Fedora 44 Update: tmux-3.7b-2.fc44
Fedora 44 Update: sssd-2.13.1-2.fc44
Fedora 44 Update: attr-2.6.0-1.fc44
Fedora 44 Update: acl-2.4.0-1.fc44
Fedora 44 Update: python-pillow-12.3.0-1.fc44
Fedora 44 Update: jfrog-cli-2.112.0-1.fc44
Fedora 44 Update: cjson-1.7.19-1.fc44
Fedora 44 Update: perl-HTML-Gumbo-0.19-1.fc44
Fedora 44 Update: prometheus-3.13.0-1.fc44
Fedora 44 Update: librabbitmq-0.17.0-1.fc44
Fedora 44 Update: composer-2.10.2-1.fc44
Fedora 44 Update: OpenImageIO-3.1.15.0-1.fc44
Fedora 43 Update: openssh-10.0p1-10.fc43
Fedora 43 Update: docker-compose-5.3.0-1.fc43
Fedora 43 Update: perl-HTML-Gumbo-0.19-1.fc43
Fedora 43 Update: prometheus-3.13.0-1.fc43
Fedora 43 Update: composer-2.10.2-1.fc43
[SECURITY] Fedora 44 Update: tmux-3.7b-2.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f5dd9fb83f
2026-07-11 01:06:30.201379+00:00
--------------------------------------------------------------------------------
Name : tmux
Product : Fedora 44
Version : 3.7b
Release : 2.fc44
URL : https://tmux.github.io/
Summary : A terminal multiplexer
Description :
tmux is a "terminal multiplexer." It enables a number of terminals (or
windows) to be accessed and controlled from a single terminal. tmux is
intended to be a simple, modern, BSD-licensed alternative to programs such
as GNU Screen.
--------------------------------------------------------------------------------
Update Information:
fdf6afc update to 3.7b fixes rhbz#2498485
CHANGES FROM 3.7a TO 3.7b
Fix so that the end of a synchronized update again triggers a redraw.
CHANGES FROM 3.7 TO 3.7a
Fix crash in break-pane when no name is provided.
Scrollbar options are now cached rather than being looked up for every redraw
(issue 5298).
Only forbid #( in names, allow #[, empty names, : and .
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jul 9 2026 Filipe Rosset [filiperosset@fedoraproject.org] - 3.7b-2
- fix 3.7b build
* Thu Jul 9 2026 Filipe Rosset [filiperosset@fedoraproject.org] - 3.7b-1
- update to 3.7b fixes rhbz#2498485
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2487530 - CVE-2026-11623 tmux: tmux: Use-after-free vulnerability [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2487530
[ 2 ] Bug #2498485 - update to 3.7b
https://bugzilla.redhat.com/show_bug.cgi?id=2498485
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f5dd9fb83f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 44 Update: sssd-2.13.1-2.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-5acfb0243b
2026-07-11 01:06:30.201372+00:00
--------------------------------------------------------------------------------
Name : sssd
Product : Fedora 44
Version : 2.13.1
Release : 2.fc44
URL : https://github.com/SSSD/sssd/
Summary : System Security Services Daemon
Description :
Provides a set of daemons to manage access to remote directories and
authentication mechanisms. It provides an NSS and PAM interface toward
the system and a pluggable back end system to connect to multiple different
account sources. It is also the basis to provide client auditing and policy
services for projects like FreeIPA.
The sssd subpackage is a meta-package that contains the daemon as well as all
the existing back ends.
--------------------------------------------------------------------------------
Update Information:
CVE fixes: CVE-2026-12610 CVE-2026-14474 CVE-2026-14476
- rhbz#2494777: CVE-2026-12610 sssd: Use-after-free crash in SSSD' 'sssd_pam'
process
- rhbz#2497650: CVE-2026-14476 sssd: sssd: GPO cache path traversal via
unsanitized
gPCFileSysPath allows Kerberos authentication bypass
- rhbz#2497651: CVE-2026-14474 sssd: sssd: sudo LDAP provider searches entire
directory
tree for sudoRole objects by default, enabling privilege escalation
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jul 8 2026 Sumit Bose [sbose@redhat.com] - 2.13.1-2
- CVE fixes: CVE-2026-12610 CVE-2026-14474 CVE-2026-14476
- rhbz#2494777: CVE-2026-12610 sssd: Use-after-free crash in SSSD'
'sssd_pam' process
- rhbz#2497650: CVE-2026-14476 sssd: sssd: GPO cache path traversal via
unsanitized gPCFileSysPath allows Kerberos authentication bypass
- rhbz#2497651: CVE-2026-14474 sssd: sssd: sudo LDAP provider searches
entire directory tree for sudoRole objects by default, enabling privilege
escalation
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2494777 - CVE-2026-12610 sssd: Use-after-free crash in SSSD' 'sssd_pam' process [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2494777
[ 2 ] Bug #2497650 - CVE-2026-14476 sssd: sssd: GPO cache path traversal via unsanitized gPCFileSysPath allows Kerberos authentication bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2497650
[ 3 ] Bug #2497651 - CVE-2026-14474 sssd: sssd: sudo LDAP provider searches entire directory tree for sudoRole objects by default, enabling privilege escalation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2497651
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-5acfb0243b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 44 Update: attr-2.6.0-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-daa458d11d
2026-07-11 01:06:30.201361+00:00
--------------------------------------------------------------------------------
Name : attr
Product : Fedora 44
Version : 2.6.0
Release : 1.fc44
URL : https://savannah.nongnu.org/projects/attr
Summary : Utilities for managing filesystem extended attributes
Description :
A set of tools for manipulating extended attributes on filesystem
objects, in particular getfattr(1) and setfattr(1).
An attr(1) command is also provided which is largely compatible
with the SGI IRIX tool of the same name.
--------------------------------------------------------------------------------
Update Information:
rebase to v2.6.0 to fix CVE-2026-54371
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jul 9 2026 Luk???? Zaoral [lzaoral@redhat.com] - 2.6.0-1
- rebase to v2.6.0 to fix the following CVEs:
- CVE-2026-54371 - Symlink Traversal Privilege Escalation via getfattr (rhbz#2494172)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2494172 - CVE-2026-54371 attr: Symlink Traversal Privilege Escalation via getfattr [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2494172
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-daa458d11d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: acl-2.4.0-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-6b9a652463
2026-07-11 01:06:30.201359+00:00
--------------------------------------------------------------------------------
Name : acl
Product : Fedora 44
Version : 2.4.0
Release : 1.fc44
URL : https://savannah.nongnu.org/projects/acl
Summary : Access control list utilities
Description :
This package contains the getfacl and setfacl utilities needed for
manipulating access control lists.
--------------------------------------------------------------------------------
Update Information:
rebase to v2.4.0 to fix CVE-2026-54369 and CVE-2026-54370
Resolves: CVE-2026-54369
Resolves: CVE-2026-54370
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jul 9 2026 Luk???? Zaoral [lzaoral@redhat.com] - 2.4.0-1
- rebase to v2.4.0 to fix the following CVEs:
- CVE-2026-54369 - Symlink traversal privilege escalation via libacl functions
- CVE-2026-54370 - TOCTOU Symlink Traversal via getfacl/setfacl
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2494173 - CVE-2026-54370 acl: TOCTOU Symlink Traversal via getfacl/setfacl [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2494173
[ 2 ] Bug #2494174 - CVE-2026-54369 acl: Symlink traversal privilege escalation via libacl functions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2494174
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-6b9a652463' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: python-pillow-12.3.0-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-46c4892063
2026-07-11 01:06:30.201352+00:00
--------------------------------------------------------------------------------
Name : python-pillow
Product : Fedora 44
Version : 12.3.0
Release : 1.fc44
URL : http://python-pillow.github.io/
Summary : Python image processing library
Description :
Python image processing library, fork of the Python Imaging Library (PIL)
This library provides extensive file format support, an efficient
internal representation, and powerful image processing capabilities.
There are four subpackages: tk (tk interface), qt (PIL image wrapper for Qt),
devel (development) and doc (documentation).
--------------------------------------------------------------------------------
Update Information:
Fix CVE-2026-55380, CVE-2026-54060, CVE-2026-54059, CVE-2026-55379,
CVE-2026-55798
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jul 2 2026 Sandro Mani [manisandro@gmail.com] - 12.3.0-1
- Update to 12.3.0
* Wed Jun 3 2026 Python Maint - 12.2.0-2
- Rebuilt for Python 3.15
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2497649 - CVE-2026-55379 python-pillow: Pillow: Denial of Service via crafted BDF font file [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2497649
[ 2 ] Bug #2497660 - CVE-2026-55380 python-pillow: Pillow: Denial of Service via crafted GD 2.x image file [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2497660
[ 3 ] Bug #2497665 - CVE-2026-54060 python-pillow: Pillow: Denial of Service via excessive memory allocation when processing font files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2497665
[ 4 ] Bug #2497682 - CVE-2026-54059 python-pillow: Pillow: Denial of Service via crafted PCF font data [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2497682
[ 5 ] Bug #2497699 - CVE-2026-55798 python-pillow: Pillow: Arbitrary command injection via shell metacharacters in file paths [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2497699
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-46c4892063' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 44 Update: jfrog-cli-2.112.0-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-a5e27945f7
2026-07-11 01:06:30.201345+00:00
--------------------------------------------------------------------------------
Name : jfrog-cli
Product : Fedora 44
Version : 2.112.0
Release : 1.fc44
URL : https://github.com/jfrog/jfrog-cli
Summary : CLI to automate access to JFrog products
Description :
JFrog CLI is a client that provides a simple interface that automates access to
the JFrog products.
--------------------------------------------------------------------------------
Update Information:
Update to 2.112.0.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jul 2 2026 Simone Caronni [negativo17@gmail.com] - 2.112.0-1
- Update to 2.112.0
* Tue Jun 30 2026 Simone Caronni [negativo17@gmail.com] - 2.111.0-1
- Update to 2.111.0
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2486209 - CVE-2026-45287 jfrog-cli: OpenTelemetry-Go: Denial of Service due to file descriptor leak [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2486209
[ 2 ] Bug #2486291 - CVE-2026-45287 jfrog-cli: OpenTelemetry-Go: Denial of Service due to file descriptor leak [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2486291
[ 3 ] Bug #2489886 - CVE-2026-39828 jfrog-cli: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2489886
[ 4 ] Bug #2489892 - CVE-2026-39828 jfrog-cli: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2489892
[ 5 ] Bug #2490031 - CVE-2026-39829 jfrog-cli: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490031
[ 6 ] Bug #2490064 - CVE-2026-39829 jfrog-cli: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490064
[ 7 ] Bug #2490392 - CVE-2026-39830 jfrog-cli: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490392
[ 8 ] Bug #2490478 - CVE-2026-39830 jfrog-cli: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490478
[ 9 ] Bug #2493082 - CVE-2026-39832 jfrog-cli: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2493082
[ 10 ] Bug #2493369 - jfrog-cli-2.112.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2493369
[ 11 ] Bug #2493527 - CVE-2026-39835 jfrog-cli: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2493527
[ 12 ] Bug #2493565 - CVE-2026-41567 jfrog-cli: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2493565
[ 13 ] Bug #2494437 - CVE-2026-39833 jfrog-cli: golang.org/x/crypto/ssh/agent: Security bypass due to unenforced key confirmation [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2494437
[ 14 ] Bug #2496444 - CVE-2026-47262 jfrog-cli: containerd: Denial of Service via maliciously crafted image leading to unbounded group parsing [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2496444
[ 15 ] Bug #2496513 - CVE-2026-44740 jfrog-cli: Billy: Denial of Service via crafted input due to insufficient validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2496513
[ 16 ] Bug #2496560 - CVE-2026-53492 jfrog-cli: containerd: Security bypass via Container Device Interface (CDI) annotation smuggling during checkpoint restoration. [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2496560
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-a5e27945f7' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 44 Update: cjson-1.7.19-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-0c3f6c7c67
2026-07-11 01:06:30.201347+00:00
--------------------------------------------------------------------------------
Name : cjson
Product : Fedora 44
Version : 1.7.19
Release : 1.fc44
URL : https://github.com/DaveGamble/cJSON
Summary : Ultralightweight JSON parser in ANSI C
Description :
cJSON aims to be the dumbest possible parser that you can get your job
done with. It's a single file of C, and a single header file.
--------------------------------------------------------------------------------
Update Information:
Update to version 1.7.19.
https://github.com/DaveGamble/cJSON/blob/v1.7.19/CHANGELOG.md
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jul 1 2026 Carl George [carlwgeorge@gmail.com] - 1.7.19-1
- Update to version 1.7.19 rhbz#2394084
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2495843 - CVE-2025-57052 cjson: out-of-bounds access in decode_array_index_from_pointer() in cJSON_Utils.c via crafted JSON pointer strings [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2495843
[ 2 ] Bug #2495846 - CVE-2023-26819 cjson: cJSON rejects a valid text [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2495846
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-0c3f6c7c67' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 44 Update: perl-HTML-Gumbo-0.19-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-75010c7f44
2026-07-11 01:06:30.201339+00:00
--------------------------------------------------------------------------------
Name : perl-HTML-Gumbo
Product : Fedora 44
Version : 0.19
Release : 1.fc44
URL : https://metacpan.org/dist/HTML-Gumbo
Summary : HTML5 parser based on gumbo C library
Description :
Gumbo is an implementation of the HTML5 parsing algorithm implemented as a
pure C99 library with no outside dependencies.
--------------------------------------------------------------------------------
Update Information:
This package provides the Perl module HTML::Gumbo. Versions before 0.19 disclose
heap memory via type confusion.
Support for the element was added to libgumbo 0.10.0 in 2015, but the walk_tree
function in lib/HTML/Gumbo.xs was not updated to support it. The element was
treated as a text-node, where strlen() over-reads the heap block that the
pointer addresses.
--------------------------------------------------------------------------------
ChangeLog:
* Sat May 30 2026 Emmanuel Seyman [emmanuel@seyman.fr] - 0.19-1
- Update to 0.19
- Update dependencies
- Use /usr/bin/perl instead of %{__perl}
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2496536 - CVE-2025-15646 perl-HTML-Gumbo: HTML::Gumbo: Information disclosure through HTML template processing [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2496536
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-75010c7f44' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 44 Update: prometheus-3.13.0-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-01a1840582
2026-07-11 01:06:30.201315+00:00
--------------------------------------------------------------------------------
Name : prometheus
Product : Fedora 44
Version : 3.13.0
Release : 1.fc44
URL : https://github.com/prometheus/prometheus
Summary : Prometheus monitoring system and time series database
Description :
The Prometheus monitoring system and time series database.
--------------------------------------------------------------------------------
Update Information:
Update to 3.13.0
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jul 2 2026 Mikel Olasagasti Uranga [mikel@olasagasti.info] - 3.13.0-1
- Update to 3.13.0 - Closes rhbz#2495979
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2489191 - CVE-2026-40186 prometheus: ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2489191
[ 2 ] Bug #2492689 - CVE-2026-44990 prometheus: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2492689
[ 3 ] Bug #2493575 - CVE-2026-41567 prometheus: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2493575
[ 4 ] Bug #2495063 - CVE-2026-53606 prometheus: sanitize-html: Cross-Site Scripting (XSS) via insufficient URI scheme validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2495063
[ 5 ] Bug #2495322 - CVE-2026-25681 prometheus: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2495322
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-01a1840582' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 44 Update: librabbitmq-0.17.0-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-fc2f661416
2026-07-11 01:06:30.201235+00:00
--------------------------------------------------------------------------------
Name : librabbitmq
Product : Fedora 44
Version : 0.17.0
Release : 1.fc44
URL : https://github.com/alanxz/rabbitmq-c
Summary : Client library for AMQP
Description :
This is a C-language AMQP client library for use with AMQP servers
speaking protocol versions 0-9-1.
--------------------------------------------------------------------------------
Update Information:
Version 0.17.0 - 2026-07-01
Security
Fix size_t overflow in amqp_decode_bytes bounds check leading to out-of-bounds
read (GHSA-jgjf-7fwf-f3c7, #888)
Fix heap buffer overflow in amqp_frame_to_bytes for oversized body frames (GHSA-
hfjv-vcp3-39wh, #892)
Added
librabbitmq-tools fall back to the AMQP_URL environment variable when no
connection options are given on the command line (#887)
Fixed
Fix undefined behavior in amqp_decode_properties when decoding content-header
property flags (#883, #885)
Fix ioctlsocket type mismatch on Windows (#890)
Document buffer lifetime requirement of amqp_decode_table's encoded buffer to
prevent use-after-free misuse (#895)
Changed
librabbitmq-tools now enable default SSL certificate verification paths unless
--no-default-cert-paths is passed (fixes #868, #893)
Building the tools now requires POPT v1.14 or newer (#889)
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jul 2 2026 Remi Collet [remi@remirepo.net] - 0.17.0-1
- update to 0.17.0
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-fc2f661416' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 44 Update: composer-2.10.2-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-22ba02bee3
2026-07-11 01:06:30.201230+00:00
--------------------------------------------------------------------------------
Name : composer
Product : Fedora 44
Version : 2.10.2
Release : 1.fc44
URL : https://getcomposer.org/
Summary : Dependency Manager for PHP
Description :
Composer helps you declare, manage and install dependencies of PHP projects,
ensuring you have the right stack everywhere.
Documentation: https://getcomposer.org/doc/
--------------------------------------------------------------------------------
Update Information:
Version 2.10.2 - 2026-07-01
Security: Validate package names (GHSA-499r-g7pc-vmp9)
Security: Validate package bin paths against path traversal (GHSA-gjfg-22fp-
rrxx)
Security: Sanitize URL-embedded usernames/token in verbose output
(GHSA-g6xq-892h-64w3)
Security: Only follow HTTP redirects from HTTP responses (#12948)
Security: Prevent phar metadata unserialization on unsafe PHP versions (#12946)
Security: Sanitize JSON parse errors in http responses to avoid leaking response
body data (#12959)
Added warning output in self-update command when using a soon-to-be EOL version
(#12920)
Added download retry when a GitHub codeload URL returns a 400 (#12962)
Fixed audit command to output the audit result to stdout (#12904)
Fixed backspace characters being output to non-decorated output (#12925)
Fixed security advisory blocking causing issues with xdebug enabled (#12935)
Fixed provider packages hiding suggestions for the package they provide
themselves (#12933)
Fixed security advisory blocking causing issues with xdebug enabled (#12935)
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jul 1 2026 Remi Collet [remi@remirepo.net] - 2.10.2-1
- update to 2.10.2
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-22ba02bee3' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 44 Update: OpenImageIO-3.1.15.0-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-25954ebccf
2026-07-11 01:06:30.201222+00:00
--------------------------------------------------------------------------------
Name : OpenImageIO
Product : Fedora 44
Version : 3.1.15.0
Release : 1.fc44
URL : https://openimageio.org/
Summary : Library for reading and writing images
Description :
OpenImageIO is a library for reading and writing images, and a bunch of related
classes, utilities, and applications. Main features include:
- Extremely simple but powerful ImageInput and ImageOutput APIs for reading and
writing 2D images that is format agnostic.
- Format plugins for TIFF, JPEG/JFIF, OpenEXR, PNG, HDR/RGBE, Targa, JPEG-2000,
DPX, Cineon, FITS, BMP, ICO, RMan Zfile, Softimage PIC, DDS, SGI,
PNM/PPM/PGM/PBM.
- An ImageCache class that transparently manages a cache so that it can access
truly vast amounts of image data.
--------------------------------------------------------------------------------
Update Information:
https://github.com/AcademySoftwareFoundation/OpenImageIO/releases/tag/v3.1.15.0
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jul 1 2026 Richard Shaw [hobbes1069@gmail.com] - 1:3.1.15.0-1
- Update to 3.1.15.0.
* Thu Jun 25 2026 Franti??ek Zatloukal [fzatlouk@redhat.com] - 1:3.1.14.0-6
- Rebuilt for fmt/spdlog
* Wed Jun 17 2026 Yaakov Selkowitz [yselkowi@redhat.com] - 1:3.1.14.0-5
- Rebuilt for openssl 4.0
* Wed Jun 17 2026 Simone Caronni [negativo17@gmail.com] - 1:3.1.14.0-4
- Rebuild for OpenJPH update.
* Fri Jun 12 2026 Yaakov Selkowitz [yselkowi@redhat.com] - 1:3.1.14.0-3
- Rebuilt for openssl 4.0
* Fri Jun 5 2026 Python Maint - 1:3.1.14.0-2
- Rebuilt for Python 3.15
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2341889 - CVE-2024-55195 OpenImageIO: An allocation-size-too-big bug in the component /imagebuf.cpp of OpenImageIO [epel-8]
https://bugzilla.redhat.com/show_bug.cgi?id=2341889
[ 2 ] Bug #2341890 - CVE-2024-55195 OpenImageIO: An allocation-size-too-big bug in the component /imagebuf.cpp of OpenImageIO [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2341890
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-25954ebccf' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: openssh-10.0p1-10.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-95b955a09b
2026-07-11 00:52:57.708578+00:00
--------------------------------------------------------------------------------
Name : openssh
Product : Fedora 43
Version : 10.0p1
Release : 10.fc43
URL : http://www.openssh.com/portable.html
Summary : An open source implementation of SSH protocol version 2
Description :
SSH (Secure SHell) is a program for logging into and executing
commands on a remote machine. SSH is intended to replace rlogin and
rsh, and to provide secure encrypted communications between two
untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.
OpenSSH is OpenBSD's version of the last free version of SSH, bringing
it up to date in terms of security and features.
This package includes the core files necessary for both the OpenSSH
client and server. To make this package useful, you should also
install openssh-clients, openssh-server, or both.
--------------------------------------------------------------------------------
Update Information:
CVE-2026-55653: Fix double free in openssh DH-GEX client path during FIPS known-
group validation that leads to client-side denial of service
CVE-2026-55654: Fix heap out-of-bounds read during GSSAPI indicator cleanup due
to missing NULL terminator
CVE-2026-55655: Fix MITM of X11 forwarding via abstract UNIX socket pre-binding
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jul 7 2026 Zoltan Fridrich [zfridric@redhat.com] - 10.0p1-10
- CVE-2026-55653: Fix double free in openssh DH-GEX client path during
FIPS known-group validation that leads to client-side denial of service
- CVE-2026-55654: Fix heap out-of-bounds read during GSSAPI indicator
cleanup due to missing NULL terminator
- CVE-2026-55655: Fix MITM of X11 forwarding via abstract UNIX socket
pre-binding
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2442505 - 0043-openssh-8.7p1-ssh-manpage.patch introduces duplicates in documentation
https://bugzilla.redhat.com/show_bug.cgi?id=2442505
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-95b955a09b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 43 Update: docker-compose-5.3.0-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-8e7eb40534
2026-07-11 00:52:57.708574+00:00
--------------------------------------------------------------------------------
Name : docker-compose
Product : Fedora 43
Version : 5.3.0
Release : 1.fc43
URL : https://github.com/docker/compose
Summary : Define and run multi-container applications with Docker
Description :
Define and run multi-container applications with Docker.
--------------------------------------------------------------------------------
Update Information:
Update to release v5.3.0
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jul 2 2026 Bradley G Smith [bradley.g.smith@gmail.com] - 5.3.0-1
- Update to release v5.3.0
- Resolves: rhbz#2496535
- Resolves CVE-2026-53492: rhbz#2496550
- Resolves CVE-2026-47262: rhbz#2496433
- Upstream note: This release introduces native support for init
containers.
- Additional upstream fixes and new features
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2496535 - docker-compose-5.3.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2496535
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-8e7eb40534' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 43 Update: perl-HTML-Gumbo-0.19-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-a457bf78b4
2026-07-11 00:52:57.708567+00:00
--------------------------------------------------------------------------------
Name : perl-HTML-Gumbo
Product : Fedora 43
Version : 0.19
Release : 1.fc43
URL : https://metacpan.org/dist/HTML-Gumbo
Summary : HTML5 parser based on gumbo C library
Description :
Gumbo is an implementation of the HTML5 parsing algorithm implemented as a
pure C99 library with no outside dependencies.
--------------------------------------------------------------------------------
Update Information:
This package provides the Perl module HTML::Gumbo. Versions before 0.19 disclose
heap memory via type confusion.
Support for the element was added to libgumbo 0.10.0 in 2015, but the walk_tree
function in lib/HTML/Gumbo.xs was not updated to support it. The element was
treated as a text-node, where strlen() over-reads the heap block that the
pointer addresses.
--------------------------------------------------------------------------------
ChangeLog:
* Sat May 30 2026 Emmanuel Seyman [emmanuel@seyman.fr] - 0.19-1
- Update to 0.19
- Update dependencies
- Use /usr/bin/perl instead of %{__perl}
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2496536 - CVE-2025-15646 perl-HTML-Gumbo: HTML::Gumbo: Information disclosure through HTML template processing [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2496536
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-a457bf78b4' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 43 Update: prometheus-3.13.0-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-4179e03375
2026-07-11 00:52:57.708547+00:00
--------------------------------------------------------------------------------
Name : prometheus
Product : Fedora 43
Version : 3.13.0
Release : 1.fc43
URL : https://github.com/prometheus/prometheus
Summary : Prometheus monitoring system and time series database
Description :
The Prometheus monitoring system and time series database.
--------------------------------------------------------------------------------
Update Information:
Update to 3.13.0
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jul 2 2026 Mikel Olasagasti Uranga [mikel@olasagasti.info] - 3.13.0-1
- Update to 3.13.0 - Closes rhbz#2495979
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2489191 - CVE-2026-40186 prometheus: ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2489191
[ 2 ] Bug #2492689 - CVE-2026-44990 prometheus: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2492689
[ 3 ] Bug #2493575 - CVE-2026-41567 prometheus: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2493575
[ 4 ] Bug #2495063 - CVE-2026-53606 prometheus: sanitize-html: Cross-Site Scripting (XSS) via insufficient URI scheme validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2495063
[ 5 ] Bug #2495322 - CVE-2026-25681 prometheus: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2495322
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-4179e03375' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 43 Update: composer-2.10.2-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-3017b1bec1
2026-07-11 00:52:57.708467+00:00
--------------------------------------------------------------------------------
Name : composer
Product : Fedora 43
Version : 2.10.2
Release : 1.fc43
URL : https://getcomposer.org/
Summary : Dependency Manager for PHP
Description :
Composer helps you declare, manage and install dependencies of PHP projects,
ensuring you have the right stack everywhere.
Documentation: https://getcomposer.org/doc/
--------------------------------------------------------------------------------
Update Information:
Version 2.10.2 - 2026-07-01
Security: Validate package names (GHSA-499r-g7pc-vmp9)
Security: Validate package bin paths against path traversal (GHSA-gjfg-22fp-
rrxx)
Security: Sanitize URL-embedded usernames/token in verbose output
(GHSA-g6xq-892h-64w3)
Security: Only follow HTTP redirects from HTTP responses (#12948)
Security: Prevent phar metadata unserialization on unsafe PHP versions (#12946)
Security: Sanitize JSON parse errors in http responses to avoid leaking response
body data (#12959)
Added warning output in self-update command when using a soon-to-be EOL version
(#12920)
Added download retry when a GitHub codeload URL returns a 400 (#12962)
Fixed audit command to output the audit result to stdout (#12904)
Fixed backspace characters being output to non-decorated output (#12925)
Fixed security advisory blocking causing issues with xdebug enabled (#12935)
Fixed provider packages hiding suggestions for the package they provide
themselves (#12933)
Fixed security advisory blocking causing issues with xdebug enabled (#12935)
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jul 1 2026 Remi Collet [remi@remirepo.net] - 2.10.2-1
- update to 2.10.2
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-3017b1bec1' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new