 6 2026 Carlos Rodriguez-Fernandez [carlosrodrifernandez@gmail.com] - 2.76-4
- Patch for security vulnerability
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-ccc66d5ab4' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: libpng-1.6.56-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-67c20bfb74
2026-04-13 01:07:11.071231+00:00
--------------------------------------------------------------------------------

Name : libpng
Product : Fedora 43
Version : 1.6.56
Release : 1.fc43
URL : http://www.libpng.org/pub/png/
Summary : A library of functions for manipulating PNG image format files
Description :
The libpng package contains a library of functions for creating and
manipulating PNG (Portable Network Graphics) image format files. PNG
is a bit-mapped graphics format similar to the GIF format. PNG was
created to replace the GIF format, since GIF uses a patented data
compression algorithm.

Libpng should be installed if you need to manipulate PNG format image
files.

--------------------------------------------------------------------------------
Update Information:

1.6.56 is a release that fixes the following two security vulnerabilities:
CVE-2026-33416 (high severity): Use-after-free memory bug in the transparency
and palette-handling code. Similar to its predecessor CVE-2026-25646, this
latent bug has existed for 25 years. Both Halil Oktay and Ryo Shimada discovered
it within days of one another.
CVE-2026-33636 (high severity): Out-of-bounds read and write vulnerability in
the ARM Neon palette-expansion code. This one was found and fixed by Taegu Ha
and has existed since 1.6.36.
The images that trigger these bugs are valid. Users are encouraged to update
immediately.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr 6 2026 Michal Hlavinka [mhlavink@redhat.com] - 2:1.6.56-1
- updated to 1.6.56 (#2451569)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2452129 - CVE-2026-33636 libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2452129
[ 2 ] Bug #2452155 - CVE-2026-33416 libpng: libpng: Arbitrary code execution due to use-after-free vulnerability [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2452155
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-67c20bfb74' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: trivy-0.69.3-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-868e266938
2026-04-13 01:07:11.071194+00:00
--------------------------------------------------------------------------------

Name : trivy
Product : Fedora 43
Version : 0.69.3
Release : 1.fc43
URL : https://github.com/aquasecurity/trivy
Summary : Vulnerability and license scanner
Description :
Find vulnerabilities, misconfigurations, secrets, SBOM in containers,
Kubernetes, code repositories, clouds and more.

--------------------------------------------------------------------------------
Update Information:

Update to 0.69.3
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 3 2026 Mikel Olasagasti Uranga [mikel@olasagasti.info] - 0.69.3-1
- Update to 0.69.3 - Closes rhbz#2419395
* Tue Feb 3 2026 Maxwell G [maxwell@gtmx.me] - 0.67.2-3
- Rebuild for https://fedoraproject.org/wiki/Changes/golang1.26
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 0.67.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Sun Oct 12 2025 Maxwell G [maxwell@gtmx.me] - 0.67.2-1
- Update to 0.67.2. Fixes rhbz#2385338.
- Add missing bundled() Provides for Go modules
* Fri Oct 10 2025 Alejandro Sáez [asm@redhat.com] - 0.64.1-4
- rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2408364 - CVE-2025-58189 trivy: go crypto/tls ALPN negotiation error contains attacker controlled information [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2408364
[ 2 ] Bug #2408748 - CVE-2025-61725 trivy: Excessive CPU consumption in ParseAddress in net/mail [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2408748
[ 3 ] Bug #2409835 - CVE-2025-61723 trivy: Quadratic complexity when parsing some invalid inputs in encoding/pem [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2409835
[ 4 ] Bug #2410785 - CVE-2025-58185 trivy: Parsing DER payload can cause memory exhaustion in encoding/asn1 [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2410785
[ 5 ] Bug #2411681 - CVE-2025-58188 trivy: Panic when validating certificates with DSA public keys in crypto/x509 [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2411681
[ 6 ] Bug #2412610 - CVE-2025-58183 trivy: Unbounded allocation when parsing GNU sparse map [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2412610
[ 7 ] Bug #2419050 - CVE-2024-25621 trivy: containerd local privilege escalation [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2419050
[ 8 ] Bug #2420630 - CVE-2025-47913 trivy: golang.org/x/crypto/ssh/agent: SSH client panic due to unexpected SSH_AGENT_SUCCESS [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2420630
[ 9 ] Bug #2421872 - CVE-2025-66564 trivy: Sigstore Timestamp Authority: Denial of Service via excessive OID or Content-Type header parsing [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2421872
[ 10 ] Bug #2429310 - CVE-2026-22703 trivy: Cosign verification accepts any valid Rekor entry under certain conditions [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2429310
[ 11 ] Bug #2441182 - CVE-2025-69725 trivy: Go-chi/chi: Open Redirect vulnerability allows redirection to malicious websites [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2441182
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-868e266938' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: pdns-recursor-5.2.8-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-9c582575e5
2026-04-13 01:07:11.071161+00:00
--------------------------------------------------------------------------------

Name : pdns-recursor
Product : Fedora 43
Version : 5.2.8
Release : 1.fc43
URL : https://powerdns.com
Summary : Modern, advanced and high performance recursing/non authoritative name server
Description :
PowerDNS Recursor is a non authoritative/recursing DNS server. Use this
package if you need a dns cache for your network.

--------------------------------------------------------------------------------
Update Information:

Update to latest 5.2 release, fixing multiple security issues
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 3 2026 Sander Hoentjen [shoentjen@antagonist.nl] - 5.2.8-1
- Update to latest 5.2 minor, 5.2.8
* Fri Jul 25 2025 Fedora Release Engineering [releng@fedoraproject.org] - 5.2.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2420814 - CVE-2025-59030 pdns-recursor: Insufficient validation of incoming notifies over TCP can lead to a denial of service [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2420814
[ 2 ] Bug #2423072 - CVE-2025-59029 pdns: PowerDNS: Assertion failure due to crafted DNS records [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2423072
[ 3 ] Bug #2423073 - CVE-2025-59029 pdns-recursor: PowerDNS: Assertion failure due to crafted DNS records [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2423073
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-9c582575e5' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 42 Update: pdns-recursor-5.2.8-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-2490896a5d
2026-04-13 00:49:53.479978+00:00
--------------------------------------------------------------------------------

Name : pdns-recursor
Product : Fedora 42
Version : 5.2.8
Release : 1.fc42
URL : https://powerdns.com
Summary : Modern, advanced and high performance recursing/non authoritative name server
Description :
PowerDNS Recursor is a non authoritative/recursing DNS server. Use this
package if you need a dns cache for your network.

--------------------------------------------------------------------------------
Update Information:

Update to latest 5.2 release, fixing multiple security issues
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 3 2026 Sander Hoentjen [shoentjen@antagonist.nl] - 5.2.8-1
- Update to latest 5.2 minor, 5.2.8
* Fri Jul 25 2025 Fedora Release Engineering [releng@fedoraproject.org] - 5.2.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Wed Feb 12 2025 Zbigniew Jędrzejewski-Szmek [zbyszek@in.waw.pl] - 5.2.0-3
- Add sysusers.d config file to allow rpm to create users/groups
automatically
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2382367 - CVE-2025-30192 pdns-recursor: A Recursor configured to send out ECS enabled queries can be sensitive to spoofing attempts [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2382367
[ 2 ] Bug #2420813 - CVE-2025-59030 pdns-recursor: Insufficient validation of incoming notifies over TCP can lead to a denial of service [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2420813
[ 3 ] Bug #2423070 - CVE-2025-59029 pdns: PowerDNS: Assertion failure due to crafted DNS records [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2423070
[ 4 ] Bug #2423071 - CVE-2025-59029 pdns-recursor: PowerDNS: Assertion failure due to crafted DNS records [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2423071
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-2490896a5d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 42 Update: vim-9.2.280-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-c718defeb6
2026-04-13 00:49:53.479914+00:00
--------------------------------------------------------------------------------

Name : vim
Product : Fedora 42
Version : 9.2.280
Release : 1.fc42
URL : https://www.vim.org/
Summary : The VIM editor
Description :
VIM (VIsual editor iMproved) is an updated and improved version of the
vi editor. Vi was the first real screen-based editor for UNIX, and is
still very popular. VIM improves on vi by adding new features:
multiple windows, multi-level undo, block highlighting and more.

--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2026-34714, CVE-2026-35177, CVE-2026-34982
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 2 2026 Zdenek Dohnal [zdohnal@redhat.com] - 2:9.2.280-1
- patchlevel 280
* Tue Mar 31 2026 Zdenek Dohnal [zdohnal@redhat.com] - 2:9.2.272-1
- patchlevel 272
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2453139 - CVE-2026-34714 vim: Vim: Arbitrary code execution via crafted file
https://bugzilla.redhat.com/show_bug.cgi?id=2453139
[ 2 ] Bug #2455400 - CVE-2026-34982 vim: arbitrary command execution via modeline sandbox bypass
https://bugzilla.redhat.com/show_bug.cgi?id=2455400
[ 3 ] Bug #2455542 - CVE-2026-35177 vim: zip.vim: Vim zip.vim plugin: Arbitrary file overwrite via path traversal bypass
https://bugzilla.redhat.com/show_bug.cgi?id=2455542
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-c718defeb6' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 42 Update: polkit-126-3.fc42.2


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-1774635f74
2026-04-13 00:49:53.479885+00:00
--------------------------------------------------------------------------------

Name : polkit
Product : Fedora 42
Version : 126
Release : 3.fc42.2
URL : https://github.com/polkit-org/polkit
Summary : An authorization framework
Description :
polkit is a toolkit for defining and handling authorizations. It is
used for allowing unprivileged processes to speak to privileged
processes.

--------------------------------------------------------------------------------
Update Information:

CVE-2026-4897 aisle.com fix of unsanitized getline
--------------------------------------------------------------------------------
ChangeLog:

* Fri Mar 27 2026 Jan Rybar [jrybar@redhat.com] - 126-3.2
- CVE-2026-4897 aisle.com fix of unsanitized getline
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-1774635f74' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 42 Update: mupdf-1.26.3-6.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-b56fe1f040
2026-04-12 15:52:51.750312+00:00
--------------------------------------------------------------------------------

Name : mupdf
Product : Fedora 42
Version : 1.26.3
Release : 6.fc42
URL : http://mupdf.com/
Summary : A lightweight PDF viewer and toolkit
Description :
MuPDF is a lightweight PDF viewer and toolkit written in portable C.
The renderer in MuPDF is tailored for high quality anti-aliased
graphics. MuPDF renders text with metrics and spacing accurate to
within fractions of a pixel for the highest fidelity in reproducing
the look of a printed page on screen.
MuPDF has a small footprint. A binary that includes the standard
Roman fonts is only one megabyte. A build with full CJK support
(including an Asian font) is approximately seven megabytes.
MuPDF has support for all non-interactive PDF 1.7 features, and the
toolkit provides a simple API for accessing the internal structures of
the PDF document. Example code for navigating interactive links and
bookmarks, encrypting PDF files, extracting fonts, images, and
searchable text, and rendering pages to image files is provided.

--------------------------------------------------------------------------------
Update Information:

fix CVE-2026-3308 (rhbz#2454360)
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 2 2026 Michael J Gruber [mjg@fedoraproject.org] - 1.26.3-6
- fix CVE-2026-3308 (rhbz#2454360)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2454360 - CVE-2026-3308 mupdf: MuPDF: Arbitrary code execution via integer overflow with a crafted PDF [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2454360
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-b56fe1f040' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 42 Update: trafficserver-10.1.2-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-a157bd84c4
2026-04-12 15:52:51.750306+00:00
--------------------------------------------------------------------------------

Name : trafficserver
Product : Fedora 42
Version : 10.1.2
Release : 1.fc42
URL : https://trafficserver.apache.org/
Summary : Fast, scalable and extensible HTTP/1.1 and HTTP/2 caching proxy server
Description :
Traffic Server is a high-performance building block for cloud services.
It's more than just a caching proxy server; it also has support for
plugins to build large scale web applications. Key features:

Caching - Improve your response time, while reducing server load and
bandwidth needs by caching and reusing frequently-requested web pages,
images, and web service calls.

Proxying - Easily add keep-alive, filter or anonymize content
requests, or add load balancing by adding a proxy layer.

Fast - Scales well on modern SMP hardware, handling 10s of thousands
of requests per second.

Extensible - APIs to write your own plug-ins to do anything from
modifying HTTP headers to handling ESI requests to writing your own
cache algorithm.

Proven - Handling over 400TB a day at Yahoo! both as forward and
reverse proxies, Apache Traffic Server is battle hardened.

--------------------------------------------------------------------------------
Update Information:

Resolves:
CVE-2025-58136 - A simple legitimate POST request causes a crash
CVE-2025-65114 - Malformed chunked message body allows request smuggling
Changes with Apache Traffic Server 10.1.2
#12864 - Fix ppa log field
#13037 - Fix prev_is_cr flag handling in chunked encoding parser
#13040 - HttpSM - make sure we have a valid buffer to write on.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 2 2026 Jered Floyd [jered@redhat.com] - 10.1.2-1
- Update to upstream 10.1.2
* Tue Feb 10 2026 Jered Floyd [jered@redhat.com] - 10.1.1-2
- Ignore warnings (temporarily) for Fedora rawhide/GCC 16 in libswoc
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2453244 - trafficserver-10.1.2 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2453244
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-a157bd84c4' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 42 Update: corosync-3.1.9-4.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-95ee0edcd5
2026-04-12 15:52:51.750301+00:00
--------------------------------------------------------------------------------

Name : corosync
Product : Fedora 42
Version : 3.1.9
Release : 4.fc42
URL : http://corosync.github.io/corosync/
Summary : The Corosync Cluster Engine and Application Programming Interfaces
Description :
This package contains the Corosync Cluster Engine Executive, several default
APIs and libraries, default configuration files, and an init script.

--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2026-35091 and CVE-2026-35092
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 2 2026 Jan Friesse [jfriesse@redhat.com] - 3.1.9-4
- totemsrp: Return error if sanity check fails
(fixes CVE-2026-35091)
- totemsrp: Fix integer overflow in memb_join_sanity
(fixes CVE-2026-35092)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2453169 - corosync: pre-auth OOB read in check_memb_commit_token_sanity + integer overflow in check_memb_join_sanity
https://bugzilla.redhat.com/show_bug.cgi?id=2453169
[ 2 ] Bug #2453815 - CVE-2026-35091 corosync: Corosync: Denial of Service and information disclosure via crafted UDP packet [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453815
[ 3 ] Bug #2453821 - CVE-2026-35092 corosync: Corosync: Denial of Service via integer overflow in join message validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453821
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-95ee0edcd5' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 42 Update: mingw-exiv2-0.28.8-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-592e4238fa
2026-04-12 15:52:51.750287+00:00
--------------------------------------------------------------------------------

Name : mingw-exiv2
Product : Fedora 42
Version : 0.28.8
Release : 1.fc42
URL : http://www.exiv2.org/
Summary : MinGW Windows exiv2 library
Description :
MinGW Windows exiv2 library.

--------------------------------------------------------------------------------
Update Information:

Update to exiv2-0.28.8.
--------------------------------------------------------------------------------
ChangeLog:

* Sat Mar 7 2026 Sandro Mani [manisandro@gmail.com] - 0.28.8-1
- Update to 0.28.8
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 0.28.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2453392 - CVE-2026-25884 mingw-exiv2: Exiv2: Denial of service via out-of-bounds read in CRW image parser [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453392
[ 2 ] Bug #2453394 - CVE-2026-27596 mingw-exiv2: Exiv2: Denial of Service via out-of-bounds read in preview component [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453394
[ 3 ] Bug #2453396 - CVE-2026-27631 mingw-exiv2: Exiv2: Denial of Service via integer overflow in preview component [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453396
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-592e4238fa' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 42 Update: libmicrohttpd-1.0.3-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7a0641ca41
2026-04-12 15:52:51.750283+00:00
--------------------------------------------------------------------------------

Name : libmicrohttpd
Product : Fedora 42
Version : 1.0.3
Release : 1.fc42
URL : http://www.gnu.org/software/libmicrohttpd/
Summary : Lightweight library for embedding a webserver in applications
Description :
GNU libmicrohttpd is a small C library that is supposed to make it
easy to run an HTTP server as part of another application.
Key features that distinguish libmicrohttpd from other projects are:

* C library: fast and small
* API is simple, expressive and fully reentrant
* Implementation is http 1.1 compliant
* HTTP server can listen on multiple ports
* Support for IPv6
* Support for incremental processing of POST data
* Creates binary of only 25k (for now)
* Three different threading models

--------------------------------------------------------------------------------
Update Information:

Update to 1.0.3-1
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 2 2026 Martin Gansser [martinkg@fedoraproject.org] - 1:1.0.3-1
- Update to 1:1.0.3
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 1:1.0.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Thu Jul 24 2025 Fedora Release Engineering [releng@fedoraproject.org] - 1:1.0.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2413882 - CVE-2025-59777 libmicrohttpd: GNU libmicrohttpd null pointer dereference [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2413882
[ 2 ] Bug #2413888 - CVE-2025-59777 libmicrohttpd: GNU libmicrohttpd null pointer dereference [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2413888
[ 3 ] Bug #2413893 - CVE-2025-62689 libmicrohttpd: GNU libmicrohttpd null pointer dereference [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2413893
[ 4 ] Bug #2413896 - CVE-2025-62689 libmicrohttpd: GNU libmicrohttpd null pointer dereference [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2413896
[ 5 ] Bug #2454160 - libmicrohttpd-1.0.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2454160
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-7a0641ca41' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 42 Update: yarnpkg-1.22.22-18.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7a6943e57d
2026-04-12 15:52:51.750289+00:00
--------------------------------------------------------------------------------

Name : yarnpkg
Product : Fedora 42
Version : 1.22.22
Release : 18.fc42
URL : https://github.com/yarnpkg/yarn
Summary : Fast, reliable, and secure dependency management.
Description :
Fast, reliable, and secure dependency management.

--------------------------------------------------------------------------------
Update Information:

Refresh vendor bundle, fixes CVE-2026-4800.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 2 2026 Sandro Mani [manisandro@gmail.com] - 1.22.22-18
- Add yarn-jsyaml4.patch
- Refresh vendor bundle, fixes CVE-2026-4800
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2454058 - CVE-2026-4800 yarnpkg: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2454058
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-7a6943e57d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: mupdf-1.27.1-10.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7a9c0c8c04
2026-04-12 15:36:52.829623+00:00
--------------------------------------------------------------------------------

Name : mupdf
Product : Fedora 43
Version : 1.27.1
Release : 10.fc43
URL : http://mupdf.com/
Summary : A lightweight PDF viewer and toolkit
Description :
MuPDF is a lightweight PDF viewer and toolkit written in portable C.
The renderer in MuPDF is tailored for high quality anti-aliased
graphics. MuPDF renders text with metrics and spacing accurate to
within fractions of a pixel for the highest fidelity in reproducing
the look of a printed page on screen.
MuPDF has a small footprint. A binary that includes the standard
Roman fonts is only one megabyte. A build with full CJK support
(including an Asian font) is approximately seven megabytes.
MuPDF has support for all non-interactive PDF 1.7 features, and the
toolkit provides a simple API for accessing the internal structures of
the PDF document. Example code for navigating interactive links and
bookmarks, encrypting PDF files, extracting fonts, images, and
searchable text, and rendering pages to image files is provided.

--------------------------------------------------------------------------------
Update Information:

fix CVE-2026-3308 (rhbz#2454361)
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 2 2026 Michael J Gruber [mjg@fedoraproject.org] - 1.27.1-10
- fix CVE-2026-3308 (rhbz#2454361)
* Tue Mar 24 2026 Michael J Gruber [mjg@fedoraproject.org] - 1.27.1-6
- Limit python3-clang version to