Fedora Linux

Critical security updates for Fedora Linux have been released recently to patch vulnerabilities across multiple versions of the operating system. The localsearch package on Fedora 43 requires an update that addresses four heap buffer overflows in its MP3 metadata extractor (CVE-2026-1764 through CVE-2026-1767, two of them in TXXX and ID3v2.3 COMM tag handling). Administrators should also prioritize installing the Xen hypervisor fixes, which resolve a use-after-free of EPT paging structures (XSA-480) and a xenstored denial of service that an unprivileged domain can trigger (XSA-481). Finally, users on Fedora 42, 43 or 44 must apply the scitokens-cpp update, which closes scope-path authorization bypasses through sibling prefixes and parent-directory traversal, including encoded traversal forms.

Fedora 43 Update: localsearch-3.10.2-2.fc43
Fedora 43 Update: xen-4.20.2-4.fc43
Fedora 43 Update: scitokens-cpp-1.4.1-1.fc43
Fedora 42 Update: scitokens-cpp-1.4.1-1.fc42
Fedora 44 Update: scitokens-cpp-1.4.1-1.fc44




[SECURITY] Fedora 43 Update: localsearch-3.10.2-2.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-ba6641558a
2026-03-23 01:07:08.010780+00:00
--------------------------------------------------------------------------------

Name : localsearch
Product : Fedora 43
Version : 3.10.2
Release : 2.fc43
URL : https://gnome.pages.gitlab.gnome.org/localsearch/
Summary : Localsearch and metadata extractors
Description :
Tinysparql is a powerful desktop-neutral first class object database,
tag/metadata database and search tool.

This package contains various miners and metadata extractors for tinysparql.

--------------------------------------------------------------------------------
Update Information:

Add a patch for several CVEs:
CVE-2026-1764 - Heap Buffer Overflow in GNOME localsearch MP3 Extractor
CVE-2026-1765 - Heap Buffer Overflow in GNOME localsearch MP3 Extractor (TXXX Tags)
CVE-2026-1766 - Heap Buffer Overflow in GNOME localsearch MP3 Extractor (ID3v2.3 COMM Tags)
CVE-2026-1767 - Heap Buffer Overflow in GNOME localsearch MP3 Extractor
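The four CVEs above are heap buffer overflows in the MP3 extractor's handling of ID3 frames, two of them specifically in TXXX and ID3v2.3 COMM tags. The notification does not describe the individual root causes, so what follows is an added illustration, not localsearch's code, of the defensive pattern an ID3 parser needs to avoid this bug class: every length read from the file (the syncsafe tag size, each frame's 32-bit size field, and the NUL terminators inside TXXX and COMM payloads) is checked against the bytes actually present before it is used as an offset or copy length. Frame layouts follow the ID3v2.3 specification; the sample tags are constructed inline, and the function and type names are this example's own.

```cpp
// Added example, not localsearch's code: a bounds-checked ID3v2.3 frame walker
// for the TXXX and COMM frames named in the advisory. Every length taken from
// the untrusted input is checked against the bytes actually present.
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

struct Id3Frame {
    std::string id;          // 4-character frame ID, e.g. "TXXX"
    std::string description; // TXXX description / COMM short description
    std::string text;        // TXXX value / COMM comment text
};
struct Id3Result {
    bool ok = false;         // false when any length field does not fit the data
    std::string error;       // reason for rejection, empty when ok
    std::vector<Id3Frame> frames;
};

// Read a NUL-terminated ISO-8859-1 string from [pos, end). Returns false when
// no terminator lies inside the frame, instead of scanning past its end.
static bool read_cstring(const uint8_t* d, size_t& pos, size_t end, std::string& out) {
    const uint8_t* term = std::find(d + pos, d + end, uint8_t{0});
    if (term == d + end) return false;
    out.assign(reinterpret_cast<const char*>(d + pos), term - (d + pos));
    pos = static_cast<size_t>(term - d) + 1;
    return true;
}

Id3Result parse_id3v23(const std::vector<uint8_t>& buf) {
    Id3Result r;
    if (buf.size() < 10 || std::memcmp(buf.data(), "ID3", 3) != 0 || buf[3] != 3) {
        r.error = "not an ID3v2.3 tag"; return r;
    }
    // The tag size is a 28-bit syncsafe integer (7 bits per byte) counting the
    // bytes after the 10-byte header; it must not exceed what was supplied.
    size_t tag_size = (size_t(buf[6] & 0x7f) << 21) | (size_t(buf[7] & 0x7f) << 14) |
                      (size_t(buf[8] & 0x7f) << 7)  |  size_t(buf[9] & 0x7f);
    if (tag_size > buf.size() - 10) { r.error = "tag size exceeds buffer"; return r; }
    const uint8_t* d = buf.data();
    size_t pos = 10, end = 10 + tag_size;

    while (end - pos >= 10) {          // a frame header needs 10 bytes
        if (d[pos] == 0) break;        // zero byte: padding, no more frames
        std::string id(reinterpret_cast<const char*>(d + pos), 4);
        // ID3v2.3 frame sizes are plain 32-bit big-endian values written by
        // whoever produced the file; never use one as a copy length unchecked.
        size_t fsize = (size_t(d[pos + 4]) << 24) | (size_t(d[pos + 5]) << 16) |
                       (size_t(d[pos + 6]) << 8)  |  size_t(d[pos + 7]);
        size_t body = pos + 10;
        if (fsize > end - body) { r.error = "frame " + id + " overruns tag"; return r; }
        size_t fend = body + fsize;

        if (id == "TXXX" || id == "COMM") {
            Id3Frame f; f.id = id;
            size_t fixed = (id == "COMM") ? 4 : 1; // encoding byte (+ 3-byte language for COMM)
            if (fsize < fixed) { r.error = "frame " + id + " too short"; return r; }
            if (d[body] != 0) { r.error = "unsupported text encoding"; return r; } // ISO-8859-1 only
            size_t p = body + fixed;
            if (!read_cstring(d, p, fend, f.description)) { r.error = "unterminated description in " + id; return r; }
            f.text.assign(reinterpret_cast<const char*>(d + p), fend - p);
            r.frames.push_back(f);
        }
        pos = fend;                    // skip frames this example does not interpret
    }
    r.ok = true;
    return r;
}

// Constructed sample data: a frame with a caller-chosen declared size, and a
// tag wrapping a list of frames in a correct ID3v2.3 header.
static std::vector<uint8_t> frame(const char* id, const std::vector<uint8_t>& payload, uint32_t declared) {
    std::vector<uint8_t> f(id, id + 4);
    f.insert(f.end(), {uint8_t(declared >> 24), uint8_t(declared >> 16), uint8_t(declared >> 8), uint8_t(declared), 0, 0});
    f.insert(f.end(), payload.begin(), payload.end());
    return f;
}
static std::vector<uint8_t> build_tag(const std::vector<std::vector<uint8_t>>& frames) {
    std::vector<uint8_t> body;
    for (const auto& f : frames) body.insert(body.end(), f.begin(), f.end());
    size_t n = body.size();
    std::vector<uint8_t> tag = {'I', 'D', '3', 3, 0, 0, uint8_t((n >> 21) & 0x7f),
                                uint8_t((n >> 14) & 0x7f), uint8_t((n >> 7) & 0x7f), uint8_t(n & 0x7f)};
    tag.insert(tag.end(), body.begin(), body.end());
    return tag;
}
// Well-formed: TXXX "rating"="5" and COMM (eng, empty description, "hello").
std::vector<uint8_t> sample_good_tag() {
    std::vector<uint8_t> txxx = {0, 'r', 'a', 't', 'i', 'n', 'g', 0, '5'};
    std::vector<uint8_t> comm = {0, 'e', 'n', 'g', 0, 'h', 'e', 'l', 'l', 'o'};
    return build_tag({frame("TXXX", txxx, uint32_t(txxx.size())), frame("COMM", comm, uint32_t(comm.size()))});
}
// Malformed: the COMM frame declares 0x7fffffff bytes but only 10 follow.
std::vector<uint8_t> sample_oversized_tag() {
    std::vector<uint8_t> comm = {0, 'e', 'n', 'g', 0, 'h', 'e', 'l', 'l', 'o'};
    return build_tag({frame("COMM", comm, 0x7fffffffu)});
}
// Malformed: a TXXX description with no NUL terminator inside the frame.
std::vector<uint8_t> sample_unterminated_tag() {
    std::vector<uint8_t> txxx = {0, 'r', 'a', 't', 'i', 'n', 'g'};
    return build_tag({frame("TXXX", txxx, uint32_t(txxx.size()))});
}
```

The two malformed samples are the shapes a fuzzer finds first in tag parsers: a frame size larger than the remaining tag, and a string field whose terminator is missing. Both are rejected before any byte beyond the buffer is touched; a parser that instead allocated or copied based on the declared size would read or write past the heap allocation, which is the bug class the advisory fixes.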
--------------------------------------------------------------------------------
ChangeLog:

* Thu Mar 19 2026 Milan Crha [mcrha@redhat.com] - 3.10.2-2
- Add patch for several CVEs:
- CVE-2026-1764 - Heap Buffer Overflow in GNOME localsearch MP3 Extractor
- CVE-2026-1765 - Heap Buffer Overflow in GNOME localsearch MP3 Extractor (TXXX Tags)
- CVE-2026-1766 - Heap Buffer Overflow in GNOME localsearch MP3 Extractor (ID3v2.3 COMM Tags)
- CVE-2026-1767 - Heap Buffer Overflow in GNOME localsearch MP3 Extractor
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2435995 - CVE-2026-1764 CVE-2026-1765 CVE-2026-1766 CVE-2026-1767 localsearch: various flaws [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2435995
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-ba6641558a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: xen-4.20.2-4.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-8ae1a1c3d7
2026-03-23 01:07:08.010775+00:00
--------------------------------------------------------------------------------

Name : xen
Product : Fedora 43
Version : 4.20.2
Release : 4.fc43
URL : http://xen.org/
Summary : Xen is a virtual machine monitor
Description :
This package contains the XenD daemon and xm command line
tools, needed to manage virtual machines running under the
Xen hypervisor.

--------------------------------------------------------------------------------
Update Information:

Use after free of paging structures in EPT [XSA-480, CVE-2026-23554]
Xenstored DoS by unprivileged domain [XSA-481, CVE-2026-23555]
--------------------------------------------------------------------------------
ChangeLog:

* Wed Mar 18 2026 Michael Young [m.a.young@durham.ac.uk] - 4.20.2-4
- Use after free of paging structures in EPT [XSA-480, CVE-2026-23554]
- Xenstored DoS by unprivileged domain [XSA-481, CVE-2026-23555]
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-8ae1a1c3d7' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: scitokens-cpp-1.4.1-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-52c99ecf64
2026-03-23 01:07:08.010689+00:00
--------------------------------------------------------------------------------

Name : scitokens-cpp
Product : Fedora 43
Version : 1.4.1
Release : 1.fc43
URL : https://github.com/scitokens/scitokens-cpp
Summary : C++ Implementation of the SciTokens Library
Description :
C++ Implementation of the SciTokens Library

--------------------------------------------------------------------------------
Update Information:

Fix scope path boundary validation to deny sibling-prefix authorization bypasses
Reject parent-directory traversal in scope paths, including encoded traversal forms
Add regression tests covering sibling-prefix and traversal authorization checks
--------------------------------------------------------------------------------
ChangeLog:

* Fri Mar 13 2026 Derek Weitzel [dweitzel@unl.edu] - 1.4.1-1
- Fix scope path boundary validation to deny sibling-prefix authorization bypasses
- Reject parent-directory traversal in scope paths, including encoded traversal forms
- Add regression tests covering sibling-prefix and traversal authorization checks
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-52c99ecf64' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 42 Update: scitokens-cpp-1.4.1-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-a6d1791c49
2026-03-23 00:54:11.125976+00:00
--------------------------------------------------------------------------------

Name : scitokens-cpp
Product : Fedora 42
Version : 1.4.1
Release : 1.fc42
URL : https://github.com/scitokens/scitokens-cpp
Summary : C++ Implementation of the SciTokens Library
Description :
C++ Implementation of the SciTokens Library

--------------------------------------------------------------------------------
Update Information:

Fix scope path boundary validation to deny sibling-prefix authorization bypasses
Reject parent-directory traversal in scope paths, including encoded traversal forms
Add regression tests covering sibling-prefix and traversal authorization checks
--------------------------------------------------------------------------------
ChangeLog:

* Fri Mar 13 2026 Derek Weitzel [dweitzel@unl.edu] - 1.4.1-1
- Fix scope path boundary validation to deny sibling-prefix authorization bypasses
- Reject parent-directory traversal in scope paths, including encoded traversal forms
- Add regression tests covering sibling-prefix and traversal authorization checks
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-a6d1791c49' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: scitokens-cpp-1.4.1-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-176625c3fc
2026-03-23 00:15:11.960107+00:00
--------------------------------------------------------------------------------

Name : scitokens-cpp
Product : Fedora 44
Version : 1.4.1
Release : 1.fc44
URL : https://github.com/scitokens/scitokens-cpp
Summary : C++ Implementation of the SciTokens Library
Description :
C++ Implementation of the SciTokens Library

--------------------------------------------------------------------------------
Update Information:

Fix scope path boundary validation to deny sibling-prefix authorization bypasses
Reject parent-directory traversal in scope paths, including encoded traversal forms
Add regression tests covering sibling-prefix and traversal authorization checks
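The Fedora 43 and Fedora 42 notices above and this one describe the same two fixes. The following is an added illustration, not scitokens-cpp's own code or API, of what such checks look like: the flawed raw-prefix comparison that lets a scope for /data/proj reach the sibling /data/project, beside a boundary check that only matches at a path-segment boundary and refuses parent-directory traversal in either path. Traversal is detected after repeated percent-decoding, so encoded forms such as %2e%2e and double-encoded %252e%252e are caught as well. The function names, the handling of trailing slashes, and treating "/" as a root scope are this example's assumptions.

```cpp
// Added example, not scitokens-cpp's code: scope-path boundary validation of
// the kind the advisory describes. A scope path such as "/data/proj" must
// authorize "/data/proj" and everything below it, and nothing else.
#include <cctype>
#include <string>
#include <vector>

// Decode %XX escapes once; malformed escapes are left untouched.
std::string percent_decode(const std::string& s) {
    std::string out;
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] == '%' && i + 2 < s.size() &&
            std::isxdigit(static_cast<unsigned char>(s[i + 1])) &&
            std::isxdigit(static_cast<unsigned char>(s[i + 2]))) {
            out.push_back(static_cast<char>(std::stoi(s.substr(i + 1, 2), nullptr, 16)));
            i += 2;
        } else {
            out.push_back(s[i]);
        }
    }
    return out;
}

// Split on '/', dropping empty segments (so "//" and trailing '/' are harmless).
std::vector<std::string> segments(const std::string& path) {
    std::vector<std::string> segs;
    std::string cur;
    for (char c : path) {
        if (c == '/') { if (!cur.empty()) segs.push_back(cur); cur.clear(); }
        else cur.push_back(c);
    }
    if (!cur.empty()) segs.push_back(cur);
    return segs;
}

// True if any segment is ".." once percent-encoding has been peeled off.
// Decoding is repeated (bounded) so that a double-encoded "%252e%252e"
// is recognised as well as "%2e%2e", ".%2e" or "%2E.".
bool has_parent_traversal(const std::string& path) {
    std::string p = path;
    for (int round = 0; round < 3; ++round) {
        std::string decoded = percent_decode(p);
        if (decoded == p) break;
        p = decoded;
    }
    for (const auto& seg : segments(p))
        if (seg == "..") return true;
    return false;
}

// Strip trailing slashes but keep the root "/".
static std::string trim_trailing_slashes(std::string p) {
    while (p.size() > 1 && p.back() == '/') p.pop_back();
    return p;
}

// The flawed check: a raw string-prefix comparison. "/data/proj" is a prefix
// of "/data/project/file", so a token scoped to "proj" reaches its sibling.
bool naive_prefix_authorizes(const std::string& scope, const std::string& requested) {
    return requested.compare(0, scope.size(), scope) == 0;
}

// Hardened check: absolute paths only, no traversal in either path, and a
// prefix match counts only when it ends exactly at a '/' segment boundary.
bool scope_path_authorizes(const std::string& scope_path, const std::string& requested) {
    if (scope_path.empty() || scope_path[0] != '/') return false;
    if (requested.empty() || requested[0] != '/') return false;
    if (has_parent_traversal(scope_path) || has_parent_traversal(requested)) return false;
    std::string scope = trim_trailing_slashes(scope_path);
    std::string req = trim_trailing_slashes(requested);
    if (scope == "/") return true;   // root scope covers the whole tree
    if (req == scope) return true;   // exact match
    return req.size() > scope.size() &&
           req.compare(0, scope.size(), scope) == 0 &&
           req[scope.size()] == '/'; // next character must start a new segment
}
```

The regression tests the changelog mentions would, in this shape, pin down exactly the pairs that differ between the two functions: the sibling prefix "/data/proj" versus "/data/project/file" must be denied, while "/data/proj/file" and the trailing-slash variant "/data/proj/" remain allowed, and any "..", "%2e%2e" or "%252e%252e" segment in either the scope or the requested path is refused outright.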
--------------------------------------------------------------------------------
ChangeLog:

* Fri Mar 13 2026 Derek Weitzel [dweitzel@unl.edu] - 1.4.1-1
- Fix scope path boundary validation to deny sibling-prefix authorization bypasses
- Reject parent-directory traversal in scope paths, including encoded traversal forms
- Add regression tests covering sibling-prefix and traversal authorization checks
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-176625c3fc' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

