
Fedora 42, 43, and 44 have received a batch of critical security updates covering essential system components like the Linux kernel, ProFTPD, Node.js 22, GnuTLS, and SDL3_image. The kernel releases patch a severe local privilege escalation vulnerability known as dirtyfrag while also introducing hardware support improvements across multiple architectures. Meanwhile, ProFTPD addresses a dangerous SQL injection flaw in its database module, and Node.js 22 resolves over ten distinct issues ranging from memory exhaustion attacks to unauthorized file permission changes. Administrators should run the standard dnf upgrade command promptly to apply these patches before attackers can exploit the documented weaknesses.

Fedora 43 Update: proftpd-1.3.9a-1.fc43
Fedora 43 Update: kernel-7.0.4-100.fc43
Fedora 43 Update: nodejs22-22.22.2-2.fc43
Fedora 42 Update: kernel-6.19.14-101.fc42
Fedora 42 Update: proftpd-1.3.9a-1.fc42
Fedora 44 Update: gnutls-3.8.13-1.fc44
Fedora 44 Update: kernel-7.0.4-200.fc44
Fedora 44 Update: proftpd-1.3.9a-1.fc44
Fedora 44 Update: nodejs22-22.22.2-3.fc44
Fedora 44 Update: SDL3_image-3.4.4-1.fc44




[SECURITY] Fedora 43 Update: proftpd-1.3.9a-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-bdb9342c72
2026-05-08 19:57:57.884176+00:00
--------------------------------------------------------------------------------

Name : proftpd
Product : Fedora 43
Version : 1.3.9a
Release : 1.fc43
URL : http://www.proftpd.org/
Summary : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory
visibility.

This package defaults to the standalone behavior of ProFTPD, but all the
needed scripts to have it run by systemd instead are included.

--------------------------------------------------------------------------------
Update Information:

Cumulative bug-fix release from upstream. Includes fix for a possible SQL-
injection issue via mod_sql (CVE-2026-42167). Note that mod_sql is not enabled
by default.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 30 2026 Paul Howarth - 1.3.9a-1
- Update to 1.3.9a
- SCP transfers failed for files with spaces in their names (GH#1886)
- LDAPDefaultGID ignored since 1.3.9 (GH#1898)
- Compilation of mod_wrap2 failed when the --enable-wrapper-options configure
option was used (Bug #4512)
- mod_sftp failed to parse authorized user/host public keys with CRLF line
endings (GH#1904)
- Uploads using MODE Z sometimes resulted in corrupted files or broken
transfers (GH#1896)
- Remove usage of the deprecated MySQL_OPT_RECONNECT option for newer MySQL
versions (GH#1911)
- Update usage of MySQL API for SSL/TLS connections to server (GH#340)
- mod_sftp leaked file descriptor when reading SFTPHostKey file (GH#1959)
- Large/slow SCP downloads could be unnecessarily truncated by TimeoutStalled
(GH#1964)
- Handling of CRLs in mod_tls was incorrect, leading to confusing errors
(GH#1960)
- Resumed SSL_SESSION management in mod_tls led to memory growth, infinite
loop using newer OpenSSL versions (GH#1963)
- mod_quotatab_ldap interactions could lead to segfault due to stale pointer
(GH#1984)
- RNTO before authentication led to out-of-order response codes (GH#2003)
- MaxLoginAttemptsFromUser event never triggered in mod_ban for SFTP sessions
(GH#2009)
- Using toupper(3) on non-ASCII FTP command bytes might cause remote DoS
(GH#2019)
- Out-of-bounds single byte read when FTP command input buffer starts with LF
(GH#2020)
- FTP command LIST/NLST -B could cause buffer overflow when listing certain
crafted filenames (GH#2030)
- Memory exhaustion with mod_log_forensic when downloading very large files
via SFTP (GH#2043)
- Setting process groups during authentication crashed when using mod_radius
and (GH#2046)
- SQL injection possible via mod_sql because of is_escaped_text() logic error
(GH#2052, CVE-2026-42167)
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 1.3.9-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2466604 - CVE-2026-42167 proftpd: SQL injection due to logic error in is_escaped_text() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2466604
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-bdb9342c72' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: kernel-7.0.4-100.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-abc00fb4e8
2026-05-08 19:57:57.884186+00:00
--------------------------------------------------------------------------------

Name : kernel
Product : Fedora 43
Version : 7.0.4
Release : 100.fc43
URL : https://www.kernel.org/
Summary : The Linux kernel
Description :
The kernel meta package

--------------------------------------------------------------------------------
Update Information:

The 7.0.4 stable kernel rebase contains additional hardware support, new
features, and a number of important fixes across the tree. It also contains a
fix for the dirtyfrag vulnerability. This covers CVE-2026-43284 and
CVE-2026-43500. For users who experience a problem with the 7.0.4 rebase, a
build of 6.19.14 with just the dirtyfrag fixes should be available in koji
shortly.
--------------------------------------------------------------------------------
ChangeLog:

* Thu May 7 2026 Justin M. Forbes [jforbes@fedoraproject.org] [7.0.4-100]
- xfrm: esp: avoid in-place decrypt on shared skb frags (Kuan-Ting Chen)
- rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present (Hyunwoo Kim)
* Thu May 7 2026 Justin M. Forbes [jforbes@fedoraproject.org] [7.0.4-0]
- wifi: mt76: mt7925: fix incorrect TLV length in CLC command (Quan Zhou)
- ASoC: SOF: Don't allow pointer operations on unconfigured streams (Mark Brown)
- Turn on DVB_PT3 for Fedora at user request (Justin M. Forbes)
- Enable MEDIA_TUNER_MXL301RF for Fedora (Justin M. Forbes)
- mfd: bcm2835-pm: Add BCM2712 PM device support (Phil Elwell)
- mfd: bcm2835-pm: Introduce SoC-specific type identifier (Phil Elwell)
- Linux v7.0.4
* Thu Apr 30 2026 Justin M. Forbes [jforbes@fedoraproject.org] [7.0.3-0]
- Linux v7.0.3
* Mon Apr 27 2026 Justin M. Forbes [jforbes@fedoraproject.org] [7.0.2-0]
- drm/v3d: Reject empty multisync extension to prevent infinite loop (Ashutosh Desai)
- net: macb: Use napi_schedule_irqoff() in IRQ handler (Kevin Hao)
- net: macb: Use netif_napi_add_tx() instead of netif_napi_add() for TX NAPI (Kevin Hao)
- net: macb: Remove dedicated IRQ handler for WoL (Kevin Hao)
- net: macb: Factor out the handling of non-hot IRQ events into a separate function (Kevin Hao)
- net: macb: Introduce macb_queue_isr_clear() helper function (Kevin Hao)
- net: macb: Replace open-coded implementation with napi_schedule() (Kevin Hao)
- net: macb: fix use of at91_default_usrio without CONFIG_OF (Conor Dooley)
- net: macb: drop usrio pointer on EyeQ5 config (Théo Lebrun)
- net: macb: set MACB_CAPS_USRIO_DISABLED if no usrio config is provided (Théo Lebrun)
- net: macb: runtime detect MACB_CAPS_USRIO_DISABLED (Théo Lebrun)
- net: macb: timer adjust mode is not supported (Conor Dooley)
- net: macb: clean up tsu clk rate acquisition (Conor Dooley)
- net: macb: warn on pclk use as a tsu_clk fallback (Conor Dooley)
- net: macb: add mpfs specific usrio configuration (Conor Dooley)
- net: macb: np4 doesn't need a usrio pointer (Conor Dooley)
- net: macb: rework usrio refclk selection code (Conor Dooley)
- net: macb: split USRIO_HAS_CLKEN capability in two (Conor Dooley)
- net: macb: rename macb_default_usrio to at91_default_usrio as not all platforms have mii mode control in usrio (Conor Dooley)
- Revert "net: macb: Clean up the .usrio settings in macb_config instances" (Conor Dooley)
- net: macb: add support for Microchip pic64hpsc ethernet endpoint (Charles Perry)
- net: macb: add safeguards for jumbo frame larger than 10240 (Charles Perry)
- net: macb: set default_an_inband to true for SGMII (Charles Perry)
- net: macb: Clean up the .usrio settings in macb_config instances (Kevin Hao)
- net: macb: Clean up the .init settings in macb_config instances (Kevin Hao)
- net: macb: Clean up the .clk_init setting in the macb_config instances (Kevin Hao)
- net: cadence: macb: enable EEE for Mobileye EyeQ5 (Nicolai Buchwitz)
- net: cadence: macb: enable EEE for Raspberry Pi RP1 (Nicolai Buchwitz)
- net: cadence: macb: add ethtool EEE support (Nicolai Buchwitz)
- net: cadence: macb: implement EEE TX LPI support (Nicolai Buchwitz)
- net: cadence: macb: add EEE LPI statistics counters (Nicolai Buchwitz)
- net: macb: use ethtool_sprintf to fill ethtool stats strings (Sean Chang)
- net: macb: add the .pcs_inband_caps() callback for SGMII (Charles Perry)
- net: macb: add support for reporting SGMII inband link status (Charles Perry)
- net: macb: fix SGMII with inband aneg disabled (Charles Perry)
- net: cadence: macb: add ethtool nway_reset support (Nicolai Buchwitz)
- ARM: dts: broadcom: bcm2835-rpi: Move non simple-bus nodes to root level (Rob Herring (Arm))
- arm64: dts: broadcom: bcm2712: Move non simple-bus nodes to root level (Rob Herring (Arm))
- arm64: dts: broadcom: bcm2712-d-rpi-5-b: update uart10 interrupt (Gregor Herburger)
- arm64: dts: broadcom: bcm2712-d-rpi-5-b: add fixes for pinctrl/pinctrl_aon (Gregor Herburger)
- arm64: dts: broadcom: bcm2712-rpi-5-b: add pinctrl properties for csi i2cs (Gregor Herburger)
- arm64: dts: broadcom: bcm2712: add camera backend node pispbe (Gregor Herburger)
- arm64: dts: broadcom: rp1: add csi nodes (Gregor Herburger)
- arm64: dts: broadcom: rp1: add i2c controller (Gregor Herburger)
- arm64: dts: broadcom: bcm2712: Add V3D device node (Maíra Canal)
- arm64: dts: freescale: imx93: Add Ethos-U65 NPU and SRAM nodes (Rob Herring (Arm))
- redhat: configs: fedora: Enable AMD ISP4 MIPI camera solution (Kate Hsuan)
- Documentation: add documentation of AMD isp 4 driver (Bin Du)
- media: platform: amd: isp4 debug fs logging and more descriptive errors (Bin Du)
- media: platform: amd: isp4 video node and buffers handling added (Bin Du)
- media: platform: amd: isp4 subdev and firmware loading handling added (Bin Du)
- media: platform: amd: Add isp4 fw and hw interface (Bin Du)
- media: platform: amd: low level support for isp4 firmware (Bin Du)
- media: platform: amd: Introduce amd isp4 capture driver (Bin Du)
- Linux v7.0.2
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2467807 - [Major Incident] kernel: "Dirty Frag" is a new universal Local Privilege Escalation (LPE) vulnerability in the Linux kernel [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2467807
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-abc00fb4e8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: nodejs22-22.22.2-2.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-e3f870229a
2026-05-08 19:57:57.884168+00:00
--------------------------------------------------------------------------------

Name : nodejs22
Product : Fedora 43
Version : 22.22.2
Release : 2.fc43
URL : http://nodejs.org/
Summary : JavaScript runtime
Description :
Node.js is a platform built on Chrome's JavaScript runtime
for easily building fast, scalable network applications.
Node.js uses an event-driven, non-blocking I/O model that
makes it lightweight and efficient, perfect for data-intensive
real-time applications that run across distributed devices.

--------------------------------------------------------------------------------
Update Information:

Update to version 22.22.2
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 29 2026 tjuhasz [tjuhasz@redhat.com] - 1:22.22.2-2
- update of nghttp2
* Wed Apr 29 2026 tjuhasz [tjuhasz@redhat.com] - 1:22.22.2-1
- Update to version 22.22.2 (rhbz#2444849)
* Mon Jan 19 2026 Jan Staněk [jstanek@redhat.com] - 1:22.22.0-3
- Diverge from rawhide
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2447160 - CVE-2026-1528 nodejs22: undici: Denial of Service via crafted WebSocket frame with large length [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2447160
[ 2 ] Bug #2447163 - CVE-2026-2229 nodejs22: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2447163
[ 3 ] Bug #2447170 - CVE-2026-1525 nodejs22: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2447170
[ 4 ] Bug #2447175 - CVE-2026-1527 nodejs22: Undici: HTTP header injection and request smuggling vulnerability [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2447175
[ 5 ] Bug #2447181 - CVE-2026-1526 nodejs22: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2447181
[ 6 ] Bug #2453565 - CVE-2026-21717 nodejs22: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453565
[ 7 ] Bug #2453568 - CVE-2026-21714 nodejs22: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453568
[ 8 ] Bug #2453572 - CVE-2026-21713 nodejs22: Node.js: Information disclosure via timing oracle in HMAC verification [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453572
[ 9 ] Bug #2453595 - CVE-2026-21716 nodejs22: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453595
[ 10 ] Bug #2453598 - CVE-2026-21715 nodejs22: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453598
[ 11 ] Bug #2453600 - CVE-2026-21710 nodejs22: Node.js: Denial of Service due to crafted HTTP `__proto__` header [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453600
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-e3f870229a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 42 Update: kernel-6.19.14-101.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-87dc12705e
2026-05-08 19:40:45.156117+00:00
--------------------------------------------------------------------------------

Name : kernel
Product : Fedora 42
Version : 6.19.14
Release : 101.fc42
URL : https://www.kernel.org/
Summary : The Linux kernel
Description :
The kernel meta package

--------------------------------------------------------------------------------
Update Information:

The 6.19.14-101 stable update contains a fix for the dirtyfrag vulnerability.
This covers CVE-2026-43284 and CVE-2026-43500.
--------------------------------------------------------------------------------
ChangeLog:

* Thu May 7 2026 Justin M. Forbes [jforbes@fedoraproject.org] [6.19.14-101]
- Revert "redhat/kernel.spec.template: Fix indentation of uki-virt generation code" (Justin M. Forbes)
- Revert "redhat/kernel.spec.template: Simplify uki-virt signing" (Justin M. Forbes)
- Revert "redhat/kernel.spec.template: Add kernel-uki-dtbloader sub-package" (Justin M. Forbes)
- Revert "redhat/kernel.spec.template: Make -uki-dtbloader provide kernel-core-uname-r" (Justin M. Forbes)
- Turn off F43 and F44 release targets (Justin M. Forbes)
- rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present (Hyunwoo Kim)
- rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets (David Howells)
- rxrpc: Fix re-decryption of RESPONSE packets (David Howells)
- rxrpc: Fix error handling in rxgk_extract_token() (David Howells)
- rxrpc: Fix rxkad crypto unalignment handling (David Howells)
- rxrpc: Fix conn-level packet handling to unshare RESPONSE packets (David Howells)
- rxrpc: Fix memory leaks in rxkad_verify_response() (David Howells)
- rxrpc: Fix potential UAF after skb_unshare() failure (David Howells)
- xfrm: esp: avoid in-place decrypt on shared skb frags (Kuan-Ting Chen)
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-87dc12705e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 42 Update: proftpd-1.3.9a-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-739d341ab8
2026-05-08 19:40:45.156106+00:00
--------------------------------------------------------------------------------

Name : proftpd
Product : Fedora 42
Version : 1.3.9a
Release : 1.fc42
URL : http://www.proftpd.org/
Summary : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory
visibility.

This package defaults to the standalone behavior of ProFTPD, but all the
needed scripts to have it run by systemd instead are included.

--------------------------------------------------------------------------------
Update Information:

Cumulative bug-fix release from upstream. Includes fix for a possible SQL-
injection issue via mod_sql (CVE-2026-42167). Note that mod_sql is not enabled
by default.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 30 2026 Paul Howarth - 1.3.9a-1
- Update to 1.3.9a
- SCP transfers failed for files with spaces in their names (GH#1886)
- LDAPDefaultGID ignored since 1.3.9 (GH#1898)
- Compilation of mod_wrap2 failed when the --enable-wrapper-options configure
option was used (Bug #4512)
- mod_sftp failed to parse authorized user/host public keys with CRLF line
endings (GH#1904)
- Uploads using MODE Z sometimes resulted in corrupted files or broken
transfers (GH#1896)
- Remove usage of the deprecated MySQL_OPT_RECONNECT option for newer MySQL
versions (GH#1911)
- Update usage of MySQL API for SSL/TLS connections to server (GH#340)
- mod_sftp leaked file descriptor when reading SFTPHostKey file (GH#1959)
- Large/slow SCP downloads could be unnecessarily truncated by TimeoutStalled
(GH#1964)
- Handling of CRLs in mod_tls was incorrect, leading to confusing errors
(GH#1960)
- Resumed SSL_SESSION management in mod_tls led to memory growth, infinite
loop using newer OpenSSL versions (GH#1963)
- mod_quotatab_ldap interactions could lead to segfault due to stale pointer
(GH#1984)
- RNTO before authentication led to out-of-order response codes (GH#2003)
- MaxLoginAttemptsFromUser event never triggered in mod_ban for SFTP sessions
(GH#2009)
- Using toupper(3) on non-ASCII FTP command bytes might cause remote DoS
(GH#2019)
- Out-of-bounds single byte read when FTP command input buffer starts with LF
(GH#2020)
- FTP command LIST/NLST -B could cause buffer overflow when listing certain
crafted filenames (GH#2030)
- Memory exhaustion with mod_log_forensic when downloading very large files
via SFTP (GH#2043)
- Setting process groups during authentication crashed when using mod_radius
and (GH#2046)
- SQL injection possible via mod_sql because of is_escaped_text() logic error
(GH#2052, CVE-2026-42167)
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 1.3.9-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Fri Jul 25 2025 Fedora Release Engineering [releng@fedoraproject.org] - 1.3.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2466604 - CVE-2026-42167 proftpd: SQL injection due to logic error in is_escaped_text() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2466604
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-739d341ab8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: gnutls-3.8.13-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-668d2793e8
2026-05-08 19:27:40.960942+00:00
--------------------------------------------------------------------------------

Name : gnutls
Product : Fedora 44
Version : 3.8.13
Release : 1.fc44
URL : http://www.gnutls.org/
Summary : A TLS protocol implementation
Description :
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
other required structures.

--------------------------------------------------------------------------------
Update Information:

Update to 3.8.13, fixes, like 13 CVEs.
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 4 2026 Alexander Sosedkin [asosedkin@redhat.com] - 3.8.13-1
- Update to 3.8.13
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-668d2793e8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: kernel-7.0.4-200.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-8cffa03dad
2026-05-08 19:27:40.960947+00:00
--------------------------------------------------------------------------------

Name : kernel
Product : Fedora 44
Version : 7.0.4
Release : 200.fc44
URL : https://www.kernel.org/
Summary : The Linux kernel
Description :
The kernel meta package

--------------------------------------------------------------------------------
Update Information:

The 7.0.4 stable kernel rebase contains additional hardware support, new
features, and a number of important fixes across the tree. It also contains a
fix for the dirtyfrag vulnerability. This covers CVE-2026-43284 and
CVE-2026-43500. For users who experience a problem with the 7.0.4 rebase, a
build of 6.19.14 with just the dirtyfrag fixes should be available in koji
shortly.
--------------------------------------------------------------------------------
ChangeLog:

* Thu May 7 2026 Justin M. Forbes [jforbes@fedoraproject.org] [7.0.4-200]
- xfrm: esp: avoid in-place decrypt on shared skb frags (Kuan-Ting Chen)
- rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present (Hyunwoo Kim)
* Thu May 7 2026 Justin M. Forbes [jforbes@fedoraproject.org] [7.0.4-0]
- wifi: mt76: mt7925: fix incorrect TLV length in CLC command (Quan Zhou)
- ASoC: SOF: Don't allow pointer operations on unconfigured streams (Mark Brown)
- Turn on DVB_PT3 for Fedora at user request (Justin M. Forbes)
- Enable MEDIA_TUNER_MXL301RF for Fedora (Justin M. Forbes)
- mfd: bcm2835-pm: Add BCM2712 PM device support (Phil Elwell)
- mfd: bcm2835-pm: Introduce SoC-specific type identifier (Phil Elwell)
- Linux v7.0.4
* Thu Apr 30 2026 Justin M. Forbes [jforbes@fedoraproject.org] [7.0.3-0]
- Linux v7.0.3
* Mon Apr 27 2026 Justin M. Forbes [jforbes@fedoraproject.org] [7.0.2-0]
- drm/v3d: Reject empty multisync extension to prevent infinite loop (Ashutosh Desai)
- net: macb: Use napi_schedule_irqoff() in IRQ handler (Kevin Hao)
- net: macb: Use netif_napi_add_tx() instead of netif_napi_add() for TX NAPI (Kevin Hao)
- net: macb: Remove dedicated IRQ handler for WoL (Kevin Hao)
- net: macb: Factor out the handling of non-hot IRQ events into a separate function (Kevin Hao)
- net: macb: Introduce macb_queue_isr_clear() helper function (Kevin Hao)
- net: macb: Replace open-coded implementation with napi_schedule() (Kevin Hao)
- net: macb: fix use of at91_default_usrio without CONFIG_OF (Conor Dooley)
- net: macb: drop usrio pointer on EyeQ5 config (Théo Lebrun)
- net: macb: set MACB_CAPS_USRIO_DISABLED if no usrio config is provided (Théo Lebrun)
- net: macb: runtime detect MACB_CAPS_USRIO_DISABLED (Théo Lebrun)
- net: macb: timer adjust mode is not supported (Conor Dooley)
- net: macb: clean up tsu clk rate acquisition (Conor Dooley)
- net: macb: warn on pclk use as a tsu_clk fallback (Conor Dooley)
- net: macb: add mpfs specific usrio configuration (Conor Dooley)
- net: macb: np4 doesn't need a usrio pointer (Conor Dooley)
- net: macb: rework usrio refclk selection code (Conor Dooley)
- net: macb: split USRIO_HAS_CLKEN capability in two (Conor Dooley)
- net: macb: rename macb_default_usrio to at91_default_usrio as not all platforms have mii mode control in usrio (Conor Dooley)
- Revert "net: macb: Clean up the .usrio settings in macb_config instances" (Conor Dooley)
- net: macb: add support for Microchip pic64hpsc ethernet endpoint (Charles Perry)
- net: macb: add safeguards for jumbo frame larger than 10240 (Charles Perry)
- net: macb: set default_an_inband to true for SGMII (Charles Perry)
- net: macb: Clean up the .usrio settings in macb_config instances (Kevin Hao)
- net: macb: Clean up the .init settings in macb_config instances (Kevin Hao)
- net: macb: Clean up the .clk_init setting in the macb_config instances (Kevin Hao)
- net: cadence: macb: enable EEE for Mobileye EyeQ5 (Nicolai Buchwitz)
- net: cadence: macb: enable EEE for Raspberry Pi RP1 (Nicolai Buchwitz)
- net: cadence: macb: add ethtool EEE support (Nicolai Buchwitz)
- net: cadence: macb: implement EEE TX LPI support (Nicolai Buchwitz)
- net: cadence: macb: add EEE LPI statistics counters (Nicolai Buchwitz)
- net: macb: use ethtool_sprintf to fill ethtool stats strings (Sean Chang)
- net: macb: add the .pcs_inband_caps() callback for SGMII (Charles Perry)
- net: macb: add support for reporting SGMII inband link status (Charles Perry)
- net: macb: fix SGMII with inband aneg disabled (Charles Perry)
- net: cadence: macb: add ethtool nway_reset support (Nicolai Buchwitz)
- ARM: dts: broadcom: bcm2835-rpi: Move non simple-bus nodes to root level (Rob Herring (Arm))
- arm64: dts: broadcom: bcm2712: Move non simple-bus nodes to root level (Rob Herring (Arm))
- arm64: dts: broadcom: bcm2712-d-rpi-5-b: update uart10 interrupt (Gregor Herburger)
- arm64: dts: broadcom: bcm2712-d-rpi-5-b: add fixes for pinctrl/pinctrl_aon (Gregor Herburger)
- arm64: dts: broadcom: bcm2712-rpi-5-b: add pinctrl properties for csi i2cs (Gregor Herburger)
- arm64: dts: broadcom: bcm2712: add camera backend node pispbe (Gregor Herburger)
- arm64: dts: broadcom: rp1: add csi nodes (Gregor Herburger)
- arm64: dts: broadcom: rp1: add i2c controller (Gregor Herburger)
- arm64: dts: broadcom: bcm2712: Add V3D device node (Maíra Canal)
- arm64: dts: freescale: imx93: Add Ethos-U65 NPU and SRAM nodes (Rob Herring (Arm))
- redhat: configs: fedora: Enable AMD ISP4 MIPI camera solution (Kate Hsuan)
- Documentation: add documentation of AMD isp 4 driver (Bin Du)
- media: platform: amd: isp4 debug fs logging and more descriptive errors (Bin Du)
- media: platform: amd: isp4 video node and buffers handling added (Bin Du)
- media: platform: amd: isp4 subdev and firmware loading handling added (Bin Du)
- media: platform: amd: Add isp4 fw and hw interface (Bin Du)
- media: platform: amd: low level support for isp4 firmware (Bin Du)
- media: platform: amd: Introduce amd isp4 capture driver (Bin Du)
- Linux v7.0.2
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2467807 - [Major Incident] kernel: "Dirty Frag" is a new universal Local Privilege Escalation (LPE) vulnerability in the Linux kernel [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2467807
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-8cffa03dad' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: proftpd-1.3.9a-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-549ee32ea1
2026-05-08 19:27:40.960911+00:00
--------------------------------------------------------------------------------

Name : proftpd
Product : Fedora 44
Version : 1.3.9a
Release : 1.fc44
URL : http://www.proftpd.org/
Summary : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory
visibility.

This package defaults to the standalone behavior of ProFTPD, but all the
needed scripts to have it run by systemd instead are included.

--------------------------------------------------------------------------------
Update Information:

Cumulative bug-fix release from upstream. Includes fix for a possible
SQL-injection issue via mod_sql (CVE-2026-42167). Note that mod_sql is not
enabled by default.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 30 2026 Paul Howarth - 1.3.9a-1
- Update to 1.3.9a
- SCP transfers failed for files with spaces in their names (GH#1886)
- LDAPDefaultGID ignored since 1.3.9 (GH#1898)
- Compilation of mod_wrap2 failed when the --enable-wrapper-options configure
option was used (Bug #4512)
- mod_sftp failed to parse authorized user/host public keys with CRLF line
endings (GH#1904)
- Uploads using MODE Z sometimes resulted in corrupted files or broken
transfers (GH#1896)
- Remove usage of the deprecated MySQL_OPT_RECONNECT option for newer MySQL
versions (GH#1911)
- Update usage of MySQL API for SSL/TLS connections to server (GH#340)
- mod_sftp leaked file descriptor when reading SFTPHostKey file (GH#1959)
- Large/slow SCP downloads could be unnecessarily truncated by TimeoutStalled
(GH#1964)
- Handling of CRLs in mod_tls was incorrect, leading to confusing errors
(GH#1960)
- Resumed SSL_SESSION management in mod_tls led to memory growth, infinite
loop using newer OpenSSL versions (GH#1963)
- mod_quotatab_ldap interactions could lead to segfault due to stale pointer
(GH#1984)
- RNTO before authentication led to out-of-order response codes (GH#2003)
- MaxLoginAttemptsFromUser event never triggered in mod_ban for SFTP sessions
(GH#2009)
- Using toupper(3) on non-ASCII FTP command bytes might cause remote DoS
(GH#2019)
- Out-of-bounds single byte read when FTP command input buffer starts with LF
(GH#2020)
- FTP command LIST/NLST -B could cause buffer overflow when listing certain
crafted filenames (GH#2030)
- Memory exhaustion with mod_log_forensic when downloading very large files
via SFTP (GH#2043)
- Setting process groups during authentication crashed when using mod_radius
and (GH#2046)
- SQL injection possible via mod_sql because of is_escaped_text() logic error
(GH#2052, CVE-2026-42167)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2466604 - CVE-2026-42167 proftpd: SQL injection due to logic error in is_escaped_text() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2466604
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-549ee32ea1' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: nodejs22-22.22.2-3.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-3b76d8047d
2026-05-08 19:27:40.960901+00:00
--------------------------------------------------------------------------------

Name : nodejs22
Product : Fedora 44
Version : 22.22.2
Release : 3.fc44
URL : https://nodejs.org
Summary : JavaScript runtime
Description :
Node.js is a platform built on Chrome's JavaScript runtime
for easily building fast, scalable network applications.
Node.js uses an event-driven, non-blocking I/O model that
makes it lightweight and efficient, perfect for data-intensive
real-time applications that run across distributed devices.

--------------------------------------------------------------------------------
Update Information:

Update to version 22.22.2
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 8 2026 tjuhasz [tjuhasz@redhat.com] - 1:22.22.2-3
- Rework of update of nghttp2
* Wed Apr 8 2026 tjuhasz [tjuhasz@redhat.com] - 1:22.22.2-2
- Update bundled nghttp2 to 1.68.1
* Wed Apr 8 2026 tjuhasz [tjuhasz@redhat.com] - 1:22.22.2-1
- Update to version 22.22.2 (rhbz#2444849)
* Wed Apr 8 2026 tjuhasz [tjuhasz@redhat.com] - 1:22.22.1-1
- Update to version 22.22.1 (rhbz#2444849)
* Wed Apr 8 2026 tjuhasz [tjuhasz@redhat.com] - 1:22.22.0-9
- Remove disablement of LTO from specfile
* Wed Apr 8 2026 Andrei Radchenko [aradchen@redhat.com] - 1:22.22.0-8
- spec: remove obsolete requires
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2447160 - CVE-2026-1528 nodejs22: undici: Denial of Service via crafted WebSocket frame with large length [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2447160
[ 2 ] Bug #2447163 - CVE-2026-2229 nodejs22: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2447163
[ 3 ] Bug #2447170 - CVE-2026-1525 nodejs22: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2447170
[ 4 ] Bug #2447175 - CVE-2026-1527 nodejs22: Undici: HTTP header injection and request smuggling vulnerability [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2447175
[ 5 ] Bug #2447181 - CVE-2026-1526 nodejs22: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2447181
[ 6 ] Bug #2453565 - CVE-2026-21717 nodejs22: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453565
[ 7 ] Bug #2453568 - CVE-2026-21714 nodejs22: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453568
[ 8 ] Bug #2453572 - CVE-2026-21713 nodejs22: Node.js: Information disclosure via timing oracle in HMAC verification [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453572
[ 9 ] Bug #2453595 - CVE-2026-21716 nodejs22: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453595
[ 10 ] Bug #2453598 - CVE-2026-21715 nodejs22: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453598
[ 11 ] Bug #2453600 - CVE-2026-21710 nodejs22: Node.js: Denial of Service due to crafted HTTP `__proto__` header [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453600
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-3b76d8047d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: SDL3_image-3.4.4-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-992a75bea6
2026-05-08 19:27:40.960935+00:00
--------------------------------------------------------------------------------

Name : SDL3_image
Product : Fedora 44
Version : 3.4.4
Release : 1.fc44
URL : https://github.com/libsdl-org/SDL_image
Summary : Image loading library for SDL
Description :
Simple DirectMedia Layer (SDL) is a cross-platform multimedia library designed
to provide fast access to the graphics frame buffer and audio device.

This is a simple library to load images of various formats as SDL surfaces.
It can load BMP, GIF, JPEG, LBM, PCX, PNG, PNM (PPM/PGM/PBM), QOI, TGA, XCF,
XPM, and simple SVG format images. It can also load AVIF, JPEG-XL, TIFF, and
WebP images.

--------------------------------------------------------------------------------
Update Information:

Update to 3.4.4.
--------------------------------------------------------------------------------
ChangeLog:

* Sat May 2 2026 Simone Caronni [negativo17@gmail.com] - 3.4.4-1
- Update to 3.4.4
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2455135 - SDL3_image-3.4.4 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2455135
[ 2 ] Bug #2455890 - CVE-2026-35444 SDL3_image: SDL_image: Information disclosure via crafted XCF files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455890
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-992a75bea6' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

