ELSA-2026-22420 Moderate: Oracle Linux 7 libxml2 security update
ELSA-2026-24722 Moderate: Oracle Linux 7 libsoup security update
ELSA-2026-19589 Important: Oracle Linux 7 python security update
ELSA-2026-32992 Important: Oracle Linux 8 python3.12-urllib3 security update
ELSA-2026-30858 Important: Oracle Linux 8 perl-IO-Compress security update
ELSA-2026-30853 Important: Oracle Linux 8 git-lfs security update
ELSA-2026-30852 Important: Oracle Linux 8 perl-Archive-Tar security update
ELSA-2026-30844 Moderate: Oracle Linux 9 mod_md security update
ELSA-2026-20574 Important: Oracle Linux 9 firefox security update
ELSA-2026-21378 Important: Oracle Linux 9 firefox security update
ELSA-2026-19370 Important: Oracle Linux 9 firefox security update
ELSA-2026-19368 Important: Oracle Linux 9 rsync security update
ELSA-2026-19343 Important: Oracle Linux 9 xorg-x11-server security update
ELSA-2026-18916 Important: Oracle Linux 9 tomcat security update
ELSA-2026-22420 Moderate: Oracle Linux 7 libxml2 security update
Oracle Linux Security Advisory ELSA-2026-22420
http://linux.oracle.com/errata/ELSA-2026-22420.html
The following updated rpms for Oracle Linux 7 have been uploaded to the Unbreakable Linux Network:
x86_64:
libxml2-2.9.1-6.0.13.el7_9.6.i686.rpm
libxml2-2.9.1-6.0.13.el7_9.6.x86_64.rpm
libxml2-devel-2.9.1-6.0.13.el7_9.6.i686.rpm
libxml2-devel-2.9.1-6.0.13.el7_9.6.x86_64.rpm
libxml2-python-2.9.1-6.0.13.el7_9.6.x86_64.rpm
libxml2-static-2.9.1-6.0.13.el7_9.6.i686.rpm
libxml2-static-2.9.1-6.0.13.el7_9.6.x86_64.rpm
SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/libxml2-2.9.1-6.0.13.el7_9.6.src.rpm
Related CVEs:
CVE-2025-9714
Description of changes:
[2.9.1-6.0.13.6]
- Backport fix for CVE-2025-9714 [Orabug: 39476695]
[2.9.1-6.0.11.6]
- Fix CVE-2025-32415: Fix heap buffer overflow [Orabug: 38310750]
[2.9.1-6.0.9.6]
- Fix CVE-2025-7425: heap-use-after-free in xmlFreeID [Orabug: 38290330]
[2.9.1-6.0.7.6]
- Fix CVE-2025-6021, CVE-2025-32414, CVE-2025-49794, CVE-2025-49796 [Orabug: 38255814]
[2.9.1-6.0.5]
- Fix CVE-2024-56171 [Orabug: 37694105]
- Fix CVE-2025-24928 [Orabug: 37694105]
ELSA-2026-24722 Moderate: Oracle Linux 7 libsoup security update
Oracle Linux Security Advisory ELSA-2026-24722
http://linux.oracle.com/errata/ELSA-2026-24722.html
The following updated rpms for Oracle Linux 7 have been uploaded to the Unbreakable Linux Network:
x86_64:
libsoup-2.62.2-2.0.13.el7.i686.rpm
libsoup-2.62.2-2.0.13.el7.x86_64.rpm
libsoup-devel-2.62.2-2.0.13.el7.i686.rpm
libsoup-devel-2.62.2-2.0.13.el7.x86_64.rpm
SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/libsoup-2.62.2-2.0.13.el7.src.rpm
Related CVEs:
CVE-2026-5119
Description of changes:
[2.62.2-2.0.13]
- Backport fix for CVE-2026-5119 [Orabug: 39527088]
[2.62.2-2.0.11]
- Fixes CVE-2026-0719 CVE-2026-1761 [Orabug: 38958074]
[2.62.2-2.0.9]
- Fix CVE-2025-14523 [Orabug: 38873507]
[2.62.2-2.0.7]
- Backport patch for CVE-2025-4945 and CVE-2025-11021 [Orabug: 38664275]
[2.62.2-2.0.5]
- Fixes CVE-2025-2784 CVE-2025-4948 CVE-2025-32049 [Orabug: 38085184]
- CVE-2025-32906 CVE-2025-32911 CVE-2025-32913 CVE-2025-32914
[2.62.2-2.0.3]
- Fixed CVE-2024-52531 buffer overflow via UTF-8 conversion in soup_header_parse_param_list_strict [Orabug: 37557504]
ELSA-2026-19589 Important: Oracle Linux 7 python security update
Oracle Linux Security Advisory ELSA-2026-19589
http://linux.oracle.com/errata/ELSA-2026-19589.html
The following updated rpms for Oracle Linux 7 have been uploaded to the Unbreakable Linux Network:
x86_64:
python-2.7.5-94.0.9.el7_9.x86_64.rpm
python-debug-2.7.5-94.0.9.el7_9.x86_64.rpm
python-devel-2.7.5-94.0.9.el7_9.x86_64.rpm
python-libs-2.7.5-94.0.9.el7_9.i686.rpm
python-libs-2.7.5-94.0.9.el7_9.x86_64.rpm
python-test-2.7.5-94.0.9.el7_9.x86_64.rpm
python-tools-2.7.5-94.0.9.el7_9.x86_64.rpm
tkinter-2.7.5-94.0.9.el7_9.x86_64.rpm
SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/python-2.7.5-94.0.9.el7_9.src.rpm
Related CVEs:
CVE-2026-4786
Description of changes:
[2.7.5-94.0.9]
- Fix for CVE-2026-4786 [Orabug: 39418723]
[2.7.5-94.0.7]
- Fix for CVE-2026-4519 [Orabug: 39243798]
[2.7.5-94.0.5]
- Fix for CVE-2025-15366 and CVE-2025-15367 [Orabug: 39114639]
[2.7.5-94.0.3]
- Fix for CVE-2025-12084 [Orabug: 38902314]
ELSA-2026-32992 Important: Oracle Linux 8 python3.12-urllib3 security update
Oracle Linux Security Advisory ELSA-2026-32992
http://linux.oracle.com/errata/ELSA-2026-32992.html
The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:
x86_64:
python3.12-urllib3-1.26.19-3.el8_10.noarch.rpm
aarch64:
python3.12-urllib3-1.26.19-3.el8_10.noarch.rpm
SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/python3.12-urllib3-1.26.19-3.el8_10.src.rpm
Related CVEs:
CVE-2026-44431
CVE-2026-44432
Description of changes:
[1.26.19-3]
- Security fixes for CVE-2026-44431 and CVE-2026-44432
Resolves: RHEL-185125, RHEL-184900
ELSA-2026-30858 Important: Oracle Linux 8 perl-IO-Compress security update
Oracle Linux Security Advisory ELSA-2026-30858
http://linux.oracle.com/errata/ELSA-2026-30858.html
The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:
x86_64:
perl-IO-Compress-2.081-2.el8_10.noarch.rpm
aarch64:
perl-IO-Compress-2.081-2.el8_10.noarch.rpm
SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/perl-IO-Compress-2.081-2.el8_10.src.rpm
Related CVEs:
CVE-2026-48962
Description of changes:
[2.081-2]
- Remove use of eval in File::GlobMapper for safer string interpolation
- Resolves: RHEL-180411
ELSA-2026-30853 Important: Oracle Linux 8 git-lfs security update
Oracle Linux Security Advisory ELSA-2026-30853
http://linux.oracle.com/errata/ELSA-2026-30853.html
The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:
x86_64:
git-lfs-3.4.1-11.el8_10.x86_64.rpm
aarch64:
git-lfs-3.4.1-11.el8_10.aarch64.rpm
SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/git-lfs-3.4.1-11.el8_10.src.rpm
Related CVEs:
CVE-2026-39821
Description of changes:
[3.4.1-11]
- Backport CVE-2026-39821 fix (vendored golang.org/x/net IDNA)
- Resolves: RHEL-183731
ELSA-2026-30852 Important: Oracle Linux 8 perl-Archive-Tar security update
Oracle Linux Security Advisory ELSA-2026-30852
http://linux.oracle.com/errata/ELSA-2026-30852.html
The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:
x86_64:
perl-Archive-Tar-2.30-2.el8_10.noarch.rpm
aarch64:
perl-Archive-Tar-2.30-2.el8_10.noarch.rpm
SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/perl-Archive-Tar-2.30-2.el8_10.src.rpm
Related CVEs:
CVE-2026-42496
Description of changes:
[2.30-2]
- Fix CVE-2026-42496: validate symlink and hardlink targets in secure extract mode
- Resolves: RHEL-181654
[2.30-1]
- 2.30 bump
[2.28-1]
- 2.28 bump
- Fixes CVE-2018-12015 (directory traversal) (bug #1588761)
[2.26-6]
- Do not run optional test on RHEL
[2.26-5]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
[2.26-4]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
[2.26-3]
- Perl 5.26 re-rebuild of bootstrapped packages
[2.26-2]
- Perl 5.26 rebuild
[2.26-1]
- 2.26 bump
[2.24-2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
ELSA-2026-30844 Moderate: Oracle Linux 9 mod_md security update
Oracle Linux Security Advisory ELSA-2026-30844
http://linux.oracle.com/errata/ELSA-2026-30844.html
The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:
x86_64:
mod_md-2.4.26-2.el9_8.1.x86_64.rpm
aarch64:
mod_md-2.4.26-2.el9_8.1.aarch64.rpm
SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/mod_md-2.4.26-2.el9_8.1.src.rpm
Related CVEs:
CVE-2026-29168
Description of changes:
[1:2.4.26-2.1]
- Resolves: RHEL-175644 - mod_md: OCSP response limits (CVE-2026-29168)
[1:2.4.26-2]
- Resolves: RHEL-134497 - httpd: Apache HTTP Server: mod_md (ACME), unintended retry intervals (CVE-2025-55753)
ELSA-2026-20574 Important: Oracle Linux 9 firefox security update
Oracle Linux Security Advisory ELSA-2026-20574
http://linux.oracle.com/errata/ELSA-2026-20574.html
The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:
x86_64:
firefox-140.12.0-1.0.1.el9_8.x86_64.rpm
firefox-x11-140.12.0-1.0.1.el9_8.x86_64.rpm
aarch64:
firefox-140.12.0-1.0.1.el9_8.aarch64.rpm
firefox-x11-140.12.0-1.0.1.el9_8.aarch64.rpm
SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/firefox-140.12.0-1.0.1.el9_8.src.rpm
Related CVEs:
CVE-2026-8090
CVE-2026-8092
CVE-2026-8094
Description of changes:
[140.12.0-1.0.1]
- Fix firefox-oracle-default-prefs.js for new nss [Orabug: 37079773]
- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file
[140.12.0]
- Add debranding patches (Mustafa Gezen)
- Add OpenELA default preferences (Louis Abel)
[140.12.0-1]
- Update to 140.12.0 ESR
[140.11.0-1]
- Update to 140.11.0 ESR
[140.10.2-1]
- Update to 140.10.2 ESR
[140.10.1-1]
- Update to 140.10.1 ESR
ELSA-2026-21378 Important: Oracle Linux 9 firefox security update
Oracle Linux Security Advisory ELSA-2026-21378
http://linux.oracle.com/errata/ELSA-2026-21378.html
The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:
x86_64:
firefox-140.12.0-1.0.1.el9_8.x86_64.rpm
firefox-x11-140.12.0-1.0.1.el9_8.x86_64.rpm
aarch64:
firefox-140.12.0-1.0.1.el9_8.aarch64.rpm
firefox-x11-140.12.0-1.0.1.el9_8.aarch64.rpm
SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/firefox-140.12.0-1.0.1.el9_8.src.rpm
Related CVEs:
CVE-2026-8388
CVE-2026-8391
CVE-2026-8401
CVE-2026-8946
CVE-2026-8947
CVE-2026-8950
CVE-2026-8953
CVE-2026-8954
CVE-2026-8955
CVE-2026-8956
CVE-2026-8957
CVE-2026-8958
CVE-2026-8961
CVE-2026-8962
CVE-2026-8968
CVE-2026-8970
CVE-2026-8974
CVE-2026-8975
Description of changes:
[140.12.0-1.0.1]
- Fix firefox-oracle-default-prefs.js for new nss [Orabug: 37079773]
- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file
[140.12.0]
- Add debranding patches (Mustafa Gezen)
- Add OpenELA default preferences (Louis Abel)
[140.12.0-1]
- Update to 140.12.0 ESR
[140.11.0-1]
- Update to 140.11.0 ESR
[140.10.2-1]
- Update to 140.10.2 ESR
[140.10.1-1]
- Update to 140.10.1 ESR
ELSA-2026-19370 Important: Oracle Linux 9 firefox security update
Oracle Linux Security Advisory ELSA-2026-19370
http://linux.oracle.com/errata/ELSA-2026-19370.html
The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:
x86_64:
firefox-140.12.0-1.0.1.el9_8.x86_64.rpm
firefox-x11-140.12.0-1.0.1.el9_8.x86_64.rpm
aarch64:
firefox-140.12.0-1.0.1.el9_8.aarch64.rpm
firefox-x11-140.12.0-1.0.1.el9_8.aarch64.rpm
SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/firefox-140.12.0-1.0.1.el9_8.src.rpm
Related CVEs:
CVE-2026-7320
CVE-2026-7321
CVE-2026-7322
CVE-2026-7323
Description of changes:
[140.12.0-1.0.1]
- Fix firefox-oracle-default-prefs.js for new nss [Orabug: 37079773]
- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file
[140.12.0]
- Add debranding patches (Mustafa Gezen)
- Add OpenELA default preferences (Louis Abel)
[140.12.0-1]
- Update to 140.12.0 ESR
[140.11.0-1]
- Update to 140.11.0 ESR
[140.10.2-1]
- Update to 140.10.2 ESR
[140.10.1-1]
- Update to 140.10.1 ESR
ELSA-2026-19368 Important: Oracle Linux 9 rsync security update
Oracle Linux Security Advisory ELSA-2026-19368
http://linux.oracle.com/errata/ELSA-2026-19368.html
The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:
x86_64:
rsync-3.2.5-7.el9_8.2.x86_64.rpm
rsync-daemon-3.2.5-7.el9_8.2.noarch.rpm
rsync-rrsync-3.2.5-7.el9_8.2.noarch.rpm
aarch64:
rsync-3.2.5-7.el9_8.2.aarch64.rpm
rsync-daemon-3.2.5-7.el9_8.2.noarch.rpm
rsync-rrsync-3.2.5-7.el9_8.2.noarch.rpm
SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/rsync-3.2.5-7.el9_8.2.src.rpm
Related CVEs:
CVE-2024-12086
CVE-2026-41035
Description of changes:
[3.2.5-7.2]
- Fix integer overflow in compressed-token decoding (CVE-2026-43618)
- Resolves: RHEL-174932
[3.2.5-7.1]
- Fix TOCTOU symlink race in daemon no-chroot mode (CVE-2026-29518)
- Resolves: RHEL-174952
[3.2.5-4]
- Resolves: RHEL-104404 - Do not clear DISPLAY unconditionally
ELSA-2026-19343 Important: Oracle Linux 9 xorg-x11-server security update
Oracle Linux Security Advisory ELSA-2026-19343
http://linux.oracle.com/errata/ELSA-2026-19343.html
The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:
x86_64:
xorg-x11-server-Xdmx-1.20.11-34.el9_8.2.x86_64.rpm
xorg-x11-server-Xephyr-1.20.11-34.el9_8.2.x86_64.rpm
xorg-x11-server-Xnest-1.20.11-34.el9_8.2.x86_64.rpm
xorg-x11-server-Xorg-1.20.11-34.el9_8.2.x86_64.rpm
xorg-x11-server-Xvfb-1.20.11-34.el9_8.2.x86_64.rpm
xorg-x11-server-common-1.20.11-34.el9_8.2.x86_64.rpm
xorg-x11-server-devel-1.20.11-34.el9_8.2.i686.rpm
xorg-x11-server-devel-1.20.11-34.el9_8.2.x86_64.rpm
xorg-x11-server-source-1.20.11-34.el9_8.2.noarch.rpm
aarch64:
xorg-x11-server-Xdmx-1.20.11-34.el9_8.2.aarch64.rpm
xorg-x11-server-Xephyr-1.20.11-34.el9_8.2.aarch64.rpm
xorg-x11-server-Xnest-1.20.11-34.el9_8.2.aarch64.rpm
xorg-x11-server-Xorg-1.20.11-34.el9_8.2.aarch64.rpm
xorg-x11-server-Xvfb-1.20.11-34.el9_8.2.aarch64.rpm
xorg-x11-server-common-1.20.11-34.el9_8.2.aarch64.rpm
xorg-x11-server-devel-1.20.11-34.el9_8.2.aarch64.rpm
xorg-x11-server-source-1.20.11-34.el9_8.2.noarch.rpm
SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/xorg-x11-server-1.20.11-34.el9_8.2.src.rpm
Related CVEs:
CVE-2026-33999
CVE-2026-34001
CVE-2026-34003
Description of changes:
[1.20.11-34.2]
- Other security related fixes
Resolves: https://redhat.atlassian.net/browse/RHEL-184288
[1.20.11-34.1]
- CVE fix for: CVE-2026-50256, CVE-2026-50257, CVE-2026-50258, CVE-2026-50259, CVE-2026-50260, CVE-2026-50261, CVE-2026-50262, CVE-2026-50263, CVE-2026-50264
Resolves: https://redhat.atlassian.net/browse/RHEL-182435
[1.20.11-34]
- CVE fix for: CVE-2026-33999, CVE-2026-34000, CVE-2026-34001, CVE-2026-34002, CVE-2026-34003
Resolves: https://redhat.atlassian.net/browse/RHEL-163226
Resolves: https://redhat.atlassian.net/browse/RHEL-163308
Resolves: https://redhat.atlassian.net/browse/RHEL-163239
ELSA-2026-18916 Important: Oracle Linux 9 tomcat security update
Oracle Linux Security Advisory ELSA-2026-18916
http://linux.oracle.com/errata/ELSA-2026-18916.html
The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:
x86_64:
tomcat-9.0.117-1.el9_8.noarch.rpm
tomcat-admin-webapps-9.0.117-1.el9_8.noarch.rpm
tomcat-docs-webapp-9.0.117-1.el9_8.noarch.rpm
tomcat-el-3.0-api-9.0.117-1.el9_8.noarch.rpm
tomcat-jsp-2.3-api-9.0.117-1.el9_8.noarch.rpm
tomcat-lib-9.0.117-1.el9_8.noarch.rpm
tomcat-servlet-4.0-api-9.0.117-1.el9_8.noarch.rpm
tomcat-webapps-9.0.117-1.el9_8.noarch.rpm
aarch64:
tomcat-9.0.117-1.el9_8.noarch.rpm
tomcat-admin-webapps-9.0.117-1.el9_8.noarch.rpm
tomcat-docs-webapp-9.0.117-1.el9_8.noarch.rpm
tomcat-el-3.0-api-9.0.117-1.el9_8.noarch.rpm
tomcat-jsp-2.3-api-9.0.117-1.el9_8.noarch.rpm
tomcat-lib-9.0.117-1.el9_8.noarch.rpm
tomcat-servlet-4.0-api-9.0.117-1.el9_8.noarch.rpm
tomcat-webapps-9.0.117-1.el9_8.noarch.rpm
SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/tomcat-9.0.117-1.el9_8.src.rpm
Related CVEs:
CVE-2025-46701
CVE-2025-55668
CVE-2025-55754
Description of changes:
[1:9.0.117-1]
- Resolves: RHEL-150714 Certificate revocation bypass due to improper OCSP response validation
- Resolves:
Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (CVE-2026-34500)
- Resolves:
Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token (CVE-2026-34487)
- Resolves:
Tomcat: The fix for CVE-2026-29146 allowed the bypass of the EncryptInterceptor (CVE-2026-34486)
- Resolves:
Tomcat: Incomplete escaping of JSON access logs (CVE-2026-34483)
- Resolves:
Tomcat: The fix for CVE-2025-66614 was incomplete (CVE-2026-32990)
- Resolves:
Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default (CVE-2026-29146)
- Resolves:
Tomcat: OCSP checks sometimes soft-fail even when soft-fail is disabled (CVE-2026-29145)
- Resolves:
Tomcat: Configured TLS cipher preference order not preserved (CVE-2026-29129)
- Resolves:
Tomcat: Occasionally open redirect (CVE-2026-25854)
- Resolves:
Tomcat: Request smuggling via invalid chunk extension (CVE-2026-24880)
- Resolves:
Tomcat: Incomplete OCSP verification checks (CVE-2026-24734)
- Resolves:
Tomcat: Security constraint bypass (CVE-2026-24733)
- Resolves:
Tomcat: Client certificate verification bypass due to virtual host mapping (CVE-2025-66614)