Fedora Linux has been updated with two security updates: tigervnc-1.15.0-2.fc41 for Fedora 41 and expat-2.7.0-1.fc42 for Fedora 42.

Fedora 41 Update: tigervnc-1.15.0-2.fc41
Fedora 42 Update: expat-2.7.0-1.fc42

[SECURITY] Fedora 41 Update: tigervnc-1.15.0-2.fc41

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-96f8a2da96
2025-03-19 02:05:01.597227+00:00
--------------------------------------------------------------------------------

Name : tigervnc
Product : Fedora 41
Version : 1.15.0
Release : 2.fc41
URL : http://www.tigervnc.com
Summary : A TigerVNC remote display system
Description :
Virtual Network Computing (VNC) is a remote display system which
allows you to view a computing 'desktop' environment not only on the
machine where it is running, but from anywhere on the Internet and
from a wide variety of machine architectures. This package contains a
client which will allow you to connect to other desktops running a VNC
server.

--------------------------------------------------------------------------------
Update Information:

Tigervnc 1.15.0 update.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Mar 3 2025 Jan Grulich [jgrulich@redhat.com] - 1.15.0-2
- Rebuild (xorg-x11-server)
Fixes CVE-2025-26594, CVE-2025-26595, CVE-2025-26596, CVE-2025-26597,
CVE-2025-26598, CVE-2025-26599, CVE-2025-26600, CVE-2025-26601
* Tue Feb 18 2025 Jan Grulich [jgrulich@redhat.com] - 1.15.0-1
- 1.15.0
* Tue Jan 21 2025 Jan Grulich [jgrulich@redhat.com] - 1.14.1-5
- Adjust paths for vncsession binary for /sbin and /bin merge
* Sun Jan 19 2025 Fedora Release Engineering [releng@fedoraproject.org] - 1.14.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2337822 - tigervnc-1.15.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2337822
[ 2 ] Bug #2349366 - CVE-2025-26598 tigervnc: Out-of-bounds write in CreatePointerBarrierClient() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2349366
[ 3 ] Bug #2349369 - CVE-2025-26594 tigervnc: Use-after-free of the root cursor [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2349369
[ 4 ] Bug #2349372 - CVE-2025-26596 tigervnc: Heap overflow in XkbWriteKeySyms() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2349372
[ 5 ] Bug #2349375 - CVE-2025-26595 tigervnc: Buffer overflow in XkbVModMaskText() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2349375
[ 6 ] Bug #2349378 - CVE-2025-26597 tigervnc: Buffer overflow in XkbChangeTypesOfKey() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2349378
[ 7 ] Bug #2349455 - CVE-2025-26599 tigervnc: Use of uninitialized pointer in compRedirectWindow() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2349455
[ 8 ] Bug #2349460 - CVE-2025-26601 tigervnc: Use-after-free in SyncInitTrigger() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2349460
[ 9 ] Bug #2349461 - CVE-2025-26600 tigervnc: Use-after-free in PlayReleasedEvents() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2349461
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-96f8a2da96' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--

[SECURITY] Fedora 42 Update: expat-2.7.0-1.fc42

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-f2ea2821cc
2025-03-19 00:16:05.337365+00:00
--------------------------------------------------------------------------------

Name : expat
Product : Fedora 42
Version : 2.7.0
Release : 1.fc42
URL : https://libexpat.github.io/
Summary : An XML parser library
Description :
This is expat, the C library for parsing XML, written by James Clark. Expat
is a stream oriented XML parser. This means that you register handlers with
the parser prior to starting the parse. These handlers are called when the
parser discovers the associated structures in the document being parsed. A
start tag is an example of the kind of structures for which you may
register handlers.

--------------------------------------------------------------------------------
Update Information:

Rebase to 2.7.0
--------------------------------------------------------------------------------
ChangeLog:

* Fri Mar 14 2025 Tomas Korbar [tkorbar@redhat.com] - 2.7.0-1
- Rebase to 2.7.0
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2352474 - expat-2.7.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2352474
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-f2ea2821cc' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--