
Fedora has released a batch of security patches across versions 42, 43, and 44 to address multiple critical vulnerabilities in widely used software packages. These advisories target essential tools like Nginx, Python, BIND DNS server, and libpng by fixing issues that could otherwise lead to remote code execution or denial of service attacks.

Fedora 44 Update: mingw-python3-3.11.15-2.fc44
Fedora 44 Update: mapserver-8.6.1-1.fc44
Fedora 44 Update: mingw-libpng-1.6.56-1.fc44
Fedora 44 Update: rust-sccache-0.14.0-2.fc44
Fedora 44 Update: tcpflow-1.6.2-0.1.8d47b53.fc44
Fedora 44 Update: libgsasl-1.10.0-15.fc44
Fedora 44 Update: python3.9-3.9.25-7.fc44
Fedora 44 Update: openbao-2.5.2-1.fc44
Fedora 44 Update: bind9-next-9.21.20-1.fc44
Fedora 44 Update: nginx-mod-vts-0.2.4-7.fc44
Fedora 44 Update: nginx-mod-brotli-1.0.0~rc-7.fc44
Fedora 44 Update: nginx-mod-fancyindex-0.6.0-2.fc44
Fedora 44 Update: nginx-1.28.3-1.fc44
Fedora 44 Update: nginx-mod-naxsi-1.6-15.fc44
Fedora 44 Update: nginx-mod-modsecurity-1.0.4-8.fc44
Fedora 44 Update: nginx-mod-headers-more-0.39-7.fc44
Fedora 44 Update: libarchive-3.8.6-1.fc44
Fedora 44 Update: bpfman-0.5.4-7.fc44
Fedora 43 Update: coturn-4.10.0-1.fc43
Fedora 43 Update: opam-2.5.1-1.fc43
Fedora 43 Update: tigervnc-1.16.2-2.fc43
Fedora 42 Update: opam-2.5.1-1.fc42
Fedora 42 Update: coturn-4.10.0-1.fc42
Fedora 42 Update: minetest-5.15.2-1.fc42
Fedora 42 Update: tigervnc-1.16.2-2.fc42



[SECURITY] Fedora 44 Update: mingw-python3-3.11.15-2.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-3d13d52f58
2026-04-25 01:21:36.171100+00:00
--------------------------------------------------------------------------------

Name : mingw-python3
Product : Fedora 44
Version : 3.11.15
Release : 2.fc44
URL : https://www.python.org/
Summary : MinGW Windows python3
Description :
MinGW Windows python3

--------------------------------------------------------------------------------
Update Information:

Update to python-3.11.15, backport fixes for CVE-2026-4519, CVE-2026-3644,
CVE-2026-4224, CVE-2026-2297
Update to python-3.11.15.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Mar 27 2026 Sandro Mani [manisandro@gmail.com] - 3.11.15-2
- Backport fixes for CVE-2026-4519, CVE-2026-3644, CVE-2026-4224
* Fri Mar 27 2026 Sandro Mani [manisandro@gmail.com] - 3.11.15-1
- Update to 3.11.15
- Backport fix for CVE-2026-2297
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2444702 - CVE-2026-2297 mingw-python3: CPython: Logging Bypass in Legacy .pyc File Handling [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2444702
[ 2 ] Bug #2448186 - CVE-2026-3644 mingw-python3: Incomplete control character validation in http.cookies [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2448186
[ 3 ] Bug #2448202 - CVE-2026-4224 mingw-python3: Stack overflow parsing XML with deeply nested DTD content models [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2448202
[ 4 ] Bug #2449725 - CVE-2026-4519 mingw-python3: Python: Command-line option injection in webbrowser.open() via crafted URLs [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449725
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-3d13d52f58' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: mapserver-8.6.1-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-b5a2da2c73
2026-04-25 01:21:36.171079+00:00
--------------------------------------------------------------------------------

Name : mapserver
Product : Fedora 44
Version : 8.6.1
Release : 1.fc44
URL : https://mapserver.org
Summary : Platform for publishing spatial data and interactive mapping applications to the web
Description :
MapServer is an Open Source platform for publishing spatial data and
interactive mapping applications to the web.

--------------------------------------------------------------------------------
Update Information:

Update to mapserver 8.6.1.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Mar 27 2026 Sandro Mani [manisandro@gmail.com] - 8.6.1-1
- Update to 8.6.1
* Sun Jan 25 2026 Elliott Sales de Andrade [quantum.analyst@gmail.com] - 8.6.0-4
- Drop support for i686
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2452126 - CVE-2026-33721 mapserver: MapServer: Denial of Service via crafted Styled Layer Descriptor [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452126
[ 2 ] Bug #2452127 - CVE-2026-33721 mapserver: MapServer: Denial of Service via crafted Styled Layer Descriptor [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452127
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-b5a2da2c73' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: mingw-libpng-1.6.56-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-c33aec93da
2026-04-25 01:21:36.171073+00:00
--------------------------------------------------------------------------------

Name : mingw-libpng
Product : Fedora 44
Version : 1.6.56
Release : 1.fc44
URL : http://www.libpng.org/pub/png/
Summary : MinGW Windows Libpng library
Description :
MinGW Windows Libpng library.

--------------------------------------------------------------------------------
Update Information:

Update to libpng-1.6.56.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Mar 27 2026 Sandro Mani [manisandro@gmail.com] - 1.6.56-1
- Update to 1.6.56
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2452119 - CVE-2026-33636 mingw-libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2452119
[ 2 ] Bug #2452132 - CVE-2026-33636 mingw-libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2452132
[ 3 ] Bug #2452147 - CVE-2026-33416 mingw-libpng: libpng: Arbitrary code execution due to use-after-free vulnerability [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2452147
[ 4 ] Bug #2452158 - CVE-2026-33416 mingw-libpng: libpng: Arbitrary code execution due to use-after-free vulnerability [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2452158
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-c33aec93da' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: rust-sccache-0.14.0-2.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-aef1b21b9c
2026-04-25 01:21:36.171050+00:00
--------------------------------------------------------------------------------

Name : rust-sccache
Product : Fedora 44
Version : 0.14.0
Release : 2.fc44
URL : https://crates.io/crates/sccache
Summary : Sccache is a ccache-like tool
Description :
Sccache is a ccache-like tool. It is used as a compiler wrapper and
avoids compilation when possible. Sccache has the capability to utilize
caching in remote storage environments, including various cloud storage
options, or alternatively, in local storage.

--------------------------------------------------------------------------------
Update Information:

Update to version 0.14.0
Rebuilt with rust-tar 0.4.45 for CVE-2026-33056
--------------------------------------------------------------------------------
ChangeLog:

* Thu Mar 26 2026 Andreas Schneider [asn@redhat.com] - 0.14.0-1
- Update to version 0.14.0
* Mon Mar 23 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.13.0-4
- Rebuilt with rust-tar 0.4.45 for CVE-2026-33056
- Restore binary package License expression, lost in a previous update
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2438014 - rust-sccache-0.14.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2438014
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-aef1b21b9c' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: tcpflow-1.6.2-0.1.8d47b53.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-3efb70d4da
2026-04-25 01:21:36.171036+00:00
--------------------------------------------------------------------------------

Name : tcpflow
Product : Fedora 44
Version : 1.6.2
Release : 0.1.8d47b53.fc44
URL : https://github.com/simsong/tcpflow
Summary : Network traffic recorder
Description :
tcpflow is a program that captures data transmitted as part of TCP
connections (flows), and stores the data in a way that is convenient
for protocol analysis or debugging. A program like 'tcpdump' shows a
summary of packets seen on the wire, but usually doesn't store the
data that's actually being transmitted. In contrast, tcpflow
reconstructs the actual data streams and stores each flow in a
separate file for later analysis.

--------------------------------------------------------------------------------
Update Information:

The update fixes CVE-2026-25061
--------------------------------------------------------------------------------
ChangeLog:

* Thu Mar 26 2026 Terje Røsten [terjeros@gmail.com] - 1.6.2-0.1.8d47b53
- Update to 1.6.2 / 8d47b53 to fix CVE-2026-25061
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2435430 - CVE-2026-25061 tcpflow: tcpflow TIM Element OOB Write [epel-8]
https://bugzilla.redhat.com/show_bug.cgi?id=2435430
[ 2 ] Bug #2435431 - CVE-2026-25061 tcpflow: tcpflow TIM Element OOB Write [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2435431
[ 3 ] Bug #2435432 - CVE-2026-25061 tcpflow: tcpflow TIM Element OOB Write [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2435432
[ 4 ] Bug #2435433 - CVE-2026-25061 tcpflow: tcpflow TIM Element OOB Write [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2435433
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-3efb70d4da' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: libgsasl-1.10.0-15.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-5868a8d652
2026-04-25 01:21:36.171025+00:00
--------------------------------------------------------------------------------

Name : libgsasl
Product : Fedora 44
Version : 1.10.0
Release : 15.fc44
URL : https://www.gnu.org/software/gsasl/
Summary : GNU SASL library
Description :
The library includes support for the SASL framework
and at least partial support for the CRAM-MD5, EXTERNAL,
GSSAPI, ANONYMOUS, PLAIN, SECURID, DIGEST-MD5, LOGIN,
and NTLM mechanisms.

--------------------------------------------------------------------------------
Update Information:

GSSAPI server: Boundary check gss_wrap token (read OOB)
--------------------------------------------------------------------------------
ChangeLog:

* Thu Mar 26 2026 Peter Lemenkov [lemenkov@gmail.com] - 1.10.0-15
- Fix CVE-2022-2469
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2451759 - CVE-2022-2469 libgsasl: Out of bounds read causes DoS [fedora-44]
https://bugzilla.redhat.com/show_bug.cgi?id=2451759
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-5868a8d652' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: python3.9-3.9.25-7.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f7b3ebe324
2026-04-25 01:21:36.171010+00:00
--------------------------------------------------------------------------------

Name : python3.9
Product : Fedora 44
Version : 3.9.25
Release : 7.fc44
URL : https://www.python.org/
Summary : Version 3.9 of the Python interpreter
Description :
Python 3.9 is an accessible, high-level, dynamically typed, interpreted
programming language, designed with an emphasis on code readability.
It includes an extensive standard library, and has a vast ecosystem of
third-party libraries.

The python3.9 package provides the "python3.9" executable: the reference
interpreter for the Python language, version 3.
The majority of its standard library is provided in the python3.9-libs package,
which should be installed automatically along with python3.9.
The remaining parts of the Python standard library are broken out into the
python3.9-tkinter and python3.9-test packages, which may need to be installed
separately.

Documentation for Python is provided in the python3.9-docs package.

Packages containing additional libraries for Python are generally named with
the "python3.9-" prefix.

--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2026-4519.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Mar 26 2026 Lumír Balhar [lbalhar@redhat.com] - 3.9.25-7
- Security fix for CVE-2026-4519 (rhbz#2449735)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2449735 - CVE-2026-4519 python3.9: Python: Command-line option injection in webbrowser.open() via crafted URLs [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449735
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f7b3ebe324' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: openbao-2.5.2-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-bb074cb239
2026-04-25 01:21:36.170948+00:00
--------------------------------------------------------------------------------

Name : openbao
Product : Fedora 44
Version : 2.5.2
Release : 1.fc44
URL : https://openbao.org
Summary : A tool for securely accessing secrets
Description :
Openbao secures, stores, and tightly controls access to tokens, passwords,
certificates, API keys, and other secrets in modern computing. Openbao handles
leasing, key revocation, key rolling, and auditing. Through a unified API, users
can access an encrypted Key/Value store and network encryption-as-a-service, or
generate AWS IAM/STS credentials, SQL/NoSQL databases, X.509 certificates, SSH
credentials, and more.

--------------------------------------------------------------------------------
Update Information:

Update to upstream 2.5.2, including fixes for CVE-2026-33757 and CVE-2026-33758
--------------------------------------------------------------------------------
ChangeLog:

* Wed Mar 25 2026 Dave Dykstra - 2.5.2-1
- update to upstream 2.5.2
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2452352 - CVE-2026-33757 openbao: lack of user confirmation for OpenBao OIDC direct callback mode [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452352
[ 2 ] Bug #2452355 - CVE-2026-33758 openbao: reflected XSS in OpenBao OIDC authentication error message [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452355
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-bb074cb239' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: bind9-next-9.21.20-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-01c20fe8ca
2026-04-25 01:21:36.170941+00:00
--------------------------------------------------------------------------------

Name : bind9-next
Product : Fedora 44
Version : 9.21.20
Release : 1.fc44
URL : https://www.isc.org/downloads/bind/
Summary : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
Description :
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
(Domain Name System) protocols. BIND includes a DNS server (named),
which resolves host names to IP addresses; a resolver library
(routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating properly.

--------------------------------------------------------------------------------
Update Information:

Update to 9.21.20 (rhbz#2440560)
Security Fixes:
Fix unbounded NSEC3 iterations when validating referrals to unsigned
delegations. (CVE-2026-1519)
Fix memory leaks in code preparing DNSSEC proofs of non-existence.
(CVE-2026-3104)
Prevent a crash in code processing queries containing a TKEY record.
(CVE-2026-3119)
Fix a stack use-after-return flaw in SIG(0) handling code. (CVE-2026-3591)
New Features:
Provide response round-trip time (RTT) counters via statistics channel.
Introduce max-delegation-servers configuration option.
Bug Fixes:
Fix parsing key inactivation time in KASP code.
Fix the handling of key statements defined inside views.
Update to 9.21.19
Security Fixes:
Fix a use-after-free error in dns_client_resolve() triggered by a DNAME
response.
Fix a NULL pointer dereference in qp-trie cache code.
Immediately remove purged ADB names and entries from the SIEVE list.
Feature Changes:
Record query time for all dnstap responses.
Optimize TCP source port selection on Linux.
and multiple bug fixes.
Update to 9.21.18
Feature Changes:
Enable minimal ANY answers by default.
Lowercase the NSEC Next Domain Name field.
Update requirements for system test suite.
Bug Fixes:
Make catalog zone names and member zones' entry names case-insensitive. [GL #5693]
Fix implementation of BRID and HHIT record types. [GL #5710]
Fix implementation of DSYNC record type. [GL #5711]
Fix response policy and catalog zones to work with $INCLUDE directive.
Source:
https://downloads.isc.org/isc/bind9/9.21.20/doc/arm/html/notes.html#notes-for-bind-9-21-20
--------------------------------------------------------------------------------
ChangeLog:

* Wed Mar 25 2026 Petr Menšík [pemensik@redhat.com] - 32:9.21.20-1
- Update to 9.21.20 (rhbz#2440560)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2440560 - bind9-next-9.21.20 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2440560
[ 2 ] Bug #2451573 - CVE-2026-3591 bind9-next: BIND: Unauthorized access due to use-after-return vulnerability in DNS query handling [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2451573
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-01c20fe8ca' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: nginx-mod-vts-0.2.4-7.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-4de4d247a0
2026-04-25 01:21:36.170930+00:00
--------------------------------------------------------------------------------

Name : nginx-mod-vts
Product : Fedora 44
Version : 0.2.4
Release : 7.fc44
URL : https://github.com/vozlt/nginx-module-vts
Summary : Nginx virtual host traffic status module
Description :
Nginx virtual host traffic status module.

--------------------------------------------------------------------------------
Update Information:

nginx-mod-brotli:
Rebuild for 1.28.3
nginx-mod-fancyindex:
Rebuild for 1.28.3
nginx-mod-naxsi:
Rebuild for 1.28.3
nginx-mod-headers-more:
Rebuild for 1.28.3
nginx-mod-vts:
Rebuild for 1.28.3
nginx-mod-modsecurity:
Rebuild for 1.28.3
nginx:
Update to 1.28.3
fixes CVE-2026-27654, CVE-2026-27784, CVE-2026-32647, CVE-2026-27651,
CVE-2026-28753, CVE-2026-28755
--------------------------------------------------------------------------------
ChangeLog:

* Wed Mar 25 2026 Felix Kaechele [felix@kaechele.ca] - 0.2.4-7
- Rebuild for 1.28.3
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2372546 - Use `systemctl kill` in logrotate postrotate script
https://bugzilla.redhat.com/show_bug.cgi?id=2372546
[ 2 ] Bug #2393382 - nginx-upgrade: Support custom PID and config file locations
https://bugzilla.redhat.com/show_bug.cgi?id=2393382
[ 3 ] Bug #2413647 - The default server (i.e. _) is not the default server
https://bugzilla.redhat.com/show_bug.cgi?id=2413647
[ 4 ] Bug #2445461 - RFE: please enable the geoip module
https://bugzilla.redhat.com/show_bug.cgi?id=2445461
[ 5 ] Bug #2450834 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450834
[ 6 ] Bug #2450837 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450837
[ 7 ] Bug #2450838 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450838
[ 8 ] Bug #2450839 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450839
[ 9 ] Bug #2450840 - CVE-2026-27784 nginx: NGINX: Denial of Service due to memory corruption via crafted MP4 file [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450840
[ 10 ] Bug #2450842 - CVE-2026-28753 nginx: NGINX Plus and NGINX Open Source: Request manipulation via header injection in SMTP upstream requests [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450842
[ 11 ] Bug #2450844 - CVE-2026-28755 nginx: NGINX: Certificate revocation bypass when OCSP is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450844
[ 12 ] Bug #2450849 - CVE-2026-27654 nginx: NGINX: Denial of Service or file modification via buffer overflow in ngx_http_dav_module [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450849
[ 13 ] Bug #2452220 - CVE-2026-32647 nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452220
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-4de4d247a0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: nginx-mod-brotli-1.0.0~rc-7.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-4de4d247a0
2026-04-25 01:21:36.170930+00:00
--------------------------------------------------------------------------------

Name : nginx-mod-brotli
Product : Fedora 44
Version : 1.0.0~rc
Release : 7.fc44
URL : https://github.com/google/ngx_brotli
Summary : NGINX module for Brotli compression
Description :
NGINX module for Brotli compression.

--------------------------------------------------------------------------------
Update Information:

nginx-mod-brotli:
Rebuild for 1.28.3
nginx-mod-fancyindex:
Rebuild for 1.28.3
nginx-mod-naxsi:
Rebuild for 1.28.3
nginx-mod-headers-more:
Rebuild for 1.28.3
nginx-mod-vts:
Rebuild for 1.28.3
nginx-mod-modsecurity:
Rebuild for 1.28.3
nginx:
Update to 1.28.3
fixes CVE-2026-27654, CVE-2026-27784, CVE-2026-32647, CVE-2026-27651,
CVE-2026-28753, CVE-2026-28755
--------------------------------------------------------------------------------
ChangeLog:

* Wed Mar 25 2026 Felix Kaechele [felix@kaechele.ca] - 1.0.0~rc-7
- Rebuild for 1.28.3
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2372546 - Use `systemctl kill` in logrotate postrotate script
https://bugzilla.redhat.com/show_bug.cgi?id=2372546
[ 2 ] Bug #2393382 - nginx-upgrade: Support custom PID and config file locations
https://bugzilla.redhat.com/show_bug.cgi?id=2393382
[ 3 ] Bug #2413647 - The default server (i.e. _) is not the default server
https://bugzilla.redhat.com/show_bug.cgi?id=2413647
[ 4 ] Bug #2445461 - RFE: please enable the geoip module
https://bugzilla.redhat.com/show_bug.cgi?id=2445461
[ 5 ] Bug #2450834 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450834
[ 6 ] Bug #2450837 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450837
[ 7 ] Bug #2450838 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450838
[ 8 ] Bug #2450839 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450839
[ 9 ] Bug #2450840 - CVE-2026-27784 nginx: NGINX: Denial of Service due to memory corruption via crafted MP4 file [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450840
[ 10 ] Bug #2450842 - CVE-2026-28753 nginx: NGINX Plus and NGINX Open Source: Request manipulation via header injection in SMTP upstream requests [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450842
[ 11 ] Bug #2450844 - CVE-2026-28755 nginx: NGINX: Certificate revocation bypass when OCSP is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450844
[ 12 ] Bug #2450849 - CVE-2026-27654 nginx: NGINX: Denial of Service or file modification via buffer overflow in ngx_http_dav_module [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450849
[ 13 ] Bug #2452220 - CVE-2026-32647 nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452220
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-4de4d247a0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: nginx-mod-fancyindex-0.6.0-2.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-4de4d247a0
2026-04-25 01:21:36.170930+00:00
--------------------------------------------------------------------------------

Name : nginx-mod-fancyindex
Product : Fedora 44
Version : 0.6.0
Release : 2.fc44
URL : https://github.com/aperezdc/ngx-fancyindex
Summary : Nginx FancyIndex module
Description :
The Fancy Index module makes possible the generation of file listings,
like the built-in autoindex module does, but adding a touch of style.
This is possible because the module allows a certain degree of
customization of the generated content:

* Custom headers. Either local or stored remotely.
* Custom footers. Either local or stored remotely.
* Add your own CSS style rules.
* Allow choosing to sort elements by name (default),
modification time, or size; both ascending (default),
or descending.

--------------------------------------------------------------------------------
Update Information:

nginx-mod-brotli:
Rebuild for 1.28.3
nginx-mod-fancyindex:
Rebuild for 1.28.3
nginx-mod-naxsi:
Rebuild for 1.28.3
nginx-mod-headers-more:
Rebuild for 1.28.3
nginx-mod-vts:
Rebuild for 1.28.3
nginx-mod-modsecurity:
Rebuild for 1.28.3
nginx:
Update to 1.28.3
fixes CVE-2026-27654, CVE-2026-27784, CVE-2026-32647, CVE-2026-27651,
CVE-2026-28753, CVE-2026-28755
--------------------------------------------------------------------------------
ChangeLog:

* Wed Mar 25 2026 Felix Kaechele [felix@kaechele.ca] - 0.6.0-2
- Rebuild for 1.28.3
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2372546 - Use `systemctl kill` in logrotate postrotate script
https://bugzilla.redhat.com/show_bug.cgi?id=2372546
[ 2 ] Bug #2393382 - nginx-upgrade: Support custom PID and config file locations
https://bugzilla.redhat.com/show_bug.cgi?id=2393382
[ 3 ] Bug #2413647 - The default server (i.e. _) is not the default server
https://bugzilla.redhat.com/show_bug.cgi?id=2413647
[ 4 ] Bug #2445461 - RFE: please enable the geoip module
https://bugzilla.redhat.com/show_bug.cgi?id=2445461
[ 5 ] Bug #2450834 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450834
[ 6 ] Bug #2450837 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450837
[ 7 ] Bug #2450838 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450838
[ 8 ] Bug #2450839 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450839
[ 9 ] Bug #2450840 - CVE-2026-27784 nginx: NGINX: Denial of Service due to memory corruption via crafted MP4 file [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450840
[ 10 ] Bug #2450842 - CVE-2026-28753 nginx: NGINX Plus and NGINX Open Source: Request manipulation via header injection in SMTP upstream requests [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450842
[ 11 ] Bug #2450844 - CVE-2026-28755 nginx: NGINX: Certificate revocation bypass when OCSP is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450844
[ 12 ] Bug #2450849 - CVE-2026-27654 nginx: NGINX: Denial of Service or file modification via buffer overflow in ngx_http_dav_module [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450849
[ 13 ] Bug #2452220 - CVE-2026-32647 nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452220
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-4de4d247a0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: nginx-1.28.3-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-4de4d247a0
2026-04-25 01:21:36.170930+00:00
--------------------------------------------------------------------------------

Name : nginx
Product : Fedora 44
Version : 1.28.3
Release : 1.fc44
URL : https://nginx.org
Summary : A high performance web server and reverse proxy server
Description :
Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and
IMAP protocols, with a strong focus on high concurrency, performance and low
memory usage.

--------------------------------------------------------------------------------
Update Information:

nginx-mod-brotli:
Rebuild for 1.28.3
nginx-mod-fancyindex:
Rebuild for 1.28.3
nginx-mod-naxsi:
Rebuild for 1.28.3
nginx-mod-headers-more:
Rebuild for 1.28.3
nginx-mod-vts:
Rebuild for 1.28.3
nginx-mod-modsecurity:
Rebuild for 1.28.3
nginx:
Update to 1.28.3
fixes CVE-2026-27654, CVE-2026-27784, CVE-2026-32647, CVE-2026-27651,
CVE-2026-28753, CVE-2026-28755
--------------------------------------------------------------------------------
ChangeLog:

* Wed Mar 25 2026 Felix Kaechele [felix@kaechele.ca] - 2:1.28.3-1
- Update to 1.28.3
- fixes CVE-2026-27654, CVE-2026-27784, CVE-2026-32647, CVE-2026-27651,
CVE-2026-28753, CVE-2026-28755
* Wed Mar 25 2026 Felix Kaechele [felix@kaechele.ca] - 2:1.28.2-9
- Spec file and macro cleanups
- move some files into the packages that have the dependencies they rely on
(e.g. systemd, logrotate are not present in nginx-core, so don't install
files pertaining to them there)
- remove unused LDFLAGS and DESTDIR overrides, for perl we patch the
Makefile.PL already
- use zlib-ng-devel dependency also in nginx-mod-devel
- improve macro consistency
- sync configure command in macros.nginxmods.in with main package
* Wed Mar 25 2026 Felix Kaechele [felix@kaechele.ca] - 2:1.28.2-8
- Use systemctl kill in logrotate postrotate script
* Wed Mar 25 2026 Felix Kaechele [felix@kaechele.ca] - 2:1.28.2-7
- Use file triggers to reload dynamic modules upon upgrade
* Wed Mar 25 2026 Felix Kaechele [felix@kaechele.ca] - 2:1.28.2-6
- Rewrite nginx-upgrade to support instances
* Wed Mar 25 2026 Felix Kaechele [felix@kaechele.ca] - 2:1.28.2-5
- Move modular configuration file include after default host
- fixes rhbz#2413647
* Wed Mar 25 2026 Felix Kaechele [felix@kaechele.ca] - 2:1.28.2-4
- Fix RHEL 8 & 9 compatibility
- Fix SSL passphrase dialog patch when used with OpenSSL < 3 (EL8 w/o EPEL)
- Build now works with and without EPEL enabled
* Wed Mar 25 2026 Felix Kaechele [felix@kaechele.ca] - 2:1.28.2-3
- Build GeoIP module by default on Fedora and EPEL8
- fixes rhbz#2445461
* Thu Mar 5 2026 Timothée Ravier [tim@siosm.fr] - 2:1.28.2-2
- Move ABI 'Provides' to the core sub package
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2372546 - Use `systemctl kill` in logrotate postrotate script
https://bugzilla.redhat.com/show_bug.cgi?id=2372546
[ 2 ] Bug #2393382 - nginx-upgrade: Support custom PID and config file locations
https://bugzilla.redhat.com/show_bug.cgi?id=2393382
[ 3 ] Bug #2413647 - The default server (i.e. _) is not the default server
https://bugzilla.redhat.com/show_bug.cgi?id=2413647
[ 4 ] Bug #2445461 - RFE: please enable the geoip module
https://bugzilla.redhat.com/show_bug.cgi?id=2445461
[ 5 ] Bug #2450834 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450834
[ 6 ] Bug #2450837 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450837
[ 7 ] Bug #2450838 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450838
[ 8 ] Bug #2450839 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450839
[ 9 ] Bug #2450840 - CVE-2026-27784 nginx: NGINX: Denial of Service due to memory corruption via crafted MP4 file [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450840
[ 10 ] Bug #2450842 - CVE-2026-28753 nginx: NGINX Plus and NGINX Open Source: Request manipulation via header injection in SMTP upstream requests [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450842
[ 11 ] Bug #2450844 - CVE-2026-28755 nginx: NGINX: Certificate revocation bypass when OCSP is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450844
[ 12 ] Bug #2450849 - CVE-2026-27654 nginx: NGINX: Denial of Service or file modification via buffer overflow in ngx_http_dav_module [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450849
[ 13 ] Bug #2452220 - CVE-2026-32647 nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452220
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-4de4d247a0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: nginx-mod-naxsi-1.6-15.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-4de4d247a0
2026-04-25 01:21:36.170930+00:00
--------------------------------------------------------------------------------

Name : nginx-mod-naxsi
Product : Fedora 44
Version : 1.6
Release : 15.fc44
URL : https://github.com/wargio/naxsi
Summary : nginx web application firewall module
Description :
naxsi is an nginx module that provides score based Web Application Firewall
(WAF) abilities in a highly granular fashion.

--------------------------------------------------------------------------------
Update Information:

nginx-mod-brotli:
Rebuild for 1.28.3
nginx-mod-fancyindex:
Rebuild for 1.28.3
nginx-mod-naxsi:
Rebuild for 1.28.3
nginx-mod-headers-more:
Rebuild for 1.28.3
nginx-mod-vts:
Rebuild for 1.28.3
nginx-mod-modsecurity:
Rebuild for 1.28.3
nginx:
Update to 1.28.3
fixes CVE-2026-27654, CVE-2026-27784, CVE-2026-32647, CVE-2026-27651,
CVE-2026-28753, CVE-2026-28755
--------------------------------------------------------------------------------
ChangeLog:

* Wed Mar 25 2026 Felix Kaechele [felix@kaechele.ca] - 1.6-15
- Rebuild for 1.28.3
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2372546 - Use `systemctl kill` in logrotate postrotate script
https://bugzilla.redhat.com/show_bug.cgi?id=2372546
[ 2 ] Bug #2393382 - nginx-upgrade: Support custom PID and config file locations
https://bugzilla.redhat.com/show_bug.cgi?id=2393382
[ 3 ] Bug #2413647 - The default server (i.e. _) is not the default server
https://bugzilla.redhat.com/show_bug.cgi?id=2413647
[ 4 ] Bug #2445461 - RFE: please enable the geoip module
https://bugzilla.redhat.com/show_bug.cgi?id=2445461
[ 5 ] Bug #2450834 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450834
[ 6 ] Bug #2450837 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450837
[ 7 ] Bug #2450838 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450838
[ 8 ] Bug #2450839 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450839
[ 9 ] Bug #2450840 - CVE-2026-27784 nginx: NGINX: Denial of Service due to memory corruption via crafted MP4 file [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450840
[ 10 ] Bug #2450842 - CVE-2026-28753 nginx: NGINX Plus and NGINX Open Source: Request manipulation via header injection in SMTP upstream requests [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450842
[ 11 ] Bug #2450844 - CVE-2026-28755 nginx: NGINX: Certificate revocation bypass when OCSP is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450844
[ 12 ] Bug #2450849 - CVE-2026-27654 nginx: NGINX: Denial of Service or file modification via buffer overflow in ngx_http_dav_module [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450849
[ 13 ] Bug #2452220 - CVE-2026-32647 nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452220
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-4de4d247a0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: nginx-mod-modsecurity-1.0.4-8.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-4de4d247a0
2026-04-25 01:21:36.170930+00:00
--------------------------------------------------------------------------------

Name : nginx-mod-modsecurity
Product : Fedora 44
Version : 1.0.4
Release : 8.fc44
URL : https://github.com/SpiderLabs/ModSecurity-nginx
Summary : ModSecurity v3 nginx connector
Description :
The ModSecurity-nginx connector is the connection point between nginx and
libmodsecurity (ModSecurity v3). Said another way, this project provides a
communication channel between nginx and libmodsecurity. This connector is
required to use LibModSecurity with nginx.

The ModSecurity-nginx connector takes the form of an nginx module. The module
simply serves as a layer of communication between nginx and ModSecurity

--------------------------------------------------------------------------------
Update Information:

nginx-mod-brotli:
Rebuild for 1.28.3
nginx-mod-fancyindex:
Rebuild for 1.28.3
nginx-mod-naxsi:
Rebuild for 1.28.3
nginx-mod-headers-more:
Rebuild for 1.28.3
nginx-mod-vts:
Rebuild for 1.28.3
nginx-mod-modsecurity:
Rebuild for 1.28.3
nginx:
Update to 1.28.3
fixes CVE-2026-27654, CVE-2026-27784, CVE-2026-32647, CVE-2026-27651,
CVE-2026-28753, CVE-2026-28755
--------------------------------------------------------------------------------
ChangeLog:

* Wed Mar 25 2026 Felix Kaechele [felix@kaechele.ca] - 1.0.4-8
- Rebuild for 1.28.3
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2372546 - Use `systemctl kill` in logrotate postrotate script
https://bugzilla.redhat.com/show_bug.cgi?id=2372546
[ 2 ] Bug #2393382 - nginx-upgrade: Support custom PID and config file locations
https://bugzilla.redhat.com/show_bug.cgi?id=2393382
[ 3 ] Bug #2413647 - The default server (i.e. _) is not the default server
https://bugzilla.redhat.com/show_bug.cgi?id=2413647
[ 4 ] Bug #2445461 - RFE: please enable the geoip module
https://bugzilla.redhat.com/show_bug.cgi?id=2445461
[ 5 ] Bug #2450834 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450834
[ 6 ] Bug #2450837 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450837
[ 7 ] Bug #2450838 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450838
[ 8 ] Bug #2450839 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450839
[ 9 ] Bug #2450840 - CVE-2026-27784 nginx: NGINX: Denial of Service due to memory corruption via crafted MP4 file [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450840
[ 10 ] Bug #2450842 - CVE-2026-28753 nginx: NGINX Plus and NGINX Open Source: Request manipulation via header injection in SMTP upstream requests [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450842
[ 11 ] Bug #2450844 - CVE-2026-28755 nginx: NGINX: Certificate revocation bypass when OCSP is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450844
[ 12 ] Bug #2450849 - CVE-2026-27654 nginx: NGINX: Denial of Service or file modification via buffer overflow in ngx_http_dav_module [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450849
[ 13 ] Bug #2452220 - CVE-2026-32647 nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452220
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-4de4d247a0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: nginx-mod-headers-more-0.39-7.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-4de4d247a0
2026-04-25 01:21:36.170930+00:00
--------------------------------------------------------------------------------

Name : nginx-mod-headers-more
Product : Fedora 44
Version : 0.39
Release : 7.fc44
URL : https://github.com/openresty/headers-more-nginx-module
Summary : This module allows adding, setting, or clearing specified input/output headers
Description :
This module allows adding, setting, or clearing specified input/output headers.

This is an enhanced version of the standard headers module because it provides
more utilities like resetting or clearing "builtin headers" like Content-Type,
Content-Length, and Server.

--------------------------------------------------------------------------------
Update Information:

nginx-mod-brotli:
Rebuild for 1.28.3
nginx-mod-fancyindex:
Rebuild for 1.28.3
nginx-mod-naxsi:
Rebuild for 1.28.3
nginx-mod-headers-more:
Rebuild for 1.28.3
nginx-mod-vts:
Rebuild for 1.28.3
nginx-mod-modsecurity:
Rebuild for 1.28.3
nginx:
Update to 1.28.3
fixes CVE-2026-27654, CVE-2026-27784, CVE-2026-32647, CVE-2026-27651,
CVE-2026-28753, CVE-2026-28755
--------------------------------------------------------------------------------
ChangeLog:

* Wed Mar 25 2026 Felix Kaechele [felix@kaechele.ca] - 0.39-7
- Rebuild for 1.28.3
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2372546 - Use `systemctl kill` in logrotate postrotate script
https://bugzilla.redhat.com/show_bug.cgi?id=2372546
[ 2 ] Bug #2393382 - nginx-upgrade: Support custom PID and config file locations
https://bugzilla.redhat.com/show_bug.cgi?id=2393382
[ 3 ] Bug #2413647 - The default server (i.e. _) is not the default server
https://bugzilla.redhat.com/show_bug.cgi?id=2413647
[ 4 ] Bug #2445461 - RFE: please enable the geoip module
https://bugzilla.redhat.com/show_bug.cgi?id=2445461
[ 5 ] Bug #2450834 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450834
[ 6 ] Bug #2450837 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450837
[ 7 ] Bug #2450838 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450838
[ 8 ] Bug #2450839 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450839
[ 9 ] Bug #2450840 - CVE-2026-27784 nginx: NGINX: Denial of Service due to memory corruption via crafted MP4 file [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450840
[ 10 ] Bug #2450842 - CVE-2026-28753 nginx: NGINX Plus and NGINX Open Source: Request manipulation via header injection in SMTP upstream requests [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450842
[ 11 ] Bug #2450844 - CVE-2026-28755 nginx: NGINX: Certificate revocation bypass when OCSP is enabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450844
[ 12 ] Bug #2450849 - CVE-2026-27654 nginx: NGINX: Denial of Service or file modification via buffer overflow in ngx_http_dav_module [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450849
[ 13 ] Bug #2452220 - CVE-2026-32647 nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452220
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-4de4d247a0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: libarchive-3.8.6-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-b42b8b1c00
2026-04-25 01:21:36.170872+00:00
--------------------------------------------------------------------------------

Name : libarchive
Product : Fedora 44
Version : 3.8.6
Release : 1.fc44
URL : https://www.libarchive.org/
Summary : A library for handling streaming archive formats
Description :
Libarchive is a programming library that can create and read several different
streaming archive formats, including most popular tar variants, several cpio
formats, and both BSD and GNU ar variants. It can also write shar archives and
read ISO9660 CDROM images and ZIP archives.

--------------------------------------------------------------------------------
Update Information:

CVE-2026-4111 libarchive: Infinite Loop Denial of Service in RAR5 Decompression
via archive_read_data() in libarchive
--------------------------------------------------------------------------------
ChangeLog:

* Tue Mar 10 2026 Packit [hello@packit.dev] - 3.8.6-1
- Update to version 3.8.6
- Resolves: rhbz#2427134
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2448049 - CVE-2026-4111 libarchive: Infinite Loop Denial of Service in RAR5 Decompression via archive_read_data() in libarchive [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2448049
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-b42b8b1c00' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: bpfman-0.5.4-7.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-2fc36ddefe
2026-04-25 01:21:36.170784+00:00
--------------------------------------------------------------------------------

Name : bpfman
Product : Fedora 44
Version : 0.5.4
Release : 7.fc44
URL : https://bpfman.io
Summary : EBPF Program Manager
Description :
bpfman operates as an eBPF manager, focusing on simplifying the deployment and
administration of eBPF programs.

--------------------------------------------------------------------------------
Update Information:

Fix CVE-2026-31812: Bump tar-rs to .5.45 - Closes rhbz#2449672
--------------------------------------------------------------------------------
ChangeLog:

* Sun Mar 22 2026 Daniel Mellado [dmellado@fedoraproject.org] - 0.5.4-7
- Fix CVE-2026-31812: Bump tar-rs to .5.45 - Closes rhbz#2449672
* Wed Mar 11 2026 Daniel Mellado [dmellado@fedoraproject.org] - 0.5.4-6
- Fix CVE-2026-31812: Bump quinn-proto to 0.11.14 - Closes rhbz#2446359
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2449672 - CVE-2026-33056 bpfman: tar-rs: Arbitrary directory permission modification via crafted tar archive [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449672
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-2fc36ddefe' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: coturn-4.10.0-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-1adc5f1ef8
2026-04-25 01:42:21.312856+00:00
--------------------------------------------------------------------------------

Name : coturn
Product : Fedora 43
Version : 4.10.0
Release : 1.fc43
URL : https://github.com/coturn/coturn/
Summary : TURN/STUN & ICE Server
Description :
The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway.
It can be used as a general-purpose network traffic TURN server/gateway, too.

This implementation also includes some extra features. Supported RFCs:

TURN specs:
- RFC 5766 - base TURN specs
- RFC 6062 - TCP relaying TURN extension
- RFC 6156 - IPv6 extension for TURN
- Experimental DTLS support as client protocol.

STUN specs:
- RFC 3489 - "classic" STUN
- RFC 5389 - base "new" STUN specs
- RFC 5769 - test vectors for STUN protocol testing
- RFC 5780 - NAT behavior discovery support

The implementation fully supports the following client-to-TURN-server protocols:
- UDP (per RFC 5766)
- TCP (per RFC 5766 and RFC 6062)
- TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2
- DTLS (experimental non-standard feature)

Supported relay protocols:
- UDP (per RFC 5766)
- TCP (per RFC 6062)

Supported user databases (for user repository, with passwords or keys, if
authentication is required):
- SQLite
- MySQL
- PostgreSQL
- Redis

Redis can also be used for status and statistics storage and notification.

Supported TURN authentication mechanisms:
- long-term
- TURN REST API (a modification of the long-term mechanism, for time-limited
secret-based authentication, for WebRTC applications)

The load balancing can be implemented with the following tools (either one or a
combination of them):
- network load-balancer server
- DNS-based load balancing
- built-in ALTERNATE-SERVER mechanism.

--------------------------------------------------------------------------------
Update Information:

Coturn 4.10.0

Performance:
- Add Linux-only recvmmsg client receive path for DTLS/UDP listener
- Skip response buffer allocation for STUN indications
- Remove mutex from per-thread super_memory allocator
- Eliminate mutex and reduce copies on auth message dispatch
- Replace mutex_bps with lock-free atomics for bandwidth tracking
- Remove unused mutex from ur_map structure
- WebRTC Auth optimization path
- Improve worst case scenario - avoid memory allocation

Memory issues:
- Fix null pointer dereferences in post_parse()
- Fix stack buffer overflow in OAuth token decoding
- Fix uint16_t truncation overflow in stun_get_message_len_str()
- Initialize variables before use

Security:
- CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements:
- Disable reason string in response messages to reduce amplification factor
- Keep only NEV_UDP_SOCKET_PER_THREAD network engine
- Replace perror with logging
- Extend seed corpus and add more fuzzing scenarios
- Update config and Readme files about deprecated TLSv1/1.1
- Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
- Change port identifiers to use uint16_t
- Fixes: run_tests.sh and no db
- Improve PostgreSQL.md clarity
- Add session usage reporting callback to TURN database driver
- CLI interface is disabled by default
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 17 2026 Robert Scheck [robert@fedoraproject.org] - 4.10.0-1
- Upgrade to 4.10.0 (#2458094)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2460213 - CVE-2026-40613 coturn: coturn: Denial of Service due to misaligned memory reads from crafted STUN messages
https://bugzilla.redhat.com/show_bug.cgi?id=2460213
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-1adc5f1ef8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: opam-2.5.1-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-42ff51d2c7
2026-04-25 01:42:21.312851+00:00
--------------------------------------------------------------------------------

Name : opam
Product : Fedora 43
Version : 2.5.1
Release : 1.fc43
URL : https://opam.ocaml.org/
Summary : Source-based package manager for OCaml
Description :
Opam is a source-based package manager for OCaml. It supports multiple
simultaneous compiler installations, flexible package constraints, and a
Git-friendly development workflow.

--------------------------------------------------------------------------------
Update Information:

See https://github.com/ocaml/opam/releases/tag/2.5.1 for changes in version
2.5.1.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 16 2026 Jerry James [loganjerry@gmail.com] - 2.5.1-1
- Version 2.5.1
* Thu Apr 16 2026 Jerry James [loganjerry@gmail.com] - 2.5.0-4
- BR gpgverify instead of gnupg2
* Thu Apr 16 2026 Jerry James [loganjerry@gmail.com] - 2.5.0-3
- Reflow the description text
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2458843 - opam-2.5.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2458843
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-42ff51d2c7' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: tigervnc-1.16.2-2.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-492e92b32d
2026-04-25 01:42:21.312792+00:00
--------------------------------------------------------------------------------

Name : tigervnc
Product : Fedora 43
Version : 1.16.2
Release : 2.fc43
URL : https://www.tigervnc.com
Summary : A TigerVNC remote display system
Description :
Virtual Network Computing (VNC) is a remote display system which
allows you to view a computing 'desktop' environment not only on the
machine where it is running, but from anywhere on the Internet and
from a wide variety of machine architectures. This package contains a
client which will allow you to connect to other desktops running a VNC
server.

--------------------------------------------------------------------------------
Update Information:

Update to xserver 21.1.22, CVE fix for: CVE-2026-33999, CVE-2026-34000,
CVE-2026-34001, CVE-2026-34002, CVE-2026-34003
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 16 2026 Jan Grulich [jgrulich@redhat.com] - 1.16.2-2
- Fixes CVEs: CVE-2026-33999, CVE-2026-34000, CVE-2026-34001,
CVE-2026-34002, CVE-2026-34003
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-492e92b32d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 42 Update: opam-2.5.1-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-301505f38f
2026-04-25 00:52:53.710794+00:00
--------------------------------------------------------------------------------

Name : opam
Product : Fedora 42
Version : 2.5.1
Release : 1.fc42
URL : https://opam.ocaml.org/
Summary : Source-based package manager for OCaml
Description :
Opam is a source-based package manager for OCaml. It supports multiple
simultaneous compiler installations, flexible package constraints, and a
Git-friendly development workflow.

--------------------------------------------------------------------------------
Update Information:

See https://github.com/ocaml/opam/releases/tag/2.5.1 for changes in version
2.5.1.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 16 2026 Jerry James [loganjerry@gmail.com] - 2.5.1-1
- Version 2.5.1
* Thu Apr 16 2026 Jerry James [loganjerry@gmail.com] - 2.5.0-4
- BR gpgverify instead of gnupg2
* Thu Apr 16 2026 Jerry James [loganjerry@gmail.com] - 2.5.0-3
- Reflow the description text
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2458843 - opam-2.5.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2458843
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-301505f38f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 42 Update: coturn-4.10.0-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-e673311164
2026-04-25 00:52:53.710799+00:00
--------------------------------------------------------------------------------

Name : coturn
Product : Fedora 42
Version : 4.10.0
Release : 1.fc42
URL : https://github.com/coturn/coturn/
Summary : TURN/STUN & ICE Server
Description :
The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway.
It can be used as a general-purpose network traffic TURN server/gateway, too.

This implementation also includes some extra features. Supported RFCs:

TURN specs:
- RFC 5766 - base TURN specs
- RFC 6062 - TCP relaying TURN extension
- RFC 6156 - IPv6 extension for TURN
- Experimental DTLS support as client protocol.

STUN specs:
- RFC 3489 - "classic" STUN
- RFC 5389 - base "new" STUN specs
- RFC 5769 - test vectors for STUN protocol testing
- RFC 5780 - NAT behavior discovery support

The implementation fully supports the following client-to-TURN-server protocols:
- UDP (per RFC 5766)
- TCP (per RFC 5766 and RFC 6062)
- TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2
- DTLS (experimental non-standard feature)

Supported relay protocols:
- UDP (per RFC 5766)
- TCP (per RFC 6062)

Supported user databases (for user repository, with passwords or keys, if
authentication is required):
- SQLite
- MySQL
- PostgreSQL
- Redis

Redis can also be used for status and statistics storage and notification.

Supported TURN authentication mechanisms:
- long-term
- TURN REST API (a modification of the long-term mechanism, for time-limited
secret-based authentication, for WebRTC applications)

The load balancing can be implemented with the following tools (either one or a
combination of them):
- network load-balancer server
- DNS-based load balancing
- built-in ALTERNATE-SERVER mechanism.

--------------------------------------------------------------------------------
Update Information:

Coturn 4.10.0

Performance:
- Add Linux-only recvmmsg client receive path for DTLS/UDP listener
- Skip response buffer allocation for STUN indications
- Remove mutex from per-thread super_memory allocator
- Eliminate mutex and reduce copies on auth message dispatch
- Replace mutex_bps with lock-free atomics for bandwidth tracking
- Remove unused mutex from ur_map structure
- WebRTC Auth optimization path
- Improve worst case scenario - avoid memory allocation

Memory issues:
- Fix null pointer dereferences in post_parse()
- Fix stack buffer overflow in OAuth token decoding
- Fix uint16_t truncation overflow in stun_get_message_len_str()
- Initialize variables before use

Security:
- CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser

General Improvements:
- Disable reason string in response messages to reduce amplification factor
- Keep only NEV_UDP_SOCKET_PER_THREAD network engine
- Replace perror with logging
- Extend seed corpus and add more fuzzing scenarios
- Update config and Readme files about deprecated TLSv1/1.1
- Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
- Change port identifiers to use uint16_t
- Fixes: run_tests.sh and no db
- Improve PostgreSQL.md clarity
- Add session usage reporting callback to TURN database driver
- CLI interface is disabled by default
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 17 2026 Robert Scheck [robert@fedoraproject.org] - 4.10.0-1
- Upgrade to 4.10.0 (#2458094)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2460213 - CVE-2026-40613 coturn: coturn: Denial of Service due to misaligned memory reads from crafted STUN messages
https://bugzilla.redhat.com/show_bug.cgi?id=2460213
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-e673311164' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 42 Update: minetest-5.15.2-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-036e523144
2026-04-25 00:52:53.710780+00:00
--------------------------------------------------------------------------------

Name : minetest
Product : Fedora 42
Version : 5.15.2
Release : 1.fc42
URL : https://luanti.org
Summary : Multiplayer infinite-world block sandbox with survival mode
Description :
Game of mining, crafting and building in the infinite world of cubic blocks with
optional hostile creatures, features both single and the network multiplayer
mode, mods. Public multiplayer servers are available.

--------------------------------------------------------------------------------
Update Information:

5.15.2
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 16 2026 Gwyn Ciesla [gwync@protonmail.com] - 5.15.2-1
- 5.15.2
* Sun Mar 22 2026 Björn Esser [besser82@fedoraproject.org] - 5.15.1-2
- Rebuild (jsoncpp)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2458512 - minetest-5.15.2 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2458512
[ 2 ] Bug #2458908 - CVE-2026-40960 minetest: Luanti: Unauthorized access to insecure environment via crafted module [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2458908
[ 3 ] Bug #2458909 - CVE-2026-40959 minetest: Luanti: Lua sandbox escape via crafted mod [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2458909
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-036e523144' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 42 Update: tigervnc-1.16.2-2.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-0b633ecc7c
2026-04-25 00:52:53.710760+00:00
--------------------------------------------------------------------------------

Name : tigervnc
Product : Fedora 42
Version : 1.16.2
Release : 2.fc42
URL : https://www.tigervnc.com
Summary : A TigerVNC remote display system
Description :
Virtual Network Computing (VNC) is a remote display system which
allows you to view a computing 'desktop' environment not only on the
machine where it is running, but from anywhere on the Internet and
from a wide variety of machine architectures. This package contains a
client which will allow you to connect to other desktops running a VNC
server.

--------------------------------------------------------------------------------
Update Information:

Update to xserver 21.1.22, CVE fix for: CVE-2026-33999, CVE-2026-34000,
CVE-2026-34001, CVE-2026-34002, CVE-2026-34003
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 16 2026 Jan Grulich [jgrulich@redhat.com] - 1.16.2-2
- Fixes CVEs: CVE-2026-33999, CVE-2026-34000, CVE-2026-34001,
CVE-2026-34002, CVE-2026-34003
* Fri Mar 27 2026 Jan Grulich [jgrulich@redhat.com] - 1.16.2-1
- 1.16.2
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-0b633ecc7c' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

