Fedora 42 Update: nextcloud-33.0.3-1.fc42
Fedora 42 Update: dotnet10.0-10.0.107-1.fc42
Fedora 42 Update: exim-4.99.2-1.fc42
Fedora 42 Update: prosody-13.0.5-1.fc42
Fedora 43 Update: exim-4.99.2-1.fc43
Fedora 43 Update: prosody-13.0.5-1.fc43
Fedora 44 Update: python-pulp-glue-0.37.0-5.fc44
Fedora 44 Update: python-requests-2.33.1-1.fc44
Fedora 44 Update: nextcloud-33.0.3-1.fc44
Fedora 44 Update: dotnet10.0-10.0.107-1.fc44
Fedora 44 Update: rclone-1.74.0-2.fc44
Fedora 44 Update: exim-4.99.2-1.fc44
Fedora 44 Update: prosody-13.0.5-1.fc44
[SECURITY] Fedora 42 Update: nextcloud-33.0.3-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-2fed8dd674
2026-05-10 03:21:58.076217+00:00
--------------------------------------------------------------------------------
Name : nextcloud
Product : Fedora 42
Version : 33.0.3
Release : 1.fc42
URL : http://nextcloud.com
Summary : Private file sync and share server
Description :
NextCloud gives you universal access to your files through a web interface or
WebDAV. It also provides a platform to easily view & sync your contacts,
calendars and bookmarks across all your devices and enables basic editing right
on the web. NextCloud is extendable via a simple but powerful API for
applications and plugins.
--------------------------------------------------------------------------------
Update Information:
33.0.3 Release
--------------------------------------------------------------------------------
ChangeLog:
* Sat May 2 2026 Andrew Bauer [zonexpertconsulting@outlook.com] - 33.0.3-1
- 33.0.3 Release RHBZ#2454311
* Sat Apr 18 2026 Andrew Bauer [zonexpertconsulting@outlook.com] - 33.0.1-2
- fix cli upgrade advice
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2452582 - CVE-2026-33916 nextcloud: Handlebars: Cross-Site Scripting (XSS) via prototype pollution in partial resolution [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452582
[ 2 ] Bug #2452588 - CVE-2026-33937 nextcloud: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile() [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452588
[ 3 ] Bug #2452590 - CVE-2026-33938 nextcloud: Handlebars: Arbitrary code execution via @partial-block overwrite [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452590
[ 4 ] Bug #2452593 - CVE-2026-33939 nextcloud: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452593
[ 5 ] Bug #2452596 - CVE-2026-33940 nextcloud: Handlebars.js: Arbitrary code execution via crafted template context [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452596
[ 6 ] Bug #2452597 - CVE-2026-33941 nextcloud: Handlebars: Arbitrary code execution via CLI precompiler input sanitization flaw [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452597
[ 7 ] Bug #2452622 - CVE-2026-33937 nextcloud: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452622
[ 8 ] Bug #2452631 - CVE-2026-33938 nextcloud: Handlebars: Arbitrary code execution via @partial-block overwrite [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452631
[ 9 ] Bug #2452635 - CVE-2026-33940 nextcloud: Handlebars.js: Arbitrary code execution via crafted template context [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452635
[ 10 ] Bug #2452645 - CVE-2026-33941 nextcloud: Handlebars: Arbitrary code execution via CLI precompiler input sanitization flaw [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452645
[ 11 ] Bug #2452647 - CVE-2026-33939 nextcloud: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452647
[ 12 ] Bug #2453984 - CVE-2026-4800 nextcloud: lodash: Arbitrary code execution via untrusted input in template imports [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453984
[ 13 ] Bug #2454038 - CVE-2026-4800 nextcloud: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2454038
[ 14 ] Bug #2454311 - nextcloud-33.0.2 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2454311
[ 15 ] Bug #2456569 - CVE-2026-39865 nextcloud: Axios: Denial of Service via HTTP/2 session cleanup logic state corruption [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2456569
[ 16 ] Bug #2456575 - CVE-2026-39865 nextcloud: Axios: Denial of Service via HTTP/2 session cleanup logic state corruption [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2456575
[ 17 ] Bug #2457496 - CVE-2025-62718 nextcloud: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457496
[ 18 ] Bug #2457502 - CVE-2025-62718 nextcloud: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457502
[ 19 ] Bug #2457809 - CVE-2026-40194 nextcloud: phpseclib: Information disclosure via timing attack in SSH HMAC comparison [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457809
[ 20 ] Bug #2457810 - CVE-2026-40194 nextcloud: phpseclib: Information disclosure via timing attack in SSH HMAC comparison [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457810
[ 21 ] Bug #2457869 - CVE-2026-40175 nextcloud: Axios: Remote Code Execution via Prototype Pollution escalation [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457869
[ 22 ] Bug #2457875 - CVE-2026-40175 nextcloud: Axios: Remote Code Execution via Prototype Pollution escalation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457875
[ 23 ] Bug #2463440 - CVE-2026-42035 nextcloud: Axios: Arbitrary HTTP header injection via prototype pollution [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2463440
[ 24 ] Bug #2463443 - CVE-2026-42035 nextcloud: Axios: Arbitrary HTTP header injection via prototype pollution [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2463443
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-2fed8dd674' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 42 Update: dotnet10.0-10.0.107-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-be6ea464d0
2026-05-10 03:21:58.076191+00:00
--------------------------------------------------------------------------------
Name : dotnet10.0
Product : Fedora 42
Version : 10.0.107
Release : 1.fc42
URL : https://github.com/dotnet/
Summary : .NET 10.0 Runtime and SDK
Description :
.NET is a fast, lightweight and modular platform for creating
cross platform applications that work on Linux, macOS and Windows.
It particularly focuses on creating console applications, web
applications and micro-services.
.NET contains a runtime conforming to .NET Standards, a set of
framework libraries, an SDK containing compilers and a 'dotnet'
application to drive everything.
--------------------------------------------------------------------------------
Update Information:
Update to .NET SDK 10.0.107 and Runtime 10.0.7
Fixes: CVE-2026-40372
Release Notes:
SDK: https://github.com/dotnet/core/blob/main/release-notes/10.0/10.0.7/10.0.107.md
Runtime: https://github.com/dotnet/core/blob/main/release-notes/10.0/10.0.7/10.0.7.md
--------------------------------------------------------------------------------
ChangeLog:
* Fri May 1 2026 Omair Majid [omajid@redhat.com] - 10.0.107-1
- Update to .NET SDK 10.0.107 and Runtime 10.0.7
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-be6ea464d0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 42 Update: exim-4.99.2-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-fff37fe569
2026-05-10 03:21:58.076188+00:00
--------------------------------------------------------------------------------
Name : exim
Product : Fedora 42
Version : 4.99.2
Release : 1.fc42
URL : https://www.exim.org/
Summary : The exim mail transfer agent
Description :
Exim is a message transfer agent (MTA) developed at the University of
Cambridge for use on Unix systems connected to the Internet. It is
freely available under the terms of the GNU General Public Licence. In
style it is similar to Smail 3, but its facilities are more
general. There is a great deal of flexibility in the way mail can be
routed, and there are extensive facilities for checking incoming
mail. Exim can be installed in place of sendmail, although the
configuration of exim is quite different to that of sendmail.
--------------------------------------------------------------------------------
Update Information:
This is a new version of exim fixing some security bugs.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Apr 30 2026 Jaroslav Škarvada [jskarvad@redhat.com] - 4.99.2-1
- New version
Resolves: rhbz#2463798
- Refreshed keyring
* Mon Jan 19 2026 Jaroslav Škarvada [jskarvad@redhat.com] - 4.99.1-3
- Dummy rebuild to check the CI functionality
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 4.99.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2463798 - exim-4.99.2 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2463798
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-fff37fe569' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 42 Update: prosody-13.0.5-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-1efa008794
2026-05-10 03:21:58.076173+00:00
--------------------------------------------------------------------------------
Name : prosody
Product : Fedora 42
Version : 13.0.5
Release : 1.fc42
URL : https://prosody.im/
Summary : Flexible communications server for Jabber/XMPP
Description :
Prosody is a flexible communications server for Jabber/XMPP written in Lua.
It aims to be easy to use, and light on resources. For developers it aims
to be easy to extend and give a flexible system on which to rapidly develop
added functionality, or prototype new protocols.
--------------------------------------------------------------------------------
Update Information:
Prosody 13.0.5
Upstream is pleased to announce a new minor release from their stable branch.
This is a security release for the Prosody 13.0.x stable series. It fixes
multiple security issues, some memory leaks and some smaller bugs and changes
which have been implemented since the previous release.
Full details about the security vulnerabilities can be found in upstream's
security advisory. Upstream encourages all Prosody operators on 13.0.4 or
earlier to upgrade to 13.0.5 as soon as possible, or to review the advisory and
implement appropriate mitigations.
A summary of changes in this release:
Security
mod_proxy65: Consistently apply authorization checks
mod_proxy65: Don't proxy data until after bytestream activation
mod_c2s, mod_s2s: Introduce new pre-authentication stanza size limit
Add limit for stanza max child elements
mod_c2s: Remove timers immediately on disconnection
net.server_epoll: Clean up timers after disconnection
Fixes and improvements
net.http.parser: Fix handling of chunked request
MUC: Advertise hats feature on room JID
moduleapi: Use multitable add/remove instead of set (fixes memory leak)
mod_cloud_notify: Fix leaking iq response handlers by using send_iq()
Improve federation with servers using only IP addresses
prosody: Prevent loading local code when installed system-wide
mod_http_file_share: Improve handling of Range requests
mod_carbons: Fix some carbons decision-making bugs
Minor changes
net.resolvers: Fix to avoid SRV lookups for IP addresses
prosody: Abort earlier on incompatible Lua version
mod_turn_external: hand out credentials for type == turns too
mod_s2s: Fully validate stream addressing
prosodyctl check features: Warn if http file sharing enabled on both host and
component
util.prosodyctl: Don't check for mod_posix being disabled, it's deprecated
util.startup: Improve error message when failing to load config file
util.x509: Add support for iPAddress certs
prosodyctl: Trim any trailing newline from password entry
mod_admin_shell: Make cert index search path relative to config file
mod_admin_shell: Improve multi-host command handling
mod_admin_shell: Show help listing when specifying only a section name
mod_admin_shell: Ensure password validity when setting passwords for
new/existing users
mod_account_activity: Handle authentication provider returning no user info
config: Use default value when enum option has incorrect value
mod_http: "Handle" streaming requests to avoid invoking redirect handler
--------------------------------------------------------------------------------
ChangeLog:
* Thu Apr 30 2026 Robert Scheck [robert@fedoraproject.org] 13.0.5-1
- Upgrade to 13.0.5 (#2463898)
* Thu Apr 16 2026 Tom Callaway [spot@fedoraproject.org] - 13.0.4-3
- rebuild
* Sun Mar 15 2026 Tom Callaway [spot@fedoraproject.org] - 13.0.4-2
- rebuild for lua 5.5
- apply upstream fix for configure
- make a new patch to actually support lua 5.5
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2464363 - CVE-2026-43507 Prosody: Prosody: Denial of Service via XML parsing resource amplification
https://bugzilla.redhat.com/show_bug.cgi?id=2464363
[ 2 ] Bug #2464412 - CVE-2026-43504 Prosody: mod_proxy65: Prosody: Unauthenticated traffic relay due to access control mishandling in mod_proxy65
https://bugzilla.redhat.com/show_bug.cgi?id=2464412
[ 3 ] Bug #2464452 - CVE-2026-43505 Prosody: mod_proxy65: Prosody: Unauthorized traffic relay via mod_proxy65 access control flaw
https://bugzilla.redhat.com/show_bug.cgi?id=2464452
[ 4 ] Bug #2464492 - CVE-2026-43506 Prosody: Prosody: Denial of Service via memory exhaustion from unauthenticated connections
https://bugzilla.redhat.com/show_bug.cgi?id=2464492
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-1efa008794' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: exim-4.99.2-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-c23e1d19d2
2026-05-10 03:04:49.565385+00:00
--------------------------------------------------------------------------------
Name : exim
Product : Fedora 43
Version : 4.99.2
Release : 1.fc43
URL : https://www.exim.org/
Summary : The exim mail transfer agent
Description :
Exim is a message transfer agent (MTA) developed at the University of
Cambridge for use on Unix systems connected to the Internet. It is
freely available under the terms of the GNU General Public Licence. In
style it is similar to Smail 3, but its facilities are more
general. There is a great deal of flexibility in the way mail can be
routed, and there are extensive facilities for checking incoming
mail. Exim can be installed in place of sendmail, although the
configuration of exim is quite different to that of sendmail.
--------------------------------------------------------------------------------
Update Information:
This is a new version of exim fixing some security bugs.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Apr 30 2026 Jaroslav Škarvada [jskarvad@redhat.com] - 4.99.2-1
- New version
Resolves: rhbz#2463798
- Refreshed keyring
* Mon Jan 19 2026 Jaroslav Škarvada [jskarvad@redhat.com] - 4.99.1-3
- Dummy rebuild to check the CI functionality
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 4.99.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2463798 - exim-4.99.2 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2463798
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-c23e1d19d2' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: prosody-13.0.5-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-36c53b9ca8
2026-05-10 03:04:49.565358+00:00
--------------------------------------------------------------------------------
Name : prosody
Product : Fedora 43
Version : 13.0.5
Release : 1.fc43
URL : https://prosody.im/
Summary : Flexible communications server for Jabber/XMPP
Description :
Prosody is a flexible communications server for Jabber/XMPP written in Lua.
It aims to be easy to use, and light on resources. For developers it aims
to be easy to extend and give a flexible system on which to rapidly develop
added functionality, or prototype new protocols.
--------------------------------------------------------------------------------
Update Information:
Prosody 13.0.5
Upstream is pleased to announce a new minor release from their stable branch.
This is a security release for the Prosody 13.0.x stable series. It fixes
multiple security issues, some memory leaks and some smaller bugs and changes
which have been implemented since the previous release.
Full details about the security vulnerabilities can be found in upstream's
security advisory. Upstream encourages all Prosody operators on 13.0.4 or
earlier to upgrade to 13.0.5 as soon as possible, or to review the advisory and
implement appropriate mitigations.
A summary of changes in this release:
Security
mod_proxy65: Consistently apply authorization checks
mod_proxy65: Don't proxy data until after bytestream activation
mod_c2s, mod_s2s: Introduce new pre-authentication stanza size limit
Add limit for stanza max child elements
mod_c2s: Remove timers immediately on disconnection
net.server_epoll: Clean up timers after disconnection
Fixes and improvements
net.http.parser: Fix handling of chunked request
MUC: Advertise hats feature on room JID
moduleapi: Use multitable add/remove instead of set (fixes memory leak)
mod_cloud_notify: Fix leaking iq response handlers by using send_iq()
Improve federation with servers using only IP addresses
prosody: Prevent loading local code when installed system-wide
mod_http_file_share: Improve handling of Range requests
mod_carbons: Fix some carbons decision-making bugs
Minor changes
net.resolvers: Fix to avoid SRV lookups for IP addresses
prosody: Abort earlier on incompatible Lua version
mod_turn_external: hand out credentials for type == turns too
mod_s2s: Fully validate stream addressing
prosodyctl check features: Warn if http file sharing enabled on both host and
component
util.prosodyctl: Don't check for mod_posix being disabled, it's deprecated
util.startup: Improve error message when failing to load config file
util.x509: Add support for iPAddress certs
prosodyctl: Trim any trailing newline from password entry
mod_admin_shell: Make cert index search path relative to config file
mod_admin_shell: Improve multi-host command handling
mod_admin_shell: Show help listing when specifying only a section name
mod_admin_shell: Ensure password validity when setting passwords for
new/existing users
mod_account_activity: Handle authentication provider returning no user info
config: Use default value when enum option has incorrect value
mod_http: "Handle" streaming requests to avoid invoking redirect handler
--------------------------------------------------------------------------------
ChangeLog:
* Thu Apr 30 2026 Robert Scheck [robert@fedoraproject.org] 13.0.5-1
- Upgrade to 13.0.5 (#2463898)
* Thu Apr 16 2026 Tom Callaway [spot@fedoraproject.org] - 13.0.4-3
- rebuild
* Sun Mar 15 2026 Tom Callaway [spot@fedoraproject.org] - 13.0.4-2
- rebuild for lua 5.5
- apply upstream fix for configure
- make a new patch to actually support lua 5.5
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2464363 - CVE-2026-43507 Prosody: Prosody: Denial of Service via XML parsing resource amplification
https://bugzilla.redhat.com/show_bug.cgi?id=2464363
[ 2 ] Bug #2464412 - CVE-2026-43504 Prosody: mod_proxy65: Prosody: Unauthenticated traffic relay due to access control mishandling in mod_proxy65
https://bugzilla.redhat.com/show_bug.cgi?id=2464412
[ 3 ] Bug #2464452 - CVE-2026-43505 Prosody: mod_proxy65: Prosody: Unauthorized traffic relay via mod_proxy65 access control flaw
https://bugzilla.redhat.com/show_bug.cgi?id=2464452
[ 4 ] Bug #2464492 - CVE-2026-43506 Prosody: Prosody: Denial of Service via memory exhaustion from unauthenticated connections
https://bugzilla.redhat.com/show_bug.cgi?id=2464492
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-36c53b9ca8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: python-pulp-glue-0.37.0-5.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-44919b3d9f
2026-05-10 02:48:49.647116+00:00
--------------------------------------------------------------------------------
Name : python-pulp-glue
Product : Fedora 44
Version : 0.37.0
Release : 5.fc44
URL : https://github.com/pulp/pulp-cli
Summary : The version agnostic Pulp 3 client library in python
Description :
pulp-glue is a library to ease the programmatic communication with the Pulp3
API. It helps to abstract different resource types with so-called contexts and
allows building, or even provides, complex workflows like chunked upload or
waiting on tasks.
It is built around an openapi3 parser to provide client side validation of http
requests, while accounting for known quirks and incompatibilities between
different Pulp server component versions.
--------------------------------------------------------------------------------
Update Information:
2.33.1 (2026-03-30)
Bugfixes
- Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary
files in the tmp directory.
- Fixed Content-Type header parsing for malformed values.
- Improved error consistency for malformed header values.
2.33.0 (2026-03-25)
Announcements
- Requests is adding inline types. If you have a typed code base that
uses Requests, please take a look at #7271.
Give it a try, and report any gaps or feedback you may have in the issue.
Security
- CVE-2026-25645
requests.utils.extract_zipped_paths now extracts
contents to a non-deterministic location to prevent malicious file
replacement. This does not affect default usage of Requests, only
applications calling the utility function directly.
Improvements
- Migrated to a PEP 517 build system using setuptools.
Bugfixes
- Fixed an issue where an empty netrc entry could cause
malformed authentication to be applied to Requests on
Python 3.11+.
Deprecations
- Dropped support for Python 3.9 following its end of support.
Documentation
- Various typo fixes and doc improvements.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Apr 2 2026 Lumir Balhar [lbalhar@redhat.com] - 0.37.0-5
- Remove upper version bound on requests
* Tue Feb 17 2026 Simone Caronni [negativo17@gmail.com] - 0.37.0-4
- Clean up .gitignore
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2467989 - python3-requests package lacks fix for CVE-2026-25645
https://bugzilla.redhat.com/show_bug.cgi?id=2467989
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-44919b3d9f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: python-requests-2.33.1-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-44919b3d9f
2026-05-10 02:48:49.647116+00:00
--------------------------------------------------------------------------------
Name : python-requests
Product : Fedora 44
Version : 2.33.1
Release : 1.fc44
URL : https://pypi.io/project/requests
Summary : HTTP library, written in Python, for human beings
Description :
Most existing Python modules for sending HTTP requests are extremely verbose and
cumbersome. Python's built-in urllib2 module provides most of the HTTP
capabilities you should need, but the API is thoroughly broken. This library is
designed to make HTTP requests easy for developers.
--------------------------------------------------------------------------------
Update Information:
2.33.1 (2026-03-30)
Bugfixes
- Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary
files in the tmp directory.
- Fixed Content-Type header parsing for malformed values.
- Improved error consistency for malformed header values.
2.33.0 (2026-03-25)
Announcements
- Requests is adding inline types. If you have a typed code base that
uses Requests, please take a look at #7271.
Give it a try, and report any gaps or feedback you may have in the issue.
Security
- CVE-2026-25645
requests.utils.extract_zipped_paths now extracts
contents to a non-deterministic location to prevent malicious file
replacement. This does not affect default usage of Requests, only
applications calling the utility function directly.
Improvements
- Migrated to a PEP 517 build system using setuptools.
Bugfixes
- Fixed an issue where an empty netrc entry could cause
malformed authentication to be applied to Requests on
Python 3.11+.
Deprecations
- Dropped support for Python 3.9 following its end of support.
Documentation
- Various typo fixes and doc improvements.
--------------------------------------------------------------------------------
ChangeLog:
* Tue Mar 31 2026 Lumir Balhar [lbalhar@redhat.com] - 2.33.1-1
- Update to 2.33.1 (rhbz#2451396)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2467989 - python3-requests package lacks fix for CVE-2026-25645
https://bugzilla.redhat.com/show_bug.cgi?id=2467989
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-44919b3d9f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: nextcloud-33.0.3-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-cb5661d883
2026-05-10 02:48:49.647077+00:00
--------------------------------------------------------------------------------
Name : nextcloud
Product : Fedora 44
Version : 33.0.3
Release : 1.fc44
URL : http://nextcloud.com
Summary : Private file sync and share server
Description :
NextCloud gives you universal access to your files through a web interface or
WebDAV. It also provides a platform to easily view & sync your contacts,
calendars and bookmarks across all your devices and enables basic editing right
on the web. NextCloud is extendable via a simple but powerful API for
applications and plugins.
--------------------------------------------------------------------------------
Update Information:
33.0.3 Release
--------------------------------------------------------------------------------
ChangeLog:
* Sat May 2 2026 Andrew Bauer [zonexpertconsulting@outlook.com] - 33.0.3-1
- 33.0.3 Release RHBZ#2454311
* Sat Apr 18 2026 Andrew Bauer [zonexpertconsulting@outlook.com] - 33.0.1-2
- fix cli upgrade advice
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2452582 - CVE-2026-33916 nextcloud: Handlebars: Cross-Site Scripting (XSS) via prototype pollution in partial resolution [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452582
[ 2 ] Bug #2452588 - CVE-2026-33937 nextcloud: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile() [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452588
[ 3 ] Bug #2452590 - CVE-2026-33938 nextcloud: Handlebars: Arbitrary code execution via @partial-block overwrite [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452590
[ 4 ] Bug #2452593 - CVE-2026-33939 nextcloud: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452593
[ 5 ] Bug #2452596 - CVE-2026-33940 nextcloud: Handlebars.js: Arbitrary code execution via crafted template context [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452596
[ 6 ] Bug #2452597 - CVE-2026-33941 nextcloud: Handlebars: Arbitrary code execution via CLI precompiler input sanitization flaw [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452597
[ 7 ] Bug #2452622 - CVE-2026-33937 nextcloud: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452622
[ 8 ] Bug #2452631 - CVE-2026-33938 nextcloud: Handlebars: Arbitrary code execution via @partial-block overwrite [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452631
[ 9 ] Bug #2452635 - CVE-2026-33940 nextcloud: Handlebars.js: Arbitrary code execution via crafted template context [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452635
[ 10 ] Bug #2452645 - CVE-2026-33941 nextcloud: Handlebars: Arbitrary code execution via CLI precompiler input sanitization flaw [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452645
[ 11 ] Bug #2452647 - CVE-2026-33939 nextcloud: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452647
[ 12 ] Bug #2453984 - CVE-2026-4800 nextcloud: lodash: Arbitrary code execution via untrusted input in template imports [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453984
[ 13 ] Bug #2454038 - CVE-2026-4800 nextcloud: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2454038
[ 14 ] Bug #2454311 - nextcloud-33.0.2 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2454311
[ 15 ] Bug #2456569 - CVE-2026-39865 nextcloud: Axios: Denial of Service via HTTP/2 session cleanup logic state corruption [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2456569
[ 16 ] Bug #2456575 - CVE-2026-39865 nextcloud: Axios: Denial of Service via HTTP/2 session cleanup logic state corruption [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2456575
[ 17 ] Bug #2457496 - CVE-2025-62718 nextcloud: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457496
[ 18 ] Bug #2457502 - CVE-2025-62718 nextcloud: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457502
[ 19 ] Bug #2457809 - CVE-2026-40194 nextcloud: phpseclib: Information disclosure via timing attack in SSH HMAC comparison [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457809
[ 20 ] Bug #2457810 - CVE-2026-40194 nextcloud: phpseclib: Information disclosure via timing attack in SSH HMAC comparison [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457810
[ 21 ] Bug #2457869 - CVE-2026-40175 nextcloud: Axios: Remote Code Execution via Prototype Pollution escalation [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457869
[ 22 ] Bug #2457875 - CVE-2026-40175 nextcloud: Axios: Remote Code Execution via Prototype Pollution escalation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457875
[ 23 ] Bug #2463440 - CVE-2026-42035 nextcloud: Axios: Arbitrary HTTP header injection via prototype pollution [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2463440
[ 24 ] Bug #2463443 - CVE-2026-42035 nextcloud: Axios: Arbitrary HTTP header injection via prototype pollution [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2463443
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-cb5661d883' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: dotnet10.0-10.0.107-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-32952baba5
2026-05-10 02:48:49.647048+00:00
--------------------------------------------------------------------------------
Name : dotnet10.0
Product : Fedora 44
Version : 10.0.107
Release : 1.fc44
URL : https://github.com/dotnet/
Summary : .NET 10.0 Runtime and SDK
Description :
.NET is a fast, lightweight and modular platform for creating
cross platform applications that work on Linux, macOS and Windows.
It particularly focuses on creating console applications, web
applications and micro-services.
.NET contains a runtime conforming to .NET Standards, a set of
framework libraries, an SDK containing compilers and a 'dotnet'
application to drive everything.
--------------------------------------------------------------------------------
Update Information:
Update to .NET SDK 10.0.107 and Runtime 10.0.7
Fixes: CVE-2026-40372
Release Notes:
SDK: https://github.com/dotnet/core/blob/main/release-notes/10.0/10.0.7/10.0.107.md
Runtime: https://github.com/dotnet/core/blob/main/release-notes/10.0/10.0.7/10.0.7.md
--------------------------------------------------------------------------------
ChangeLog:
* Fri May 1 2026 Omair Majid [omajid@redhat.com] - 10.0.107-1
- Update to .NET SDK 10.0.107 and Runtime 10.0.7
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-32952baba5' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: rclone-1.74.0-2.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-63341da831
2026-05-10 02:48:49.647071+00:00
--------------------------------------------------------------------------------
Name : rclone
Product : Fedora 44
Version : 1.74.0
Release : 2.fc44
URL : https://github.com/rclone/rclone
Summary : Rsync for cloud storage
Description :
"rsync for cloud storage" - Google Drive, S3, Dropbox, Backblaze B2, One Drive,
Swift, Hubic, Wasabi, Google Cloud Storage, Azure Blob, Azure Files, Yandex
Files.
--------------------------------------------------------------------------------
Update Information:
Update to 1.74.0
--------------------------------------------------------------------------------
ChangeLog:
* Sat May 2 2026 Mikel Olasagasti Uranga [mikel@olasagasti.info] - 1.74.0-2
- Fix tests failing with Go 1.25
* Fri May 1 2026 Mikel Olasagasti Uranga [mikel@olasagasti.info] - 1.74.0-1
- Update to 1.74.0 - Closes rhbz#2459511
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2456042 - CVE-2026-33817 rclone: go.etcd.io/bbolt: Denial of Service via index out-of-range error [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2456042
[ 2 ] Bug #2461128 - CVE-2026-41176 rclone: Rclone: Unauthorized access to administrative functions through unauthenticated Remote Control endpoint. [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2461128
[ 3 ] Bug #2463186 - CVE-2026-3006 rclone: winfsp: Local privilege escalation via race condition and kernel heap overflow [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2463186
[ 4 ] Bug #2464137 - CVE-2026-41179 rclone: Rclone: Unauthenticated local command execution via exposed RC endpoint [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2464137
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-63341da831' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: exim-4.99.2-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7f7b8d957f
2026-05-10 02:48:49.647046+00:00
--------------------------------------------------------------------------------
Name : exim
Product : Fedora 44
Version : 4.99.2
Release : 1.fc44
URL : https://www.exim.org/
Summary : The exim mail transfer agent
Description :
Exim is a message transfer agent (MTA) developed at the University of
Cambridge for use on Unix systems connected to the Internet. It is
freely available under the terms of the GNU General Public Licence. In
style it is similar to Smail 3, but its facilities are more
general. There is a great deal of flexibility in the way mail can be
routed, and there are extensive facilities for checking incoming
mail. Exim can be installed in place of sendmail, although the
configuration of exim is quite different to that of sendmail.
--------------------------------------------------------------------------------
Update Information:
This is a new version of exim fixing some security bugs.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Apr 30 2026 Jaroslav Škarvada [jskarvad@redhat.com] - 4.99.2-1
- New version
Resolves: rhbz#2463798
- Refreshed keyring
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2463798 - exim-4.99.2 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2463798
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-7f7b8d957f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: prosody-13.0.5-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-2947986ad6
2026-05-10 02:48:49.647007+00:00
--------------------------------------------------------------------------------
Name : prosody
Product : Fedora 44
Version : 13.0.5
Release : 1.fc44
URL : https://prosody.im/
Summary : Flexible communications server for Jabber/XMPP
Description :
Prosody is a flexible communications server for Jabber/XMPP written in Lua.
It aims to be easy to use, and light on resources. For developers it aims
to be easy to extend and give a flexible system on which to rapidly develop
added functionality, or prototype new protocols.
--------------------------------------------------------------------------------
Update Information:
Prosody 13.0.5
Upstream is pleased to announce a new minor release from their stable branch.
This is a security release for the Prosody 13.0.x stable series. It fixes
multiple security issues, some memory leaks and some smaller bugs and changes
which have been implemented since the previous release.
Full details about the security vulnerabilities can be found in upstream's
security advisory. Upstream encourages all Prosody operators on 13.0.4 or
earlier to upgrade to 13.0.5 as soon as possible, or to review the advisory and
implement appropriate mitigations.
A summary of changes in this release:
Security
mod_proxy65: Consistently apply authorization checks
mod_proxy65: Don't proxy data until after bytestream activation
mod_c2s, mod_s2s: Introduce new pre-authentication stanza size limit
Add limit for stanza max child elements
mod_c2s: Remove timers immediately on disconnection
net.server_epoll: Clean up timers after disconnection
Fixes and improvements
net.http.parser: Fix handling of chunked request
MUC: Advertise hats feature on room JID
moduleapi: Use multitable add/remove instead of set (fixes memory leak)
mod_cloud_notify: Fix leaking iq response handlers by using send_iq()
Improve federation with servers using only IP addresses
prosody: Prevent loading local code when installed system-wide
mod_http_file_share: Improve handling of Range requests
mod_carbons: Fix some carbons decision-making bugs
Minor changes
net.resolvers: Fix to avoid SRV lookups for IP addresses
prosody: Abort earlier on incompatible Lua version
mod_turn_external: hand out credentials for type == turns too
mod_s2s: Fully validate stream addressing
prosodyctl check features: Warn if http file sharing enabled on both host and component
util.prosodyctl: Don't check for mod_posix being disabled, it's deprecated
util.startup: Improve error message when failing to load config file
util.x509: Add support for iPAddress certs
prosodyctl: Trim any trailing newline from password entry
mod_admin_shell: Make cert index search path relative to config file
mod_admin_shell: Improve multi-host command handling
mod_admin_shell: Show help listing when specifying only a section name
mod_admin_shell: Ensure password validity when setting passwords for new/existing users
mod_account_activity: Handle authentication provider returning no user info
config: Use default value when enum option has incorrect value
mod_http: "Handle" streaming requests to avoid invoking redirect handler
--------------------------------------------------------------------------------
ChangeLog:
* Thu Apr 30 2026 Robert Scheck [robert@fedoraproject.org] 13.0.5-1
- Upgrade to 13.0.5 (#2463898)
* Thu Apr 16 2026 Tom Callaway [spot@fedoraproject.org] - 13.0.4-3
- rebuild
* Sun Mar 15 2026 Tom Callaway [spot@fedoraproject.org] - 13.0.4-2
- rebuild for lua 5.5
- apply upstream fix for configure
- make a new patch to actually support lua 5.5
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2464363 - CVE-2026-43507 Prosody: Prosody: Denial of Service via XML parsing resource amplification
https://bugzilla.redhat.com/show_bug.cgi?id=2464363
[ 2 ] Bug #2464412 - CVE-2026-43504 Prosody: mod_proxy65: Prosody: Unauthenticated traffic relay due to access control mishandling in mod_proxy65
https://bugzilla.redhat.com/show_bug.cgi?id=2464412
[ 3 ] Bug #2464452 - CVE-2026-43505 Prosody: mod_proxy65: Prosody: Unauthorized traffic relay via mod_proxy65 access control flaw
https://bugzilla.redhat.com/show_bug.cgi?id=2464452
[ 4 ] Bug #2464492 - CVE-2026-43506 Prosody: Prosody: Denial of Service via memory exhaustion from unauthenticated connections
https://bugzilla.redhat.com/show_bug.cgi?id=2464492
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-2947986ad6' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------