
Fedora released several security advisories that address vulnerabilities in the Fedora 43 and 44 product lines. Key updates cover the .NET 10.0 SDK and runtime, which resolve a denial-of-service risk, and OpenSSH, which resolves an information disclosure or denial-of-service risk caused by uninitialized variables in the GSSAPI key exchange code. Other packages received critical attention as well, including Vim builds that fix code execution flaws and Chromium updates that fix memory corruption errors.

Fedora 43 Update: dotnet10.0-10.0.104-1.fc43
Fedora 43 Update: openssh-10.0p1-7.fc43
Fedora 43 Update: bpfman-0.5.4-4.fc43
Fedora 44 Update: chromium-146.0.7680.80-1.fc44
Fedora 44 Update: vim-9.2.148-1.fc44
Fedora 44 Update: cpp-httplib-0.37.1-2.fc44
Fedora 44 Update: polkit-127-2.fc44.1




[SECURITY] Fedora 43 Update: dotnet10.0-10.0.104-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-854e553ffa
2026-03-20 01:01:53.697508+00:00
--------------------------------------------------------------------------------

Name : dotnet10.0
Product : Fedora 43
Version : 10.0.104
Release : 1.fc43
URL : https://github.com/dotnet/
Summary : .NET 10.0 Runtime and SDK
Description :
.NET is a fast, lightweight and modular platform for creating
cross platform applications that work on Linux, macOS and Windows.

It particularly focuses on creating console applications, web
applications and micro-services.

.NET contains a runtime conforming to .NET Standards, a set of
framework libraries, an SDK containing compilers and a 'dotnet'
application to drive everything.

--------------------------------------------------------------------------------
Update Information:

This is the March 2026 release of .NET 10.
Release Notes:
SDK: https://github.com/dotnet/core/blob/main/release-notes/10.0/10.0.4/10.0.104.md
Runtime: https://github.com/dotnet/core/blob/main/release-notes/10.0/10.0.4/10.0.4.md
--------------------------------------------------------------------------------
ChangeLog:

* Wed Mar 11 2026 Omair Majid [omajid@redhat.com] - 10.0.104-1
- Update to .NET SDK 10.0.104 and Runtime 10.0.4
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2446426 - CVE-2026-26130 dotnet10.0: ASP.NET Core: Denial of Service via uncontrolled resource allocation [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2446426
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-854e553ffa' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: openssh-10.0p1-7.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-bab4aa5da7
2026-03-20 01:01:53.697510+00:00
--------------------------------------------------------------------------------

Name : openssh
Product : Fedora 43
Version : 10.0p1
Release : 7.fc43
URL : http://www.openssh.com/portable.html
Summary : An open source implementation of SSH protocol version 2
Description :
SSH (Secure SHell) is a program for logging into and executing
commands on a remote machine. SSH is intended to replace rlogin and
rsh, and to provide secure encrypted communications between two
untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH is OpenBSD's version of the last free version of SSH, bringing
it up to date in terms of security and features.

This package includes the core files necessary for both the OpenSSH
client and server. To make this package useful, you should also
install openssh-clients, openssh-server, or both.

--------------------------------------------------------------------------------
Update Information:

CVE-2026-3497: Fix information disclosure or denial of service due to
uninitialized variables in gssapi-keyex
--------------------------------------------------------------------------------
ChangeLog:

* Wed Mar 18 2026 Zoltan Fridrich [zfridric@redhat.com] - 10.0p1-7
- CVE-2026-3497: Fix information disclosure or denial of service due
to uninitialized variables in gssapi-keyex
Resolves: rhbz#2447290
- remove obsolete patch for ssh manual page
Resolves: rhbz#2442505
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2442505 - 0043-openssh-8.7p1-ssh-manpage.patch introduces duplicates in documentation
https://bugzilla.redhat.com/show_bug.cgi?id=2442505
[ 2 ] Bug #2447289 - CVE-2026-3497 openssh: OpenSSH GSSAPI: Information disclosure or denial of service due to uninitialized variables [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2447289
[ 3 ] Bug #2447290 - CVE-2026-3497 openssh: OpenSSH GSSAPI: Information disclosure or denial of service due to uninitialized variables [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2447290
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-bab4aa5da7' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: bpfman-0.5.4-4.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-2fef29d32a
2026-03-20 01:01:53.697472+00:00
--------------------------------------------------------------------------------

Name : bpfman
Product : Fedora 43
Version : 0.5.4
Release : 4.fc43
URL : https://bpfman.io
Summary : EBPF Program Manager
Description :
bpfman operates as an eBPF manager, focusing on simplifying the deployment and
administration of eBPF programs.

--------------------------------------------------------------------------------
Update Information:

Fix CVE-2026-31812: Bump quinn-proto to 0.11.14 - Closes rhbz#2446359
--------------------------------------------------------------------------------
ChangeLog:

* Wed Mar 11 2026 Daniel Mellado [dmellado@fedoraproject.org] - 0.5.4-4
- Fix CVE-2026-31812: Bump quinn-proto to 0.11.14 - Closes rhbz#2446359
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2446359 - CVE-2026-31812 bpfman: quinn-proto: Denial of Service via crafted QUIC Initial packet [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2446359
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-2fef29d32a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: chromium-146.0.7680.80-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-b7d2936de3
2026-03-20 00:16:04.477884+00:00
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 44
Version : 146.0.7680.80
Release : 1.fc44
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

Update to 146.0.7680.80
* CVE-2026-3909: Out of bounds write in Skia
--------------------------------------------------------------------------------
ChangeLog:

* Sat Mar 14 2026 Than Ngo [than@redhat.com] - 146.0.7680.80-1
- Update to 146.0.7680.80
* CVE-2026-3909: Out of bounds write in Skia
* Fri Mar 13 2026 Than Ngo [than@redhat.com] - 146.0.7680.75-1
- Update to 146.0.7680.75
* CVE-2026-3910: Inappropriate implementation in V8
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2447254 - CVE-2026-3909 CVE-2026-3910 chromium: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2447254
[ 2 ] Bug #2447255 - CVE-2026-3909 CVE-2026-3910 chromium: various flaws [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2447255
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-b7d2936de3' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: vim-9.2.148-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f5d072060b
2026-03-20 00:16:04.477874+00:00
--------------------------------------------------------------------------------

Name : vim
Product : Fedora 44
Version : 9.2.148
Release : 1.fc44
URL : https://www.vim.org/
Summary : The VIM editor
Description :
VIM (VIsual editor iMproved) is an updated and improved version of the
vi editor. Vi was the first real screen-based editor for UNIX, and is
still very popular. VIM improves on vi by adding new features:
multiple windows, multi-level undo, block highlighting and more.

--------------------------------------------------------------------------------
Update Information:

patchlevel 148
Security fixes for CVE-2026-28417, CVE-2026-28418, CVE-2026-28419,
CVE-2026-28420, CVE-2026-28421, CVE-2026-28422
Security fix for CVE-2026-32249
--------------------------------------------------------------------------------
ChangeLog:

* Fri Mar 13 2026 Zdenek Dohnal [zdohnal@redhat.com] - 2:9.2.148-1
- patchlevel 148
* Fri Mar 6 2026 Zdenek Dohnal [zdohnal@redhat.com] - 2:9.2.112-2
- fix tests which expect mouse=a
* Fri Mar 6 2026 Zdenek Dohnal [zdohnal@redhat.com] - 2:9.2.112-1
- patchlevel 112
* Thu Feb 26 2026 Zdenek Dohnal [zdohnal@redhat.com] - 2:9.2.045-2
- SPEC file cleanup
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2443455 - CVE-2026-28417 vim: Vim: Arbitrary code execution via OS command injection in the netrw plugin
https://bugzilla.redhat.com/show_bug.cgi?id=2443455
[ 2 ] Bug #2443474 - CVE-2026-28421 vim: Vim: Denial of service and information disclosure via crafted swap file
https://bugzilla.redhat.com/show_bug.cgi?id=2443474
[ 3 ] Bug #2443475 - CVE-2026-28422 vim: Vim: Integrity impact due to stack-buffer-overflow via wide terminal statusline rendering
https://bugzilla.redhat.com/show_bug.cgi?id=2443475
[ 4 ] Bug #2443481 - CVE-2026-28418 vim: Vim: Information disclosure via heap-based buffer overflow in Emacs-style tags file parsing
https://bugzilla.redhat.com/show_bug.cgi?id=2443481
[ 5 ] Bug #2443482 - CVE-2026-28419 vim: Vim: Information disclosure and denial of service via malformed tags file
https://bugzilla.redhat.com/show_bug.cgi?id=2443482
[ 6 ] Bug #2443484 - CVE-2026-28420 vim: Vim: Information disclosure and denial of service via crafted Unicode characters in terminal emulator
https://bugzilla.redhat.com/show_bug.cgi?id=2443484
[ 7 ] Bug #2447110 - CVE-2026-32249 vim: NFA regex engine NULL pointer dereference
https://bugzilla.redhat.com/show_bug.cgi?id=2447110
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f5d072060b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: cpp-httplib-0.37.1-2.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-2c2afa9f9e
2026-03-20 00:16:04.477762+00:00
--------------------------------------------------------------------------------

Name : cpp-httplib
Product : Fedora 44
Version : 0.37.1
Release : 2.fc44
URL : https://github.com/yhirose/cpp-httplib
Summary : A C++11 single-file header-only cross platform HTTP/HTTPS library
Description :
A C++11 single-file header-only cross platform HTTP/HTTPS library.

It's extremely easy to setup. Just include the httplib.h file in your code!

--------------------------------------------------------------------------------
Update Information:

Update to 0.37.1
Fixes Denial of Service via malformed Content-Length header
(CVE-2026-31870)
Reenable 32b builds
Update to 0.37.0 (rhbz#2441656)
Fixes Denial of Service via crafted HTTP POST request (CVE-2026-29076,
rhbz#2445663)
Update to 0.35.0
Payload size limit bypass via gzip decompression in ContentReader (streaming)
allows oversized request bodies (CVE-2026-28435, rhbz#2444638)
Default exception handler leaks e.what() to clients via EXCEPTION_WHAT response
header (CVE-2026-28434, rhbz#2444636)
https://github.com/yhirose/cpp-httplib/compare/v0.32.0...v0.37.0
--------------------------------------------------------------------------------
ChangeLog:

* Wed Mar 11 2026 Petr Menšík [pemensik@redhat.com] - 0.37.1-2
- Build for 32 bits again
* Tue Mar 10 2026 Petr Menšík [pemensik@redhat.com] - 0.37.1-1
- Update to 0.37.1 (rhbz#2445943)
* Mon Mar 9 2026 Petr Menšík [pemensik@redhat.com] - 0.37.0-1
- Update to 0.37.0 (rhbz#2441656)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2441656 - cpp-httplib-0.37.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2441656
[ 2 ] Bug #2444636 - CVE-2026-28434 cpp-httplib: default exception handler leaks e.what() to clients via EXCEPTION_WHAT response header [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2444636
[ 3 ] Bug #2444638 - CVE-2026-28435 cpp-httplib: payload size limit bypass via gzip decompression in ContentReader (streaming) allows oversized request bodies [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2444638
[ 4 ] Bug #2445663 - CVE-2026-29076 cpp-httplib: cpp-httplib: Denial of Service via crafted HTTP POST request [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2445663
[ 5 ] Bug #2445943 - cpp-httplib-0.37.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2445943
[ 6 ] Bug #2446926 - CVE-2026-31870 cpp-httplib: cpp-httplib: Denial of Service via malformed Content-Length header [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2446926
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-2c2afa9f9e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: polkit-127-2.fc44.1


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-d4bdf7108e
2026-03-20 00:16:04.477751+00:00
--------------------------------------------------------------------------------

Name : polkit
Product : Fedora 44
Version : 127
Release : 2.fc44.1
URL : https://github.com/polkit-org/polkit
Summary : An authorization framework
Description :
polkit is a toolkit for defining and handling authorizations. It is
used for allowing unprivileged processes to speak to privileged
processes.

--------------------------------------------------------------------------------
Update Information:

backport of significant upstream patches
--------------------------------------------------------------------------------
ChangeLog:

* Wed Mar 4 2026 Jan Rybar [jrybar@redhat.com] - 127-2.1
- backport of significant upstream patches
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-d4bdf7108e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

