MinGW-LibRaw, Smb4k, Mac, and more updates for Fedora

Fedora Linux 9316 Published 2026-04-18 07:53 by Philipp Esselbach

News

Fedora 42 and 43 just received a batch of security updates that patch multiple critical vulnerabilities across several key packages. The releases address serious flaws in libraries like mingw-LibRaw, mbedtls, and usd, which could otherwise allow attackers to execute arbitrary code or corrupt system memory. Additional fixes target the smb4k share browser and audio tools such as mac and aqualung by resolving buffer overflow risks and information disclosure issues. You can apply these important patches right away using the standard dnf upgrade command with the specific advisory identifiers listed in each notice.

Fedora 42 Update: mingw-LibRaw-0.21.5-3.fc42
Fedora 42 Update: smb4k-4.0.6-1.fc42
Fedora 42 Update: mac-12.63-1.fc42
Fedora 42 Update: aqualung-1.2-10.fc42
Fedora 42 Update: stb-0^20260313git904aa67-2.fc42
Fedora 42 Update: mbedtls-3.6.6-1.fc42
Fedora 43 Update: mingw-LibRaw-0.21.5-3.fc43
Fedora 43 Update: smb4k-4.0.6-1.fc43
Fedora 43 Update: stb-0^20260313git904aa67-2.fc43
Fedora 43 Update: usd-25.08-20.fc43
Fedora 43 Update: aqualung-1.2-12.fc43
Fedora 43 Update: mac-12.63-1.fc43

[SECURITY] Fedora 42 Update: mingw-LibRaw-0.21.5-3.fc42

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-826db1b5c0
2026-04-18 01:08:05.671430+00:00
--------------------------------------------------------------------------------

Name : mingw-LibRaw
Product : Fedora 42
Version : 0.21.5
Release : 3.fc42
URL : http://www.libraw.org
Summary : Library for reading RAW files obtained from digital photo cameras
Description :
MinGW Windows LibRaw library.

--------------------------------------------------------------------------------
Update Information:

Backport patch for CVE-2026-20884.
Backport fixes for CVE-2026-20889 CVE-2026-21413 CVE-2026-24450 CVE-2026-24660
Update to libraw-0.21.5.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 9 2026 Sandro Mani [manisandro@gmail.com] - 0.21.5-3
- Backport patch for CVE-2026-20884
* Wed Apr 8 2026 Sandro Mani [manisandro@gmail.com] - 0.21.5-2
- Backport fixes for CVE-2026-20889 CVE-2026-21413 CVE-2026-24450 CVE-2026-24660
* Thu Apr 2 2026 Sandro Mani [manisandro@gmail.com] - 0.21.5-1
- Update to 0.21.5
* Thu Jul 24 2025 Fedora Release Engineering [releng@fedoraproject.org] - 0.21.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2456057 - CVE-2026-24450 mingw-LibRaw: LibRaw: Arbitrary code execution via a specially crafted malicious file [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2456057
[ 2 ] Bug #2456240 - CVE-2026-21413 mingw-LibRaw: LibRaw: Arbitrary code execution via heap-based buffer overflow in lossless JPEG loading [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2456240
[ 3 ] Bug #2456243 - CVE-2026-20889 mingw-LibRaw: LibRaw: Arbitrary code execution via specially crafted image file [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2456243
[ 4 ] Bug #2456245 - CVE-2026-24660 mingw-LibRaw: LibRaw: Memory Corruption via Malicious File Processing [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2456245
[ 5 ] Bug #2456561 - CVE-2026-20884 mingw-LibRaw: LibRaw: Arbitrary code execution via integer overflow in deflate_dng_load_raw [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2456561
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-826db1b5c0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

[SECURITY] Fedora 42 Update: smb4k-4.0.6-1.fc42

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-4ce552d940
2026-04-18 01:08:05.671412+00:00
--------------------------------------------------------------------------------

Name : smb4k
Product : Fedora 42
Version : 4.0.6
Release : 1.fc42
URL : https://smb4k.sourceforge.net/
Summary : The SMB/CIFS Share Browser for KDE
Description :
Smb4K is an SMB/CIFS share browser for KDE. It uses the Samba software suite to
access the SMB/CIFS shares of the local network neighborhood. Its purpose is to
provide a program that's easy to use and has as many features as possible.

--------------------------------------------------------------------------------
Update Information:

Update to version 4.0.6
--------------------------------------------------------------------------------
ChangeLog:

* Sun Feb 15 2026 Packit [hello@packit.dev] - 4.0.6-1
- Update to version 4.0.6
- Resolves: rhbz#2365800
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 4.0.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Fri Jul 25 2025 Fedora Release Engineering [releng@fedoraproject.org] - 4.0.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2365800 - smb4k-4.0.6 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2365800
[ 2 ] Bug #2443263 - CVE-2025-66003 smb4k: smb4k local root exploit [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2443263
[ 3 ] Bug #2443267 - CVE-2025-66002 smb4k: SMB4K Arbitrary Mount [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2443267
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-4ce552d940' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

[SECURITY] Fedora 42 Update: mac-12.63-1.fc42

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-43278d411e
2026-04-18 01:08:05.671399+00:00
--------------------------------------------------------------------------------

Name : mac
Product : Fedora 42
Version : 12.63
Release : 1.fc42
URL : https://monkeysaudio.com
Summary : Monkey's Audio Codec
Description :
Monkey's Audio is a fast and easy way to compress digital music. Unlike
traditional methods such as mp3, ogg, or lqt that permanently discard
quality to save space, Monkey's Audio only makes perfect, bit-for-bit
copies of your music. That means it always sounds perfect ??? exactly the
same as the original. Even though the sound is perfect, it still saves a
lot of space.

--------------------------------------------------------------------------------
Update Information:

Latest Monkey's Audio Codec release. Changes:
https://monkeysaudio.com/versionhistory.html .
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 8 2026 Dominik 'Rathann' Mierzejewski [dominik@greysector.net] - 12.63-1
- Updated to 12.63 (resolves rhbz#2446305)
- Dropped obsolete patch
- Bump ABI to 15
* Tue Mar 10 2026 Dominik 'Rathann' Mierzejewski [dominik@greysector.net] - 12.50-1
- Updated to 12.50 (resolves rhbz#2363650)
* Tue Feb 24 2026 Dominik 'Rathann' Mierzejewski [dominik@greysector.net] - 12.35-3
- assume platform is Linux in headers if unspecified
* Mon Feb 23 2026 Dominik 'Rathann' Mierzejewski [dominik@greysector.net] - 12.35-2
- bump minimum CMake version (resolves rhbz#2380887)
* Mon Feb 23 2026 Dominik 'Rathann' Mierzejewski [dominik@greysector.net] - 12.35-1
- update to 12.35 (resolves rhbz#2363650)
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 10.18-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Thu Jul 24 2025 Fedora Release Engineering [releng@fedoraproject.org] - 10.18-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2406922 - CVE-2025-61043 mac: out-of-bounds read in CAPECharacterHelper::GetUTF16FromUTF8 [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2406922
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-43278d411e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

[SECURITY] Fedora 42 Update: aqualung-1.2-10.fc42

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-43278d411e
2026-04-18 01:08:05.671399+00:00
--------------------------------------------------------------------------------

Name : aqualung
Product : Fedora 42
Version : 1.2
Release : 10.fc42
URL : https://aqualung.jeremyevans.net
Summary : Music Player for GNU/Linux
Description :
Aqualung is an advanced music player originally targeted at the GNU/Linux
operating system. It plays audio CDs, internet radio streams and pod casts as
well as sound files in just about any audio format and has the feature of
inserting no gaps between adjacent tracks.

--------------------------------------------------------------------------------
Update Information:

Latest Monkey's Audio Codec release. Changes:
https://monkeysaudio.com/versionhistory.html .
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 8 2026 Dominik Mierzejewski [dominik@greysector.net] - 1.2-10
- Rebuilt for libMAC 12.63
- Fixed build against pipewire-jack
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2406922 - CVE-2025-61043 mac: out-of-bounds read in CAPECharacterHelper::GetUTF16FromUTF8 [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2406922
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-43278d411e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

[SECURITY] Fedora 42 Update: stb-0^20260313git904aa67-2.fc42

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-651e3129a9
2026-04-18 01:08:05.671404+00:00
--------------------------------------------------------------------------------

Name : stb
Product : Fedora 42
Version : 0^20260313git904aa67
Release : 2.fc42
URL : https://github.com/nothings/stb
Summary : Single-file public domain libraries for C/C++
Description :
Single-file public domain libraries for C/C++.

--------------------------------------------------------------------------------
Update Information:

Fix access/use of uninitialized memory in stb_image
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 8 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0^20260313git904aa67-2
- Fix access/use of uninitialized memory in stb_image
- This was undefined behavior, and could leak security-relevant information
from other data structures. See
https://github.com/nothings/stb/issues/1929.
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-651e3129a9' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

[SECURITY] Fedora 42 Update: mbedtls-3.6.6-1.fc42

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-10443c65e3
2026-04-18 01:08:05.671392+00:00
--------------------------------------------------------------------------------

Name : mbedtls
Product : Fedora 42
Version : 3.6.6
Release : 1.fc42
URL : https://www.trustedfirmware.org/projects/mbed-tls
Summary : Light-weight cryptographic and SSL/TLS library
Description :
Mbed TLS is a light-weight open source cryptographic and SSL/TLS
library written in C. Mbed TLS makes it easy for developers to include
cryptographic and SSL/TLS capabilities in their (embedded)
applications with as little hassle as possible.

--------------------------------------------------------------------------------
Update Information:

Update to 3.6.6
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 2 2026 Peter Robinson [pbrobinson@fedoraproject.org] - 3.6.6-1
- Update to 3.6.6
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 3.6.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2340826 - mbedtls: FTBFS in Fedora rawhide/f42
https://bugzilla.redhat.com/show_bug.cgi?id=2340826
[ 2 ] Bug #2454030 - CVE-2026-25833 mbedtls: buffer underflow in x509_inet_pton_ipv6() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2454030
[ 3 ] Bug #2454045 - CVE-2026-34874 mbedtls: NULL pointer dereference when setting a distinguished name [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2454045
[ 4 ] Bug #2454085 - CVE-2026-34871 mbedtls: entropy on Linux can fall back to /dev/urandom [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2454085
[ 5 ] Bug #2454116 - CVE-2026-25835 mbedtls: PSA random generator cloning [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2454116
[ 6 ] Bug #2454193 - CVE-2026-34873 mbedtls: Mbed TLS: Client impersonation during TLS 1.3 session resumption [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2454193
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-10443c65e3' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

[SECURITY] Fedora 43 Update: mingw-LibRaw-0.21.5-3.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-635a001215
2026-04-18 00:52:25.911688+00:00
--------------------------------------------------------------------------------

Name : mingw-LibRaw
Product : Fedora 43
Version : 0.21.5
Release : 3.fc43
URL : http://www.libraw.org
Summary : Library for reading RAW files obtained from digital photo cameras
Description :
MinGW Windows LibRaw library.

--------------------------------------------------------------------------------
Update Information:

Backport patch for CVE-2026-20884.
Backport fixes for CVE-2026-20889 CVE-2026-21413 CVE-2026-24450 CVE-2026-24660
Update to libraw-0.21.5.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 9 2026 Sandro Mani [manisandro@gmail.com] - 0.21.5-3
- Backport patch for CVE-2026-20884
* Wed Apr 8 2026 Sandro Mani [manisandro@gmail.com] - 0.21.5-2
- Backport fixes for CVE-2026-20889 CVE-2026-21413 CVE-2026-24450 CVE-2026-24660
* Thu Apr 2 2026 Sandro Mani [manisandro@gmail.com] - 0.21.5-1
- Update to 0.21.5
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2456057 - CVE-2026-24450 mingw-LibRaw: LibRaw: Arbitrary code execution via a specially crafted malicious file [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2456057
[ 2 ] Bug #2456240 - CVE-2026-21413 mingw-LibRaw: LibRaw: Arbitrary code execution via heap-based buffer overflow in lossless JPEG loading [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2456240
[ 3 ] Bug #2456243 - CVE-2026-20889 mingw-LibRaw: LibRaw: Arbitrary code execution via specially crafted image file [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2456243
[ 4 ] Bug #2456245 - CVE-2026-24660 mingw-LibRaw: LibRaw: Memory Corruption via Malicious File Processing [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2456245
[ 5 ] Bug #2456561 - CVE-2026-20884 mingw-LibRaw: LibRaw: Arbitrary code execution via integer overflow in deflate_dng_load_raw [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2456561
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-635a001215' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

[SECURITY] Fedora 43 Update: smb4k-4.0.6-1.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-9250fdf5cb
2026-04-18 00:52:25.911659+00:00
--------------------------------------------------------------------------------

Name : smb4k
Product : Fedora 43
Version : 4.0.6
Release : 1.fc43
URL : https://smb4k.sourceforge.net/
Summary : The SMB/CIFS Share Browser for KDE
Description :
Smb4K is an SMB/CIFS share browser for KDE. It uses the Samba software suite to
access the SMB/CIFS shares of the local network neighborhood. Its purpose is to
provide a program that's easy to use and has as many features as possible.

--------------------------------------------------------------------------------
Update Information:

Update to version 4.0.6
--------------------------------------------------------------------------------
ChangeLog:

* Sun Feb 15 2026 Packit [hello@packit.dev] - 4.0.6-1
- Update to version 4.0.6
- Resolves: rhbz#2365800
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 4.0.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2365800 - smb4k-4.0.6 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2365800
[ 2 ] Bug #2443264 - CVE-2025-66003 smb4k: smb4k local root exploit [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2443264
[ 3 ] Bug #2443268 - CVE-2025-66002 smb4k: SMB4K Arbitrary Mount [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2443268
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-9250fdf5cb' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

[SECURITY] Fedora 43 Update: stb-0^20260313git904aa67-2.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-0a9a99c841
2026-04-18 00:52:25.911646+00:00
--------------------------------------------------------------------------------

Name : stb
Product : Fedora 43
Version : 0^20260313git904aa67
Release : 2.fc43
URL : https://github.com/nothings/stb
Summary : Single-file public domain libraries for C/C++
Description :
Single-file public domain libraries for C/C++.

--------------------------------------------------------------------------------
Update Information:

Fix access/use of uninitialized memory in stb_image
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 8 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0^20260313git904aa67-2
- Fix access/use of uninitialized memory in stb_image
- This was undefined behavior, and could leak security-relevant information
from other data structures. See
https://github.com/nothings/stb/issues/1929.
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-0a9a99c841' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

[SECURITY] Fedora 43 Update: usd-25.08-20.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-cde75a1416
2026-04-18 00:52:25.911654+00:00
--------------------------------------------------------------------------------

Name : usd
Product : Fedora 43
Version : 25.08
Release : 20.fc43
URL : http://www.openusd.org/
Summary : 3D VFX pipeline interchange file format
Description :
Universal Scene Description (USD) is a time-sampled scene
description for interchange between graphics applications.

--------------------------------------------------------------------------------
Update Information:

Backport several OpenEXRCore security fixes
Fixes CVE-2026-34378 / GHSA-v76p-4qvv-vh4g; closes RHBZ#2455493
Fixes CVE-2026-34380 / GHSA-q3v8-hw4m-59w5; closes RHBZ#2455534
Fixes CVE-2026-34588 / GHSA-588r-cr5c-w6hf; closes RHBZ#2455505
Fixes CVE-2026-34589 / GHSA-p8xc-w3q4-h64x; closes RHBZ#2455501
Fixes CVE-2026-34379 / GHSA-w88v-vqhq-5p24; closes RHBZ#2455497
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 8 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 25.08-20
- Backport several OpenEXRCore security fixes
- Fixes CVE-2026-34378 / GHSA-v76p-4qvv-vh4g; closes RHBZ#2455493
- Fixes CVE-2026-34380 / GHSA-q3v8-hw4m-59w5; closes RHBZ#2455534
- Fixes CVE-2026-34588 / GHSA-588r-cr5c-w6hf; closes RHBZ#2455505
- Fixes CVE-2026-34589 / GHSA-p8xc-w3q4-h64x; closes RHBZ#2455501
- Fixes CVE-2026-34379 / GHSA-w88v-vqhq-5p24; closes RHBZ#2455497
* Tue Apr 7 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 25.08-19
- Backport fix for CVE-2026-34544 in OpenEXRCore
- Fixes RHBZ#2454226
* Tue Apr 7 2026 Orion Poplawski [orion@nwra.com] - 25.08-18
- Make devel require cmake(OpenSubdiv) and cmake(materialx)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2455493 - CVE-2026-34378 usd: OpenEXR: Denial of Service via crafted EXR file integer overflow [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455493
[ 2 ] Bug #2455497 - CVE-2026-34379 usd: OpenEXR: Denial of Service due to misaligned memory write during EXR file decoding [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455497
[ 3 ] Bug #2455501 - CVE-2026-34589 usd: OpenEXR: Memory corruption leading to arbitrary code execution or denial of service [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455501
[ 4 ] Bug #2455505 - CVE-2026-34588 usd: OpenEXR: Arbitrary code execution and information disclosure via crafted EXR file [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455505
[ 5 ] Bug #2455534 - CVE-2026-34380 usd: OpenEXR: Denial of Service due to signed integer overflow in image decoding [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455534
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-cde75a1416' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

[SECURITY] Fedora 43 Update: aqualung-1.2-12.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f091fe88bd
2026-04-18 00:52:25.911633+00:00
--------------------------------------------------------------------------------

Name : aqualung
Product : Fedora 43
Version : 1.2
Release : 12.fc43
URL : https://aqualung.jeremyevans.net
Summary : Music Player for GNU/Linux
Description :
Aqualung is an advanced music player originally targeted at the GNU/Linux
operating system. It plays audio CDs, internet radio streams and pod casts as
well as sound files in just about any audio format and has the feature of
inserting no gaps between adjacent tracks.

--------------------------------------------------------------------------------
Update Information:

Latest Monkey's Audio Codec release. Changes:
https://monkeysaudio.com/versionhistory.html .
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 8 2026 Dominik Mierzejewski [dominik@greysector.net] - 1.2-12
- Rebuilt for libMAC 12.63
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2406923 - CVE-2025-61043 mac: out-of-bounds read in CAPECharacterHelper::GetUTF16FromUTF8 [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2406923
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f091fe88bd' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

[SECURITY] Fedora 43 Update: mac-12.63-1.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f091fe88bd
2026-04-18 00:52:25.911633+00:00
--------------------------------------------------------------------------------

Name : mac
Product : Fedora 43
Version : 12.63
Release : 1.fc43
URL : https://monkeysaudio.com
Summary : Monkey's Audio Codec
Description :
Monkey's Audio is a fast and easy way to compress digital music. Unlike
traditional methods such as mp3, ogg, or lqt that permanently discard
quality to save space, Monkey's Audio only makes perfect, bit-for-bit
copies of your music. That means it always sounds perfect ??? exactly the
same as the original. Even though the sound is perfect, it still saves a
lot of space.

--------------------------------------------------------------------------------
Update Information:

Latest Monkey's Audio Codec release. Changes:
https://monkeysaudio.com/versionhistory.html .
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 8 2026 Dominik 'Rathann' Mierzejewski [dominik@greysector.net] - 12.63-1
- Updated to 12.63 (resolves rhbz#2446305)
- Dropped obsolete patch
- Bump ABI to 15
* Tue Mar 10 2026 Dominik 'Rathann' Mierzejewski [dominik@greysector.net] - 12.50-1
- Updated to 12.50 (resolves rhbz#2363650)
* Tue Feb 24 2026 Dominik 'Rathann' Mierzejewski [dominik@greysector.net] - 12.35-3
- assume platform is Linux in headers if unspecified
* Mon Feb 23 2026 Dominik 'Rathann' Mierzejewski [dominik@greysector.net] - 12.35-2
- bump minimum CMake version (resolves rhbz#2380887)
* Mon Feb 23 2026 Dominik 'Rathann' Mierzejewski [dominik@greysector.net] - 12.35-1
- update to 12.35 (resolves rhbz#2363650)
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 10.18-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2406923 - CVE-2025-61043 mac: out-of-bounds read in CAPECharacterHelper::GetUTF16FromUTF8 [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2406923
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f091fe88bd' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

NSS, PostgreSQL, Mapserver, and more updates for Debian

DTrace and Fuse updates for Gentoo

MinGW-LibRaw, Smb4k, Mac, and more updates for Fedora

[SECURITY] Fedora 42 Update: mingw-LibRaw-0.21.5-3.fc42

[SECURITY] Fedora 42 Update: smb4k-4.0.6-1.fc42

[SECURITY] Fedora 42 Update: mac-12.63-1.fc42

[SECURITY] Fedora 42 Update: aqualung-1.2-10.fc42

[SECURITY] Fedora 42 Update: stb-0^20260313git904aa67-2.fc42

[SECURITY] Fedora 42 Update: mbedtls-3.6.6-1.fc42

[SECURITY] Fedora 43 Update: mingw-LibRaw-0.21.5-3.fc43

[SECURITY] Fedora 43 Update: smb4k-4.0.6-1.fc43

[SECURITY] Fedora 43 Update: stb-0^20260313git904aa67-2.fc43

[SECURITY] Fedora 43 Update: usd-25.08-20.fc43

[SECURITY] Fedora 43 Update: aqualung-1.2-12.fc43

[SECURITY] Fedora 43 Update: mac-12.63-1.fc43

Windows

Linux

macOS

Community