Fedora 42 Update: python3.9-3.9.25-9.fc42
Fedora 42 Update: lemonldap-ng-2.22.3-1.fc42
Fedora 42 Update: binaryen-126-1.fc42
Fedora 42 Update: buildah-1.43.1-1.fc42
Fedora 42 Update: miniupnpd-2.3.10-1.fc42
Fedora 42 Update: skopeo-1.22.2-1.fc42
Fedora 42 Update: xdg-dbus-proxy-0.1.7-1.fc42
Fedora 42 Update: libexif-0.6.26-1.fc42
Fedora 42 Update: podman-5.8.2-1.fc42
Fedora 42 Update: asterisk-18.26.4-1.fc42
Fedora 43 Update: libgcrypt-1.11.1-4.fc43
Fedora 43 Update: rust-rpm-sequoia-1.10.2-1.fc43
Fedora 43 Update: dokuwiki-20250514b-3.fc43
Fedora 43 Update: python3.9-3.9.25-9.fc43
Fedora 43 Update: lemonldap-ng-2.22.3-1.fc43
Fedora 43 Update: miniupnpd-2.3.10-1.fc43
Fedora 43 Update: binaryen-126-1.fc43
Fedora 43 Update: asterisk-18.26.4-1.fc43
Fedora 44 Update: openvpn-2.7.3-1.fc44
Fedora 44 Update: libgcrypt-1.12.2-1.fc44
Fedora 44 Update: rust-rpm-sequoia-1.10.2-1.fc44
Fedora 44 Update: miniupnpd-2.3.10-1.fc44
Fedora 44 Update: dokuwiki-20250514b-5.fc44
Fedora 44 Update: python3.9-3.9.25-9.fc44
Fedora 44 Update: lemonldap-ng-2.22.3-1.fc44
Fedora 44 Update: asterisk-18.26.4-1.fc44
[SECURITY] Fedora 42 Update: python3.9-3.9.25-9.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-60a694a385
2026-04-30 01:28:38.068282+00:00
--------------------------------------------------------------------------------
Name : python3.9
Product : Fedora 42
Version : 3.9.25
Release : 9.fc42
URL : https://www.python.org/
Summary : Version 3.9 of the Python interpreter
Description :
Python 3.9 package for developers.
This package exists to allow developers to test their code against an older
version of Python. This is not a full Python stack and if you wish to run
your applications with Python 3.9, see other distributions
that support it, such as CentOS or RHEL or older Fedora releases.
--------------------------------------------------------------------------------
Update Information:
Security fixes for CVE-2026-4786 and CVE-2026-6100
--------------------------------------------------------------------------------
ChangeLog:
* Fri Apr 17 2026 Charalampos Stratakis [cstratak@redhat.com] - 3.9.25-9
- Security fixes for CVE-2026-4786 and CVE-2026-6100
Resolves: rhbz#2458019, rhbz#2458227
* Sat Apr 11 2026 Miro Hrončok [mhroncok@redhat.com] - 3.9.25-8
- Explicitly build with OpenSSL 3
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2458019 - CVE-2026-6100 python3.9: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2458019
[ 2 ] Bug #2458227 - CVE-2026-4786 python3.9: Python: Arbitrary code execution via command injection in webbrowser.open() API [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2458227
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-60a694a385' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 42 Update: lemonldap-ng-2.22.3-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-69743812a7
2026-04-30 01:28:38.068269+00:00
--------------------------------------------------------------------------------
Name : lemonldap-ng
Product : Fedora 42
Version : 2.22.3
Release : 1.fc42
URL : https://lemonldap-ng.org
Summary : Web Single Sign On (SSO) and Access Management
Description :
LemonLdap::NG is a modular Web-SSO based on Apache::Session modules. It
simplifies the build of a protected area with a few changes in the
application. It manages both authentication and authorization and provides
headers for accounting.
So you can have a full AAA protection for your web space as described below.
--------------------------------------------------------------------------------
Update Information:
Update to 2.22.3
https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-22-3-is-out/
--------------------------------------------------------------------------------
ChangeLog:
* Mon Apr 20 2026 Clement Oudot [clement.oudot@worteks.com] - 2.22.3-1
- Update to 2.22.3
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2459684 - lemonldap-ng-2.22.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2459684
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-69743812a7' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 42 Update: binaryen-126-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-3831e11232
2026-04-30 01:28:38.068267+00:00
--------------------------------------------------------------------------------
Name : binaryen
Product : Fedora 42
Version : 126
Release : 1.fc42
URL : https://github.com/WebAssembly/binaryen
Summary : Compiler and toolchain infrastructure library for WebAssembly
Description :
Binaryen is a compiler and toolchain infrastructure library for WebAssembly,
written in C++. It aims to make compiling to WebAssembly easy, fast, and
effective:
* Easy: Binaryen has a simple C API in a single header, and can also be used
from JavaScript. It accepts input in WebAssembly-like form but also accepts
a general control flow graph for compilers that prefer that.
* Fast: Binaryen's internal IR uses compact data structures and is designed for
completely parallel codegen and optimization, using all available CPU cores.
Binaryen's IR also compiles down to WebAssembly extremely easily and quickly
because it is essentially a subset of WebAssembly.
* Effective: Binaryen's optimizer has many passes that can improve code very
significantly (e.g. local coloring to coalesce local variables; dead code
elimination; precomputing expressions when possible at compile time; etc.).
These optimizations aim to make Binaryen powerful enough to be used as a
compiler backend by itself. One specific area of focus is on
WebAssembly-specific optimizations (that general-purpose compilers might not
do), which you can think of as wasm minification, similar to minification for
JavaScript, CSS, etc., all of which are language-specific (an example of such
an optimization is block return value generation in SimplifyLocals).
--------------------------------------------------------------------------------
Update Information:
Fixes CVE-2025-14956.
--------------------------------------------------------------------------------
ChangeLog:
* Sun Feb 22 2026 Dominik Mierzejewski [dominik@greysector.net] - 126-1
- update to 126 (resolves rhbz#2439791)
- backport upstream fix for https://github.com/WebAssembly/binaryen/issues/8360
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 125-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 125-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Wed Nov 26 2025 Dominik Mierzejewski [dominik@greysector.net] - 125-1
- update to 125 (resolves rhbz#2416026)
* Sat Sep 27 2025 Dominik Mierzejewski [dominik@greysector.net] - 124-1
- update to 124 (resolves rhbz#2392739)
* Wed Jul 23 2025 Fedora Release Engineering [releng@fedoraproject.org] - 123-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Sun Mar 30 2025 Dominik Mierzejewski [dominik@greysector.net] - 123-1
- update to 123 (resolves rhbz#2354967)
* Tue Mar 4 2025 Dominik Mierzejewski [dominik@greysector.net] - 122-2
- unbundle FP16
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2429126 - CVE-2025-14956 binaryen: heap-based buffer overflow in WasmBinaryReader::readExpression() when parsing a malformed WebAssembly binary [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2429126
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-3831e11232' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 42 Update: buildah-1.43.1-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-156e6bfb27
2026-04-30 01:28:38.068244+00:00
--------------------------------------------------------------------------------
Name : buildah
Product : Fedora 42
Version : 1.43.1
Release : 1.fc42
URL : https://buildah.io
Summary : A command line tool used for creating OCI Images
Description :
The buildah package provides a command line tool which can be used to
* create a working container from scratch
or
* create a working container from an image as a starting point
* mount/umount a working container's root file system for manipulation
* save container's root file system layer to create a new image
* delete a working container or an image
--------------------------------------------------------------------------------
Update Information:
Automatic update for buildah-1.43.1-1.fc42, skopeo-1.22.2-1.fc42,
podman-5.8.2-1.fc42.
Changelog for buildah
* Wed Apr 08 2026 Packit [hello@packit.dev] - 2:1.43.1-1
- Update to 1.43.1 upstream release
Changelog for skopeo
* Tue Apr 14 2026 Packit [hello@packit.dev] - 1:1.22.2-1
- Update to 1.22.2 upstream release
* Fri Apr 10 2026 Lokesh Mandvekar [lsm5@redhat.com] - 1:1.22.1-2
- TMT: fix ref in plan
* Thu Apr 09 2026 Packit [hello@packit.dev] - 1:1.22.1-1
- Update to 1.22.1 upstream release
Changelog for podman
* Tue Apr 14 2026 Packit [hello@packit.dev] - 5:5.8.2-1
- Update to 5.8.2 upstream release
Security fix for CVE-2026-34986
--------------------------------------------------------------------------------
ChangeLog:
* Wed Apr 8 2026 Packit [hello@packit.dev] - 2:1.43.1-1
- Update to 1.43.1 upstream release
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2455675 - CVE-2026-34986 skopeo: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455675
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-156e6bfb27' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 42 Update: miniupnpd-2.3.10-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-2e8a8fd35b
2026-04-30 01:28:38.068264+00:00
--------------------------------------------------------------------------------
Name : miniupnpd
Product : Fedora 42
Version : 2.3.10
Release : 1.fc42
URL : https://miniupnp.tuxfamily.org/
Summary : Lightweight UPnP IGD & PCP/NAT-PMP daemon
Description :
The MiniUPnP daemon is an UPnP IGD & PCP/NAT-PMP daemon for gateway routers.
UPnP IGD & PCP/NAT-PMP are used to improve internet connectivity for devices behind
a NAT router. Any peer to peer network application such as games, IM, etc. can
benefit from a NAT router supporting UPnP IGD & PCP/NAT-PMP.
--------------------------------------------------------------------------------
Update Information:
2026/03/24:
fix missing fclose and potential double free in option file parsing
2026/03/23:
upnphttp.c: fix removal of quotes in ParseHttpHeaders()
minixml.c: fix buffer read overflow
2026/02/05:
Rewrite permission line parser
2025/05/26:
Fix false negative filtered STUN CGNAT test result for
unsupported servers #825
2025/05/24:
Fix Mac OS X 10.9 build
2025/05/15:
build: teststun executable
2025/04/28:
pf: fix delete_pinhole for openbsd. Was broken since miniupnpd 2.3.7
2025/04/26:
Fix parsing of interfaces names starting with a digit
nftables: add counter for DNAT rule (ENABLE_NFT_RULE_COUNTER in config.h)
nftables: improve scripts to support already existing tables
--------------------------------------------------------------------------------
ChangeLog:
* Mon Apr 20 2026 - Michael Cronenworth [mike@cchtml.com] - 2.3.10-1
- Version update
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 2.3.9-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Thu Jul 24 2025 Fedora Release Engineering [releng@fedoraproject.org] - 2.3.9-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2459688 - CVE-2026-5720 miniupnpd: miniupnpd: Denial of service or information disclosure due to integer underflow in SOAPAction header parsing. [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2459688
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-2e8a8fd35b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 42 Update: skopeo-1.22.2-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-156e6bfb27
2026-04-30 01:28:38.068244+00:00
--------------------------------------------------------------------------------
Name : skopeo
Product : Fedora 42
Version : 1.22.2
Release : 1.fc42
URL : https://github.com/containers/skopeo
Summary : Inspect container images and repositories on registries
Description :
Command line utility to inspect images and repositories directly on Docker
registries without the need to pull them.
--------------------------------------------------------------------------------
Update Information:
Automatic update for buildah-1.43.1-1.fc42, skopeo-1.22.2-1.fc42,
podman-5.8.2-1.fc42.
Changelog for buildah
* Wed Apr 08 2026 Packit [hello@packit.dev] - 2:1.43.1-1
- Update to 1.43.1 upstream release
Changelog for skopeo
* Tue Apr 14 2026 Packit [hello@packit.dev] - 1:1.22.2-1
- Update to 1.22.2 upstream release
* Fri Apr 10 2026 Lokesh Mandvekar [lsm5@redhat.com] - 1:1.22.1-2
- TMT: fix ref in plan
* Thu Apr 09 2026 Packit [hello@packit.dev] - 1:1.22.1-1
- Update to 1.22.1 upstream release
Changelog for podman
* Tue Apr 14 2026 Packit [hello@packit.dev] - 5:5.8.2-1
- Update to 5.8.2 upstream release
Security fix for CVE-2026-34986
--------------------------------------------------------------------------------
ChangeLog:
* Tue Apr 14 2026 Packit [hello@packit.dev] - 1:1.22.2-1
- Update to 1.22.2 upstream release
* Fri Apr 10 2026 Lokesh Mandvekar [lsm5@redhat.com] - 1:1.22.1-2
- TMT: fix ref in plan
* Thu Apr 9 2026 Packit [hello@packit.dev] - 1:1.22.1-1
- Update to 1.22.1 upstream release
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2455675 - CVE-2026-34986 skopeo: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455675
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-156e6bfb27' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 42 Update: xdg-dbus-proxy-0.1.7-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-adc66b374a
2026-04-30 01:28:38.068251+00:00
--------------------------------------------------------------------------------
Name : xdg-dbus-proxy
Product : Fedora 42
Version : 0.1.7
Release : 1.fc42
URL : https://github.com/flatpak/xdg-dbus-proxy/
Summary : Filtering proxy for D-Bus connections
Description :
xdg-dbus-proxy is a filtering proxy for D-Bus connections. It was originally
part of the flatpak project, but it has been broken out as a standalone module
to facilitate using it in other contexts.
--------------------------------------------------------------------------------
Update Information:
Update the package, including fix for CVE-2026-34080. See also: upstream
security advisory
--------------------------------------------------------------------------------
ChangeLog:
* Tue Apr 14 2026 Adrian Vovk [adrianvovk@gmail.com] - 0.1.7-1
- Update to 0.1.7
* Wed Mar 25 2026 Jan Grulich [jgrulich@redhat.com] - 0.1.6-6
- Add configuration for release-monitoring
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 0.1.6-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Fri Jul 25 2025 Fedora Release Engineering [releng@fedoraproject.org] - 0.1.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2456381 - CVE-2026-34080 xdg-dbus-proxy: xdg-dbus-proxy: Information disclosure due to policy parser vulnerability [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2456381
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-adc66b374a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 42 Update: libexif-0.6.26-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-b01307dc4d
2026-04-30 01:28:38.068248+00:00
--------------------------------------------------------------------------------
Name : libexif
Product : Fedora 42
Version : 0.6.26
Release : 1.fc42
URL : https://libexif.github.io/
Summary : Library for extracting extra information from image files
Description :
Most digital cameras produce EXIF files, which are JPEG files with
extra tags that contain information about the image. The EXIF library
allows you to parse an EXIF file and read the data from those tags.
--------------------------------------------------------------------------------
Update Information:
Update to 0.6.26, fixing several CVEs
https://github.com/libexif/libexif/releases/tag/v0.6.26
--------------------------------------------------------------------------------
ChangeLog:
* Tue Apr 14 2026 Packit [hello@packit.dev] - 0.6.26-1
- Update to 0.6.26 upstream release
- Resolves: rhbz#2458177
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 0.6.25-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Thu Jul 24 2025 Fedora Release Engineering [releng@fedoraproject.org] - 0.6.25-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2457746 - CVE-2026-40386 libexif: libexif: Denial of Service and information disclosure via integer underflow in MakerNote decoding [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457746
[ 2 ] Bug #2457747 - CVE-2026-40385 libexif: libexif: Information disclosure and crashes via integer overflow in Nikon MakerNote handling [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457747
[ 3 ] Bug #2458177 - libexif-0.6.26 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2458177
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-b01307dc4d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 42 Update: podman-5.8.2-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-156e6bfb27
2026-04-30 01:28:38.068244+00:00
--------------------------------------------------------------------------------
Name : podman
Product : Fedora 42
Version : 5.8.2
Release : 1.fc42
URL : https://podman.io/
Summary : Manage Pods, Containers and Container Images
Description :
podman (Pod Manager) is a fully featured container engine that is a simple
daemonless tool. podman provides a Docker-CLI comparable command line that
eases the transition from other container engines and allows the management of
pods, containers and images. Simply put: alias docker=podman.
Most podman commands can be run as a regular user, without requiring
additional privileges.
podman uses Buildah(1) internally to create container images.
Both tools share image (not container) storage, hence each can use or
manipulate images (but not containers) created by the other.
--------------------------------------------------------------------------------
Update Information:
Automatic update for buildah-1.43.1-1.fc42, skopeo-1.22.2-1.fc42,
podman-5.8.2-1.fc42.
Changelog for buildah
* Wed Apr 08 2026 Packit [hello@packit.dev] - 2:1.43.1-1
- Update to 1.43.1 upstream release
Changelog for skopeo
* Tue Apr 14 2026 Packit [hello@packit.dev] - 1:1.22.2-1
- Update to 1.22.2 upstream release
* Fri Apr 10 2026 Lokesh Mandvekar [lsm5@redhat.com] - 1:1.22.1-2
- TMT: fix ref in plan
* Thu Apr 09 2026 Packit [hello@packit.dev] - 1:1.22.1-1
- Update to 1.22.1 upstream release
Changelog for podman
* Tue Apr 14 2026 Packit [hello@packit.dev] - 5:5.8.2-1
- Update to 5.8.2 upstream release
Security fix for CVE-2026-34986
--------------------------------------------------------------------------------
ChangeLog:
* Tue Apr 14 2026 Packit [hello@packit.dev] - 5:5.8.2-1
- Update to 5.8.2 upstream release
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2455675 - CVE-2026-34986 skopeo: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455675
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-156e6bfb27' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 42 Update: asterisk-18.26.4-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-98decbde87
2026-04-30 01:28:38.068222+00:00
--------------------------------------------------------------------------------
Name : asterisk
Product : Fedora 42
Version : 18.26.4
Release : 1.fc42
URL : http://www.asterisk.org/
Summary : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.
--------------------------------------------------------------------------------
Update Information:
Update to Asterisk 18.26.4, addressing numerous security vulnerabilities
accumulated since the long-stale 18.12.1 package. The following CVEs are fixed
in this update:
CVE-2022-26498 (fixed in 18.13.0): use-after-free in chan_ooh323
CVE-2022-42705 (fixed in 18.15.0): use-after-free in res_pjsip_pubsub
CVE-2022-37325 (fixed in 18.15.1): crash in H323 channel via malformed IE
CVE-2023-37457 (fixed in 18.20.0): buffer overflow in PJSIP_HEADER function
CVE-2023-49294 (fixed in 18.20.1): arbitrary file read via AMI GetConfig
CVE-2023-49786 (fixed in 18.20.1): DTLS race condition causing DoS
CVE-2024-35190 (fixed in 18.23.1): unauthorized SIP requests matched as endpoint
CVE-2024-42365 (fixed in 18.24.2): Write=originate allows code execution
CVE-2024-42491 (fixed in 18.25.0): crash via malformed Contact/Record-Route URI
CVE-2025-49832 (fixed in 18.26.3): DoS/RCE in res_stir_shaken
CVE-2025-47779 (fixed in 18.26.2): identity forging via malformed From header
CVE-2025-1131 (fixed in 18.26.3): local privilege escalation via safe_asterisk
CVE-2025-54995 (fixed in 18.26.4): resource exhaustion via RTP port leak
Also fixes F44FailsToInstall for asterisk-snmp (BZ#2433748).
--------------------------------------------------------------------------------
ChangeLog:
* Fri Apr 10 2026 Peter Lemenkov [lemenkov@gmail.com] - 18.26.4-1
- Update to upstream 18.26.4 release.
* Fri Jan 23 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 18.12.1-1.18
- Rebuilt for net-snmp 5.9.5.2
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 18.12.1-1.17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 18.12.1-1.16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Wed Jul 23 2025 Fedora Release Engineering [releng@fedoraproject.org] - 18.12.1-1.15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Tue Feb 11 2025 Zbigniew Jędrzejewski-Szmek [zbyszek@in.waw.pl] - 18.12.1-1.14
- Add sysusers.d config file to allow rpm to create users/groups automatically
* Sat Feb 1 2025 Björn Esser [besser82@fedoraproject.org] - 18.12.1-1.13
- Add explicit BR: libxcrypt-devel
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2076245 - CVE-2022-26498 CVE-2022-26499 CVE-2022-26651 asterisk: multiple vulnerabilities [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2076245
[ 2 ] Bug #2150945 - CVE-2022-42705 asterisk: Use after free in res_pjsip_pubsub.c [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2150945
[ 3 ] Bug #2150951 - CVE-2022-37325 asterisk: Remote Crash Vulnerability in H323 channel add on [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2150951
[ 4 ] Bug #2254627 - TRIAGE CVE-2023-37457 asterisk: potential buffer overflow in PJSIP_HEADER dialplan function [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2254627
[ 5 ] Bug #2254632 - TRIAGE CVE-2023-49294 asterisk: access to arbitrary files via directory traversal [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2254632
[ 6 ] Bug #2254635 - TRIAGE CVE-2023-49786 asterisk: race condition in the hello handshake phase of the DTLS protocol triggers denial of service [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2254635
[ 7 ] Bug #2281497 - CVE-2024-35190 asterisk: wrongly matches ALL unauthorized SIP requests [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2281497
[ 8 ] Bug #2303919 - CVE-2024-42365 asterisk: Write=originate, is sufficient permissions for code execution / System() dialplan [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2303919
[ 9 ] Bug #2310293 - CVE-2024-42491 asterisk: A malformed Contact or Record-Route URI in an incoming SIP request can cause crash [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2310293
[ 10 ] Bug #2310294 - CVE-2024-42491 asterisk: A malformed Contact or Record-Route URI in an incoming SIP request can cause crash [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2310294
[ 11 ] Bug #2386209 - CVE-2025-49832 asterisk: Asterisk SIP Profile Remote Code Execution [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2386209
[ 12 ] Bug #2386210 - CVE-2025-49832 asterisk: Asterisk SIP Profile Remote Code Execution [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2386210
[ 13 ] Bug #2391521 - CVE-2025-54995 asterisk: Asterisk resource exhaustion [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2391521
[ 14 ] Bug #2391522 - CVE-2025-54995 asterisk: Asterisk resource exhaustion [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2391522
[ 15 ] Bug #2395449 - CVE-2025-47779 asterisk: Using malformed From header can forge identity with ";" or NULL in name portion [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2395449
[ 16 ] Bug #2395450 - CVE-2025-47779 asterisk: Using malformed From header can forge identity with ";" or NULL in name portion [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2395450
[ 17 ] Bug #2397958 - CVE-2025-1131 asterisk: Asterisk Unsafe Shell Sourcing Leads to Local Privilege Escalation [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2397958
[ 18 ] Bug #2397959 - CVE-2025-1131 asterisk-sounds-core: Asterisk Unsafe Shell Sourcing Leads to Local Privilege Escalation [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2397959
[ 19 ] Bug #2397961 - CVE-2025-1131 asterisk: Asterisk Unsafe Shell Sourcing Leads to Local Privilege Escalation [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2397961
[ 20 ] Bug #2397962 - CVE-2025-1131 asterisk-sounds-core: Asterisk Unsafe Shell Sourcing Leads to Local Privilege Escalation [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2397962
[ 21 ] Bug #2433748 - F44FailsToInstall: asterisk-snmp
https://bugzilla.redhat.com/show_bug.cgi?id=2433748
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-98decbde87' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: libgcrypt-1.11.1-4.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-8409145c11
2026-04-30 01:19:30.574325+00:00
--------------------------------------------------------------------------------
Name : libgcrypt
Product : Fedora 43
Version : 1.11.1
Release : 4.fc43
URL : https://www.gnupg.org/
Summary : A general-purpose cryptography library
Description :
Libgcrypt is a general purpose crypto library based on the code used
in GNU Privacy Guard. This is a development version.
--------------------------------------------------------------------------------
Update Information:
Fix CVE-2026-41989 (#2461782)
--------------------------------------------------------------------------------
ChangeLog:
* Mon Apr 27 2026 Jakub Jelen [jjelen@redhat.com] - 1.11.1-4
- Fix CVE-2026-41989 (#2461782)
- Skip annochecks
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2461782 - CVE-2026-41989 libgcrypt: Libgcrypt: Denial of Service and buffer overflow via crafted ECDH ciphertext [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2461782
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-8409145c11' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 43 Update: rust-rpm-sequoia-1.10.2-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-a80c26d6f3
2026-04-30 01:19:30.574317+00:00
--------------------------------------------------------------------------------
Name : rust-rpm-sequoia
Product : Fedora 43
Version : 1.10.2
Release : 1.fc43
URL : https://crates.io/crates/rpm-sequoia
Summary : Implementation of the RPM PGP interface using Sequoia
Description :
An implementation of the RPM PGP interface using Sequoia.
--------------------------------------------------------------------------------
Update Information:
Update to version 1.10.2. Addresses CVE-2026-2625.
--------------------------------------------------------------------------------
ChangeLog:
* Sat Apr 25 2026 Fabio Valentini [decathorpe@gmail.com] - 1.10.2-1
- Update to version 1.10.2; Fixes RHBZ#2461620
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2461620 - rust-rpm-sequoia-1.10.2 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2461620
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-a80c26d6f3' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: dokuwiki-20250514b-3.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-511c8bd939
2026-04-30 01:19:30.574304+00:00
--------------------------------------------------------------------------------
Name : dokuwiki
Product : Fedora 43
Version : 20250514b
Release : 3.fc43
URL : https://www.dokuwiki.org/dokuwiki
Summary : Standards compliant simple to use wiki
Description :
DokuWiki is a standards compliant, simple to use Wiki, mainly aimed at creating
documentation of any kind. It has a simple but powerful syntax which makes sure
the data-files remain readable outside the Wiki and eases the creation of
structured texts.
All data is stored in plain text files; no database is required.
--------------------------------------------------------------------------------
Update Information:
Add a patch for CVE-2026-26477
--------------------------------------------------------------------------------
ChangeLog:
* Mon Apr 20 2026 Artur Frenszek-Iwicki [fedora@svgames.pl] - 20250514b-3
- Add a patch for CVE-2026-26477
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2454794 - CVE-2026-26477 dokuwiki: Dokuwiki: Denial of Service via media_upload_xhr() function [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2454794
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-511c8bd939' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: python3.9-3.9.25-9.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7986d7f994
2026-04-30 01:19:30.574307+00:00
--------------------------------------------------------------------------------
Name : python3.9
Product : Fedora 43
Version : 3.9.25
Release : 9.fc43
URL : https://www.python.org/
Summary : Version 3.9 of the Python interpreter
Description :
Python 3.9 package for developers.
This package exists to allow developers to test their code against an older
version of Python. This is not a full Python stack and if you wish to run
your applications with Python 3.9, see other distributions
that support it, such as CentOS or RHEL or older Fedora releases.
--------------------------------------------------------------------------------
Update Information:
Security fixes for CVE-2026-4786 and CVE-2026-6100
--------------------------------------------------------------------------------
ChangeLog:
* Fri Apr 17 2026 Charalampos Stratakis [cstratak@redhat.com] - 3.9.25-9
- Security fixes for CVE-2026-4786 and CVE-2026-6100
Resolves: rhbz#2458019, rhbz#2458227
* Sat Apr 11 2026 Miro Hrončok [mhroncok@redhat.com] - 3.9.25-8
- Explicitly build with OpenSSL 3
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2458019 - CVE-2026-6100 python3.9: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2458019
[ 2 ] Bug #2458227 - CVE-2026-4786 python3.9: Python: Arbitrary code execution via command injection in webbrowser.open() API [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2458227
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-7986d7f994' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: lemonldap-ng-2.22.3-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-38914f4e04
2026-04-30 01:19:30.574299+00:00
--------------------------------------------------------------------------------
Name : lemonldap-ng
Product : Fedora 43
Version : 2.22.3
Release : 1.fc43
URL : https://lemonldap-ng.org
Summary : Web Single Sign On (SSO) and Access Management
Description :
LemonLdap::NG is a modular Web-SSO based on Apache::Session modules. It
simplifies the build of a protected area with a few changes in the
application. It manages both authentication and authorization and provides
headers for accounting.
So you can have a full AAA protection for your web space as described below.
--------------------------------------------------------------------------------
Update Information:
Update to 2.22.3
https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-22-3-is-out/
--------------------------------------------------------------------------------
ChangeLog:
* Mon Apr 20 2026 Clement Oudot [clement.oudot@worteks.com] - 2.22.3-1
- Update to 2.22.3
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2459684 - lemonldap-ng-2.22.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2459684
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-38914f4e04' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: miniupnpd-2.3.10-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-5f908cb040
2026-04-30 01:19:30.574294+00:00
--------------------------------------------------------------------------------
Name : miniupnpd
Product : Fedora 43
Version : 2.3.10
Release : 1.fc43
URL : https://miniupnp.tuxfamily.org/
Summary : Lightweight UPnP IGD & PCP/NAT-PMP daemon
Description :
The MiniUPnP daemon is a UPnP IGD & PCP/NAT-PMP daemon for gateway routers.
UPnP IGD & PCP/NAT-PMP are used to improve internet connectivity for devices behind
a NAT router. Any peer to peer network application such as games, IM, etc. can
benefit from a NAT router supporting UPnP IGD & PCP/NAT-PMP.
--------------------------------------------------------------------------------
Update Information:
2026/03/24:
fix missing fclose and potential double free in option file parsing
2026/03/23:
upnphttp.c: fix removal of quotes in ParseHttpHeaders()
minixml.c: fix buffer read overflow
2026/02/05:
Rewrite permission line parser
2025/05/26:
Fix false negative filtered STUN CGNAT test result for
unsupported servers #825
2025/05/24:
Fix Mac OS X 10.9 build
2025/05/15:
build: teststun executable
2025/04/28:
pf: fix delete_pinhole for openbsd. Was broken since miniupnpd 2.3.7
2025/04/26:
Fix parsing of interfaces names starting with a digit
nftables: add counter for DNAT rule (ENABLE_NFT_RULE_COUNTER in config.h)
nftables: improve scripts to support already existing tables
--------------------------------------------------------------------------------
ChangeLog:
* Mon Apr 20 2026 - Michael Cronenworth [mike@cchtml.com] - 2.3.10-1
- Version update
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 2.3.9-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2459688 - CVE-2026-5720 miniupnpd: miniupnpd: Denial of service or information disclosure due to integer underflow in SOAPAction header parsing. [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2459688
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-5f908cb040' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: binaryen-126-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-fb3e461878
2026-04-30 01:19:30.574296+00:00
--------------------------------------------------------------------------------
Name : binaryen
Product : Fedora 43
Version : 126
Release : 1.fc43
URL : https://github.com/WebAssembly/binaryen
Summary : Compiler and toolchain infrastructure library for WebAssembly
Description :
Binaryen is a compiler and toolchain infrastructure library for WebAssembly,
written in C++. It aims to make compiling to WebAssembly easy, fast, and
effective:
* Easy: Binaryen has a simple C API in a single header, and can also be used
from JavaScript. It accepts input in WebAssembly-like form but also accepts
a general control flow graph for compilers that prefer that.
* Fast: Binaryen's internal IR uses compact data structures and is designed for
completely parallel codegen and optimization, using all available CPU cores.
Binaryen's IR also compiles down to WebAssembly extremely easily and quickly
because it is essentially a subset of WebAssembly.
* Effective: Binaryen's optimizer has many passes that can improve code very
significantly (e.g. local coloring to coalesce local variables; dead code
elimination; precomputing expressions when possible at compile time; etc.).
These optimizations aim to make Binaryen powerful enough to be used as a
compiler backend by itself. One specific area of focus is on
WebAssembly-specific optimizations (that general-purpose compilers might not
do), which you can think of as wasm minification, similar to minification for
JavaScript, CSS, etc., all of which are language-specific (an example of such
an optimization is block return value generation in SimplifyLocals).
--------------------------------------------------------------------------------
Update Information:
Fixes CVE-2025-14956.
--------------------------------------------------------------------------------
ChangeLog:
* Sun Feb 22 2026 Dominik Mierzejewski [dominik@greysector.net] - 126-1
- update to 126 (resolves rhbz#2439791)
- backport upstream fix for https://github.com/WebAssembly/binaryen/issues/8360
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 125-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 125-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2429127 - CVE-2025-14956 binaryen: heap-based buffer overflow in WasmBinaryReader::readExpression() when parsing a malformed WebAssembly binary [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2429127
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-fb3e461878' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: asterisk-18.26.4-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-80b21debe7
2026-04-30 01:19:30.574257+00:00
--------------------------------------------------------------------------------
Name : asterisk
Product : Fedora 43
Version : 18.26.4
Release : 1.fc43
URL : http://www.asterisk.org/
Summary : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.
--------------------------------------------------------------------------------
Update Information:
Update to Asterisk 18.26.4, addressing numerous security vulnerabilities
accumulated since the long-stale 18.12.1 package. The following CVEs are fixed
in this update:
CVE-2022-26498 (fixed in 18.13.0): use-after-free in chan_ooh323
CVE-2022-42705 (fixed in 18.15.0): use-after-free in res_pjsip_pubsub
CVE-2022-37325 (fixed in 18.15.1): crash in H323 channel via malformed IE
CVE-2023-37457 (fixed in 18.20.0): buffer overflow in PJSIP_HEADER function
CVE-2023-49294 (fixed in 18.20.1): arbitrary file read via AMI GetConfig
CVE-2023-49786 (fixed in 18.20.1): DTLS race condition causing DoS
CVE-2024-35190 (fixed in 18.23.1): unauthorized SIP requests matched as endpoint
CVE-2024-42365 (fixed in 18.24.2): Write=originate allows code execution
CVE-2024-42491 (fixed in 18.25.0): crash via malformed Contact/Record-Route URI
CVE-2025-49832 (fixed in 18.26.3): DoS/RCE in res_stir_shaken
CVE-2025-47779 (fixed in 18.26.2): identity forging via malformed From header
CVE-2025-1131 (fixed in 18.26.3): local privilege escalation via safe_asterisk
CVE-2025-54995 (fixed in 18.26.4): resource exhaustion via RTP port leak
Also fixes F44FailsToInstall for asterisk-snmp (BZ#2433748).
--------------------------------------------------------------------------------
ChangeLog:
* Fri Apr 10 2026 Peter Lemenkov [lemenkov@gmail.com] - 18.26.4-1
- Update to upstream 18.26.4 release.
* Fri Jan 23 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 18.12.1-1.18
- Rebuilt for net-snmp 5.9.5.2
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 18.12.1-1.17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 18.12.1-1.16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2076245 - CVE-2022-26498 CVE-2022-26499 CVE-2022-26651 asterisk: multiple vulnerabilities [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2076245
[ 2 ] Bug #2150945 - CVE-2022-42705 asterisk: Use after free in res_pjsip_pubsub.c [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2150945
[ 3 ] Bug #2150951 - CVE-2022-37325 asterisk: Remote Crash Vulnerability in H323 channel add on [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2150951
[ 4 ] Bug #2254627 - TRIAGE CVE-2023-37457 asterisk: potential buffer overflow in PJSIP_HEADER dialplan function [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2254627
[ 5 ] Bug #2254632 - TRIAGE CVE-2023-49294 asterisk: access to arbitrary files via directory traversal [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2254632
[ 6 ] Bug #2254635 - TRIAGE CVE-2023-49786 asterisk: race condition in the hello handshake phase of the DTLS protocol triggers denial of service [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2254635
[ 7 ] Bug #2281497 - CVE-2024-35190 asterisk: wrongly matches ALL unauthorized SIP requests [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2281497
[ 8 ] Bug #2303919 - CVE-2024-42365 asterisk: Write=originate, is sufficient permissions for code execution / System() dialplan [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2303919
[ 9 ] Bug #2310293 - CVE-2024-42491 asterisk: A malformed Contact or Record-Route URI in an incoming SIP request can cause crash [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2310293
[ 10 ] Bug #2310294 - CVE-2024-42491 asterisk: A malformed Contact or Record-Route URI in an incoming SIP request can cause crash [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2310294
[ 11 ] Bug #2386209 - CVE-2025-49832 asterisk: Asterisk SIP Profile Remote Code Execution [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2386209
[ 12 ] Bug #2386210 - CVE-2025-49832 asterisk: Asterisk SIP Profile Remote Code Execution [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2386210
[ 13 ] Bug #2391521 - CVE-2025-54995 asterisk: Asterisk resource exhaustion [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2391521
[ 14 ] Bug #2391522 - CVE-2025-54995 asterisk: Asterisk resource exhaustion [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2391522
[ 15 ] Bug #2395449 - CVE-2025-47779 asterisk: Using malformed From header can forge identity with ";" or NULL in name portion [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2395449
[ 16 ] Bug #2395450 - CVE-2025-47779 asterisk: Using malformed From header can forge identity with ";" or NULL in name portion [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2395450
[ 17 ] Bug #2397958 - CVE-2025-1131 asterisk: Asterisk Unsafe Shell Sourcing Leads to Local Privilege Escalation [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2397958
[ 18 ] Bug #2397959 - CVE-2025-1131 asterisk-sounds-core: Asterisk Unsafe Shell Sourcing Leads to Local Privilege Escalation [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2397959
[ 19 ] Bug #2397961 - CVE-2025-1131 asterisk: Asterisk Unsafe Shell Sourcing Leads to Local Privilege Escalation [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2397961
[ 20 ] Bug #2397962 - CVE-2025-1131 asterisk-sounds-core: Asterisk Unsafe Shell Sourcing Leads to Local Privilege Escalation [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2397962
[ 21 ] Bug #2433748 - F44FailsToInstall: asterisk-snmp
https://bugzilla.redhat.com/show_bug.cgi?id=2433748
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-80b21debe7' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: openvpn-2.7.3-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-086acf3001
2026-04-30 00:52:11.847730+00:00
--------------------------------------------------------------------------------
Name : openvpn
Product : Fedora 44
Version : 2.7.3
Release : 1.fc44
URL : https://community.openvpn.net/
Summary : A full-featured TLS VPN solution
Description :
OpenVPN is a robust and highly flexible tunneling application that uses all
of the encryption, authentication, and certification features of the
OpenSSL library to securely tunnel IP networks over a single UDP or TCP
port. It can use the Marcus Franz Xaver Johannes Oberhumer's LZO library
for compression.
--------------------------------------------------------------------------------
Update Information:
Update to upstream 2.7.3 release
Update to upstream 2.7.2 release
CVE-2026-40215
CVE-2026-35058
--------------------------------------------------------------------------------
ChangeLog:
* Mon Apr 27 2026 Frank Lichtenheld [frank@lichtenheld.com] - 2.7.3
- Update to upstream 2.7.3 release
* Thu Apr 23 2026 Frank Lichtenheld [frank@lichtenheld.com] - 2.7.2
- Update to upstream 2.7.2 release
- CVE-2026-40215
- CVE-2026-35058
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-086acf3001' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: libgcrypt-1.12.2-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-9a79c58afd
2026-04-30 00:52:11.847722+00:00
--------------------------------------------------------------------------------
Name : libgcrypt
Product : Fedora 44
Version : 1.12.2
Release : 1.fc44
URL : https://www.gnupg.org/
Summary : A general-purpose cryptography library
Description :
Libgcrypt is a general purpose crypto library based on the code used
in GNU Privacy Guard. This is a development version.
--------------------------------------------------------------------------------
Update Information:
New upstream release (#2458643) fixing CVE-2026-41989 (#2461782)
--------------------------------------------------------------------------------
ChangeLog:
* Thu Apr 16 2026 Jakub Jelen [jjelen@redhat.com] - 1.12.2-1
- New upstream release (#2458643)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2461782 - CVE-2026-41989 libgcrypt: Libgcrypt: Denial of Service and buffer overflow via crafted ECDH ciphertext [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2461782
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-9a79c58afd' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: rust-rpm-sequoia-1.10.2-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-a15009ab19
2026-04-30 00:52:11.847715+00:00
--------------------------------------------------------------------------------
Name : rust-rpm-sequoia
Product : Fedora 44
Version : 1.10.2
Release : 1.fc44
URL : https://crates.io/crates/rpm-sequoia
Summary : Implementation of the RPM PGP interface using Sequoia
Description :
An implementation of the RPM PGP interface using Sequoia.
--------------------------------------------------------------------------------
Update Information:
Update to version 1.10.2. Addresses CVE-2026-2625.
--------------------------------------------------------------------------------
ChangeLog:
* Sat Apr 25 2026 Fabio Valentini [decathorpe@gmail.com] - 1.10.2-1
- Update to version 1.10.2; Fixes RHBZ#2461620
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2461620 - rust-rpm-sequoia-1.10.2 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2461620
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-a15009ab19' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: miniupnpd-2.3.10-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f933979509
2026-04-30 00:52:11.847682+00:00
--------------------------------------------------------------------------------
Name : miniupnpd
Product : Fedora 44
Version : 2.3.10
Release : 1.fc44
URL : https://miniupnp.tuxfamily.org/
Summary : Lightweight UPnP IGD & PCP/NAT-PMP daemon
Description :
The MiniUPnP daemon is a UPnP IGD & PCP/NAT-PMP daemon for gateway routers.
UPnP IGD & PCP/NAT-PMP are used to improve internet connectivity for devices behind
a NAT router. Any peer to peer network application such as games, IM, etc. can
benefit from a NAT router supporting UPnP IGD & PCP/NAT-PMP.
--------------------------------------------------------------------------------
Update Information:
2026/03/24:
fix missing fclose and potential double free in option file parsing
2026/03/23:
upnphttp.c: fix removal of quotes in ParseHttpHeaders()
minixml.c: fix buffer read overflow
2026/02/05:
Rewrite permission line parser
2025/05/26:
Fix false negative filtered STUN CGNAT test result for
unsupported servers #825
2025/05/24:
Fix Mac OS X 10.9 build
2025/05/15:
build: teststun executable
2025/04/28:
pf: fix delete_pinhole for openbsd. Was broken since miniupnpd 2.3.7
2025/04/26:
Fix parsing of interfaces names starting with a digit
nftables: add counter for DNAT rule (ENABLE_NFT_RULE_COUNTER in config.h)
nftables: improve scripts to support already existing tables
--------------------------------------------------------------------------------
ChangeLog:
* Mon Apr 20 2026 - Michael Cronenworth [mike@cchtml.com] - 2.3.10-1
- Version update
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2459688 - CVE-2026-5720 miniupnpd: miniupnpd: Denial of service or information disclosure due to integer underflow in SOAPAction header parsing. [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2459688
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f933979509' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: dokuwiki-20250514b-5.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-e1f1cff72a
2026-04-30 00:52:11.847700+00:00
--------------------------------------------------------------------------------
Name : dokuwiki
Product : Fedora 44
Version : 20250514b
Release : 5.fc44
URL : https://www.dokuwiki.org/dokuwiki
Summary : Standards compliant simple to use wiki
Description :
DokuWiki is a standards compliant, simple to use Wiki, mainly aimed at creating
documentation of any kind. It has a simple but powerful syntax which makes sure
the data-files remain readable outside the Wiki and eases the creation of
structured texts.
All data is stored in plain text files; no database is required.
--------------------------------------------------------------------------------
Update Information:
Add a patch for CVE-2026-26477
--------------------------------------------------------------------------------
ChangeLog:
* Mon Apr 20 2026 Artur Frenszek-Iwicki [fedora@svgames.pl] - 20250514b-5
- Add a patch for CVE-2026-26477
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2454794 - CVE-2026-26477 dokuwiki: Dokuwiki: Denial of Service via media_upload_xhr() function [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2454794
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-e1f1cff72a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: python3.9-3.9.25-9.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-85cf3694d8
2026-04-30 00:52:11.847703+00:00
--------------------------------------------------------------------------------
Name : python3.9
Product : Fedora 44
Version : 3.9.25
Release : 9.fc44
URL : https://www.python.org/
Summary : Version 3.9 of the Python interpreter
Description :
Python 3.9 is an accessible, high-level, dynamically typed, interpreted
programming language, designed with an emphasis on code readability.
It includes an extensive standard library, and has a vast ecosystem of
third-party libraries.
The python3.9 package provides the "python3.9" executable: the reference
interpreter for the Python language, version 3.
The majority of its standard library is provided in the python3.9-libs package,
which should be installed automatically along with python3.9.
The remaining parts of the Python standard library are broken out into the
python3.9-tkinter and python3.9-test packages, which may need to be installed
separately.
Documentation for Python is provided in the python3.9-docs package.
Packages containing additional libraries for Python are generally named with
the "python3.9-" prefix.
--------------------------------------------------------------------------------
Update Information:
Security fixes for CVE-2026-4786 and CVE-2026-6100
--------------------------------------------------------------------------------
ChangeLog:
* Fri Apr 17 2026 Charalampos Stratakis [cstratak@redhat.com] - 3.9.25-9
- Security fixes for CVE-2026-4786 and CVE-2026-6100
Resolves: rhbz#2458019, rhbz#2458227
* Sat Apr 11 2026 Miro Hrončok [mhroncok@redhat.com] - 3.9.25-8
- Explicitly build with OpenSSL 3
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2458019 - CVE-2026-6100 python3.9: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2458019
[ 2 ] Bug #2458227 - CVE-2026-4786 python3.9: Python: Arbitrary code execution via command injection in webbrowser.open() API [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2458227
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-85cf3694d8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: lemonldap-ng-2.22.3-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-6c8dcaf023
2026-04-30 00:52:11.847689+00:00
--------------------------------------------------------------------------------
Name : lemonldap-ng
Product : Fedora 44
Version : 2.22.3
Release : 1.fc44
URL : https://lemonldap-ng.org
Summary : Web Single Sign On (SSO) and Access Management
Description :
LemonLdap::NG is a modular Web-SSO based on Apache::Session modules. It
simplifies the build of a protected area with a few changes in the
application. It manages both authentication and authorization and provides
headers for accounting.
So you can have a full AAA protection for your web space as described below.
--------------------------------------------------------------------------------
Update Information:
Update to 2.22.3
https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-22-3-is-out/
--------------------------------------------------------------------------------
ChangeLog:
* Mon Apr 20 2026 Clement Oudot [clement.oudot@worteks.com] - 2.22.3-1
- Update to 2.22.3
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2459684 - lemonldap-ng-2.22.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2459684
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-6c8dcaf023' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: asterisk-18.26.4-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-38d71393c1
2026-04-30 00:52:11.847662+00:00
--------------------------------------------------------------------------------
Name : asterisk
Product : Fedora 44
Version : 18.26.4
Release : 1.fc44
URL : http://www.asterisk.org/
Summary : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.
--------------------------------------------------------------------------------
Update Information:
Update to Asterisk 18.26.4, addressing numerous security vulnerabilities
accumulated since the long-stale 18.12.1 package. The following CVEs are fixed
in this update:
CVE-2022-26498 (fixed in 18.13.0): use-after-free in chan_ooh323
CVE-2022-42705 (fixed in 18.15.0): use-after-free in res_pjsip_pubsub
CVE-2022-37325 (fixed in 18.15.1): crash in H323 channel via malformed IE
CVE-2023-37457 (fixed in 18.20.0): buffer overflow in PJSIP_HEADER function
CVE-2023-49294 (fixed in 18.20.1): arbitrary file read via AMI GetConfig
CVE-2023-49786 (fixed in 18.20.1): DTLS race condition causing DoS
CVE-2024-35190 (fixed in 18.23.1): unauthorized SIP requests matched as endpoint
CVE-2024-42365 (fixed in 18.24.2): Write=originate allows code execution
CVE-2024-42491 (fixed in 18.25.0): crash via malformed Contact/Record-Route URI
CVE-2025-49832 (fixed in 18.26.3): DoS/RCE in res_stir_shaken
CVE-2025-47779 (fixed in 18.26.2): identity forging via malformed From header
CVE-2025-1131 (fixed in 18.26.3): local privilege escalation via safe_asterisk
CVE-2025-54995 (fixed in 18.26.4): resource exhaustion via RTP port leak
Also fixes F44FailsToInstall for asterisk-snmp (BZ#2433748).
--------------------------------------------------------------------------------
ChangeLog:
* Fri Apr 10 2026 Peter Lemenkov [lemenkov@gmail.com] - 18.26.4-1
- Update to upstream 18.26.4 release.
* Fri Jan 23 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 18.12.1-1.18
- Rebuilt for net-snmp 5.9.5.2
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2076245 - CVE-2022-26498 CVE-2022-26499 CVE-2022-26651 asterisk: multiple vulnerabilities [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2076245
[ 2 ] Bug #2150945 - CVE-2022-42705 asterisk: Use after free in res_pjsip_pubsub.c [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2150945
[ 3 ] Bug #2150951 - CVE-2022-37325 asterisk: Remote Crash Vulnerability in H323 channel add on [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2150951
[ 4 ] Bug #2254627 - TRIAGE CVE-2023-37457 asterisk: potential buffer overflow in PJSIP_HEADER dialplan function [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2254627
[ 5 ] Bug #2254632 - TRIAGE CVE-2023-49294 asterisk: access to arbitrary files via directory traversal [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2254632
[ 6 ] Bug #2254635 - TRIAGE CVE-2023-49786 asterisk: race condition in the hello handshake phase of the DTLS protocol triggers denial of service [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2254635
[ 7 ] Bug #2281497 - CVE-2024-35190 asterisk: wrongly matches ALL unauthorized SIP requests [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2281497
[ 8 ] Bug #2303919 - CVE-2024-42365 asterisk: Write=originate, is sufficient permissions for code execution / System() dialplan [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2303919
[ 9 ] Bug #2310293 - CVE-2024-42491 asterisk: A malformed Contact or Record-Route URI in an incoming SIP request can cause crash [fedora-39]
https://bugzilla.redhat.com/show_bug.cgi?id=2310293
[ 10 ] Bug #2310294 - CVE-2024-42491 asterisk: A malformed Contact or Record-Route URI in an incoming SIP request can cause crash [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2310294
[ 11 ] Bug #2386209 - CVE-2025-49832 asterisk: Asterisk SIP Profile Remote Code Execution [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2386209
[ 12 ] Bug #2386210 - CVE-2025-49832 asterisk: Asterisk SIP Profile Remote Code Execution [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2386210
[ 13 ] Bug #2391521 - CVE-2025-54995 asterisk: Asterisk resource exhaustion [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2391521
[ 14 ] Bug #2391522 - CVE-2025-54995 asterisk: Asterisk resource exhaustion [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2391522
[ 15 ] Bug #2395449 - CVE-2025-47779 asterisk: Using malformed From header can forge identity with ";" or NULL in name portion [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2395449
[ 16 ] Bug #2395450 - CVE-2025-47779 asterisk: Using malformed From header can forge identity with ";" or NULL in name portion [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2395450
[ 17 ] Bug #2397958 - CVE-2025-1131 asterisk: Asterisk Unsafe Shell Sourcing Leads to Local Privilege Escalation [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2397958
[ 18 ] Bug #2397959 - CVE-2025-1131 asterisk-sounds-core: Asterisk Unsafe Shell Sourcing Leads to Local Privilege Escalation [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2397959
[ 19 ] Bug #2397961 - CVE-2025-1131 asterisk: Asterisk Unsafe Shell Sourcing Leads to Local Privilege Escalation [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2397961
[ 20 ] Bug #2397962 - CVE-2025-1131 asterisk-sounds-core: Asterisk Unsafe Shell Sourcing Leads to Local Privilege Escalation [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2397962
[ 21 ] Bug #2433748 - F44FailsToInstall: asterisk-snmp
https://bugzilla.redhat.com/show_bug.cgi?id=2433748
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-38d71393c1' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------