PostgreSQL, MySQL, Nginx, and Kernel updates for Oracle Linux

Oracle Linux 6500 Published by

Oracle pushed updates across Linux 8 and 9 that tackle dozens of open vulnerabilities. The big ones cover databases like PostgreSQL jumping to 16.14 and MySQL landing at 8.4.9.

ELSA-2026-28143 Important: Oracle Linux 8 postgresql:16 security update
ELSA-2026-26180 Moderate: Oracle Linux 8 mysql:8.4 security update
ELSA-2026-27738 Important: Oracle Linux 8 libpq security update
ELSA-2026-13672 Important: Oracle Linux 9 fence-agents security update
ELBA-2026-50326 Oracle Linux 9 leapp-repository bug fix update
ELSA-2026-24369 Important: Oracle Linux 9 unbound security update
ELSA-2026-24368 Important: Oracle Linux 9 bind9.18 security update
ELSA-2026-22313 Moderate: Oracle Linux 9 compat-openssl11 security update
ELSA-2026-21755 Important: Oracle Linux 9 flatpak security update
ELSA-2026-21381 Important: Oracle Linux 9 thunderbird security update
ELSA-2026-21468 Important: Oracle Linux 9 cockpit security update
ELSA-2026-20568 Important: Oracle Linux 9 jmc security update
ELSA-2026-21391 Important: Oracle Linux 9 httpd security update
ELSA-2026-19374 Critical: Oracle Linux 9 nginx security update
ELSA-2026-19610 Important: Oracle Linux 9 libsndfile security update
ELSA-2026-19373 Important: Oracle Linux 9 dnsmasq security update
ELBA-2026-50348 Oracle Linux 9 crash bug fix update
ELSA-2026-19366 Important: Oracle Linux 9 python-markdown security update
ELSA-2026-19362 Important: Oracle Linux 9 gimp security update
ELSA-2026-19365 Important: Oracle Linux 9 jq security update
ELSA-2026-19364 Important: Oracle Linux 9 dovecot security update
ELSA-2026-50324 Moderate: Oracle Linux 9 pyOpenSSL security update
ELSA-2026-19359 Important: Oracle Linux 9 openexr security update
ELSA-2026-19358 Moderate: Oracle Linux 9 freerdp security update
ELSA-2026-19356 Moderate: Oracle Linux 9 libsoup security update
ELSA-2026-19352 Important: Oracle Linux 9 grafana security update
ELSA-2026-19351 Important: Oracle Linux 9 grafana-pcp security update
ELSA-2026-28923 Important: Oracle Linux 8 tigervnc security update
ELSA-2026-28921 Important: Oracle Linux 8 nginx:1.24 security update
ELSA-2026-28553 Moderate: Oracle Linux 8 vim security update
ELSA-2026-27811 Important: Oracle Linux 8 kernel security update




ELSA-2026-28143 Important: Oracle Linux 8 postgresql:16 security update


Oracle Linux Security Advisory ELSA-2026-28143

http://linux.oracle.com/errata/ELSA-2026-28143.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
pgaudit-16.0-1.module+el8.10.0+90275+c15b12cb.x86_64.rpm
pg_repack-1.5.1-1.module+el8.10.0+90451+109c7b24.x86_64.rpm
postgres-decoderbufs-2.4.0-1.Final.module+el8.10.0+90275+c15b12cb.x86_64.rpm
postgresql-16.14-1.module+el8.10.0+90923+42a72dfe.x86_64.rpm
postgresql-contrib-16.14-1.module+el8.10.0+90923+42a72dfe.x86_64.rpm
postgresql-docs-16.14-1.module+el8.10.0+90923+42a72dfe.x86_64.rpm
postgresql-plperl-16.14-1.module+el8.10.0+90923+42a72dfe.x86_64.rpm
postgresql-plpython3-16.14-1.module+el8.10.0+90923+42a72dfe.x86_64.rpm
postgresql-pltcl-16.14-1.module+el8.10.0+90923+42a72dfe.x86_64.rpm
postgresql-private-devel-16.14-1.module+el8.10.0+90923+42a72dfe.x86_64.rpm
postgresql-private-libs-16.14-1.module+el8.10.0+90923+42a72dfe.x86_64.rpm
postgresql-server-16.14-1.module+el8.10.0+90923+42a72dfe.x86_64.rpm
postgresql-server-devel-16.14-1.module+el8.10.0+90923+42a72dfe.x86_64.rpm
postgresql-static-16.14-1.module+el8.10.0+90923+42a72dfe.x86_64.rpm
postgresql-test-16.14-1.module+el8.10.0+90923+42a72dfe.x86_64.rpm
postgresql-test-rpm-macros-16.14-1.module+el8.10.0+90923+42a72dfe.noarch.rpm
postgresql-upgrade-16.14-1.module+el8.10.0+90923+42a72dfe.x86_64.rpm
postgresql-upgrade-devel-16.14-1.module+el8.10.0+90923+42a72dfe.x86_64.rpm

aarch64:
pgaudit-16.0-1.module+el8.10.0+90275+c15b12cb.aarch64.rpm
pg_repack-1.5.1-1.module+el8.10.0+90451+109c7b24.aarch64.rpm
postgres-decoderbufs-2.4.0-1.Final.module+el8.10.0+90275+c15b12cb.aarch64.rpm
postgresql-16.14-1.module+el8.10.0+90923+42a72dfe.aarch64.rpm
postgresql-contrib-16.14-1.module+el8.10.0+90923+42a72dfe.aarch64.rpm
postgresql-docs-16.14-1.module+el8.10.0+90923+42a72dfe.aarch64.rpm
postgresql-plperl-16.14-1.module+el8.10.0+90923+42a72dfe.aarch64.rpm
postgresql-plpython3-16.14-1.module+el8.10.0+90923+42a72dfe.aarch64.rpm
postgresql-pltcl-16.14-1.module+el8.10.0+90923+42a72dfe.aarch64.rpm
postgresql-private-devel-16.14-1.module+el8.10.0+90923+42a72dfe.aarch64.rpm
postgresql-private-libs-16.14-1.module+el8.10.0+90923+42a72dfe.aarch64.rpm
postgresql-server-16.14-1.module+el8.10.0+90923+42a72dfe.aarch64.rpm
postgresql-server-devel-16.14-1.module+el8.10.0+90923+42a72dfe.aarch64.rpm
postgresql-static-16.14-1.module+el8.10.0+90923+42a72dfe.aarch64.rpm
postgresql-test-16.14-1.module+el8.10.0+90923+42a72dfe.aarch64.rpm
postgresql-test-rpm-macros-16.14-1.module+el8.10.0+90923+42a72dfe.noarch.rpm
postgresql-upgrade-16.14-1.module+el8.10.0+90923+42a72dfe.aarch64.rpm
postgresql-upgrade-devel-16.14-1.module+el8.10.0+90923+42a72dfe.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/pgaudit-16.0-1.module+el8.10.0+90275+c15b12cb.src.rpm
http://oss.oracle.com/ol8/SRPMS-updates/pg_repack-1.5.1-1.module+el8.10.0+90451+109c7b24.src.rpm
http://oss.oracle.com/ol8/SRPMS-updates/postgres-decoderbufs-2.4.0-1.Final.module+el8.10.0+90275+c15b12cb.src.rpm
http://oss.oracle.com/ol8/SRPMS-updates/postgresql-16.14-1.module+el8.10.0+90923+42a72dfe.src.rpm

Related CVEs:

CVE-2026-6473
CVE-2026-6478

Description of changes:

pgaudit
[16.0-1]
- Update to 16.0
- Support postgresql 16
- Initial import for PG 16 module
- Resolves: RHEL-3636

pg_repack
[1.5.1-1]
- Update to 1.5.1

postgres-decoderbufs
[2.4.0-1.Final]
- Initial import for postgresql 16 stream
- Related: RHEL-3636

postgresql
[16.14-1]
- Update to 16.14
- Fix CVE-2026-6478



ELSA-2026-26180 Moderate: Oracle Linux 8 mysql:8.4 security update


Oracle Linux Security Advisory ELSA-2026-26180

http://linux.oracle.com/errata/ELSA-2026-26180.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
mecab-0.996-2.module+el8.10.0+90700+dfc34c39.x86_64.rpm
mecab-devel-0.996-2.module+el8.10.0+90700+dfc34c39.x86_64.rpm
mecab-ipadic-2.7.0.20070801-17.0.1.module+el8.10.0+90700+dfc34c39.x86_64.rpm
mecab-ipadic-EUCJP-2.7.0.20070801-17.0.1.module+el8.10.0+90700+dfc34c39.x86_64.rpm
mysql-8.4.9-1.module+el8.10.0+90921+caa1c0ca.x86_64.rpm
mysql-common-8.4.9-1.module+el8.10.0+90921+caa1c0ca.noarch.rpm
mysql-devel-8.4.9-1.module+el8.10.0+90921+caa1c0ca.x86_64.rpm
mysql-errmsg-8.4.9-1.module+el8.10.0+90921+caa1c0ca.noarch.rpm
mysql-libs-8.4.9-1.module+el8.10.0+90921+caa1c0ca.x86_64.rpm
mysql-server-8.4.9-1.module+el8.10.0+90921+caa1c0ca.x86_64.rpm
mysql-test-8.4.9-1.module+el8.10.0+90921+caa1c0ca.x86_64.rpm
mysql-test-data-8.4.9-1.module+el8.10.0+90921+caa1c0ca.noarch.rpm

aarch64:
mecab-0.996-2.module+el8.10.0+90700+dfc34c39.aarch64.rpm
mecab-devel-0.996-2.module+el8.10.0+90700+dfc34c39.aarch64.rpm
mecab-ipadic-2.7.0.20070801-17.0.1.module+el8.10.0+90700+dfc34c39.aarch64.rpm
mecab-ipadic-EUCJP-2.7.0.20070801-17.0.1.module+el8.10.0+90700+dfc34c39.aarch64.rpm
mysql-8.4.9-1.module+el8.10.0+90921+caa1c0ca.aarch64.rpm
mysql-common-8.4.9-1.module+el8.10.0+90921+caa1c0ca.noarch.rpm
mysql-devel-8.4.9-1.module+el8.10.0+90921+caa1c0ca.aarch64.rpm
mysql-errmsg-8.4.9-1.module+el8.10.0+90921+caa1c0ca.noarch.rpm
mysql-libs-8.4.9-1.module+el8.10.0+90921+caa1c0ca.aarch64.rpm
mysql-server-8.4.9-1.module+el8.10.0+90921+caa1c0ca.aarch64.rpm
mysql-test-8.4.9-1.module+el8.10.0+90921+caa1c0ca.aarch64.rpm
mysql-test-data-8.4.9-1.module+el8.10.0+90921+caa1c0ca.noarch.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/mecab-0.996-2.module+el8.10.0+90700+dfc34c39.src.rpm
http://oss.oracle.com/ol8/SRPMS-updates/mecab-ipadic-2.7.0.20070801-17.0.1.module+el8.10.0+90700+dfc34c39.src.rpm
http://oss.oracle.com/ol8/SRPMS-updates/mysql-8.4.9-1.module+el8.10.0+90921+caa1c0ca.src.rpm

Related CVEs:

CVE-2026-21998
CVE-2026-22001
CVE-2026-22002
CVE-2026-22004
CVE-2026-22005
CVE-2026-22009
CVE-2026-22015
CVE-2026-22017
CVE-2026-34270
CVE-2026-34271
CVE-2026-34276
CVE-2026-34303
CVE-2026-34304
CVE-2026-34308
CVE-2026-35236
CVE-2026-35237
CVE-2026-35238
CVE-2026-35239
CVE-2026-35240

Description of changes:

mecab
[0.996-2.12]
- Bump version for 'mysql' module rebuild
We are moving the 'mecab-devel' RPM from the 'buildroot' repo to the 'AppStream' repo
- Resolves: #2180411

[0.996-2]
- Rebuild to fix the issue described in #2000986
- Resolves: #2000986

[0.996-1.9]
- Release bump for rebuilding on new arches
Related: #1518842

[0.996-1.8]
- skip %verify of /etc/opt/rh/rh-mysql57/mecabrc
Resolves: #1382315

[0.996-1.7]
- Prefix library major number with SCL name in soname

[0.996-1.6]
- Require runtime package from the scl

[0.996-1.5]
- Convert to SCL package

[0.996-1.4]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

[0.996-1.3]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

[0.996-1.2]
- Rebuilt for GCC 5 C++11 ABI change

mecab-ipadic
[2.7.0.20070801-17.0.1]
- Rename the LICENSE.Fedora to LICENSE.oracle

[2.7.0.20070801-17]
- Bump the release
- Resolves: RHEL-24525

[2.7.0.20070801-16]
- Rename the LICENSE.fedora to LICENSE.rhel

[2.7.0.20070801-15]
- Release bump for rebuilding on new arches
Related: #1518842

[2.7.0.20070801-14.1]
- Require runtime package from the scl

[2.7.0.20070801-13.1]
- Convert to SCL package

[2.7.0.20070801-12.1]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

[2.7.0.20070801-11.1]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

[2.7.0.20070801-10.1]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

[2.7.0.20070801-9.1]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

mysql
[8.4.9-1]
- Rebase to 8.4.9



ELSA-2026-27738 Important: Oracle Linux 8 libpq security update


Oracle Linux Security Advisory ELSA-2026-27738

http://linux.oracle.com/errata/ELSA-2026-27738.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
libpq-13.23-2.el8_10.i686.rpm
libpq-13.23-2.el8_10.x86_64.rpm
libpq-devel-13.23-2.el8_10.i686.rpm
libpq-devel-13.23-2.el8_10.x86_64.rpm

aarch64:
libpq-13.23-2.el8_10.aarch64.rpm
libpq-devel-13.23-2.el8_10.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/libpq-13.23-2.el8_10.src.rpm

Related CVEs:

CVE-2026-6473
CVE-2026-6475
CVE-2026-6477
CVE-2026-6478

Description of changes:

[13.23-2]
- Backport fixes for CVE-2026-6478, CVE-2026-6637, CVE-2026-6477,
CVE-2026-6475, CVE-2026-6473 from PostgreSQL 14.23
- Resolves: RHEL-179806



ELSA-2026-13672 Important: Oracle Linux 9 fence-agents security update


Oracle Linux Security Advisory ELSA-2026-13672

http://linux.oracle.com/errata/ELSA-2026-13672.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
fence-agents-aliyun-4.10.0-98.el9_7.12.x86_64.rpm
fence-agents-all-4.10.0-98.el9_7.12.x86_64.rpm
fence-agents-amt-ws-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-apc-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-apc-snmp-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-aws-4.10.0-98.el9_7.12.x86_64.rpm
fence-agents-azure-arm-4.10.0-98.el9_7.12.x86_64.rpm
fence-agents-bladecenter-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-brocade-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-cisco-mds-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-cisco-ucs-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-common-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-compute-4.10.0-98.el9_7.12.x86_64.rpm
fence-agents-drac5-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-eaton-snmp-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-emerson-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-eps-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-gce-4.10.0-98.el9_7.12.x86_64.rpm
fence-agents-heuristics-ping-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-hpblade-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-ibm-powervs-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-ibm-vpc-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-ibmblade-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-ifmib-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-ilo-moonshot-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-ilo-mp-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-ilo-ssh-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-ilo2-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-intelmodular-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-ipdu-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-ipmilan-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-kdump-4.10.0-98.el9_7.12.x86_64.rpm
fence-agents-kubevirt-4.10.0-98.el9_7.12.x86_64.rpm
fence-agents-lpar-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-mpath-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-nutanix-ahv-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-openstack-4.10.0-98.el9_7.12.x86_64.rpm
fence-agents-redfish-4.10.0-98.el9_7.12.x86_64.rpm
fence-agents-rhevm-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-rsa-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-rsb-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-sbd-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-scsi-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-virsh-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-vmware-rest-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-vmware-soap-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-wti-4.10.0-98.el9_7.12.noarch.rpm
fence-virt-4.10.0-98.el9_7.12.x86_64.rpm
fence-virtd-4.10.0-98.el9_7.12.x86_64.rpm
fence-virtd-cpg-4.10.0-98.el9_7.12.x86_64.rpm
fence-virtd-libvirt-4.10.0-98.el9_7.12.x86_64.rpm
fence-virtd-multicast-4.10.0-98.el9_7.12.x86_64.rpm
fence-virtd-serial-4.10.0-98.el9_7.12.x86_64.rpm
fence-virtd-tcp-4.10.0-98.el9_7.12.x86_64.rpm
ha-cloud-support-4.10.0-98.el9_7.12.x86_64.rpm

aarch64:
fence-agents-all-4.10.0-98.el9_7.12.aarch64.rpm
fence-agents-amt-ws-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-apc-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-apc-snmp-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-bladecenter-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-brocade-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-cisco-mds-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-cisco-ucs-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-common-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-drac5-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-eaton-snmp-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-emerson-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-eps-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-heuristics-ping-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-hpblade-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-ibm-powervs-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-ibm-vpc-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-ibmblade-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-ifmib-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-ilo-moonshot-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-ilo-mp-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-ilo-ssh-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-ilo2-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-intelmodular-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-ipdu-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-ipmilan-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-kdump-4.10.0-98.el9_7.12.aarch64.rpm
fence-agents-kubevirt-4.10.0-98.el9_7.12.aarch64.rpm
fence-agents-lpar-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-mpath-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-nutanix-ahv-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-redfish-4.10.0-98.el9_7.12.aarch64.rpm
fence-agents-rhevm-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-rsa-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-rsb-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-sbd-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-scsi-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-virsh-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-vmware-rest-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-vmware-soap-4.10.0-98.el9_7.12.noarch.rpm
fence-agents-wti-4.10.0-98.el9_7.12.noarch.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/fence-agents-4.10.0-98.el9_7.12.src.rpm

Related CVEs:

CVE-2026-26007
CVE-2026-32597

Description of changes:

[4.10.0-98.12]
- bundled cryptography: replace with dependency to fix CVE-2026-26007
- bundled PyJWT: upgrade to v2.12.1 to fix CVE-2026-32597
Resolves: RHEL-148436, RHEL-155675



ELBA-2026-50326 Oracle Linux 9 leapp-repository bug fix update


Oracle Linux Bug Fix Advisory ELBA-2026-50326

http://linux.oracle.com/errata/ELBA-2026-50326.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
leapp-upgrade-el9toel10-0.22.0-1.0.8.el9.noarch.rpm
leapp-upgrade-el9toel10-deps-0.22.0-1.0.8.el9.noarch.rpm

aarch64:
leapp-upgrade-el9toel10-0.22.0-1.0.8.el9.noarch.rpm
leapp-upgrade-el9toel10-deps-0.22.0-1.0.8.el9.noarch.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/leapp-repository-0.22.0-1.0.8.el9.src.rpm

Description of changes:

[0.22.0-1.0.8]
- Update inhibitor report title to wait for 10.2 release [Orabug: 39262903]



ELSA-2026-24369 Important: Oracle Linux 9 unbound security update


Oracle Linux Security Advisory ELSA-2026-24369

http://linux.oracle.com/errata/ELSA-2026-24369.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
python3-unbound-1.24.2-3.el9_8.1.x86_64.rpm
unbound-1.24.2-3.el9_8.1.x86_64.rpm
unbound-devel-1.24.2-3.el9_8.1.i686.rpm
unbound-devel-1.24.2-3.el9_8.1.x86_64.rpm
unbound-dracut-1.24.2-3.el9_8.1.x86_64.rpm
unbound-libs-1.24.2-3.el9_8.1.i686.rpm
unbound-libs-1.24.2-3.el9_8.1.x86_64.rpm

aarch64:
python3-unbound-1.24.2-3.el9_8.1.aarch64.rpm
unbound-1.24.2-3.el9_8.1.aarch64.rpm
unbound-devel-1.24.2-3.el9_8.1.aarch64.rpm
unbound-dracut-1.24.2-3.el9_8.1.aarch64.rpm
unbound-libs-1.24.2-3.el9_8.1.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/unbound-1.24.2-3.el9_8.1.src.rpm

Related CVEs:

CVE-2026-33278
CVE-2026-42944
CVE-2026-42959

Description of changes:

[1.24.2-3.1]
- Fix CVE-2026-33278 (RHEL‑177822)
Fix CVE-2026-42944 (RHEL-177936)
Fix CVE-2026-42959 (RHEL-177797)

[1.24.2-3]
- Install correct trust anchor source in Image Mode (RHEL-127540)



ELSA-2026-24368 Important: Oracle Linux 9 bind9.18 security update


Oracle Linux Security Advisory ELSA-2026-24368

http://linux.oracle.com/errata/ELSA-2026-24368.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
bind9.18-9.18.29-14.el9_8.2.x86_64.rpm
bind9.18-chroot-9.18.29-14.el9_8.2.x86_64.rpm
bind9.18-devel-9.18.29-14.el9_8.2.i686.rpm
bind9.18-devel-9.18.29-14.el9_8.2.x86_64.rpm
bind9.18-dnssec-utils-9.18.29-14.el9_8.2.x86_64.rpm
bind9.18-doc-9.18.29-14.el9_8.2.noarch.rpm
bind9.18-libs-9.18.29-14.el9_8.2.i686.rpm
bind9.18-libs-9.18.29-14.el9_8.2.x86_64.rpm
bind9.18-utils-9.18.29-14.el9_8.2.x86_64.rpm

aarch64:
bind9.18-9.18.29-14.el9_8.2.aarch64.rpm
bind9.18-chroot-9.18.29-14.el9_8.2.aarch64.rpm
bind9.18-devel-9.18.29-14.el9_8.2.aarch64.rpm
bind9.18-dnssec-utils-9.18.29-14.el9_8.2.aarch64.rpm
bind9.18-doc-9.18.29-14.el9_8.2.noarch.rpm
bind9.18-libs-9.18.29-14.el9_8.2.aarch64.rpm
bind9.18-utils-9.18.29-14.el9_8.2.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/bind9.18-9.18.29-14.el9_8.2.src.rpm

Related CVEs:

CVE-2026-3039
CVE-2026-5946

Description of changes:

[32:9.18.29-14.2]
- Fix GSS-API resource leak (CVE-2026-3039)
- Invalid handling of CLASS != IN (CVE-2026-5946)



ELSA-2026-22313 Moderate: Oracle Linux 9 compat-openssl11 security update


Oracle Linux Security Advisory ELSA-2026-22313

http://linux.oracle.com/errata/ELSA-2026-22313.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
compat-openssl11-1.1.1k-5.el9_8.3.i686.rpm
compat-openssl11-1.1.1k-5.el9_8.3.x86_64.rpm

aarch64:
compat-openssl11-1.1.1k-5.el9_8.3.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/compat-openssl11-1.1.1k-5.el9_8.3.src.rpm

Related CVEs:

CVE-2026-28390

Description of changes:

[1:1.1.1k-5.3]
- Fixes CVE-2026-28390: Denial of Service due to NULL pointer dereference in CMS EnvelopedData processing
Resolves: RHEL-165863



ELSA-2026-21755 Important: Oracle Linux 9 flatpak security update


Oracle Linux Security Advisory ELSA-2026-21755

http://linux.oracle.com/errata/ELSA-2026-21755.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
flatpak-1.12.9-4.el9_8.1.i686.rpm
flatpak-1.12.9-4.el9_8.1.x86_64.rpm
flatpak-devel-1.12.9-4.el9_8.1.i686.rpm
flatpak-devel-1.12.9-4.el9_8.1.x86_64.rpm
flatpak-libs-1.12.9-4.el9_8.1.i686.rpm
flatpak-libs-1.12.9-4.el9_8.1.x86_64.rpm
flatpak-selinux-1.12.9-4.el9_8.1.noarch.rpm
flatpak-session-helper-1.12.9-4.el9_8.1.i686.rpm
flatpak-session-helper-1.12.9-4.el9_8.1.x86_64.rpm

aarch64:
flatpak-1.12.9-4.el9_8.1.aarch64.rpm
flatpak-devel-1.12.9-4.el9_8.1.aarch64.rpm
flatpak-libs-1.12.9-4.el9_8.1.aarch64.rpm
flatpak-selinux-1.12.9-4.el9_8.1.noarch.rpm
flatpak-session-helper-1.12.9-4.el9_8.1.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/flatpak-1.12.9-4.el9_8.1.src.rpm

Related CVEs:

CVE-2026-34078
CVE-2026-34079

Description of changes:

[1.12.9-4.1]
- Fix arbitrary code execution via crafted symlinks in sandbox-expose options
Resolves: RHEL-165643
- Fix arbitrary file deletion on host via improper cache file path validation
Resolves: RHEL-170171



ELSA-2026-21381 Important: Oracle Linux 9 thunderbird security update


Oracle Linux Security Advisory ELSA-2026-21381

http://linux.oracle.com/errata/ELSA-2026-21381.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
thunderbird-140.11.0-1.0.1.el9_8.x86_64.rpm

aarch64:
thunderbird-140.11.0-1.0.1.el9_8.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/thunderbird-140.11.0-1.0.1.el9_8.src.rpm

Related CVEs:

CVE-2026-8388
CVE-2026-8391
CVE-2026-8401
CVE-2026-8946
CVE-2026-8947
CVE-2026-8950
CVE-2026-8953
CVE-2026-8954
CVE-2026-8955
CVE-2026-8956
CVE-2026-8957
CVE-2026-8958
CVE-2026-8959
CVE-2026-8961
CVE-2026-8962
CVE-2026-8968
CVE-2026-8970
CVE-2026-8974
CVE-2026-8975

Description of changes:

[140.11.0-1.0.1]
- Fix prefs for new nss [Orabug: 37079813]
- Add Oracle prefs

[140.11.0]
- Add OpenELA debranding

[140.11.0-1]
- Update to 140.11.0 ESR

[140.10.1-1]
- Update to 140.10.1 ESR



ELSA-2026-21468 Important: Oracle Linux 9 cockpit security update


Oracle Linux Security Advisory ELSA-2026-21468

http://linux.oracle.com/errata/ELSA-2026-21468.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
cockpit-356.2-1.0.1.el9_8.x86_64.rpm
cockpit-bridge-356.2-1.0.1.el9_8.noarch.rpm
cockpit-doc-356.2-1.0.1.el9_8.noarch.rpm
cockpit-packagekit-356.2-1.0.1.el9_8.noarch.rpm
cockpit-storaged-356.2-1.0.1.el9_8.noarch.rpm
cockpit-system-356.2-1.0.1.el9_8.noarch.rpm
cockpit-ws-356.2-1.0.1.el9_8.x86_64.rpm
cockpit-ws-selinux-356.2-1.0.1.el9_8.x86_64.rpm

aarch64:
cockpit-356.2-1.0.1.el9_8.aarch64.rpm
cockpit-bridge-356.2-1.0.1.el9_8.noarch.rpm
cockpit-doc-356.2-1.0.1.el9_8.noarch.rpm
cockpit-packagekit-356.2-1.0.1.el9_8.noarch.rpm
cockpit-storaged-356.2-1.0.1.el9_8.noarch.rpm
cockpit-system-356.2-1.0.1.el9_8.noarch.rpm
cockpit-ws-356.2-1.0.1.el9_8.aarch64.rpm
cockpit-ws-selinux-356.2-1.0.1.el9_8.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/cockpit-356.2-1.0.1.el9_8.src.rpm

Related CVEs:

CVE-2026-4802

Description of changes:

[356.2-1.0.1]
- Apply the patch for duplicate reference [Orabug: 39250109]
- Storage: Enable btrfs support [Orabug: 37464632]
- Replaced upstream urls in documentation with oracle links [Orabug: 36528753]
- Drop subscription-manager-cockpit requirement for ol [Orabug: 34681110]
- Remove duplicate reference to server in cockpit [Orabug: 34030494]
- Update documentation links [Orabug: 30271413], [Orabug: 32013095],
[Orabug: 32795691], [Orabug: 34398512], [Orabug: 34742876], [Orabug: 37253273]
- Update spec file for new release

[356.2]
- Remove recommends on subscription-manager-cockpit if applicable

[356.1-1]
- ws: Prevent remote code execution with SSH argument injection (RHEL-158310)
- node: update lodash dependency (RHEL-164196)



ELSA-2026-20568 Important: Oracle Linux 9 jmc security update


Oracle Linux Security Advisory ELSA-2026-20568

http://linux.oracle.com/errata/ELSA-2026-20568.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
jmc-8.2.0-19.el9_8.2.x86_64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/jmc-8.2.0-19.el9_8.2.src.rpm

Related CVEs:

CVE-2025-66566
CVE-2026-2332

Description of changes:

[8.2.0-5]
- Remove the websocket plugin. Related: RHEL-168615

[8.2.0-4]
- Bump LZ4 Version to 1.10.2. Related: RHEL-135478



ELSA-2026-21391 Important: Oracle Linux 9 httpd security update


Oracle Linux Security Advisory ELSA-2026-21391

http://linux.oracle.com/errata/ELSA-2026-21391.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
httpd-2.4.62-13.0.1.el9_8.1.x86_64.rpm
httpd-core-2.4.62-13.0.1.el9_8.1.x86_64.rpm
httpd-devel-2.4.62-13.0.1.el9_8.1.x86_64.rpm
httpd-filesystem-2.4.62-13.0.1.el9_8.1.noarch.rpm
httpd-manual-2.4.62-13.0.1.el9_8.1.noarch.rpm
httpd-tools-2.4.62-13.0.1.el9_8.1.x86_64.rpm
mod_ldap-2.4.62-13.0.1.el9_8.1.x86_64.rpm
mod_lua-2.4.62-13.0.1.el9_8.1.x86_64.rpm
mod_proxy_html-2.4.62-13.0.1.el9_8.1.x86_64.rpm
mod_session-2.4.62-13.0.1.el9_8.1.x86_64.rpm
mod_ssl-2.4.62-13.0.1.el9_8.1.x86_64.rpm

aarch64:
httpd-2.4.62-13.0.1.el9_8.1.aarch64.rpm
httpd-core-2.4.62-13.0.1.el9_8.1.aarch64.rpm
httpd-devel-2.4.62-13.0.1.el9_8.1.aarch64.rpm
httpd-filesystem-2.4.62-13.0.1.el9_8.1.noarch.rpm
httpd-manual-2.4.62-13.0.1.el9_8.1.noarch.rpm
httpd-tools-2.4.62-13.0.1.el9_8.1.aarch64.rpm
mod_ldap-2.4.62-13.0.1.el9_8.1.aarch64.rpm
mod_lua-2.4.62-13.0.1.el9_8.1.aarch64.rpm
mod_proxy_html-2.4.62-13.0.1.el9_8.1.aarch64.rpm
mod_session-2.4.62-13.0.1.el9_8.1.aarch64.rpm
mod_ssl-2.4.62-13.0.1.el9_8.1.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/httpd-2.4.62-13.0.1.el9_8.1.src.rpm

Related CVEs:

CVE-2026-28780
CVE-2026-33007
CVE-2026-33857
CVE-2026-34032
CVE-2026-34059

Description of changes:

[2.4.62-13.0.1.el9_8.1]
- Replace index.html with Oracle's index page oracle_index.html.

[2.4.62-13.1]
- Resolves: RHEL-173555 - httpd: Apache HTTP Server mod_proxy_ajp: Arbitrary
code execution via heap-based buffer overflow (CVE-2026-28780)
- Resolves: RHEL-175080 - httpd: NULL pointer dereference can cause a child
process crash (CVE-2026-33007)
- Resolves: RHEL-175100 - httpd: off-by-one out-of-bounds reads in AJP getter
functions (CVE-2026-33857)
- Resolves: RHEL-175028 - httpd: heap-based buffer over-read due to missing
null-termination check (CVE-2026-34032)
- Resolves: RHEL-175062 - httpd: heap-based buffer over-read and memory
disclosure in ajp_parse_data() (CVE-2026-34059)



ELSA-2026-19374 Critical: Oracle Linux 9 nginx security update


Oracle Linux Security Advisory ELSA-2026-19374

http://linux.oracle.com/errata/ELSA-2026-19374.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
nginx-1.20.1-28.0.1.el9_8.2.x86_64.rpm
nginx-all-modules-1.20.1-28.0.1.el9_8.2.noarch.rpm
nginx-core-1.20.1-28.0.1.el9_8.2.x86_64.rpm
nginx-filesystem-1.20.1-28.0.1.el9_8.2.noarch.rpm
nginx-mod-devel-1.20.1-28.0.1.el9_8.2.x86_64.rpm
nginx-mod-http-image-filter-1.20.1-28.0.1.el9_8.2.x86_64.rpm
nginx-mod-http-perl-1.20.1-28.0.1.el9_8.2.x86_64.rpm
nginx-mod-http-xslt-filter-1.20.1-28.0.1.el9_8.2.x86_64.rpm
nginx-mod-mail-1.20.1-28.0.1.el9_8.2.x86_64.rpm
nginx-mod-stream-1.20.1-28.0.1.el9_8.2.x86_64.rpm

aarch64:
nginx-1.20.1-28.0.1.el9_8.2.aarch64.rpm
nginx-all-modules-1.20.1-28.0.1.el9_8.2.noarch.rpm
nginx-core-1.20.1-28.0.1.el9_8.2.aarch64.rpm
nginx-filesystem-1.20.1-28.0.1.el9_8.2.noarch.rpm
nginx-mod-devel-1.20.1-28.0.1.el9_8.2.aarch64.rpm
nginx-mod-http-image-filter-1.20.1-28.0.1.el9_8.2.aarch64.rpm
nginx-mod-http-perl-1.20.1-28.0.1.el9_8.2.aarch64.rpm
nginx-mod-http-xslt-filter-1.20.1-28.0.1.el9_8.2.aarch64.rpm
nginx-mod-mail-1.20.1-28.0.1.el9_8.2.aarch64.rpm
nginx-mod-stream-1.20.1-28.0.1.el9_8.2.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/nginx-1.20.1-28.0.1.el9_8.2.src.rpm

Related CVEs:

CVE-2026-42945

Description of changes:

[1.20.1-28.0.1.el9_8.2]
- Reference oracle-indexhtml within Requires [Orabug: 33802044]
- Remove Red Hat references [Orabug: 29498217]
- Update upstream references [Orabug: 36579090]

[2:1.20.1-28.2]
- Resolves: RHEL-176232 - nginx: NGINX: Arbitrary Code Execution
Vulnerability (CVE-2026-42945)

[2:1.20.1-28.1]
- RHEL-159560 CVE-2026-27654 nginx: NGINX: Denial of Service or file modification via buffer overflow in ngx_http_dav_module
- RHEL-159539 CVE-2026-27784 nginx: NGINX: Denial of Service due to memory corruption via crafted MP4 file
- RHEL-159447 CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled
- RHEL-157888 CVE-2026-32647 nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files



ELSA-2026-19610 Important: Oracle Linux 9 libsndfile security update


Oracle Linux Security Advisory ELSA-2026-19610

http://linux.oracle.com/errata/ELSA-2026-19610.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
libsndfile-1.0.31-9.el9_8.1.i686.rpm
libsndfile-1.0.31-9.el9_8.1.x86_64.rpm
libsndfile-devel-1.0.31-9.el9_8.1.i686.rpm
libsndfile-devel-1.0.31-9.el9_8.1.x86_64.rpm
libsndfile-utils-1.0.31-9.el9_8.1.x86_64.rpm

aarch64:
libsndfile-1.0.31-9.el9_8.1.aarch64.rpm
libsndfile-devel-1.0.31-9.el9_8.1.aarch64.rpm
libsndfile-utils-1.0.31-9.el9_8.1.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/libsndfile-1.0.31-9.el9_8.1.src.rpm

Related CVEs:

CVE-2026-37555

Description of changes:

[1.0.32-9.1]
- apply patch for CVE-2026-37555
Resolves: RHEL-174543



ELSA-2026-19373 Important: Oracle Linux 9 dnsmasq security update


Oracle Linux Security Advisory ELSA-2026-19373

http://linux.oracle.com/errata/ELSA-2026-19373.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
dnsmasq-2.85-18.el9_8.1.x86_64.rpm
dnsmasq-utils-2.85-18.el9_8.1.x86_64.rpm

aarch64:
dnsmasq-2.85-18.el9_8.1.aarch64.rpm
dnsmasq-utils-2.85-18.el9_8.1.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/dnsmasq-2.85-18.el9_8.1.src.rpm

Related CVEs:

CVE-2026-2291
CVE-2026-4890
CVE-2026-4891
CVE-2026-4892
CVE-2026-4893

Description of changes:

[2.85-18.1]
- Prevent overflow in extract_name function (CVE-2026-2291)
- Prevent DoS in DNSSEC validation (CVE-2026-4890)
- Prevent out-of-bounds read in DNSSEC validation (CVE-2026-4891)
- Prevent out-of-bounds write in DHCPv6 server (CVE-2026-4892)
- Prevent source check avoidance by RFC 7871 client-subnet (CVE-2026-4893)



ELBA-2026-50348 Oracle Linux 9 crash bug fix update


Oracle Linux Bug Fix Advisory ELBA-2026-50348

http://linux.oracle.com/errata/ELBA-2026-50348.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
crash-9.0.2-1.0.1.el9.x86_64.rpm
crash-devel-9.0.2-1.0.1.el9.i686.rpm
crash-devel-9.0.2-1.0.1.el9.x86_64.rpm

aarch64:
crash-9.0.2-1.0.1.el9.aarch64.rpm
crash-devel-9.0.2-1.0.1.el9.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/crash-9.0.2-1.0.1.el9.src.rpm

Description of changes:

[9.0.2-1.0.1]
- Update crash tool to latest version 9.0.2 [Orabug: 39402268]



ELSA-2026-19366 Important: Oracle Linux 9 python-markdown security update


Oracle Linux Security Advisory ELSA-2026-19366

http://linux.oracle.com/errata/ELSA-2026-19366.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
python3-markdown-3.3.4-4.el9_8.2.noarch.rpm

aarch64:
python3-markdown-3.3.4-4.el9_8.2.noarch.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/python-markdown-3.3.4-4.el9_8.2.src.rpm

Related CVEs:

CVE-2025-69534

Description of changes:

[3.3.4-4.2]
- Fix CVE-2025-69534 (RHEL-153747)



ELSA-2026-19362 Important: Oracle Linux 9 gimp security update


Oracle Linux Security Advisory ELSA-2026-19362

http://linux.oracle.com/errata/ELSA-2026-19362.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
gimp-3.0.4-4.el9_8.4.x86_64.rpm
gimp-libs-3.0.4-4.el9_8.4.i686.rpm
gimp-libs-3.0.4-4.el9_8.4.x86_64.rpm

aarch64:
gimp-3.0.4-4.el9_8.4.aarch64.rpm
gimp-libs-3.0.4-4.el9_8.4.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/gimp-3.0.4-4.el9_8.4.src.rpm

Related CVEs:

CVE-2026-4150
CVE-2026-4151
CVE-2026-4152
CVE-2026-4153
CVE-2026-4154
CVE-2026-4887

Description of changes:

[2:3.0.4-4.4]
- fix CVE-2026-4150 - align with Y-stream
- fix CVE-2026-4151
- fix CVE-2026-4152
- fix CVE-2026-4153
- fix CVE-2026-4154
- fix CVE-2026-4887

[2:3.0.4-4.3]
- fix CVE-2026-4150
- Resolves: RHEL-167738



ELSA-2026-19365 Important: Oracle Linux 9 jq security update


Oracle Linux Security Advisory ELSA-2026-19365

http://linux.oracle.com/errata/ELSA-2026-19365.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
jq-1.6-19.el9_8.2.i686.rpm
jq-1.6-19.el9_8.2.x86_64.rpm
jq-devel-1.6-19.el9_8.2.i686.rpm
jq-devel-1.6-19.el9_8.2.x86_64.rpm

aarch64:
jq-1.6-19.el9_8.2.aarch64.rpm
jq-devel-1.6-19.el9_8.2.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/jq-1.6-19.el9_8.2.src.rpm

Related CVEs:

CVE-2026-39979
CVE-2026-40164

Description of changes:

[1.6-19.2]
- Fix CVE-2026-40164 - Denial of Service via crafted JSON object causing hash collisions
- Resolves: RHEL-168185

[1.6-19.1]
- Fix CVE-2026-39979 out-of-bounds read in jv_parse_sized()
- Resolves: RHEL-168202



ELSA-2026-19364 Important: Oracle Linux 9 dovecot security update


Oracle Linux Security Advisory ELSA-2026-19364

http://linux.oracle.com/errata/ELSA-2026-19364.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
dovecot-2.3.16-18.el9_8.i686.rpm
dovecot-2.3.16-18.el9_8.x86_64.rpm
dovecot-devel-2.3.16-18.el9_8.i686.rpm
dovecot-devel-2.3.16-18.el9_8.x86_64.rpm
dovecot-mysql-2.3.16-18.el9_8.x86_64.rpm
dovecot-pgsql-2.3.16-18.el9_8.x86_64.rpm
dovecot-pigeonhole-2.3.16-18.el9_8.x86_64.rpm

aarch64:
dovecot-2.3.16-18.el9_8.aarch64.rpm
dovecot-devel-2.3.16-18.el9_8.aarch64.rpm
dovecot-mysql-2.3.16-18.el9_8.aarch64.rpm
dovecot-pgsql-2.3.16-18.el9_8.aarch64.rpm
dovecot-pigeonhole-2.3.16-18.el9_8.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/dovecot-2.3.16-18.el9_8.src.rpm

Related CVEs:

CVE-2025-59032
CVE-2026-27857
CVE-2026-27858

Description of changes:

[1:2.3.16-18]
- rebuild

[1:2.3.16-17]
- fix CVE-2026-27858: denial of service via crafted message before authentication (RHEL-161640)
- fix CVE-2025-59032: ManageSieve: Denial of Service via crafted SASL initial response in AUTHENTICATE command (RHEL-162288)
- fix CVE-2026-27857: denial of service via specially crafted NOOP command (RHEL-161679)



ELSA-2026-50324 Moderate: Oracle Linux 9 pyOpenSSL security update


Oracle Linux Security Advisory ELSA-2026-50324

http://linux.oracle.com/errata/ELSA-2026-50324.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
python3-pyOpenSSL-19.0.0-1.0.3.el9.noarch.rpm

aarch64:
python3-pyOpenSSL-19.0.0-1.0.3.el9.noarch.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/pyOpenSSL-19.0.0-1.0.3.el9.src.rpm

Related CVEs:

CVE-2026-27448

Description of changes:

[19.0.0-1.0.3]
- Backport CVE-2026-27448 [Orabug: 39565553]



ELSA-2026-19359 Important: Oracle Linux 9 openexr security update


Oracle Linux Security Advisory ELSA-2026-19359

http://linux.oracle.com/errata/ELSA-2026-19359.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
openexr-3.1.1-3.el9_8.2.x86_64.rpm
openexr-devel-3.1.1-3.el9_8.2.i686.rpm
openexr-devel-3.1.1-3.el9_8.2.x86_64.rpm
openexr-libs-3.1.1-3.el9_8.2.i686.rpm
openexr-libs-3.1.1-3.el9_8.2.x86_64.rpm

aarch64:
openexr-3.1.1-3.el9_8.2.aarch64.rpm
openexr-devel-3.1.1-3.el9_8.2.aarch64.rpm
openexr-libs-3.1.1-3.el9_8.2.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/openexr-3.1.1-3.el9_8.2.src.rpm

Related CVEs:

CVE-2026-34588

Description of changes:

[3.1.1-3.2]
- fix CVE-2026-34588



ELSA-2026-19358 Moderate: Oracle Linux 9 freerdp security update


Oracle Linux Security Advisory ELSA-2026-19358

http://linux.oracle.com/errata/ELSA-2026-19358.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
freerdp-2.11.7-7.el9_8.3.x86_64.rpm
freerdp-devel-2.11.7-7.el9_8.3.i686.rpm
freerdp-devel-2.11.7-7.el9_8.3.x86_64.rpm
freerdp-libs-2.11.7-7.el9_8.3.i686.rpm
freerdp-libs-2.11.7-7.el9_8.3.x86_64.rpm
libwinpr-2.11.7-7.el9_8.3.i686.rpm
libwinpr-2.11.7-7.el9_8.3.x86_64.rpm
libwinpr-devel-2.11.7-7.el9_8.3.i686.rpm
libwinpr-devel-2.11.7-7.el9_8.3.x86_64.rpm

aarch64:
freerdp-2.11.7-7.el9_8.3.aarch64.rpm
freerdp-devel-2.11.7-7.el9_8.3.aarch64.rpm
freerdp-libs-2.11.7-7.el9_8.3.aarch64.rpm
libwinpr-2.11.7-7.el9_8.3.aarch64.rpm
libwinpr-devel-2.11.7-7.el9_8.3.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/freerdp-2.11.7-7.el9_8.3.src.rpm

Related CVEs:

CVE-2026-25952
CVE-2026-26986
CVE-2026-27951
CVE-2026-29775
CVE-2026-31883
CVE-2026-31884
CVE-2026-31885
CVE-2026-33985

Description of changes:

[2:2.11.7-7.3]
- Lock appWindow to fix use-after-free in RAIL mode (CVE-2026-25952)
Resolves: RHEL-159860

[2:2.11.7-7.2]
- Fix double free in xf_rail_window_common cleanup (CVE-2026-26986)
- Fix growth of preallocated buffers (CVE-2026-27951)
- Fix heap-buffer-overflow in bitmap_cache_put (CVE-2026-29775)
- Add DSP format checks (CVE-2026-31884)
- Fix DSP array bounds checks (CVE-2026-31883)
- Fix DSP array bounds checks (CVE-2026-31885)
- Update CLEAR_GLYPH_ENTRY::count after alloc (CVE-2026-33985)
Resolves: RHEL-159816, RHEL-155478, RHEL-161047, RHEL-161482
Resolves: RHEL-161519, RHEL-161085, RHEL-168463

[2:2.11.7-7.1]
- Update CLEAR_VBAR_ENTRY size after alloc (CVE-2026-33984)
- Fail progressive_rfx_quant_sub on invalid values (CVE-2026-33983)
Resolves: RHEL-163097, RHEL-163113



ELSA-2026-19356 Moderate: Oracle Linux 9 libsoup security update


Oracle Linux Security Advisory ELSA-2026-19356

http://linux.oracle.com/errata/ELSA-2026-19356.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
libsoup-2.72.0-16.el9_8.1.i686.rpm
libsoup-2.72.0-16.el9_8.1.x86_64.rpm
libsoup-devel-2.72.0-16.el9_8.1.i686.rpm
libsoup-devel-2.72.0-16.el9_8.1.x86_64.rpm

aarch64:
libsoup-2.72.0-16.el9_8.1.aarch64.rpm
libsoup-devel-2.72.0-16.el9_8.1.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/libsoup-2.72.0-16.el9_8.1.src.rpm

Related CVEs:

CVE-2026-5119

Description of changes:

[2.72.0-16.1]
- Backport patch for CVE-2026-5119

[2.72.0-16]
- Backport patch for CVE-2026-1761

[2.72.0-15]
- Backport patch for CVE-2026-0719
- Fix NTLM authentication test failures in FIPS mode

[2.72.0-14]
- Backport patch for CVE-2025-14523

[2.72.0-13]
- Backport patch for CVE-2025-4945 and CVE-2025-11021



ELSA-2026-19352 Important: Oracle Linux 9 grafana security update


Oracle Linux Security Advisory ELSA-2026-19352

http://linux.oracle.com/errata/ELSA-2026-19352.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
grafana-10.2.6-22.el9_8.x86_64.rpm
grafana-selinux-10.2.6-22.el9_8.x86_64.rpm

aarch64:
grafana-10.2.6-22.el9_8.aarch64.rpm
grafana-selinux-10.2.6-22.el9_8.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/grafana-10.2.6-22.el9_8.src.rpm

Related CVEs:

CVE-2026-27877
CVE-2026-32282
CVE-2026-32283

Description of changes:

[10.2.6-22]
- Resolves RHEL-161803: CVE-2026-27877
- Resolves RHEL-166678: CVE-2026-32282
- Resolves RHEL-167678: CVE-2026-32283



ELSA-2026-19351 Important: Oracle Linux 9 grafana-pcp security update


Oracle Linux Security Advisory ELSA-2026-19351

http://linux.oracle.com/errata/ELSA-2026-19351.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
grafana-pcp-5.1.1-15.el9_8.x86_64.rpm

aarch64:
grafana-pcp-5.1.1-15.el9_8.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/grafana-pcp-5.1.1-15.el9_8.src.rpm

Related CVEs:

CVE-2026-32282
CVE-2026-32283

Description of changes:

[5.1.1-15]
- Resolves RHEL-166679: CVE-2026-32282
- Resolves RHEL-167679: CVE-2026-32283



ELSA-2026-28923 Important: Oracle Linux 8 tigervnc security update


Oracle Linux Security Advisory ELSA-2026-28923

http://linux.oracle.com/errata/ELSA-2026-28923.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
tigervnc-1.15.0-10.el8_10.x86_64.rpm
tigervnc-icons-1.15.0-10.el8_10.noarch.rpm
tigervnc-license-1.15.0-10.el8_10.noarch.rpm
tigervnc-selinux-1.15.0-10.el8_10.noarch.rpm
tigervnc-server-1.15.0-10.el8_10.x86_64.rpm
tigervnc-server-minimal-1.15.0-10.el8_10.x86_64.rpm
tigervnc-server-module-1.15.0-10.el8_10.x86_64.rpm

aarch64:
tigervnc-1.15.0-10.el8_10.aarch64.rpm
tigervnc-icons-1.15.0-10.el8_10.noarch.rpm
tigervnc-license-1.15.0-10.el8_10.noarch.rpm
tigervnc-selinux-1.15.0-10.el8_10.noarch.rpm
tigervnc-server-1.15.0-10.el8_10.aarch64.rpm
tigervnc-server-minimal-1.15.0-10.el8_10.aarch64.rpm
tigervnc-server-module-1.15.0-10.el8_10.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/tigervnc-1.15.0-10.el8_10.src.rpm

Related CVEs:

CVE-2026-50256
CVE-2026-50257
CVE-2026-50258
CVE-2026-50259
CVE-2026-50260
CVE-2026-50261
CVE-2026-50262
CVE-2026-50263
CVE-2026-50264

Description of changes:

[1.15.0-10]
- Rebuild for updated xorg-x11-server
Resolves: RHEL-183998



ELSA-2026-28921 Important: Oracle Linux 8 nginx:1.24 security update


Oracle Linux Security Advisory ELSA-2026-28921

http://linux.oracle.com/errata/ELSA-2026-28921.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
nginx-1.24.0-3.0.1.module+el8.10.0+90930+6a64aa8a.2.x86_64.rpm
nginx-all-modules-1.24.0-3.0.1.module+el8.10.0+90930+6a64aa8a.2.noarch.rpm
nginx-filesystem-1.24.0-3.0.1.module+el8.10.0+90930+6a64aa8a.2.noarch.rpm
nginx-mod-devel-1.24.0-3.0.1.module+el8.10.0+90930+6a64aa8a.2.x86_64.rpm
nginx-mod-http-image-filter-1.24.0-3.0.1.module+el8.10.0+90930+6a64aa8a.2.x86_64.rpm
nginx-mod-http-perl-1.24.0-3.0.1.module+el8.10.0+90930+6a64aa8a.2.x86_64.rpm
nginx-mod-http-xslt-filter-1.24.0-3.0.1.module+el8.10.0+90930+6a64aa8a.2.x86_64.rpm
nginx-mod-mail-1.24.0-3.0.1.module+el8.10.0+90930+6a64aa8a.2.x86_64.rpm
nginx-mod-stream-1.24.0-3.0.1.module+el8.10.0+90930+6a64aa8a.2.x86_64.rpm

aarch64:
nginx-1.24.0-3.0.1.module+el8.10.0+90930+6a64aa8a.2.aarch64.rpm
nginx-all-modules-1.24.0-3.0.1.module+el8.10.0+90930+6a64aa8a.2.noarch.rpm
nginx-filesystem-1.24.0-3.0.1.module+el8.10.0+90930+6a64aa8a.2.noarch.rpm
nginx-mod-devel-1.24.0-3.0.1.module+el8.10.0+90930+6a64aa8a.2.aarch64.rpm
nginx-mod-http-image-filter-1.24.0-3.0.1.module+el8.10.0+90930+6a64aa8a.2.aarch64.rpm
nginx-mod-http-perl-1.24.0-3.0.1.module+el8.10.0+90930+6a64aa8a.2.aarch64.rpm
nginx-mod-http-xslt-filter-1.24.0-3.0.1.module+el8.10.0+90930+6a64aa8a.2.aarch64.rpm
nginx-mod-mail-1.24.0-3.0.1.module+el8.10.0+90930+6a64aa8a.2.aarch64.rpm
nginx-mod-stream-1.24.0-3.0.1.module+el8.10.0+90930+6a64aa8a.2.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/nginx-1.24.0-3.0.1.module+el8.10.0+90930+6a64aa8a.2.src.rpm

Related CVEs:

CVE-2026-9256

Description of changes:

[1.24.0-3.0.1.2]
- Remove Red Hat references [Orabug: 29498217]

[1:1.24.0-3.2]
- Resolves: RHEL-178676 - nginx:1.24/nginx: code execution and denial
of service (CVE-2026-9256)
- Resolves: RHEL-182543 - nginx: HTTP/2: Remote Denial of Service via
compression bomb and Slowloris-style attack

[1:1.24.0-3.1]
- Resolves: RHEL-176224 - nginx:1.24/nginx: NGINX: Arbitrary Code Execution
Vulnerability (CVE-2026-42945)

[1:1.24.0-3]
- Resolves: RHEL-157877 CVE-2026-32647 nginx:1.24/nginx: NGINX: Denial of
Service or Code Execution via specially crafted MP4 files
- Resolves: RHEL-159436 CVE-2026-27651 nginx:1.24/nginx: NGINX: Denial of
Service via undisclosed requests when ngx_mail_auth_http_module is enabled
- Resolves: RHEL-159549 CVE-2026-27654 nginx:1.24/nginx: NGINX: Denial of
Service or file modification via buffer overflow in ngx_http_dav_module
- Resolves: RHEL-159528 CVE-2026-27784 nginx:1.24/nginx: NGINX: Denial of
Service due to memory corruption via crafted MP4 file

[1:1.24.0-2]
- Resolves: RHEL-146517 - nginx:1.24/nginx: NGINX: Data injection via
man-in-the-middle attack on TLS proxied connections (CVE-2026-1642)

[1:1.24.0-1]
- Resolves: RHEL-14714 - add nginx:1.24 to RHEL 8.10

[1:1.22.1-2]
- Resolves: RHEL-12728 - nginx:1.22/nginx: HTTP/2: Multiple HTTP/2 enabled web
servers are vulnerable to a DDoS attack (Rapid Reset Attack)(CVE-2023-44487)

[1:1.22.1-1]
- Resolves: #2112345 - nginx:1.22 for RHEL 8
- add stream_geoip_module and stream_realip_module
- remove obsolete --with-ipv6

[1:1.20.1-1]
- rebase to 1.20.1 (addressing CVE-2021-23017)

[1:1.20.0-4]
- add delaycompress to logrotate config (#2015243)



ELSA-2026-28553 Moderate: Oracle Linux 8 vim security update


Oracle Linux Security Advisory ELSA-2026-28553

http://linux.oracle.com/errata/ELSA-2026-28553.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
vim-X11-8.0.1763-24.0.1.el8_10.x86_64.rpm
vim-common-8.0.1763-24.0.1.el8_10.x86_64.rpm
vim-enhanced-8.0.1763-24.0.1.el8_10.x86_64.rpm
vim-filesystem-8.0.1763-24.0.1.el8_10.noarch.rpm
vim-minimal-8.0.1763-24.0.1.el8_10.x86_64.rpm

aarch64:
vim-X11-8.0.1763-24.0.1.el8_10.aarch64.rpm
vim-common-8.0.1763-24.0.1.el8_10.aarch64.rpm
vim-enhanced-8.0.1763-24.0.1.el8_10.aarch64.rpm
vim-filesystem-8.0.1763-24.0.1.el8_10.noarch.rpm
vim-minimal-8.0.1763-24.0.1.el8_10.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/vim-8.0.1763-24.0.1.el8_10.src.rpm

Related CVEs:

CVE-2026-41411

Description of changes:

[8.0.1763-24.0.1]
- Remove upstream references [Orabug: 31197557]
- Added glibc-gconv-extra to common requires to provide ISO-8859-2 [Orabug: 34114984]

[2:8.0.1763-24]
- CVE-2026-41411 vim: Command injection via backticks in tag files



ELSA-2026-27811 Important: Oracle Linux 8 kernel security update


Oracle Linux Security Advisory ELSA-2026-27811

http://linux.oracle.com/errata/ELSA-2026-27811.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
bpftool-4.18.0-553.137.1.el8_10.x86_64.rpm
kernel-4.18.0-553.137.1.el8_10.x86_64.rpm
kernel-abi-stablelists-4.18.0-553.137.1.el8_10.noarch.rpm
kernel-core-4.18.0-553.137.1.el8_10.x86_64.rpm
kernel-cross-headers-4.18.0-553.137.1.el8_10.x86_64.rpm
kernel-debug-4.18.0-553.137.1.el8_10.x86_64.rpm
kernel-debug-core-4.18.0-553.137.1.el8_10.x86_64.rpm
kernel-debug-devel-4.18.0-553.137.1.el8_10.x86_64.rpm
kernel-debug-modules-4.18.0-553.137.1.el8_10.x86_64.rpm
kernel-debug-modules-extra-4.18.0-553.137.1.el8_10.x86_64.rpm
kernel-devel-4.18.0-553.137.1.el8_10.x86_64.rpm
kernel-doc-4.18.0-553.137.1.el8_10.noarch.rpm
kernel-headers-4.18.0-553.137.1.el8_10.x86_64.rpm
kernel-modules-4.18.0-553.137.1.el8_10.x86_64.rpm
kernel-modules-extra-4.18.0-553.137.1.el8_10.x86_64.rpm
kernel-tools-4.18.0-553.137.1.el8_10.x86_64.rpm
kernel-tools-libs-4.18.0-553.137.1.el8_10.x86_64.rpm
kernel-tools-libs-devel-4.18.0-553.137.1.el8_10.x86_64.rpm
perf-4.18.0-553.137.1.el8_10.x86_64.rpm
python3-perf-4.18.0-553.137.1.el8_10.x86_64.rpm

aarch64:
bpftool-4.18.0-553.137.1.el8_10.aarch64.rpm
kernel-cross-headers-4.18.0-553.137.1.el8_10.aarch64.rpm
kernel-headers-4.18.0-553.137.1.el8_10.aarch64.rpm
kernel-tools-4.18.0-553.137.1.el8_10.aarch64.rpm
kernel-tools-libs-4.18.0-553.137.1.el8_10.aarch64.rpm
kernel-tools-libs-devel-4.18.0-553.137.1.el8_10.aarch64.rpm
perf-4.18.0-553.137.1.el8_10.aarch64.rpm
python3-perf-4.18.0-553.137.1.el8_10.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/kernel-4.18.0-553.137.1.el8_10.src.rpm

Related CVEs:

CVE-2026-46054

Description of changes:

[4.18.0-553.137.1]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64

Libmatio, PostgreSQL 13, cloud-init, yelp, and libhttp-daemon-perl updates for Debian

Kpatch, Important Python 3.14, OpenShift, Buildah, and OpenSSL updates for RHEL

Windows

Linux

macOS

Community

  • Lexonight
    Hey everyone,Wanted to share a project I've been b ...
  • SeveG
    need some help here... situationPC= Packard BellOS= win1 ...
  • dhamu
    Hello Phil, I have a Linux Tutorial website that curre ...