Oracle Linux

Oracle has released new security advisories for Oracle Linux 7, 8, and 9, delivering patched RPMs for libxml2, libsoup, python, python3.12-urllib3, perl-IO-Compress, git-lfs, perl-Archive-Tar, mod_md, firefox, rsync, xorg-x11-server, and tomcat. Administrators should apply these updates promptly: the changelogs cover dozens of publicly tracked vulnerabilities, including heap buffer overflows and a use-after-free in libxml2, request smuggling via an invalid chunk extension and a client certificate verification bypass in Tomcat, a TOCTOU symlink race in the rsync daemon's no-chroot mode, and unvalidated symlink and hardlink targets in perl-Archive-Tar's secure extract mode. The advisory ratings range from moderate to important, with the three Firefox errata (18 CVEs in ELSA-2026-21378 alone) and the Tomcat erratum addressing the largest number of issues. Two practical points: all three Firefox errata ship the same firefox-140.12.0-1.0.1.el9_8 build, so a single update satisfies them all, and for several errata (rsync, xorg-x11-server, tomcat) the Related CVEs header names fewer or different identifiers than the changelog, so reconcile scanner findings against both lists rather than the header alone.
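To confirm that a host actually carries the fixed builds, the following script is an added example for this digest, not Oracle or ULN tooling. It parses advisory text in the layout shown on this page, orders package versions with a reimplementation of librpm's rpmvercmp (so release strings such as 6.0.11.el7_9.6 versus 6.0.13.el7_9.6 compare correctly), and flags installed packages older than the erratum's build. It also reports errata whose Related CVEs header and newest changelog entry name different identifiers, which the rsync advisory below does. The embedded advisory excerpt is copied from this page; the installed inventory is constructed, and on a real host comes from the rpm query named in the docstring.

```python
"""Check an rpm inventory against Oracle Linux ELSA advisory text. Added example for this
digest, not Oracle or ULN tooling; assumes the advisory layout shown on this page and an
inventory from: rpm -qa --qf '%{NAME}|%{EPOCHNUM}|%{VERSION}|%{RELEASE}|%{ARCH}\n'"""
import re
from itertools import zip_longest

NEVRA_RE = re.compile(r'^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)\.rpm$')
CVE_RE = re.compile(r'CVE-\d{4}-\d{4,}')
SEG_RE = re.compile(r'~|\d+|[A-Za-z]+')   # rpmvercmp segments; any other character separates

def rpmvercmp(a, b):
    """Order two version/release strings like librpm's rpmvercmp: digits beat letters and
    '~' sorts before anything (1.0~rc1 < 1.0). Returns -1, 0 or 1; '^' is not handled."""
    for x, y in zip_longest(SEG_RE.findall(a), SEG_RE.findall(b)):
        if x == '~' or y == '~':
            if x != y:
                return 1 if y == '~' else -1
            continue
        if x is None or y is None:            # the string with segments left over is newer
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        xk, yk = (int(x), int(y)) if x.isdigit() else (x, y)
        if xk != yk:
            return 1 if xk > yk else -1
    return 0

def evr_cmp(installed, fixed):
    """Compare (epoch, version, release) tuples. Advisory file names carry no epoch, so a
    fixed epoch of None skips the epoch test instead of assuming 0."""
    if fixed[0] is not None and installed[0] != fixed[0]:
        return 1 if installed[0] > fixed[0] else -1
    return rpmvercmp(installed[1], fixed[1]) or rpmvercmp(installed[2], fixed[2])

def parse_advisories(text):
    """One dict per advisory block: fixed builds keyed by (name, arch), ids from the
    'Related CVEs' header, and ids from the newest changelog entry only."""
    advs, cur, section, entry = [], None, None, 0
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r'^Oracle Linux Security Advisory (ELSA-\d+-\d+)$', line)
        if m:
            cur = {'id': m[1], 'fixed': {}, 'related': set(), 'changelog': set()}
            advs.append(cur)
            section, entry = None, 0
        elif cur is None:
            continue
        elif line == 'Related CVEs:':
            section = 'related'
        elif line == 'Description of changes:':
            section = 'changelog'
        elif re.match(r'^\[.+\]$', line):         # changelog entry header such as [3.2.5-7.2]
            entry += 1
        elif (m := NEVRA_RE.match(line)) and m['arch'] != 'src':   # skip the SRPMS URL
            cur['fixed'][(m['name'], m['arch'])] = (None, m['ver'], m['rel'])
        elif section == 'related' or (section == 'changelog' and entry == 1):
            cur[section].update(CVE_RE.findall(line))
    return advs

def parse_inventory(lines):
    """'NAME|EPOCHNUM|VERSION|RELEASE|ARCH' lines -> {(name, arch): (epoch, ver, rel)}."""
    return {(n, a): (int(e), v, r) for n, e, v, r, a in
            (l.strip().split('|') for l in lines if l.strip())}

def unpatched(advisories, inventory):
    """{advisory id: [(name, arch, installed EVR, fixed EVR)]} for installed packages still
    older than the erratum's build; packages that are not installed are skipped."""
    out = {}
    for adv in advisories:
        hits = [(n, a, inventory[(n, a)], fx) for (n, a), fx in adv['fixed'].items()
                if (n, a) in inventory and evr_cmp(inventory[(n, a)], fx) < 0]
        if hits:
            out[adv['id']] = hits
    return out

def cve_mismatch(advisories):
    """Ids in the header or in the newest changelog entry but not in both; reconciling
    scanner findings against the header alone would miss or mis-map these."""
    return {a['id']: sorted(a['related'] ^ a['changelog'])
            for a in advisories if a['related'] ^ a['changelog']}

# Excerpt copied from the rsync and mod_md advisories on this page (wrapped lines joined).
ADVISORY_TEXT = """
Oracle Linux Security Advisory ELSA-2026-19368
rsync-3.2.5-7.el9_8.2.x86_64.rpm
Related CVEs:
CVE-2024-12086
CVE-2026-41035
Description of changes:
[3.2.5-7.2]
- Fix integer overflow in compressed-token decoding (CVE-2026-43618)
[3.2.5-7.1]
- Fix TOCTOU symlink race in daemon no-chroot mode (CVE-2026-29518)
Oracle Linux Security Advisory ELSA-2026-30844
mod_md-2.4.26-2.el9_8.1.x86_64.rpm
Related CVEs:
CVE-2026-29168
Description of changes:
[1:2.4.26-2.1]
- Resolves: RHEL-175644 - mod_md: OCSP response limits (CVE-2026-29168)
"""
# Constructed inventory: rsync one release behind, mod_md (epoch 1 on the host) current.
INVENTORY = ["rsync|0|3.2.5|7.el9_8.1|x86_64", "mod_md|1|2.4.26|2.el9_8.1|x86_64"]

def report(advisory_text=ADVISORY_TEXT, inventory_lines=INVENTORY):
    """Return (still-unpatched packages per erratum, header/changelog CVE mismatches)."""
    advs = parse_advisories(advisory_text)
    return unpatched(advs, parse_inventory(inventory_lines)), cve_mismatch(advs)
```

With the constructed inventory, report() flags rsync 3.2.5-7.el9_8.1 as older than the 7.el9_8.2 build and lists CVE-2024-12086, CVE-2026-41035 and CVE-2026-43618 as named in only one of the rsync erratum's two CVE lists, while mod_md compares equal despite its epoch. On a real host, feed it the full advisory mail and the rpm query output, and compare the result with what the package manager reports via yum updateinfo list security (dnf updateinfo list --security on Oracle Linux 8 and 9).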

ELSA-2026-22420 Moderate: Oracle Linux 7 libxml2 security update
ELSA-2026-24722 Moderate: Oracle Linux 7 libsoup security update
ELSA-2026-19589 Important: Oracle Linux 7 python security update
ELSA-2026-32992 Important: Oracle Linux 8 python3.12-urllib3 security update
ELSA-2026-30858 Important: Oracle Linux 8 perl-IO-Compress security update
ELSA-2026-30853 Important: Oracle Linux 8 git-lfs security update
ELSA-2026-30852 Important: Oracle Linux 8 perl-Archive-Tar security update
ELSA-2026-30844 Moderate: Oracle Linux 9 mod_md security update
ELSA-2026-20574 Important: Oracle Linux 9 firefox security update
ELSA-2026-21378 Important: Oracle Linux 9 firefox security update
ELSA-2026-19370 Important: Oracle Linux 9 firefox security update
ELSA-2026-19368 Important: Oracle Linux 9 rsync security update
ELSA-2026-19343 Important: Oracle Linux 9 xorg-x11-server security update
ELSA-2026-18916 Important: Oracle Linux 9 tomcat security update




ELSA-2026-22420 Moderate: Oracle Linux 7 libxml2 security update


Oracle Linux Security Advisory ELSA-2026-22420

http://linux.oracle.com/errata/ELSA-2026-22420.html

The following updated rpms for Oracle Linux 7 have been uploaded to the Unbreakable Linux Network:

x86_64:
libxml2-2.9.1-6.0.13.el7_9.6.i686.rpm
libxml2-2.9.1-6.0.13.el7_9.6.x86_64.rpm
libxml2-devel-2.9.1-6.0.13.el7_9.6.i686.rpm
libxml2-devel-2.9.1-6.0.13.el7_9.6.x86_64.rpm
libxml2-python-2.9.1-6.0.13.el7_9.6.x86_64.rpm
libxml2-static-2.9.1-6.0.13.el7_9.6.i686.rpm
libxml2-static-2.9.1-6.0.13.el7_9.6.x86_64.rpm

SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/libxml2-2.9.1-6.0.13.el7_9.6.src.rpm

Related CVEs:

CVE-2025-9714

Description of changes:

[2.9.1-6.0.13.6]
- Backport fix for CVE-2025-9714 [Orabug: 39476695]

[2.9.1-6.0.11.6]
- Fix CVE-2025-32415: Fix heap buffer overflow [Orabug: 38310750]

[2.9.1-6.0.9.6]
- Fix CVE-2025-7425: heap-use-after-free in xmlFreeID [Orabug: 38290330]

[2.9.1-6.0.7.6]
- Fix CVE-2025-6021, CVE-2025-32414, CVE-2025-49794, CVE-2025-49796
- [Orabug: 38255814]

[2.9.1-6.0.5]
- Fix CVE-2024-56171 [Orabug: 37694105]
- Fix CVE-2025-24928 [Orabug: 37694105]



ELSA-2026-24722 Moderate: Oracle Linux 7 libsoup security update


Oracle Linux Security Advisory ELSA-2026-24722

http://linux.oracle.com/errata/ELSA-2026-24722.html

The following updated rpms for Oracle Linux 7 have been uploaded to the Unbreakable Linux Network:

x86_64:
libsoup-2.62.2-2.0.13.el7.i686.rpm
libsoup-2.62.2-2.0.13.el7.x86_64.rpm
libsoup-devel-2.62.2-2.0.13.el7.i686.rpm
libsoup-devel-2.62.2-2.0.13.el7.x86_64.rpm

SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/libsoup-2.62.2-2.0.13.el7.src.rpm

Related CVEs:

CVE-2026-5119

Description of changes:

[2.62.2-2.0.13]
- Backport fix for CVE-2026-5119 [Orabug: 39527088]

[2.62.2-2.0.11]
- Fixes CVE-2026-0719 CVE-2026-1761 [Orabug: 38958074]

[2.62.2-2.0.9]
- Fix CVE-2025-14523 [Orabug: 38873507]

[2.62.2-2.0.7]
- Backport patch for CVE-2025-4945 and CVE-2025-11021 [Orabug: 38664275]

[2.62.2-2.0.5]
- Fixes CVE-2025-2784 CVE-2025-4948 CVE-2025-32049 [Orabug: 38085184]
- CVE-2025-32906 CVE-2025-32911 CVE-2025-32913 CVE-2025-32914

[2.62.2-2.0.3]
- Fixed CVE-2024-52531 buffer overflow via UTF-8 conversion in
- soup_header_parse_param_list_strict [Orabug: 37557504]



ELSA-2026-19589 Important: Oracle Linux 7 python security update


Oracle Linux Security Advisory ELSA-2026-19589

http://linux.oracle.com/errata/ELSA-2026-19589.html

The following updated rpms for Oracle Linux 7 have been uploaded to the Unbreakable Linux Network:

x86_64:
python-2.7.5-94.0.9.el7_9.x86_64.rpm
python-debug-2.7.5-94.0.9.el7_9.x86_64.rpm
python-devel-2.7.5-94.0.9.el7_9.x86_64.rpm
python-libs-2.7.5-94.0.9.el7_9.i686.rpm
python-libs-2.7.5-94.0.9.el7_9.x86_64.rpm
python-test-2.7.5-94.0.9.el7_9.x86_64.rpm
python-tools-2.7.5-94.0.9.el7_9.x86_64.rpm
tkinter-2.7.5-94.0.9.el7_9.x86_64.rpm

SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/python-2.7.5-94.0.9.el7_9.src.rpm

Related CVEs:

CVE-2026-4786

Description of changes:

[2.7.5-94.0.9]
- Fix for CVE-2026-4786 [Orabug: 39418723]

[2.7.5-94.0.7]
- Fix for CVE-2026-4519 [Orabug: 39243798]

[2.7.5-94.0.5]
- Fix for CVE-2025-15366 and CVE-2025-15367 [Orabug: 39114639]

[2.7.5-94.0.3]
- Fix for CVE-2025-12084 [Orabug: 38902314]



ELSA-2026-32992 Important: Oracle Linux 8 python3.12-urllib3 security update


Oracle Linux Security Advisory ELSA-2026-32992

http://linux.oracle.com/errata/ELSA-2026-32992.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
python3.12-urllib3-1.26.19-3.el8_10.noarch.rpm

aarch64:
python3.12-urllib3-1.26.19-3.el8_10.noarch.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/python3.12-urllib3-1.26.19-3.el8_10.src.rpm

Related CVEs:

CVE-2026-44431
CVE-2026-44432

Description of changes:

[1.26.19-3]
- Security fixes for CVE-2026-44431 and CVE-2026-44432
Resolves: RHEL-185125, RHEL-184900



ELSA-2026-30858 Important: Oracle Linux 8 perl-IO-Compress security update


Oracle Linux Security Advisory ELSA-2026-30858

http://linux.oracle.com/errata/ELSA-2026-30858.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
perl-IO-Compress-2.081-2.el8_10.noarch.rpm

aarch64:
perl-IO-Compress-2.081-2.el8_10.noarch.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/perl-IO-Compress-2.081-2.el8_10.src.rpm

Related CVEs:

CVE-2026-48962

Description of changes:

[2.081-2]
- Remove use of eval in File::GlobMapper for safer string interpolation
- Resolves: RHEL-180411



ELSA-2026-30853 Important: Oracle Linux 8 git-lfs security update


Oracle Linux Security Advisory ELSA-2026-30853

http://linux.oracle.com/errata/ELSA-2026-30853.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
git-lfs-3.4.1-11.el8_10.x86_64.rpm

aarch64:
git-lfs-3.4.1-11.el8_10.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/git-lfs-3.4.1-11.el8_10.src.rpm

Related CVEs:

CVE-2026-39821

Description of changes:

[3.4.1-11]
- Backport CVE-2026-39821 fix (vendored golang.org/x/net IDNA)
- Resolves: RHEL-183731



ELSA-2026-30852 Important: Oracle Linux 8 perl-Archive-Tar security update


Oracle Linux Security Advisory ELSA-2026-30852

http://linux.oracle.com/errata/ELSA-2026-30852.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
perl-Archive-Tar-2.30-2.el8_10.noarch.rpm

aarch64:
perl-Archive-Tar-2.30-2.el8_10.noarch.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/perl-Archive-Tar-2.30-2.el8_10.src.rpm

Related CVEs:

CVE-2026-42496

Description of changes:

[2.30-2]
- Fix CVE-2026-42496: validate symlink and hardlink targets in secure
extract mode
- Resolves: RHEL-181654

[2.30-1]
- 2.30 bump

[2.28-1]
- 2.28 bump
- Fixes CVE-2018-12015 (directory traversal) (bug #1588761)

[2.26-6]
- Do not run optional test on RHEL

[2.26-5]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

[2.26-4]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

[2.26-3]
- Perl 5.26 re-rebuild of bootstrapped packages

[2.26-2]
- Perl 5.26 rebuild

[2.26-1]
- 2.26 bump

[2.24-2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild



ELSA-2026-30844 Moderate: Oracle Linux 9 mod_md security update


Oracle Linux Security Advisory ELSA-2026-30844

http://linux.oracle.com/errata/ELSA-2026-30844.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
mod_md-2.4.26-2.el9_8.1.x86_64.rpm

aarch64:
mod_md-2.4.26-2.el9_8.1.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/mod_md-2.4.26-2.el9_8.1.src.rpm

Related CVEs:

CVE-2026-29168

Description of changes:

[1:2.4.26-2.1]
- Resolves: RHEL-175644 - mod_md: OCSP response limits
(CVE-2026-29168)

[1:2.4.26-2]
- Resolves: RHEL-134497 - httpd: Apache HTTP Server: mod_md (ACME), unintended
retry intervals (CVE-2025-55753)



ELSA-2026-20574 Important: Oracle Linux 9 firefox security update


Oracle Linux Security Advisory ELSA-2026-20574

http://linux.oracle.com/errata/ELSA-2026-20574.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
firefox-140.12.0-1.0.1.el9_8.x86_64.rpm
firefox-x11-140.12.0-1.0.1.el9_8.x86_64.rpm

aarch64:
firefox-140.12.0-1.0.1.el9_8.aarch64.rpm
firefox-x11-140.12.0-1.0.1.el9_8.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/firefox-140.12.0-1.0.1.el9_8.src.rpm

Related CVEs:

CVE-2026-8090
CVE-2026-8092
CVE-2026-8094

Description of changes:

[140.12.0-1.0.1]
- Fix firefox-oracle-default-prefs.js for new nss [Orabug: 37079773]
- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file

[140.12.0]
- Add debranding patches (Mustafa Gezen)
- Add OpenELA default preferences (Louis Abel)

[140.12.0-1]
- Update to 140.12.0 ESR

[140.11.0-1]
- Update to 140.11.0 ESR

[140.10.2-1]
- Update to 140.10.2 ESR

[140.10.1-1]
- Update to 140.10.1 ESR



ELSA-2026-21378 Important: Oracle Linux 9 firefox security update


Oracle Linux Security Advisory ELSA-2026-21378

http://linux.oracle.com/errata/ELSA-2026-21378.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
firefox-140.12.0-1.0.1.el9_8.x86_64.rpm
firefox-x11-140.12.0-1.0.1.el9_8.x86_64.rpm

aarch64:
firefox-140.12.0-1.0.1.el9_8.aarch64.rpm
firefox-x11-140.12.0-1.0.1.el9_8.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/firefox-140.12.0-1.0.1.el9_8.src.rpm

Related CVEs:

CVE-2026-8388
CVE-2026-8391
CVE-2026-8401
CVE-2026-8946
CVE-2026-8947
CVE-2026-8950
CVE-2026-8953
CVE-2026-8954
CVE-2026-8955
CVE-2026-8956
CVE-2026-8957
CVE-2026-8958
CVE-2026-8961
CVE-2026-8962
CVE-2026-8968
CVE-2026-8970
CVE-2026-8974
CVE-2026-8975

Description of changes:

[140.12.0-1.0.1]
- Fix firefox-oracle-default-prefs.js for new nss [Orabug: 37079773]
- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file

[140.12.0]
- Add debranding patches (Mustafa Gezen)
- Add OpenELA default preferences (Louis Abel)

[140.12.0-1]
- Update to 140.12.0 ESR

[140.11.0-1]
- Update to 140.11.0 ESR

[140.10.2-1]
- Update to 140.10.2 ESR

[140.10.1-1]
- Update to 140.10.1 ESR



ELSA-2026-19370 Important: Oracle Linux 9 firefox security update


Oracle Linux Security Advisory ELSA-2026-19370

http://linux.oracle.com/errata/ELSA-2026-19370.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
firefox-140.12.0-1.0.1.el9_8.x86_64.rpm
firefox-x11-140.12.0-1.0.1.el9_8.x86_64.rpm

aarch64:
firefox-140.12.0-1.0.1.el9_8.aarch64.rpm
firefox-x11-140.12.0-1.0.1.el9_8.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/firefox-140.12.0-1.0.1.el9_8.src.rpm

Related CVEs:

CVE-2026-7320
CVE-2026-7321
CVE-2026-7322
CVE-2026-7323

Description of changes:

[140.12.0-1.0.1]
- Fix firefox-oracle-default-prefs.js for new nss [Orabug: 37079773]
- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file

[140.12.0]
- Add debranding patches (Mustafa Gezen)
- Add OpenELA default preferences (Louis Abel)

[140.12.0-1]
- Update to 140.12.0 ESR

[140.11.0-1]
- Update to 140.11.0 ESR

[140.10.2-1]
- Update to 140.10.2 ESR

[140.10.1-1]
- Update to 140.10.1 ESR



ELSA-2026-19368 Important: Oracle Linux 9 rsync security update


Oracle Linux Security Advisory ELSA-2026-19368

http://linux.oracle.com/errata/ELSA-2026-19368.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
rsync-3.2.5-7.el9_8.2.x86_64.rpm
rsync-daemon-3.2.5-7.el9_8.2.noarch.rpm
rsync-rrsync-3.2.5-7.el9_8.2.noarch.rpm

aarch64:
rsync-3.2.5-7.el9_8.2.aarch64.rpm
rsync-daemon-3.2.5-7.el9_8.2.noarch.rpm
rsync-rrsync-3.2.5-7.el9_8.2.noarch.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/rsync-3.2.5-7.el9_8.2.src.rpm

Related CVEs:

CVE-2024-12086
CVE-2026-41035

Description of changes:

[3.2.5-7.2]
- Fix integer overflow in compressed-token decoding (CVE-2026-43618)
- Resolves: RHEL-174932

[3.2.5-7.1]
- Fix TOCTOU symlink race in daemon no-chroot mode (CVE-2026-29518)
- Resolves: RHEL-174952

[3.2.5-4]
- Resolves: RHEL-104404 - Do not clear DISPLAY unconditionally



ELSA-2026-19343 Important: Oracle Linux 9 xorg-x11-server security update


Oracle Linux Security Advisory ELSA-2026-19343

http://linux.oracle.com/errata/ELSA-2026-19343.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
xorg-x11-server-Xdmx-1.20.11-34.el9_8.2.x86_64.rpm
xorg-x11-server-Xephyr-1.20.11-34.el9_8.2.x86_64.rpm
xorg-x11-server-Xnest-1.20.11-34.el9_8.2.x86_64.rpm
xorg-x11-server-Xorg-1.20.11-34.el9_8.2.x86_64.rpm
xorg-x11-server-Xvfb-1.20.11-34.el9_8.2.x86_64.rpm
xorg-x11-server-common-1.20.11-34.el9_8.2.x86_64.rpm
xorg-x11-server-devel-1.20.11-34.el9_8.2.i686.rpm
xorg-x11-server-devel-1.20.11-34.el9_8.2.x86_64.rpm
xorg-x11-server-source-1.20.11-34.el9_8.2.noarch.rpm

aarch64:
xorg-x11-server-Xdmx-1.20.11-34.el9_8.2.aarch64.rpm
xorg-x11-server-Xephyr-1.20.11-34.el9_8.2.aarch64.rpm
xorg-x11-server-Xnest-1.20.11-34.el9_8.2.aarch64.rpm
xorg-x11-server-Xorg-1.20.11-34.el9_8.2.aarch64.rpm
xorg-x11-server-Xvfb-1.20.11-34.el9_8.2.aarch64.rpm
xorg-x11-server-common-1.20.11-34.el9_8.2.aarch64.rpm
xorg-x11-server-devel-1.20.11-34.el9_8.2.aarch64.rpm
xorg-x11-server-source-1.20.11-34.el9_8.2.noarch.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/xorg-x11-server-1.20.11-34.el9_8.2.src.rpm

Related CVEs:

CVE-2026-33999
CVE-2026-34001
CVE-2026-34003

Description of changes:

[1.20.11-34.2]
- Other security related fixes
Resolves: https://redhat.atlassian.net/browse/RHEL-184288

[1.20.11-34.1]
- CVE fix for: CVE-2026-50256, CVE-2026-50257, CVE-2026-50258,
CVE-2026-50259, CVE-2026-50260, CVE-2026-50261,
CVE-2026-50262, CVE-2026-50263, CVE-2026-50264
Resolves: https://redhat.atlassian.net/browse/RHEL-182435

[1.20.11-34]
- CVE fix for: CVE-2026-33999, CVE-2026-34000, CVE-2026-34001
CVE-2026-34002, CVE-2026-34003
Resolves: https://redhat.atlassian.net/browse/RHEL-163226
Resolves: https://redhat.atlassian.net/browse/RHEL-163308
Resolves: https://redhat.atlassian.net/browse/RHEL-163239



ELSA-2026-18916 Important: Oracle Linux 9 tomcat security update


Oracle Linux Security Advisory ELSA-2026-18916

http://linux.oracle.com/errata/ELSA-2026-18916.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
tomcat-9.0.117-1.el9_8.noarch.rpm
tomcat-admin-webapps-9.0.117-1.el9_8.noarch.rpm
tomcat-docs-webapp-9.0.117-1.el9_8.noarch.rpm
tomcat-el-3.0-api-9.0.117-1.el9_8.noarch.rpm
tomcat-jsp-2.3-api-9.0.117-1.el9_8.noarch.rpm
tomcat-lib-9.0.117-1.el9_8.noarch.rpm
tomcat-servlet-4.0-api-9.0.117-1.el9_8.noarch.rpm
tomcat-webapps-9.0.117-1.el9_8.noarch.rpm

aarch64:
tomcat-9.0.117-1.el9_8.noarch.rpm
tomcat-admin-webapps-9.0.117-1.el9_8.noarch.rpm
tomcat-docs-webapp-9.0.117-1.el9_8.noarch.rpm
tomcat-el-3.0-api-9.0.117-1.el9_8.noarch.rpm
tomcat-jsp-2.3-api-9.0.117-1.el9_8.noarch.rpm
tomcat-lib-9.0.117-1.el9_8.noarch.rpm
tomcat-servlet-4.0-api-9.0.117-1.el9_8.noarch.rpm
tomcat-webapps-9.0.117-1.el9_8.noarch.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/tomcat-9.0.117-1.el9_8.src.rpm

Related CVEs:

CVE-2025-46701
CVE-2025-55668
CVE-2025-55754

Description of changes:

[1:9.0.117-1]
- Resolves: RHEL-150714 Certificate revocation bypass due to improper OCSP response validation
- Resolves: Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (CVE-2026-34500)
- Resolves: Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token (CVE-2026-34487)
- Resolves: Tomcat: The fix for CVE-2026-29146 allowed the bypass of the EncryptInterceptor (CVE-2026-34486)
- Resolves: Tomcat: Incomplete escaping of JSON access logs (CVE-2026-34483)
- Resolves: Tomcat: The fix for CVE-2025-66614 was incomplete (CVE-2026-32990)
- Resolves: Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default (CVE-2026-29146)
- Resolves: Tomcat: OCSP checks sometimes soft-fail even when soft-fail is disabled (CVE-2026-29145)
- Resolves: Tomcat: Configured TLS cipher preference order not preserved (CVE-2026-29129)
- Resolves: Tomcat: Occasionally open redirect (CVE-2026-25854)
- Resolves: Tomcat: Request smuggling via invalid chunk extension (CVE-2026-24880)
- Resolves: Tomcat: Incomplete OCSP verification checks (CVE-2026-24734)
- Resolves: Tomcat: Security constraint bypass (CVE-2026-24733)
- Resolves: Tomcat: Client certificate verification bypass due to virtual host mapping (CVE-2025-66614)