PgBouncer, Coturn, Valkey, and more updates for Fedora

Fedora Linux 9353 Published by

Fedora 42, 43, and 44 are receiving a batch of critical security updates that patch multiple widely used software packages. The releases address dozens of vulnerabilities across tools like Chromium, Valkey, and Apptainer, fixing issues ranging from memory corruption flaws to injection attacks that could allow remote code execution. The update cycle also touches essential infrastructure components, including database drivers and container virtualization tools, which helps close gaps that attackers might exploit through malformed inputs or race conditions. System administrators can apply these patches immediately by running the standard dnf upgrade command with the specific advisory identifiers provided in each notification.

Fedora 42 Update: pgbouncer-1.25.2-1.fc42
Fedora 42 Update: coturn-4.11.0-1.fc42
Fedora 42 Update: valkey-8.0.9-1.fc42
Fedora 42 Update: apptainer-1.5.0-1.fc42
Fedora 42 Update: uv-0.11.11-1.fc42
Fedora 42 Update: rust-astral-tokio-tar-0.6.1-1.fc42
Fedora 42 Update: python-uv-build-0.11.11-1.fc42
Fedora 43 Update: pgbouncer-1.25.2-1.fc43
Fedora 43 Update: coturn-4.11.0-1.fc43
Fedora 43 Update: valkey-8.1.7-1.fc43
Fedora 43 Update: uv-0.11.11-1.fc43
Fedora 43 Update: apptainer-1.5.0-1.fc43
Fedora 43 Update: rust-astral-tokio-tar-0.6.1-1.fc43
Fedora 43 Update: python-uv-build-0.11.11-1.fc43
Fedora 44 Update: chromium-148.0.7778.167-1.fc44
Fedora 44 Update: pgbouncer-1.25.2-1.fc44
Fedora 44 Update: open-amp-2026.04.0-1.fc44
Fedora 44 Update: libmetal-2026.04.0-2.fc44
Fedora 44 Update: coturn-4.11.0-1.fc44
Fedora 44 Update: valkey-9.0.4-1.fc44
Fedora 44 Update: apptainer-1.5.0-1.fc44
Fedora 44 Update: uv-0.11.11-1.fc44
Fedora 44 Update: python-uv-build-0.11.11-1.fc44
Fedora 44 Update: rust-astral-tokio-tar-0.6.1-1.fc44




[SECURITY] Fedora 42 Update: pgbouncer-1.25.2-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-cf2ba5b766
2026-05-18 01:23:32.591566+00:00
--------------------------------------------------------------------------------

Name : pgbouncer
Product : Fedora 42
Version : 1.25.2
Release : 1.fc42
URL : https://www.pgbouncer.org
Summary : Lightweight connection pooler for PostgreSQL
Description :
pgbouncer is a lightweight connection pooler for PostgreSQL and uses libevent
for low-level socket handling.

--------------------------------------------------------------------------------
Update Information:

Update to 1.25.2.
--------------------------------------------------------------------------------
ChangeLog:

* Sat May 9 2026 Simone Caronni [negativo17@gmail.com] - 1.25.2-1
- Update to 1.25.2
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 1.25.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2419513 - CVE-2025-12819 pgbouncer: Untrusted search path in auth_query connection in PgBouncer [epel-10]
https://bugzilla.redhat.com/show_bug.cgi?id=2419513
[ 2 ] Bug #2419514 - CVE-2025-12819 pgbouncer: Untrusted search path in auth_query connection in PgBouncer [epel-8]
https://bugzilla.redhat.com/show_bug.cgi?id=2419514
[ 3 ] Bug #2419515 - CVE-2025-12819 pgbouncer: Untrusted search path in auth_query connection in PgBouncer [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2419515
[ 4 ] Bug #2419516 - CVE-2025-12819 pgbouncer: Untrusted search path in auth_query connection in PgBouncer [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2419516
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-cf2ba5b766' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 42 Update: coturn-4.11.0-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-dfa8ea5809
2026-05-18 01:23:32.591546+00:00
--------------------------------------------------------------------------------

Name : coturn
Product : Fedora 42
Version : 4.11.0
Release : 1.fc42
URL : https://github.com/coturn/coturn/
Summary : TURN/STUN & ICE Server
Description :
The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway.
It can be used as a general-purpose network traffic TURN server/gateway, too.

This implementation also includes some extra features. Supported RFCs:

TURN specs:
- RFC 5766 - base TURN specs
- RFC 6062 - TCP relaying TURN extension
- RFC 6156 - IPv6 extension for TURN
- Experimental DTLS support as client protocol.

STUN specs:
- RFC 3489 - "classic" STUN
- RFC 5389 - base "new" STUN specs
- RFC 5769 - test vectors for STUN protocol testing
- RFC 5780 - NAT behavior discovery support

The implementation fully supports the following client-to-TURN-server protocols:
- UDP (per RFC 5766)
- TCP (per RFC 5766 and RFC 6062)
- TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2
- DTLS (experimental non-standard feature)

Supported relay protocols:
- UDP (per RFC 5766)
- TCP (per RFC 6062)

Supported user databases (for user repository, with passwords or keys, if
authentication is required):
- SQLite
- MySQL
- PostgreSQL
- Redis

Redis can also be used for status and statistics storage and notification.

Supported TURN authentication mechanisms:
- long-term
- TURN REST API (a modification of the long-term mechanism, for time-limited
secret-based authentication, for WebRTC applications)

The load balancing can be implemented with the following tools (either one or a
combination of them):
- network load-balancer server
- DNS-based load balancing
- built-in ALTERNATE-SERVER mechanism.

--------------------------------------------------------------------------------
Update Information:

Coturn 4.11.0
Fix prometheus response memory leak introduced in 4.10.0
Use constant-time compare for STUN MESSAGE-INTEGRITY HMAC
Fix format-string injection in Redis DB driver
Abort on malformed allowed/denied-peer-ip at startup
Pin session origin only after MESSAGE-INTEGRITY validates
Fix build failure: define _GNU_SOURCE for recvmmsg() on Linux
Drop udp_relay_servers_number config and clean up dead UDP id-space
Add Unity-based unit test scaffolding
Delete log line per relay thread on start
Out of bound HTTP detection in parser
Extend STUN client fuzz builder coverage
Extend fuzzing coverage and enable local fuzzing in a container
Cover all public stun_buffer.c wrappers in FuzzStunClient
HTTP parsing fixes
Unblock fuzz coverage for is_http and rare STUN attributes
Seed address-mapping table in fuzz initializer
Add deterministic challenge-response builder to FuzzStun
Add fuzz coverage for integrity helpers
Hoist turn_server_get_engine() out of per-packet hot path
Inline addr_cpy() in the header
Trim two redundant checks from per-packet relay hot path
Inline get_ioa_addr_len() in the header
Cache hot lookups in TURN data-path handlers
Load generator mode in turnutils_uclient
Filc harness and pointer typedefs
--------------------------------------------------------------------------------
ChangeLog:

* Sat May 9 2026 Robert Scheck [robert@fedoraproject.org] - 4.11.0-1
- Upgrade to 4.11.0 (#2466643)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2466643 - coturn-4.11.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2466643
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-dfa8ea5809' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 42 Update: valkey-8.0.9-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-114b1e5d3a
2026-05-18 01:23:32.591525+00:00
--------------------------------------------------------------------------------

Name : valkey
Product : Fedora 42
Version : 8.0.9
Release : 1.fc42
URL : https://valkey.io
Summary : A persistent key-value database
Description :
Valkey is an advanced key-value store. It is often referred to as a data
structure server since keys can contain strings, hashes, lists, sets and
sorted sets.

You can run atomic operations on these types, like appending to a string;
incrementing the value in a hash; pushing to a list; computing set
intersection, union and difference; or getting the member with highest
ranking in a sorted set.

In order to achieve its outstanding performance, Valkey works with an
in-memory dataset. Depending on your use case, you can persist it either
by dumping the dataset to disk every once in a while, or by appending
each command to a log.

Valkey also supports trivial-to-setup master-slave replication, with very
fast non-blocking first synchronization, auto-reconnection on net split
and so forth.

Other features include Transactions, Pub/Sub, Lua scripting, Keys with a
limited time-to-live, and configuration settings to make Valkey behave like
a cache.

You can use Valkey from most programming languages also.

--------------------------------------------------------------------------------
Update Information:

Version 8.0.9
Security fixes
(CVE-2026-23479) Use-After-Free in unblock client flow
(CVE-2026-25243) Invalid Memory Access in RESTORE command
(CVE-2026-23631) Use-after-free when full sync occurs during a yielding
Lua/function execution
--------------------------------------------------------------------------------
ChangeLog:

* Thu May 7 2026 Remi Collet [remi@fedoraproject.org] - 8.0.9-1
- Valkey 8.0.9 - Wed 06 May 2026
- Upgrade urgency SECURITY: This release includes security fixes
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2477968 - CVE-2026-23479 valkey: use-after-free in unblock client flow may allow remote code execution [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2477968
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-114b1e5d3a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 42 Update: apptainer-1.5.0-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-db5621b65e
2026-05-18 01:23:32.591522+00:00
--------------------------------------------------------------------------------

Name : apptainer
Product : Fedora 42
Version : 1.5.0
Release : 1.fc42
URL : https://apptainer.org
Summary : Application and environment virtualization formerly known as Singularity
Description :
Apptainer provides functionality to make portable
containers that can be used across host environments.

--------------------------------------------------------------------------------
Update Information:

Update to upstream 1.5.0, fix CVE-2026-32285 and CVE-2026-34986
Update to upstream 1.5.0-rc.2
Update to upstream 1.5.0-rc.1
--------------------------------------------------------------------------------
ChangeLog:

* Wed May 6 2026 Dave Dykstra [dwd@cern.ch] - 1.5.0
- Update to upstream 1.5.0
* Tue Apr 14 2026 Dave Dykstra [dwd@cern.ch] - 1.5.0~rc.2
- Update to upstream 1.5.0~rc.2
* Thu Mar 12 2026 Dave Dykstra [dwd@cern.ch] - 1.5.0~rc.1
- Update to upstream 1.5.0~rc.1
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2447072 - apptainer-1.5.0-rc.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2447072
[ 2 ] Bug #2452369 - CVE-2026-32285 apptainer: github.com/buger/jsonparser: Denial of Service via malformed JSON input [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452369
[ 3 ] Bug #2455644 - CVE-2026-34986 apptainer: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455644
[ 4 ] Bug #2467573 - apptainer-1.5.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2467573
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-db5621b65e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 42 Update: uv-0.11.11-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-8d8aee6aaf
2026-05-18 01:23:32.591517+00:00
--------------------------------------------------------------------------------

Name : uv
Product : Fedora 42
Version : 0.11.11
Release : 1.fc42
URL : https://github.com/astral-sh/uv
Summary : An extremely fast Python package installer and resolver, written in Rust
Description :
An extremely fast Python package and project manager, written in Rust.

Highlights:

??? A single tool to replace pip, pip-tools, pipx, poetry, pyenv, twine,
virtualenv, and more.
??? 10-100x faster than pip.
??? Provides comprehensive project management, with a universal lockfile.
??? Runs scripts, with support for inline dependency metadata.
??? Installs and manages Python versions.
??? Runs and installs tools published as Python packages.
??? Includes a pip-compatible interface for a performance boost with a familiar
CLI.
??? Supports Cargo-style workspaces for scalable projects.
??? Disk-space efficient, with a global cache for dependency deduplication.

--------------------------------------------------------------------------------
Update Information:

Update uv and python-uv-build to 0.11.11. Update the astral-tokio-tar Rust crate
to 0.6.1, fixing security advisories GHSA-xx64-wwv2-hcqq and GHSA-
fp55-jw48-c537.
--------------------------------------------------------------------------------
ChangeLog:

* Fri May 8 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.11-1
- Update to 0.11.11 (close RHBZ#2466908)
* Wed May 6 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.10-1
- Update to 0.11.10 (close RHBZ#2466908)
* Tue May 5 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.9-1
- Update to 0.11.9 (close RHBZ#2466654)
* Thu Apr 16 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.7-1
- Update to 0.11.7 (close RHBZ#2458860)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2466653 - python-uv-build-0.11.9 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2466653
[ 2 ] Bug #2466654 - uv-0.11.9 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2466654
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-8d8aee6aaf' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 42 Update: rust-astral-tokio-tar-0.6.1-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-8d8aee6aaf
2026-05-18 01:23:32.591517+00:00
--------------------------------------------------------------------------------

Name : rust-astral-tokio-tar
Product : Fedora 42
Version : 0.6.1
Release : 1.fc42
URL : https://crates.io/crates/astral-tokio-tar
Summary : Rust implementation of an async TAR file reader and writer
Description :
A Rust implementation of an async TAR file reader and writer. This
library does not currently handle compression, but it is abstract over
all I/O readers and writers. Additionally, great lengths are taken to
ensure that the entire contents are never required to be entirely
resident in memory all at once.

--------------------------------------------------------------------------------
Update Information:

Update uv and python-uv-build to 0.11.11. Update the astral-tokio-tar Rust crate
to 0.6.1, fixing security advisories GHSA-xx64-wwv2-hcqq and GHSA-
fp55-jw48-c537.
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 5 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.6.1-1
- Update to version 0.6.1
- Fixes GHSA-fp55-jw48-c537; fixes GHSA-xx64-wwv2-hcqq
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2466653 - python-uv-build-0.11.9 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2466653
[ 2 ] Bug #2466654 - uv-0.11.9 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2466654
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-8d8aee6aaf' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 42 Update: python-uv-build-0.11.11-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-8d8aee6aaf
2026-05-18 01:23:32.591517+00:00
--------------------------------------------------------------------------------

Name : python-uv-build
Product : Fedora 42
Version : 0.11.11
Release : 1.fc42
URL : https://pypi.org/project/uv-build
Summary : The uv build backend
Description :

This package is a slimmed down version of uv containing only the build
backend.

--------------------------------------------------------------------------------
Update Information:

Update uv and python-uv-build to 0.11.11. Update the astral-tokio-tar Rust crate
to 0.6.1, fixing security advisories GHSA-xx64-wwv2-hcqq and GHSA-
fp55-jw48-c537.
--------------------------------------------------------------------------------
ChangeLog:

* Fri May 8 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.11-1
- Update to 0.11.11 (close RHBZ#2466907)
* Wed May 6 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.10-1
- Update to 0.11.10 (close RHBZ#2466907)
* Tue May 5 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.9-1
- Update to 0.11.9 (close RHBZ#2466653)
* Thu Apr 16 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.7-1
- Update to 0.11.7 (close RHBZ#2458852)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2466653 - python-uv-build-0.11.9 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2466653
[ 2 ] Bug #2466654 - uv-0.11.9 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2466654
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-8d8aee6aaf' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: pgbouncer-1.25.2-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-fad57ac86d
2026-05-18 00:58:32.597423+00:00
--------------------------------------------------------------------------------

Name : pgbouncer
Product : Fedora 43
Version : 1.25.2
Release : 1.fc43
URL : https://www.pgbouncer.org
Summary : Lightweight connection pooler for PostgreSQL
Description :
pgbouncer is a lightweight connection pooler for PostgreSQL and uses libevent
for low-level socket handling.

--------------------------------------------------------------------------------
Update Information:

Update to 1.25.2.
--------------------------------------------------------------------------------
ChangeLog:

* Sat May 9 2026 Simone Caronni [negativo17@gmail.com] - 1.25.2-1
- Update to 1.25.2
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2419513 - CVE-2025-12819 pgbouncer: Untrusted search path in auth_query connection in PgBouncer [epel-10]
https://bugzilla.redhat.com/show_bug.cgi?id=2419513
[ 2 ] Bug #2419514 - CVE-2025-12819 pgbouncer: Untrusted search path in auth_query connection in PgBouncer [epel-8]
https://bugzilla.redhat.com/show_bug.cgi?id=2419514
[ 3 ] Bug #2419515 - CVE-2025-12819 pgbouncer: Untrusted search path in auth_query connection in PgBouncer [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2419515
[ 4 ] Bug #2419516 - CVE-2025-12819 pgbouncer: Untrusted search path in auth_query connection in PgBouncer [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2419516
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-fad57ac86d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: coturn-4.11.0-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f0fbd93125
2026-05-18 00:58:32.597402+00:00
--------------------------------------------------------------------------------

Name : coturn
Product : Fedora 43
Version : 4.11.0
Release : 1.fc43
URL : https://github.com/coturn/coturn/
Summary : TURN/STUN & ICE Server
Description :
The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway.
It can be used as a general-purpose network traffic TURN server/gateway, too.

This implementation also includes some extra features. Supported RFCs:

TURN specs:
- RFC 5766 - base TURN specs
- RFC 6062 - TCP relaying TURN extension
- RFC 6156 - IPv6 extension for TURN
- Experimental DTLS support as client protocol.

STUN specs:
- RFC 3489 - "classic" STUN
- RFC 5389 - base "new" STUN specs
- RFC 5769 - test vectors for STUN protocol testing
- RFC 5780 - NAT behavior discovery support

The implementation fully supports the following client-to-TURN-server protocols:
- UDP (per RFC 5766)
- TCP (per RFC 5766 and RFC 6062)
- TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2
- DTLS (experimental non-standard feature)

Supported relay protocols:
- UDP (per RFC 5766)
- TCP (per RFC 6062)

Supported user databases (for user repository, with passwords or keys, if
authentication is required):
- SQLite
- MySQL
- PostgreSQL
- Redis

Redis can also be used for status and statistics storage and notification.

Supported TURN authentication mechanisms:
- long-term
- TURN REST API (a modification of the long-term mechanism, for time-limited
secret-based authentication, for WebRTC applications)

The load balancing can be implemented with the following tools (either one or a
combination of them):
- network load-balancer server
- DNS-based load balancing
- built-in ALTERNATE-SERVER mechanism.

--------------------------------------------------------------------------------
Update Information:

Coturn 4.11.0
Fix prometheus response memory leak introduced in 4.10.0
Use constant-time compare for STUN MESSAGE-INTEGRITY HMAC
Fix format-string injection in Redis DB driver
Abort on malformed allowed/denied-peer-ip at startup
Pin session origin only after MESSAGE-INTEGRITY validates
Fix build failure: define _GNU_SOURCE for recvmmsg() on Linux
Drop udp_relay_servers_number config and clean up dead UDP id-space
Add Unity-based unit test scaffolding
Delete log line per relay thread on start
Out of bound HTTP detection in parser
Extend STUN client fuzz builder coverage
Extend fuzzing coverage and enable local fuzzing in a container
Cover all public stun_buffer.c wrappers in FuzzStunClient
HTTP parsing fixes
Unblock fuzz coverage for is_http and rare STUN attributes
Seed address-mapping table in fuzz initializer
Add deterministic challenge-response builder to FuzzStun
Add fuzz coverage for integrity helpers
Hoist turn_server_get_engine() out of per-packet hot path
Inline addr_cpy() in the header
Trim two redundant checks from per-packet relay hot path
Inline get_ioa_addr_len() in the header
Cache hot lookups in TURN data-path handlers
Load generator mode in turnutils_uclient
Filc harness and pointer typedefs
--------------------------------------------------------------------------------
ChangeLog:

* Sat May 9 2026 Robert Scheck [robert@fedoraproject.org] - 4.11.0-1
- Upgrade to 4.11.0 (#2466643)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2466643 - coturn-4.11.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2466643
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f0fbd93125' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: valkey-8.1.7-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-76cf27ea56
2026-05-18 00:58:32.597369+00:00
--------------------------------------------------------------------------------

Name : valkey
Product : Fedora 43
Version : 8.1.7
Release : 1.fc43
URL : https://valkey.io
Summary : A persistent key-value database
Description :
Valkey is an advanced key-value store. It is often referred to as a data
structure server since keys can contain strings, hashes, lists, sets and
sorted sets.

You can run atomic operations on these types, like appending to a string;
incrementing the value in a hash; pushing to a list; computing set
intersection, union and difference; or getting the member with highest
ranking in a sorted set.

In order to achieve its outstanding performance, Valkey works with an
in-memory dataset. Depending on your use case, you can persist it either
by dumping the dataset to disk every once in a while, or by appending
each command to a log.

Valkey also supports trivial-to-setup master-slave replication, with very
fast non-blocking first synchronization, auto-reconnection on net split
and so forth.

Other features include Transactions, Pub/Sub, Lua scripting, Keys with a
limited time-to-live, and configuration settings to make Valkey behave like
a cache.

You can use Valkey from most programming languages also.

See https://valkey.io/topics/

--------------------------------------------------------------------------------
Update Information:

Version 8.1.7
Security fixes
(CVE-2026-23479) Use-After-Free in unblock client flow
(CVE-2026-25243) Invalid Memory Access in RESTORE command
(CVE-2026-23631) Use-after-free when full sync occurs during a yielding
Lua/function execution
--------------------------------------------------------------------------------
ChangeLog:

* Wed May 6 2026 Remi Collet [remi@remirepo.net] - 8.1.7-1
- Valkey 8.1.7 - Tue 05 May 2026
- Upgrade urgency SECURITY: This release includes security fixes.
CVE-2026-23479 CVE-2026-25243 CVE-2026-23631
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2477968 - CVE-2026-23479 valkey: use-after-free in unblock client flow may allow remote code execution [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2477968
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-76cf27ea56' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: uv-0.11.11-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-a8100094df
2026-05-18 00:58:32.597359+00:00
--------------------------------------------------------------------------------

Name : uv
Product : Fedora 43
Version : 0.11.11
Release : 1.fc43
URL : https://github.com/astral-sh/uv
Summary : An extremely fast Python package installer and resolver, written in Rust
Description :
An extremely fast Python package and project manager, written in Rust.

Highlights:

??? A single tool to replace pip, pip-tools, pipx, poetry, pyenv, twine,
virtualenv, and more.
??? 10-100x faster than pip.
??? Provides comprehensive project management, with a universal lockfile.
??? Runs scripts, with support for inline dependency metadata.
??? Installs and manages Python versions.
??? Runs and installs tools published as Python packages.
??? Includes a pip-compatible interface for a performance boost with a familiar
CLI.
??? Supports Cargo-style workspaces for scalable projects.
??? Disk-space efficient, with a global cache for dependency deduplication.

--------------------------------------------------------------------------------
Update Information:

Update uv and python-uv-build to 0.11.11. Update the astral-tokio-tar Rust crate
to 0.6.1, fixing security advisories GHSA-xx64-wwv2-hcqq and GHSA-
fp55-jw48-c537.
--------------------------------------------------------------------------------
ChangeLog:

* Fri May 8 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.11-1
- Update to 0.11.11 (close RHBZ#2466908)
* Wed May 6 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.10-1
- Update to 0.11.10 (close RHBZ#2466908)
* Tue May 5 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.9-1
- Update to 0.11.9 (close RHBZ#2466654)
* Thu Apr 16 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.7-1
- Update to 0.11.7 (close RHBZ#2458860)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2466653 - python-uv-build-0.11.9 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2466653
[ 2 ] Bug #2466654 - uv-0.11.9 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2466654
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-a8100094df' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: apptainer-1.5.0-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-6c547e9f64
2026-05-18 00:58:32.597366+00:00
--------------------------------------------------------------------------------

Name : apptainer
Product : Fedora 43
Version : 1.5.0
Release : 1.fc43
URL : https://apptainer.org
Summary : Application and environment virtualization formerly known as Singularity
Description :
Apptainer provides functionality to make portable
containers that can be used across host environments.

--------------------------------------------------------------------------------
Update Information:

Update to upstream 1.5.0, fix CVE-2026-32285 and CVE-2026-34986
Update to upstream 1.5.0-rc.2
Update to upstream 1.5.0-rc.1
--------------------------------------------------------------------------------
ChangeLog:

* Wed May 6 2026 Dave Dykstra [dwd@cern.ch] - 1.5.0
- Update to upstream 1.5.0
* Tue Apr 14 2026 Dave Dykstra [dwd@cern.ch] - 1.5.0~rc.2
- Update to upstream 1.5.0~rc.2
* Thu Mar 12 2026 Dave Dykstra [dwd@cern.ch] - 1.5.0~rc.1
- Update to upstream 1.5.0~rc.1
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2447072 - apptainer-1.5.0-rc.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2447072
[ 2 ] Bug #2452369 - CVE-2026-32285 apptainer: github.com/buger/jsonparser: Denial of Service via malformed JSON input [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452369
[ 3 ] Bug #2455644 - CVE-2026-34986 apptainer: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455644
[ 4 ] Bug #2467573 - apptainer-1.5.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2467573
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-6c547e9f64' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: rust-astral-tokio-tar-0.6.1-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-a8100094df
2026-05-18 00:58:32.597359+00:00
--------------------------------------------------------------------------------

Name : rust-astral-tokio-tar
Product : Fedora 43
Version : 0.6.1
Release : 1.fc43
URL : https://crates.io/crates/astral-tokio-tar
Summary : Rust implementation of an async TAR file reader and writer
Description :
A Rust implementation of an async TAR file reader and writer. This
library does not currently handle compression, but it is abstract over
all I/O readers and writers. Additionally, great lengths are taken to
ensure that the entire contents are never required to be entirely
resident in memory all at once.

--------------------------------------------------------------------------------
Update Information:

Update uv and python-uv-build to 0.11.11. Update the astral-tokio-tar Rust crate
to 0.6.1, fixing security advisories GHSA-xx64-wwv2-hcqq and GHSA-
fp55-jw48-c537.
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 5 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.6.1-1
- Update to version 0.6.1
- Fixes GHSA-fp55-jw48-c537; fixes GHSA-xx64-wwv2-hcqq
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2466653 - python-uv-build-0.11.9 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2466653
[ 2 ] Bug #2466654 - uv-0.11.9 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2466654
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-a8100094df' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: python-uv-build-0.11.11-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-a8100094df
2026-05-18 00:58:32.597359+00:00
--------------------------------------------------------------------------------

Name : python-uv-build
Product : Fedora 43
Version : 0.11.11
Release : 1.fc43
URL : https://pypi.org/project/uv-build
Summary : The uv build backend
Description :

This package is a slimmed down version of uv containing only the build
backend.

--------------------------------------------------------------------------------
Update Information:

Update uv and python-uv-build to 0.11.11. Update the astral-tokio-tar Rust crate
to 0.6.1, fixing security advisories GHSA-xx64-wwv2-hcqq and GHSA-
fp55-jw48-c537.
--------------------------------------------------------------------------------
ChangeLog:

* Fri May 8 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.11-1
- Update to 0.11.11 (close RHBZ#2466907)
* Wed May 6 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.10-1
- Update to 0.11.10 (close RHBZ#2466907)
* Tue May 5 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.9-1
- Update to 0.11.9 (close RHBZ#2466653)
* Thu Apr 16 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.7-1
- Update to 0.11.7 (close RHBZ#2458852)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2466653 - python-uv-build-0.11.9 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2466653
[ 2 ] Bug #2466654 - uv-0.11.9 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2466654
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-a8100094df' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: chromium-148.0.7778.167-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-885a3f8c70
2026-05-18 00:40:49.529082+00:00
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 44
Version : 148.0.7778.167
Release : 1.fc44
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

Update to 148.0.7778.167
CVE-2026-8509: Heap buffer overflow in WebML
CVE-2026-8510: Integer overflow in Skia
CVE-2026-8511: Use after free in UI
CVE-2026-8512: Use after free in FileSystem
CVE-2026-8513: Use after free in Input
CVE-2026-8514: Use after free in Aura
CVE-2026-8515: Use after free in HID
CVE-2026-8516: Insufficient validation of untrusted input in DataTransfer
CVE-2026-8517: Object lifecycle issue in WebShare
CVE-2026-8518: Use after free in Blink
CVE-2026-8519: Integer overflow in ANGLE
CVE-2026-8520: Race in Payments
CVE-2026-8521: Use after free in Tab Groups
CVE-2026-8522: Use after free in Downloads
CVE-2026-8523: Use after free in Mojo
CVE-2026-8558: Out of bounds write in Fonts
CVE-2026-8524: Out of bounds write in WebAudio
CVE-2026-8525: Heap buffer overflow in ANGLE
CVE-2026-8526: Out of bounds write in WebRTC
CVE-2026-8527: Insufficient validation of untrusted input in Downloads
CVE-2026-8528: Insufficient validation of untrusted input in SiteIsolation
CVE-2026-8529: Heap buffer overflow in Codecs
CVE-2026-8530: Use after free in Network
CVE-2026-8531: Heap buffer overflow in WebML
CVE-2026-8532: Integer overflow in XML
CVE-2026-8533: Use after free in Accessibility
CVE-2026-8534: Integer overflow in GPU
CVE-2026-8535: Out of bounds read in Media
CVE-2026-8536: Insufficient validation of untrusted input in ReadingMode
CVE-2026-8537: Insufficient policy enforcement in ViewTransitions
CVE-2026-8538: Insufficient validation of untrusted input in GPU
CVE-2026-8539: Script injection in SanitizerAPI
CVE-2026-8540: Type Confusion in V8
CVE-2026-8541: Out of bounds read in UI
CVE-2026-8542: Use after free in Core
CVE-2026-8543: Out of bounds read in FileSystem
CVE-2026-8544: Use after free in Media
CVE-2026-8545: Object corruption in Compositing
CVE-2026-8546: Out of bounds read in GPU
CVE-2026-8547: Insufficient policy enforcement in Passwords
CVE-2026-8548: Out of bounds write in Media
CVE-2026-8549: Use after free in Media
CVE-2026-8550: Use after free in Google Lens
CVE-2026-8551: Use after free in Downloads
CVE-2026-8552: Heap buffer overflow in GPU
CVE-2026-8553: Use after free in GPU
CVE-2026-8554: Type Confusion in ANGLE
CVE-2026-8555: Use after free in GTK
CVE-2026-8556: Inappropriate implementation in ANGLE
CVE-2026-8557: Use after free in Accessibility
CVE-2026-8559: Integer overflow in Internationalization
CVE-2026-8560: Heap buffer overflow in SwiftShader
CVE-2026-8561: Incorrect security UI in Fullscreen
CVE-2026-8562: Side-channel information leakage in Navigation
CVE-2026-8563: Insufficient policy enforcement in IFrame Sandbox
CVE-2026-8564: Incorrect security UI in Downloads
CVE-2026-8565: Inappropriate implementation in Downloads
CVE-2026-8566: Insufficient policy enforcement in Payments
CVE-2026-8567: Integer overflow in ANGLE
CVE-2026-8568: Insufficient policy enforcement in AI
CVE-2026-8569: Out of bounds write in Codecs
CVE-2026-8570: Type Confusion in V8
CVE-2026-8571: Insufficient policy enforcement in GPU
CVE-2026-8572: Insufficient policy enforcement in Network
CVE-2026-8573: Integer overflow in Codecs
CVE-2026-8574: Use after free in Core
CVE-2026-8575: Use after free in UI
CVE-2026-8576: Inappropriate implementation in CORS
CVE-2026-8577: Integer overflow in Fonts
CVE-2026-8578: Out of bounds read in GPU
CVE-2026-8579: Insufficient validation of untrusted input in Skia
CVE-2026-8580: Use after free in Mojo
CVE-2026-8581: Use after free in GPU
CVE-2026-8582: Object lifecycle issue in Dawn
CVE-2026-8583: Insufficient policy enforcement in WebXR
CVE-2026-8584: Inappropriate implementation in Views
CVE-2026-8585: Inappropriate implementation in Media
CVE-2026-8586: Inappropriate implementation in Chromoting
CVE-2026-8587: Use after free in Extensions
--------------------------------------------------------------------------------
ChangeLog:

* Wed May 13 2026 Than Ngo [than@redhat.com] - 148.0.7778.167-1
- Update to 148.0.7778.167
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2468370 - CVE-2026-7896 CVE-2026-7897 CVE-2026-7898 CVE-2026-7899 CVE-2026-7900 CVE-2026-7901 CVE-2026-7902 CVE-2026-7903 CVE-2026-7904 CVE-2026-7905 CVE-2026-7906 CVE-2026-7907 CVE-2026-7908 CVE-2026-7909 CVE-2026-7910 ... chromium: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2468370
[ 2 ] Bug #2477796 - CVE-2026-8509 CVE-2026-8510 CVE-2026-8511 CVE-2026-8512 CVE-2026-8513 CVE-2026-8514 CVE-2026-8515 CVE-2026-8516 CVE-2026-8517 CVE-2026-8518 CVE-2026-8519 CVE-2026-8520 CVE-2026-8521 CVE-2026-8522 CVE-2026-8523 ... chromium: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2477796
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-885a3f8c70' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: pgbouncer-1.25.2-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-d3d959a176
2026-05-18 00:40:49.529053+00:00
--------------------------------------------------------------------------------

Name : pgbouncer
Product : Fedora 44
Version : 1.25.2
Release : 1.fc44
URL : https://www.pgbouncer.org
Summary : Lightweight connection pooler for PostgreSQL
Description :
pgbouncer is a lightweight connection pooler for PostgreSQL and uses libevent
for low-level socket handling.

--------------------------------------------------------------------------------
Update Information:

Update to 1.25.2.
--------------------------------------------------------------------------------
ChangeLog:

* Sat May 9 2026 Simone Caronni [negativo17@gmail.com] - 1.25.2-1
- Update to 1.25.2
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2419513 - CVE-2025-12819 pgbouncer: Untrusted search path in auth_query connection in PgBouncer [epel-10]
https://bugzilla.redhat.com/show_bug.cgi?id=2419513
[ 2 ] Bug #2419514 - CVE-2025-12819 pgbouncer: Untrusted search path in auth_query connection in PgBouncer [epel-8]
https://bugzilla.redhat.com/show_bug.cgi?id=2419514
[ 3 ] Bug #2419515 - CVE-2025-12819 pgbouncer: Untrusted search path in auth_query connection in PgBouncer [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2419515
[ 4 ] Bug #2419516 - CVE-2025-12819 pgbouncer: Untrusted search path in auth_query connection in PgBouncer [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2419516
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-d3d959a176' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: open-amp-2026.04.0-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-c618807faa
2026-05-18 00:40:49.529044+00:00
--------------------------------------------------------------------------------

Name : open-amp
Product : Fedora 44
Version : 2026.04.0
Release : 1.fc44
URL : https://github.com/OpenAMP/open-amp/
Summary : Open Asymmetric Multi Processing (OpenAMP) framework project
Description :
The OpenAMP framework provides software components that enable development of
software applications for Asymmetric Multiprocessing (AMP) systems.

--------------------------------------------------------------------------------
Update Information:

Update to 2026.04.0
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 5 2026 Peter Robinson [pbrobinson@gmail.com] - 2026.04.0-1
- Update to 2026.04.0
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2467993 - CVE-2026-37540 open-amp: OpenAMP: Integer overflow in ELF loader can lead to arbitrary code execution or privilege escalation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2467993
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-c618807faa' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: libmetal-2026.04.0-2.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-c618807faa
2026-05-18 00:40:49.529044+00:00
--------------------------------------------------------------------------------

Name : libmetal
Product : Fedora 44
Version : 2026.04.0
Release : 2.fc44
URL : https://github.com/OpenAMP/libmetal/
Summary : An abstraction layer across user-space Linux, baremetal, and RTOS environments
Description :
An abstraction layer across user-space Linux, baremetal, and RTOS environments.

--------------------------------------------------------------------------------
Update Information:

Update to 2026.04.0
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 4 2026 Peter Robinson [pbrobinson@gmail.com] - 2026.04.0-2
- Update file list
* Mon May 4 2026 Peter Robinson [pbrobinson@gmail.com] - 2026.04.0-1
- Update to 2026.04.0
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2467993 - CVE-2026-37540 open-amp: OpenAMP: Integer overflow in ELF loader can lead to arbitrary code execution or privilege escalation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2467993
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-c618807faa' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: coturn-4.11.0-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-3b3139882c
2026-05-18 00:40:49.529034+00:00
--------------------------------------------------------------------------------

Name : coturn
Product : Fedora 44
Version : 4.11.0
Release : 1.fc44
URL : https://github.com/coturn/coturn/
Summary : TURN/STUN & ICE Server
Description :
The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway.
It can be used as a general-purpose network traffic TURN server/gateway, too.

This implementation also includes some extra features. Supported RFCs:

TURN specs:
- RFC 5766 - base TURN specs
- RFC 6062 - TCP relaying TURN extension
- RFC 6156 - IPv6 extension for TURN
- Experimental DTLS support as client protocol.

STUN specs:
- RFC 3489 - "classic" STUN
- RFC 5389 - base "new" STUN specs
- RFC 5769 - test vectors for STUN protocol testing
- RFC 5780 - NAT behavior discovery support

The implementation fully supports the following client-to-TURN-server protocols:
- UDP (per RFC 5766)
- TCP (per RFC 5766 and RFC 6062)
- TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2
- DTLS (experimental non-standard feature)

Supported relay protocols:
- UDP (per RFC 5766)
- TCP (per RFC 6062)

Supported user databases (for user repository, with passwords or keys, if
authentication is required):
- SQLite
- MySQL
- PostgreSQL
- Redis

Redis can also be used for status and statistics storage and notification.

Supported TURN authentication mechanisms:
- long-term
- TURN REST API (a modification of the long-term mechanism, for time-limited
secret-based authentication, for WebRTC applications)

The load balancing can be implemented with the following tools (either one or a
combination of them):
- network load-balancer server
- DNS-based load balancing
- built-in ALTERNATE-SERVER mechanism.

--------------------------------------------------------------------------------
Update Information:

Coturn 4.11.0
Fix prometheus response memory leak introduced in 4.10.0
Use constant-time compare for STUN MESSAGE-INTEGRITY HMAC
Fix format-string injection in Redis DB driver
Abort on malformed allowed/denied-peer-ip at startup
Pin session origin only after MESSAGE-INTEGRITY validates
Fix build failure: define _GNU_SOURCE for recvmmsg() on Linux
Drop udp_relay_servers_number config and clean up dead UDP id-space
Add Unity-based unit test scaffolding
Delete log line per relay thread on start
Out of bound HTTP detection in parser
Extend STUN client fuzz builder coverage
Extend fuzzing coverage and enable local fuzzing in a container
Cover all public stun_buffer.c wrappers in FuzzStunClient
HTTP parsing fixes
Unblock fuzz coverage for is_http and rare STUN attributes
Seed address-mapping table in fuzz initializer
Add deterministic challenge-response builder to FuzzStun
Add fuzz coverage for integrity helpers
Hoist turn_server_get_engine() out of per-packet hot path
Inline addr_cpy() in the header
Trim two redundant checks from per-packet relay hot path
Inline get_ioa_addr_len() in the header
Cache hot lookups in TURN data-path handlers
Load generator mode in turnutils_uclient
Filc harness and pointer typedefs
--------------------------------------------------------------------------------
ChangeLog:

* Sat May 9 2026 Robert Scheck [robert@fedoraproject.org] - 4.11.0-1
- Upgrade to 4.11.0 (#2466643)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2466643 - coturn-4.11.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2466643
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-3b3139882c' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: valkey-9.0.4-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-3e31dafe5c
2026-05-18 00:40:49.528987+00:00
--------------------------------------------------------------------------------

Name : valkey
Product : Fedora 44
Version : 9.0.4
Release : 1.fc44
URL : https://valkey.io
Summary : A persistent key-value database
Description :
Valkey is an advanced key-value store. It is often referred to as a data
structure server since keys can contain strings, hashes, lists, sets and
sorted sets.

You can run atomic operations on these types, like appending to a string;
incrementing the value in a hash; pushing to a list; computing set
intersection, union and difference; or getting the member with highest
ranking in a sorted set.

In order to achieve its outstanding performance, Valkey works with an
in-memory dataset. Depending on your use case, you can persist it either
by dumping the dataset to disk every once in a while, or by appending
each command to a log.

Valkey also supports trivial-to-setup master-slave replication, with very
fast non-blocking first synchronization, auto-reconnection on net split
and so forth.

Other features include Transactions, Pub/Sub, Lua scripting, Keys with a
limited time-to-live, and configuration settings to make Valkey behave like
a cache.

You can use Valkey from most programming languages also.

See https://valkey.io/topics/

--------------------------------------------------------------------------------
Update Information:

Version 9.0.4
Security fixes
(CVE-2026-23479) Use-After-Free in unblock client flow
(CVE-2026-25243) Invalid Memory Access in RESTORE command
(CVE-2026-23631) Use-after-free when full sync occurs during a yielding
Lua/function execution
--------------------------------------------------------------------------------
ChangeLog:

* Wed May 6 2026 Remi Collet [remi@remirepo.net] - 9.0.4-1
- Valkey 9.0.4 - May 5, 2026
- Upgrade urgency SECURITY: This release includes security fixes.
CVE-2026-23479 CVE-2026-25243 CVE-2026-23631
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2477968 - CVE-2026-23479 valkey: use-after-free in unblock client flow may allow remote code execution [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2477968
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-3e31dafe5c' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: apptainer-1.5.0-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-d516d12934
2026-05-18 00:40:49.528977+00:00
--------------------------------------------------------------------------------

Name : apptainer
Product : Fedora 44
Version : 1.5.0
Release : 1.fc44
URL : https://apptainer.org
Summary : Application and environment virtualization formerly known as Singularity
Description :
Apptainer provides functionality to make portable
containers that can be used across host environments.

--------------------------------------------------------------------------------
Update Information:

Update to upstream 1.5.0, fix CVE-2026-32285 and CVE-2026-34986
Update to upstream 1.5.0-rc.2
Update to upstream 1.5.0-rc.1
--------------------------------------------------------------------------------
ChangeLog:

* Wed May 6 2026 Dave Dykstra [dwd@cern.ch] - 1.5.0
- Update to upstream 1.5.0
* Tue Apr 14 2026 Dave Dykstra [dwd@cern.ch] - 1.5.0~rc.2
- Update to upstream 1.5.0~rc.2
* Thu Mar 12 2026 Dave Dykstra [dwd@cern.ch] - 1.5.0~rc.1
- Update to upstream 1.5.0~rc.1
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2447072 - apptainer-1.5.0-rc.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2447072
[ 2 ] Bug #2452369 - CVE-2026-32285 apptainer: github.com/buger/jsonparser: Denial of Service via malformed JSON input [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452369
[ 3 ] Bug #2455644 - CVE-2026-34986 apptainer: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455644
[ 4 ] Bug #2467573 - apptainer-1.5.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2467573
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-d516d12934' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: uv-0.11.11-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7aacc8ea7d
2026-05-18 00:40:49.528970+00:00
--------------------------------------------------------------------------------

Name : uv
Product : Fedora 44
Version : 0.11.11
Release : 1.fc44
URL : https://github.com/astral-sh/uv
Summary : An extremely fast Python package installer and resolver, written in Rust
Description :
An extremely fast Python package and project manager, written in Rust.

Highlights:

??? A single tool to replace pip, pip-tools, pipx, poetry, pyenv, twine,
virtualenv, and more.
??? 10-100x faster than pip.
??? Provides comprehensive project management, with a universal lockfile.
??? Runs scripts, with support for inline dependency metadata.
??? Installs and manages Python versions.
??? Runs and installs tools published as Python packages.
??? Includes a pip-compatible interface for a performance boost with a familiar
CLI.
??? Supports Cargo-style workspaces for scalable projects.
??? Disk-space efficient, with a global cache for dependency deduplication.

--------------------------------------------------------------------------------
Update Information:

Update uv and python-uv-build to 0.11.11. Update the astral-tokio-tar Rust crate
to 0.6.1, fixing security advisories GHSA-xx64-wwv2-hcqq and GHSA-
fp55-jw48-c537.
--------------------------------------------------------------------------------
ChangeLog:

* Fri May 8 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.11-1
- Update to 0.11.11 (close RHBZ#2466908)
* Wed May 6 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.10-1
- Update to 0.11.10 (close RHBZ#2466908)
* Tue May 5 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.9-1
- Update to 0.11.9 (close RHBZ#2466654)
* Thu Apr 16 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.7-1
- Update to 0.11.7 (close RHBZ#2458860)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2466653 - python-uv-build-0.11.9 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2466653
[ 2 ] Bug #2466654 - uv-0.11.9 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2466654
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-7aacc8ea7d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: python-uv-build-0.11.11-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7aacc8ea7d
2026-05-18 00:40:49.528970+00:00
--------------------------------------------------------------------------------

Name : python-uv-build
Product : Fedora 44
Version : 0.11.11
Release : 1.fc44
URL : https://pypi.org/project/uv-build
Summary : The uv build backend
Description :

This package is a slimmed down version of uv containing only the build
backend.

--------------------------------------------------------------------------------
Update Information:

Update uv and python-uv-build to 0.11.11. Update the astral-tokio-tar Rust crate
to 0.6.1, fixing security advisories GHSA-xx64-wwv2-hcqq and GHSA-
fp55-jw48-c537.
--------------------------------------------------------------------------------
ChangeLog:

* Fri May 8 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.11-1
- Update to 0.11.11 (close RHBZ#2466907)
* Wed May 6 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.10-1
- Update to 0.11.10 (close RHBZ#2466907)
* Tue May 5 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.9-1
- Update to 0.11.9 (close RHBZ#2466653)
* Thu Apr 16 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.7-1
- Update to 0.11.7 (close RHBZ#2458852)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2466653 - python-uv-build-0.11.9 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2466653
[ 2 ] Bug #2466654 - uv-0.11.9 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2466654
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-7aacc8ea7d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: rust-astral-tokio-tar-0.6.1-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7aacc8ea7d
2026-05-18 00:40:49.528970+00:00
--------------------------------------------------------------------------------

Name : rust-astral-tokio-tar
Product : Fedora 44
Version : 0.6.1
Release : 1.fc44
URL : https://crates.io/crates/astral-tokio-tar
Summary : Rust implementation of an async TAR file reader and writer
Description :
A Rust implementation of an async TAR file reader and writer. This
library does not currently handle compression, but it is abstract over
all I/O readers and writers. Additionally, great lengths are taken to
ensure that the entire contents are never required to be entirely
resident in memory all at once.

--------------------------------------------------------------------------------
Update Information:

Update uv and python-uv-build to 0.11.11. Update the astral-tokio-tar Rust crate
to 0.6.1, fixing security advisories GHSA-xx64-wwv2-hcqq and GHSA-
fp55-jw48-c537.
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 5 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.6.1-1
- Update to version 0.6.1
- Fixes GHSA-fp55-jw48-c537; fixes GHSA-xx64-wwv2-hcqq
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2466653 - python-uv-build-0.11.9 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2466653
[ 2 ] Bug #2466654 - uv-0.11.9 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2466654
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-7aacc8ea7d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new


PHP, Redis, OpenSSH, Kernel, LibPNG updates for Debian

Kernel-Devel, Java, Apache, Chromedriver, Expat updates for SUSE

Windows

Linux

macOS

Community

  • Lexonight
    Hey everyone,Wanted to share a project I've been b ...
  • SeveG
    need some help here... situationPC= Packard BellOS= win1 ...
  • dhamu
    Hello Phil, I have a Linux Tutorial website that curre ...