Fedora 43 Update: netatalk-4.4.3-1.fc43
Fedora 43 Update: python-urllib3-2.7.0-2.fc43
Fedora 44 Update: netatalk-4.4.3-1.fc44
Fedora 44 Update: perl-libwww-perl-6.83-1.fc44
[SECURITY] Fedora 43 Update: netatalk-4.4.3-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-9fd50b2ff1
2026-05-31 01:13:21.121569+00:00
--------------------------------------------------------------------------------
Name : netatalk
Product : Fedora 43
Version : 4.4.3
Release : 1.fc43
URL : http://netatalk.sourceforge.net
Summary : Open Source Apple Filing Protocol(AFP) File Server
Description :
Netatalk is a freely-available Open Source AFP file server. A *NIX/*BSD
system running Netatalk is capable of serving many Macintosh clients
simultaneously as an AppleShare file server (AFP).
In addition to the AFP file server daemon, the following utility programs
are also included:
* ad - AppleDouble file utility suite
* afpldaptest - validate Netatalk LDAP parameters
* afppasswd - RandNum UAM password management
* afpstats - inquire AFP server usage stats
* asip-status - inquire AFP server capabilities
* dbd - CNID database maintenance
* macusers - list connected AFP server users
--------------------------------------------------------------------------------
Update Information:
4.4.3 Release
--------------------------------------------------------------------------------
ChangeLog:
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2459261 - netatalk-4.4.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2459261
[ 2 ] Bug #2480439 - CVE-2026-44057 netatalk: Netatalk: Information disclosure via crafted Spotlight RPC requests [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480439
[ 3 ] Bug #2480440 - CVE-2026-44057 netatalk: Netatalk: Information disclosure via crafted Spotlight RPC requests [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480440
[ 4 ] Bug #2480449 - CVE-2026-44049 netatalk: Netatalk: Arbitrary code execution via out-of-bounds write [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480449
[ 5 ] Bug #2480450 - CVE-2026-44049 netatalk: Netatalk: Arbitrary code execution via out-of-bounds write [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480450
[ 6 ] Bug #2480467 - CVE-2026-44069 netatalk: Netatalk: Integer underflow vulnerability in volxlate function [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480467
[ 7 ] Bug #2480470 - CVE-2026-44052 netatalk: Netatalk: Information Disclosure via ldap simple-bind password exposure in logs [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480470
[ 8 ] Bug #2480471 - CVE-2026-44052 netatalk: Netatalk: Information Disclosure via ldap simple-bind password exposure in logs [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480471
[ 9 ] Bug #2480472 - CVE-2026-44054 netatalk: Netatalk: Denial of Service via predictable session token [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480472
[ 10 ] Bug #2480473 - CVE-2026-44054 netatalk: Netatalk: Denial of Service via predictable session token [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480473
[ 11 ] Bug #2480478 - CVE-2026-44062 netatalk: Netatalk: Arbitrary code execution or denial of service due to missing bounds check [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480478
[ 12 ] Bug #2480479 - CVE-2026-44062 netatalk: Netatalk: Arbitrary code execution or denial of service due to missing bounds check [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480479
[ 13 ] Bug #2480483 - CVE-2026-44068 netatalk: Netatalk: Arbitrary file access via path traversal [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480483
[ 14 ] Bug #2480486 - CVE-2026-44076 netatalk: Netatalk: Arbitrary Code Execution via shell injection in volume path [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480486
[ 15 ] Bug #2480487 - CVE-2026-44076 netatalk: Netatalk: Arbitrary Code Execution via shell injection in volume path [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480487
[ 16 ] Bug #2480488 - CVE-2026-44060 netatalk: Netatalk: Denial of Service via integer underflow [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480488
[ 17 ] Bug #2480489 - CVE-2026-44060 netatalk: Netatalk: Denial of Service via integer underflow [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480489
[ 18 ] Bug #2480490 - CVE-2026-44055 netatalk: Netatalk: Arbitrary code execution via shell injection [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480490
[ 19 ] Bug #2480491 - CVE-2026-44055 netatalk: Netatalk: Arbitrary code execution via shell injection [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480491
[ 20 ] Bug #2480496 - CVE-2026-44050 netatalk: Netatalk: Arbitrary code execution via heap buffer overflow in cnid daemon [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480496
[ 21 ] Bug #2480497 - CVE-2026-44050 netatalk: Netatalk: Arbitrary code execution via heap buffer overflow in cnid daemon [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480497
[ 22 ] Bug #2480501 - CVE-2026-44047 netatalk: Netatalk: Arbitrary code execution and data compromise via SQL injection [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480501
[ 23 ] Bug #2480502 - CVE-2026-44047 netatalk: Netatalk: Arbitrary code execution and data compromise via SQL injection [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480502
[ 24 ] Bug #2480624 - CVE-2026-44048 netatalk: stack buffer overflow via UCS-2 type confusion in convert_charset() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480624
[ 25 ] Bug #2480625 - CVE-2026-44048 netatalk: stack buffer overflow via UCS-2 type confusion in convert_charset() [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480625
[ 26 ] Bug #2480626 - CVE-2026-44066 netatalk: heap out-of-bounds reads in Spotlight RPC unmarshalling [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480626
[ 27 ] Bug #2480627 - CVE-2026-44066 netatalk: heap out-of-bounds reads in Spotlight RPC unmarshalling [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480627
[ 28 ] Bug #2480628 - CVE-2026-44064 netatalk: ASP session ID out-of-bounds access [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480628
[ 29 ] Bug #2480629 - CVE-2026-44064 netatalk: ASP session ID out-of-bounds access [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480629
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-9fd50b2ff1' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: python-urllib3-2.7.0-2.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-6dde06a6e9
2026-05-31 01:13:21.121542+00:00
--------------------------------------------------------------------------------
Name : python-urllib3
Product : Fedora 43
Version : 2.7.0
Release : 2.fc43
URL : https://github.com/urllib3/urllib3
Summary : HTTP library with thread-safe connection pooling, file post, and more
Description :
urllib3 is a powerful, user-friendly HTTP client for Python. urllib3 brings
many critical features that are missing from the Python standard libraries:
* Thread safety.
* Connection pooling.
* Client-side SSL/TLS verification.
* File uploads with multipart encoding.
* Helpers for retrying requests and dealing with HTTP redirects.
* Support for gzip, deflate, brotli, and zstd encoding.
* Proxy support for HTTP and SOCKS.
* 100% test coverage.
--------------------------------------------------------------------------------
Update Information:
Update to 2.7.0 (rhbz#2467787)
--------------------------------------------------------------------------------
ChangeLog:
* Fri May 15 2026 Lumir Balhar [lbalhar@redhat.com] - 2.7.0-2
- Remove lower bounds for trustme
* Tue May 12 2026 Lumir Balhar [lbalhar@redhat.com] - 2.7.0-1
- Update to 2.7.0 (rhbz#2467787)
* Wed Apr 8 2026 Miro Hrončok [miro@hroncok.cz] - 2.6.3-3
- Allow building with setuptools-scm 10+
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 2.6.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2467787 - python-urllib3-2.7.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2467787
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-6dde06a6e9' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: netatalk-4.4.3-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-e7e7bb2417
2026-05-31 00:55:16.967046+00:00
--------------------------------------------------------------------------------
Name : netatalk
Product : Fedora 44
Version : 4.4.3
Release : 1.fc44
URL : http://netatalk.sourceforge.net
Summary : Open Source Apple Filing Protocol(AFP) File Server
Description :
Netatalk is a freely-available Open Source AFP file server. A *NIX/*BSD
system running Netatalk is capable of serving many Macintosh clients
simultaneously as an AppleShare file server (AFP).
In addition to the AFP file server daemon, the following utility programs
are also included:
* ad - AppleDouble file utility suite
* afpldaptest - validate Netatalk LDAP parameters
* afppasswd - RandNum UAM password management
* afpstats - inquire AFP server usage stats
* asip-status - inquire AFP server capabilities
* dbd - CNID database maintenance
* macusers - list connected AFP server users
--------------------------------------------------------------------------------
Update Information:
4.4.3 Release
--------------------------------------------------------------------------------
ChangeLog:
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2459261 - netatalk-4.4.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2459261
[ 2 ] Bug #2480439 - CVE-2026-44057 netatalk: Netatalk: Information disclosure via crafted Spotlight RPC requests [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480439
[ 3 ] Bug #2480440 - CVE-2026-44057 netatalk: Netatalk: Information disclosure via crafted Spotlight RPC requests [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480440
[ 4 ] Bug #2480449 - CVE-2026-44049 netatalk: Netatalk: Arbitrary code execution via out-of-bounds write [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480449
[ 5 ] Bug #2480450 - CVE-2026-44049 netatalk: Netatalk: Arbitrary code execution via out-of-bounds write [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480450
[ 6 ] Bug #2480467 - CVE-2026-44069 netatalk: Netatalk: Integer underflow vulnerability in volxlate function [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480467
[ 7 ] Bug #2480470 - CVE-2026-44052 netatalk: Netatalk: Information Disclosure via ldap simple-bind password exposure in logs [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480470
[ 8 ] Bug #2480471 - CVE-2026-44052 netatalk: Netatalk: Information Disclosure via ldap simple-bind password exposure in logs [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480471
[ 9 ] Bug #2480472 - CVE-2026-44054 netatalk: Netatalk: Denial of Service via predictable session token [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480472
[ 10 ] Bug #2480473 - CVE-2026-44054 netatalk: Netatalk: Denial of Service via predictable session token [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480473
[ 11 ] Bug #2480478 - CVE-2026-44062 netatalk: Netatalk: Arbitrary code execution or denial of service due to missing bounds check [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480478
[ 12 ] Bug #2480479 - CVE-2026-44062 netatalk: Netatalk: Arbitrary code execution or denial of service due to missing bounds check [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480479
[ 13 ] Bug #2480483 - CVE-2026-44068 netatalk: Netatalk: Arbitrary file access via path traversal [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480483
[ 14 ] Bug #2480486 - CVE-2026-44076 netatalk: Netatalk: Arbitrary Code Execution via shell injection in volume path [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480486
[ 15 ] Bug #2480487 - CVE-2026-44076 netatalk: Netatalk: Arbitrary Code Execution via shell injection in volume path [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480487
[ 16 ] Bug #2480488 - CVE-2026-44060 netatalk: Netatalk: Denial of Service via integer underflow [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480488
[ 17 ] Bug #2480489 - CVE-2026-44060 netatalk: Netatalk: Denial of Service via integer underflow [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480489
[ 18 ] Bug #2480490 - CVE-2026-44055 netatalk: Netatalk: Arbitrary code execution via shell injection [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480490
[ 19 ] Bug #2480491 - CVE-2026-44055 netatalk: Netatalk: Arbitrary code execution via shell injection [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480491
[ 20 ] Bug #2480496 - CVE-2026-44050 netatalk: Netatalk: Arbitrary code execution via heap buffer overflow in cnid daemon [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480496
[ 21 ] Bug #2480497 - CVE-2026-44050 netatalk: Netatalk: Arbitrary code execution via heap buffer overflow in cnid daemon [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480497
[ 22 ] Bug #2480501 - CVE-2026-44047 netatalk: Netatalk: Arbitrary code execution and data compromise via SQL injection [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480501
[ 23 ] Bug #2480502 - CVE-2026-44047 netatalk: Netatalk: Arbitrary code execution and data compromise via SQL injection [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480502
[ 24 ] Bug #2480624 - CVE-2026-44048 netatalk: stack buffer overflow via UCS-2 type confusion in convert_charset() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480624
[ 25 ] Bug #2480625 - CVE-2026-44048 netatalk: stack buffer overflow via UCS-2 type confusion in convert_charset() [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480625
[ 26 ] Bug #2480626 - CVE-2026-44066 netatalk: heap out-of-bounds reads in Spotlight RPC unmarshalling [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480626
[ 27 ] Bug #2480627 - CVE-2026-44066 netatalk: heap out-of-bounds reads in Spotlight RPC unmarshalling [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480627
[ 28 ] Bug #2480628 - CVE-2026-44064 netatalk: ASP session ID out-of-bounds access [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480628
[ 29 ] Bug #2480629 - CVE-2026-44064 netatalk: ASP session ID out-of-bounds access [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2480629
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-e7e7bb2417' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: perl-libwww-perl-6.83-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-8d1333fb52
2026-05-31 00:55:16.967014+00:00
--------------------------------------------------------------------------------
Name : perl-libwww-perl
Product : Fedora 44
Version : 6.83
Release : 1.fc44
URL : https://metacpan.org/release/libwww-perl
Summary : A Perl interface to the World-Wide Web
Description :
The libwww-perl collection is a set of Perl modules which provides a simple and
consistent application programming interface to the World-Wide Web. The main
focus of the library is to provide classes and functions that allow you to
write WWW clients. The library also contains modules that are of more general
use and even classes that help you implement simple HTTP servers.
--------------------------------------------------------------------------------
Update Information:
Changes:
6.83 2026-05-12 11:41:48Z
- LWP::UserAgent now strips Authorization and Proxy-Authorization headers
on cross-origin redirects (a different scheme, host, or port) to prevent
credential leakage to the redirect target. Same-origin redirects retain
credentials. Opt out with allow_credentialed_redirects => 1.
CVE-2026-8368 reported by Kai Zen; PoC and initial patch by Stig
Palmquist.
- LWP::UserAgent now refuses https to http redirects by default to prevent
leaking remaining request headers and bodies over plaintext. Opt in with
allow_downgrade => 1. Related hardening alongside CVE-2026-8368; PoC by
Stig Palmquist.
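
The two redirect rules in the 6.83 changelog above, modelled as one decision function. This is an added illustration in Python, not code from libwww-perl: the function names, the example.test URLs and the treatment of an omitted port as the scheme default are assumptions, and only the two option names come from the changelog.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization"}

# Constructed sample request headers (values are placeholders).
SAMPLE_HEADERS = {
    "Authorization": "Bearer constructed-token",
    "Proxy-Authorization": "Basic Y29uc3RydWN0ZWQ=",
    "Accept": "*/*",
}


def origin(url):
    """Return (scheme, host, port); an omitted port becomes the scheme default."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def follow_redirect(from_url, to_url, headers,
                    allow_credentialed_redirects=False, allow_downgrade=False):
    """Return the headers to send to to_url, or None if the redirect is refused."""
    src, dst = origin(from_url), origin(to_url)
    # Rule 2: https -> http is refused unless the caller opted in.
    if src[0] == "https" and dst[0] == "http" and not allow_downgrade:
        return None
    # Rule 1: same origin keeps credentials; so does the explicit opt-out.
    if src == dst or allow_credentialed_redirects:
        return dict(headers)
    # Cross-origin: drop only the two credential-bearing headers.
    return {k: v for k, v in headers.items()
            if k.lower() not in CREDENTIAL_HEADERS}


def demo():
    """Run constructed redirect cases; returns {label: sorted header names or None}."""
    start = "https://api.example.test/v1"
    cases = {
        "same origin, explicit :443": ("https://api.example.test:443/v2", {}),
        "different host": ("https://cdn.example.test/v2", {}),
        "different port": ("https://api.example.test:8443/v2", {}),
        "downgrade, default": ("http://api.example.test/v2", {}),
        "downgrade, allow_downgrade": ("http://api.example.test/v2",
                                       {"allow_downgrade": True}),
    }
    out = {}
    for label, (target, opts) in cases.items():
        sent = follow_redirect(start, target, SAMPLE_HEADERS, **opts)
        out[label] = None if sent is None else sorted(sent)
    return out


if __name__ == "__main__":
    for label, sent in demo().items():
        print(f"{label:32} -> {sent}")
```

Read together, the two rules as worded mean that allowing the downgrade alone still sends no credentials, because an https to http hop is also a change of scheme and therefore cross-origin.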
--------------------------------------------------------------------------------
ChangeLog:
* Tue May 19 2026 Michal Josef Špaček [mspacek@redhat.com] - 6.83-1
- 6.83 bump
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2476481 - perl-libwww-perl-6.83 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2476481
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-8d1333fb52' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------