
Important security updates have been released for several packages on AlmaLinux 10, including udisks2, libpng, valkey, thunderbird, and go-rpm-macros. They fix vulnerabilities such as missing authorization checks, heap buffer overflows, integer truncation, and use-after-free issues in components like udisks, libpng, and firefox. In total, the updates address 46 security issues across these packages, which could allow unauthorized access, data tampering, or denial-of-service attacks if left unpatched.

ALSA-2026:3476: udisks2 security update (Important)
ALSA-2026:3551: libpng security update (Important)
ALSA-2026:3443: valkey security update (Important)
ALSA-2026:3517: thunderbird security update (Important)
ALSA-2026:3669: go-rpm-macros security update (Important)
ALSA-2026:3515: thunderbird security update (Important)




ALSA-2026:3476: udisks2 security update (Important)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 10
Type: Security
Severity: Important
Release date: 2026-03-05

Summary:

The Udisks project provides a daemon, tools, and libraries to access and manipulate disks, storage devices, and technologies.

Security Fix(es):

* udisks: Missing Authorization Check Allows Unprivileged Users to Back Up LUKS Headers via udisks D-Bus API (CVE-2026-26104)
* udisks: Missing Authorization Check Allows Unprivileged Users to Restore LUKS Headers via udisks D-Bus API (CVE-2026-26103)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2026-3476.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2026:3551: libpng security update (Important)



AlmaLinux: 10
Type: Security
Severity: Important
Release date: 2026-03-04

Summary:

The libpng packages contain a library of functions for creating and manipulating Portable Network Graphics (PNG) image format files.

Security Fix(es):

* libpng: libpng: Information disclosure and denial of service via integer truncation in simplified write API (CVE-2026-22801)
* libpng: libpng: Denial of service and information disclosure via heap buffer over-read in png_image_finish_read (CVE-2026-22695)
* libpng: LIBPNG has a heap buffer overflow in png_set_quantize (CVE-2026-25646)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2026-3551.html




ALSA-2026:3443: valkey security update (Important)



AlmaLinux: 10
Type: Security
Severity: Important
Release date: 2026-03-05

Summary:

Valkey is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing to a list; computing set intersection, union and difference; or getting the member with highest ranking in a sorted set. In order to achieve its outstanding performance, Valkey works with an in-memory dataset. Depending on your use case, you can persist it either by dumping the dataset to disk every once in a while, or by appending each command to a log. Valkey also supports trivial-to-setup master-slave replication, with very fast non-blocking first synchronization, auto-reconnection on net split and so forth. Other features include Transactions, Pub/Sub, Lua scripting, Keys with a limited time-to-live, and configuration settings to make Valkey behave like a cache. You can use Valkey from most programming languages also.

Security Fix(es):

* Valkey: Valkey: Data tampering and denial of service via improper null character handling in Lua scripts (CVE-2025-67733)
* valkey: Valkey: Denial of Service via invalid clusterbus packet (CVE-2026-21863)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2026-3443.html




ALSA-2026:3517: thunderbird security update (Important)



AlmaLinux: 10
Type: Security
Severity: Important
Release date: 2026-03-05

Summary:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

* libvpx: Heap buffer overflow in libvpx (CVE-2026-2447)
* firefox: Invalid pointer in the JavaScript Engine component (CVE-2026-2785)
* firefox: Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 (CVE-2026-2793)
* firefox: Undefined behavior in the DOM: Core & HTML component (CVE-2026-2771)
* firefox: Integer overflow in the Audio/Video component (CVE-2026-2774)
* firefox: Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software (CVE-2026-2776)
* firefox: Integer overflow in the Libraries component in NSS (CVE-2026-2781)
* firefox: Use-after-free in the JavaScript Engine: JIT component (CVE-2026-2766)
* firefox: Use-after-free in the Storage: IndexedDB component (CVE-2026-2769)
* firefox: Use-after-free in the DOM: Window and Location component (CVE-2026-2787)
* firefox: Sandbox escape in the Storage: IndexedDB component (CVE-2026-2768)
* firefox: Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component (CVE-2026-2783)
* firefox: Incorrect boundary conditions in the Audio/Video: GMP component (CVE-2026-2788)
* firefox: Mitigation bypass in the DOM: Security component (CVE-2026-2784)
* firefox: Incorrect boundary conditions in the Graphics: ImageLib component (CVE-2026-2759)
* firefox: Integer overflow in the JavaScript: Standard Library component (CVE-2026-2762)
* firefox: Sandbox escape in the Graphics: WebRender component (CVE-2026-2761)
* firefox: Privilege escalation in the Messaging System component (CVE-2026-2777)
* firefox: Same-origin policy bypass in the Networking: JAR component (CVE-2026-2790)
* firefox: Mitigation bypass in the DOM: HTML Parser component (CVE-2026-2775)
* firefox: Use-after-free in the JavaScript Engine component (CVE-2026-2763)
* firefox: Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 (CVE-2026-2792)
* firefox: Incorrect boundary conditions in the Web Audio component (CVE-2026-2773)
* firefox: Use-after-free in the JavaScript Engine component (CVE-2026-2786)
* firefox: Use-after-free in the Graphics: ImageLib component (CVE-2026-2789)
* firefox: thunderbird: Incorrect boundary conditions in the WebRTC: Audio/Video component (CVE-2026-2757)
* firefox: Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component (CVE-2026-2760)
* firefox: Use-after-free in the Audio/Video: Playback component (CVE-2026-2772)
* firefox: Incorrect boundary conditions in the Networking: JAR component (CVE-2026-2779)
* firefox: Use-after-free in the JavaScript: WebAssembly component (CVE-2026-2767)
* firefox: JIT miscompilation, use-after-free in the JavaScript Engine: JIT component (CVE-2026-2764)
* firefox: Privilege escalation in the Netmonitor component (CVE-2026-2782)
* firefox: Use-after-free in the JavaScript Engine component (CVE-2026-2765)
* firefox: Privilege escalation in the Netmonitor component (CVE-2026-2780)
* firefox: Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component (CVE-2026-2778)
* firefox: Use-after-free in the JavaScript: GC component (CVE-2026-2758)
* firefox: Mitigation bypass in the Networking: Cache component (CVE-2026-2791)
* firefox: Use-after-free in the DOM: Bindings (WebIDL) component (CVE-2026-2770)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2026-3517.html




ALSA-2026:3669: go-rpm-macros security update (Important)



AlmaLinux: 10
Type: Security
Severity: Important
Release date: 2026-03-04

Summary:

This package provides build-stage rpm automation to simplify the creation of Go language (golang) packages. It does not need to be included in the default build root: go-srpm-macros will pull it in for Go packages only.

Security Fix(es):

* golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2026-3669.html




ALSA-2026:3515: thunderbird security update (Important)



AlmaLinux: 8
Type: Security
Severity: Important
Release date: 2026-03-04

Summary:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

* libvpx: Heap buffer overflow in libvpx (CVE-2026-2447)
* firefox: Invalid pointer in the JavaScript Engine component (CVE-2026-2785)
* firefox: Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 (CVE-2026-2793)
* firefox: Undefined behavior in the DOM: Core & HTML component (CVE-2026-2771)
* firefox: Integer overflow in the Audio/Video component (CVE-2026-2774)
* firefox: Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software (CVE-2026-2776)
* firefox: Integer overflow in the Libraries component in NSS (CVE-2026-2781)
* firefox: Use-after-free in the JavaScript Engine: JIT component (CVE-2026-2766)
* firefox: Use-after-free in the Storage: IndexedDB component (CVE-2026-2769)
* firefox: Use-after-free in the DOM: Window and Location component (CVE-2026-2787)
* firefox: Sandbox escape in the Storage: IndexedDB component (CVE-2026-2768)
* firefox: Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component (CVE-2026-2783)
* firefox: Incorrect boundary conditions in the Audio/Video: GMP component (CVE-2026-2788)
* firefox: Mitigation bypass in the DOM: Security component (CVE-2026-2784)
* firefox: Incorrect boundary conditions in the Graphics: ImageLib component (CVE-2026-2759)
* firefox: Integer overflow in the JavaScript: Standard Library component (CVE-2026-2762)
* firefox: Sandbox escape in the Graphics: WebRender component (CVE-2026-2761)
* firefox: Privilege escalation in the Messaging System component (CVE-2026-2777)
* firefox: Same-origin policy bypass in the Networking: JAR component (CVE-2026-2790)
* firefox: Mitigation bypass in the DOM: HTML Parser component (CVE-2026-2775)
* firefox: Use-after-free in the JavaScript Engine component (CVE-2026-2763)
* firefox: Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 (CVE-2026-2792)
* firefox: Incorrect boundary conditions in the Web Audio component (CVE-2026-2773)
* firefox: Use-after-free in the JavaScript Engine component (CVE-2026-2786)
* firefox: Use-after-free in the Graphics: ImageLib component (CVE-2026-2789)
* firefox: thunderbird: Incorrect boundary conditions in the WebRTC: Audio/Video component (CVE-2026-2757)
* firefox: Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component (CVE-2026-2760)
* firefox: Use-after-free in the Audio/Video: Playback component (CVE-2026-2772)
* firefox: Incorrect boundary conditions in the Networking: JAR component (CVE-2026-2779)
* firefox: Use-after-free in the JavaScript: WebAssembly component (CVE-2026-2767)
* firefox: JIT miscompilation, use-after-free in the JavaScript Engine: JIT component (CVE-2026-2764)
* firefox: Privilege escalation in the Netmonitor component (CVE-2026-2782)
* firefox: Use-after-free in the JavaScript Engine component (CVE-2026-2765)
* firefox: Privilege escalation in the Netmonitor component (CVE-2026-2780)
* firefox: Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component (CVE-2026-2778)
* firefox: Use-after-free in the JavaScript: GC component (CVE-2026-2758)
* firefox: Mitigation bypass in the Networking: Cache component (CVE-2026-2791)
* firefox: Use-after-free in the DOM: Bindings (WebIDL) component (CVE-2026-2770)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2026-3515.html
