
Fedora administrators need to apply a fresh wave of critical security patches across both Fedora 43 and Fedora 44 environments right away. These releases tackle dangerous vulnerabilities in widely used tools such as Vim, Samba, Dovecot, Postfix, Unbound, and HP imaging software by closing gaps that could lead to remote code execution or unauthorized access. Several updates also resolve tricky memory handling errors and timing side channels that previously allowed attackers to bypass authentication checks or crash network services. You can install all the necessary fixes quickly by running standard dnf upgrade commands with the advisory codes listed in each notification block.

Fedora 43 Update: vim-9.2.530-1.fc43
Fedora 43 Update: libpng-1.6.58-1.fc43
Fedora 43 Update: perl-Catalyst-Plugin-Authentication-0.10026-1.fc43
Fedora 43 Update: unbound-1.25.1-1.fc43
Fedora 43 Update: dovecot-2.4.4-1.fc43
Fedora 43 Update: postfix-3.10.10-1.fc43
Fedora 44 Update: samba-4.24.3-1.fc44
Fedora 44 Update: freeipa-4.13.1-12.fc44
Fedora 44 Update: hplip-3.26.4-2.fc44
Fedora 44 Update: perl-Catalyst-Plugin-Authentication-0.10026-1.fc44
Fedora 44 Update: postfix-3.10.10-1.fc44
Fedora 44 Update: dovecot-2.4.4-1.fc44



[SECURITY] Fedora 43 Update: vim-9.2.530-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-75b5ddf8c3
2026-06-02 01:10:43.197459+00:00
--------------------------------------------------------------------------------

Name : vim
Product : Fedora 43
Version : 9.2.530
Release : 1.fc43
URL : https://www.vim.org/
Summary : The VIM editor
Description :
VIM (VIsual editor iMproved) is an updated and improved version of the
vi editor. Vi was the first real screen-based editor for UNIX, and is
still very popular. VIM improves on vi by adding new features:
multiple windows, multi-level undo, block highlighting and more.

--------------------------------------------------------------------------------
Update Information:

keep GTK4 in rawhide for now
switch to GTK4 for GVim
Fix CVE-2026-46483
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 25 2026 Zdenek Dohnal [zdohnal@redhat.com] - 2:9.2.530-1
- patchlevel 530
* Mon May 25 2026 Zdenek Dohnal [zdohnal@redhat.com] - 2:9.2.506-3
- keep GTK4 in rawhide for now
* Thu May 21 2026 Zdenek Dohnal [zdohnal@redhat.com] - 2:9.2.506-2
- switch to GTK4 for GVim
* Thu May 21 2026 Zdenek Dohnal [zdohnal@redhat.com] - 2:9.2.506-1
- patchlevel 506
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2477915 - CVE-2026-46483 vim: command injection when decompressing .tgz archives
https://bugzilla.redhat.com/show_bug.cgi?id=2477915
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-75b5ddf8c3' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: libpng-1.6.58-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-a109a9ac2c
2026-06-02 01:10:43.197462+00:00
--------------------------------------------------------------------------------

Name : libpng
Product : Fedora 43
Version : 1.6.58
Release : 1.fc43
URL : http://www.libpng.org/pub/png/
Summary : A library of functions for manipulating PNG image format files
Description :
The libpng package contains a library of functions for creating and
manipulating PNG (Portable Network Graphics) image format files. PNG
is a bit-mapped graphics format similar to the GIF format. PNG was
created to replace the GIF format, since GIF uses a patented data
compression algorithm.

Libpng should be installed if you need to manipulate PNG format image
files.

--------------------------------------------------------------------------------
Update Information:

updated to 1.6.58
1.6.58 is released with a fix for a simple correctness bug (not a security
issue) this time: png_get_PLTE() returns stale palette data when either gamma
correction or alpha-compositing is the only transform applied. Like the issues
addressed in the previous release, this bug was a regression introduced in the
fix for CVE-2026-33416 in 1.6.56.
1.6.57 is released with fixes for the following security vulnerability:
CVE-2026-34757 (medium severity): Use-after-free memory bug in the chunk setter
API. The hIST variant has existed since version 1.0.9, but the PLTE and tRNS
ones are regressions introduced in the fix for CVE-2026-33416 in 1.6.56 (oops).
--------------------------------------------------------------------------------
ChangeLog:

* Thu May 21 2026 Michal Hlavinka [mhlavink@redhat.com] - 2:1.6.58-1
- updated to 1.6.58 (#2456815)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2460625 - CVE-2026-22020 libpng: OpenJDK: Update LibPNG (Oracle CPU 2026-04) [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2460625
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-a109a9ac2c' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: perl-Catalyst-Plugin-Authentication-0.10026-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-af4f5feae8
2026-06-02 01:10:43.197453+00:00
--------------------------------------------------------------------------------

Name : perl-Catalyst-Plugin-Authentication
Product : Fedora 43
Version : 0.10026
Release : 1.fc43
URL : https://metacpan.org/release/Catalyst-Plugin-Authentication
Summary : Infrastructure plugin for the Catalyst authentication framework
Description :
The authentication plugin provides generic user support for Catalyst apps.
It is the basis for both authentication (checking the user is who they
claim to be), and authorization (allowing the user to do what the system
authorizes them to do).

--------------------------------------------------------------------------------
Update Information:

Catalyst::Plugin::Authentication versions through 0.10024 for Perl are
susceptible to timing attacks since these versions use Perl's built-in eq
comparison. Discrepancies in timing could be used to guess the underlying hash
or password. Version 0.10026 of the module fixes this issue.
--------------------------------------------------------------------------------
ChangeLog:

* Sun May 24 2026 Emmanuel Seyman [emmanuel@seyman.fr] - 0.10026-1
- Update to 0.10026 (fixes CVE-2026-5091)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2483712 - CVE-2026-5091 perl-Catalyst-Plugin-Authentication: Catalyst::Plugin::Authentication: Information disclosure via timing attack [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2483712
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-af4f5feae8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: unbound-1.25.1-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-3223ded15e
2026-06-02 01:10:43.197439+00:00
--------------------------------------------------------------------------------

Name : unbound
Product : Fedora 43
Version : 1.25.1
Release : 1.fc43
URL : https://nlnetlabs.nl/projects/unbound/
Summary : Validating, recursive, and caching DNS(SEC) resolver
Description :
Unbound is a validating, recursive, and caching DNS(SEC) resolver.

The C implementation of Unbound is developed and maintained by NLnet
Labs. It is based on ideas and algorithms taken from a java prototype
developed by Verisign labs, Nominet, Kirei and ep.net.

Unbound is designed as a set of modular components, so that also
DNSSEC (secure DNS) validation and stub-resolvers (that do not run
as a server, but are linked into an application) are easily possible.

--------------------------------------------------------------------------------
Update Information:

Update to 1.25.1 (rhbz#2480119)
Fix CVE-2026-33278, Possible remote code execution during DNSSEC validation.
Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie, padding
EDNS options. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-42959, Crash during DNSSEC validation of malicious content. Thanks
to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew Griffiths
from 'calif.io' for the report.
Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan Zhang, Palo
Alto Networks, for the report.
Fix CVE-2026-41292, Parsing a long list of incoming EDNS options degrades
performance. Thanks to GitHub user 'N0zoM1z0', also Qifan Zhang from Palo Alto
Networks, for the report.
Fix CVE-2026-42534, Jostle logic bypass degrades resolution performance. Thanks
to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash
calculations. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-42960, Possible cache poisoning attack while following delegation.
Thanks to TaoFei Guo from Peking University, Yang Luo and JianJun Chen, Tsinghua
University, for the report.
Fix CVE-2026-44390, Unbounded name compression in certain cases causes
degradation of service. Thanks to Qifan Zhang, Palo Alto Networks, for the
report.
Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks to Qifan Zhang,
Palo Alto Networks, for the report.
Swapped sources signature source number with systemd unit to have them
close.
--------------------------------------------------------------------------------
ChangeLog:

* Wed May 20 2026 Petr Menšík [pemensik@redhat.com] - 1.25.1-1
- Update to 1.25.1 (rhbz#2480119)
* Tue May 19 2026 Petr Menšík [pemensik@redhat.com] - 1.25.0-3
- Remove the key of Yorgos, one should be enough
* Tue May 19 2026 Petr Menšík [pemensik@redhat.com] - 1.25.0-2
- Replace Wouter's key with release-g2 key
* Tue May 19 2026 Petr Menšík [pemensik@redhat.com] - 1.25.0-1
- Update to 1.25.0 (rhbz#2463781)
* Mon Feb 9 2026 Petr Menšík [pemensik@redhat.com] - 1.24.2-3
- Change the default of tls-use-system-policy-versions at build-time
* Mon Feb 9 2026 Petr Menšík [pemensik@redhat.com] - 1.24.2-2
- Switch TLS configuration to follow TLS sockets by crypto-policy again
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2480119 - unbound-1.25.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2480119
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-3223ded15e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: dovecot-2.4.4-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-693373747f
2026-06-02 01:10:43.197425+00:00
--------------------------------------------------------------------------------

Name : dovecot
Product : Fedora 43
Version : 2.4.4
Release : 1.fc43
URL : https://www.dovecot.org/
Summary : Secure imap and pop3 server
Description :
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
primarily in mind. It also contains a small POP3 server. It supports mail
in either of maildir or mbox formats.

The SQL drivers and authentication plug-ins are in their subpackages.

--------------------------------------------------------------------------------
Update Information:

CVE-2026-27851: lib-var-expand: Safe filter marks all following pipelines safe.
CVE-2026-33603: auth: CRAM-SHA-*-PLUS channel binding could be faked.
MITM attacker with a certificate trusted by the client could have
bypassed the requirement for channel binding.
CVE-2026-40020: IMAP folders can be shared-spammed to everyone.
CVE-2026-42006: An attacker can cause uncontrolled memory usage with
excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete.
indexer-worker, quota-status, script-login, program-client-local: Root
privileges are now dropped permanently before serving requests.
indexer-worker: Default restart_request_count changed to 1 to work
correctly after permanent root privilege drop.
lmtp: Add back service_extra_groups=$SET:default_internal_group that was
incorrectly removed in v2.4.3.
master: inet_listener_reuse_port has been replaced by service_reuse_port.
The new setting properly pre-creates all listener sockets at startup and
assigns one unique socket per process. Using this allows evenly distributing
incoming connections to login processes.
--------------------------------------------------------------------------------
ChangeLog:

* Fri May 15 2026 Michal Hlavinka [mhlavink@redhat.com] - 1:2.4.4-1
- updated to 2.4.4 (#2476459)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2479583 - CVE-2026-33603 dovecot: Dovecot: Information disclosure via SCRAM TLS channel binding bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2479583
[ 2 ] Bug #2479588 - CVE-2026-40020 dovecot: dovecot: Denial of Service via IMAP SETACL command injection [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2479588
[ 3 ] Bug #2481123 - CVE-2026-40016 dovecot: Dovecot: Denial of Service due to Sieve script CPU limit bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481123
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-693373747f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: postfix-3.10.10-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-e9fc21d7e2
2026-06-02 01:10:43.197431+00:00
--------------------------------------------------------------------------------

Name : postfix
Product : Fedora 43
Version : 3.10.10
Release : 1.fc43
URL : http://www.postfix.org
Summary : Postfix Mail Transport Agent
Description :
Postfix is a Mail Transport Agent (MTA).

--------------------------------------------------------------------------------
Update Information:

This is an update fixing CVE-2026-43964.
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 18 2026 Jaroslav Škarvada [jskarvad@redhat.com] - 2:3.10.10-1
- New version
Resolves: CVE-2026-43964
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2477885 - CVE-2026-43964 postfix: buffer over-read via malformed enhanced status code [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2477885
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-e9fc21d7e2' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: samba-4.24.3-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7567819345
2026-06-02 00:53:32.834931+00:00
--------------------------------------------------------------------------------

Name : samba
Product : Fedora 44
Version : 4.24.3
Release : 1.fc44
URL : https://www.samba.org
Summary : Server and Client software to interoperate with Windows machines
Description :
Samba is the standard Windows interoperability suite of programs for Linux and
Unix.

--------------------------------------------------------------------------------
Update Information:

Update to Samba 4.24.3 - Security fix for CVE-2026-4480, CVE-2026-2340,
CVE-2026-3012, CVE-2026-1933, CVE-2026-4408, and CVE-2026-3238
--------------------------------------------------------------------------------
ChangeLog:

* Thu May 28 2026 Günther Deschner [gd@samba.org] - 2:4.24.3-1
- Update to Samba 4.24.3
- resolves: rhbz#2481468
- resolves: rhbz#2481447 - Security fix for CVE-2026-4480
- resolves: rhbz#2481875 - Security fix for CVE-2026-2340
- resolves: rhbz#2481857 - Security fix for CVE-2026-3012
- resolves: rhbz#2481876 - Security fix for CVE-2026-1933
- Security fix for CVE-2026-4408
- Security fix for CVE-2026-3238
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2481447 - CVE-2026-4480 samba: Samba: Remote Code Execution in printing subsystem via unescaped job description [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481447
[ 2 ] Bug #2481468 - samba-4.24.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2481468
[ 3 ] Bug #2481857 - CVE-2026-3012 samba: group policy certificate enrollment uses http:// without validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481857
[ 4 ] Bug #2481875 - CVE-2026-2340 samba: vfs_worm does not block directory modification [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481875
[ 5 ] Bug #2481876 - CVE-2026-1933 samba: Missing access check on reparse point operations [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481876
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-7567819345' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: freeipa-4.13.1-12.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7567819345
2026-06-02 00:53:32.834931+00:00
--------------------------------------------------------------------------------

Name : freeipa
Product : Fedora 44
Version : 4.13.1
Release : 12.fc44
URL : http://www.freeipa.org/
Summary : The Identity, Policy and Audit system
Description :
IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
(host access control, SELinux user roles, services). The solution provides
features for further integration with Linux based clients (SUDO, automount)
and integration with Active Directory based infrastructures (Trusts).

--------------------------------------------------------------------------------
Update Information:

Update to Samba 4.24.3 - Security fix for CVE-2026-4480, CVE-2026-2340,
CVE-2026-3012, CVE-2026-1933, CVE-2026-4408, and CVE-2026-3238
--------------------------------------------------------------------------------
ChangeLog:

* Fri May 29 2026 Alexander Bokovoy [abokovoy@redhat.com] - 4.13.1-12
- Rebuild against Samba 4.24.3
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2481447 - CVE-2026-4480 samba: Samba: Remote Code Execution in printing subsystem via unescaped job description [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481447
[ 2 ] Bug #2481468 - samba-4.24.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2481468
[ 3 ] Bug #2481857 - CVE-2026-3012 samba: group policy certificate enrollment uses http:// without validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481857
[ 4 ] Bug #2481875 - CVE-2026-2340 samba: vfs_worm does not block directory modification [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481875
[ 5 ] Bug #2481876 - CVE-2026-1933 samba: Missing access check on reparse point operations [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481876
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-7567819345' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: hplip-3.26.4-2.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-df2e96fe77
2026-06-02 00:53:32.834864+00:00
--------------------------------------------------------------------------------

Name : hplip
Product : Fedora 44
Version : 3.26.4
Release : 2.fc44
URL : https://developers.hp.com/hp-linux-imaging-and-printing
Summary : HP Linux Imaging and Printing Project
Description :
The Hewlett-Packard Linux Imaging and Printing Project provides
drivers for HP printers and multi-function peripherals.

--------------------------------------------------------------------------------
Update Information:

Update to 3.26.4, fixes CVE-2026-8631, CVE-2026-8632
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 26 2026 Zdenek Dohnal [zdohnal@redhat.com] - 3.26.4-2
- Fix location+user-agent of plugin in hp-plugin-download
* Mon May 25 2026 Zdenek Dohnal [zdohnal@redhat.com] - 3.26.4-1
- 3.26.4 (fedora#2480158), fixes CVE-2026-8631, CVE-2026-8632
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2480300 - CVE-2026-8631 HPLIP: HPLIP: Arbitrary code execution and privilege escalation via integer overflow in hpcups
https://bugzilla.redhat.com/show_bug.cgi?id=2480300
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-df2e96fe77' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: perl-Catalyst-Plugin-Authentication-0.10026-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-26666575ae
2026-06-02 00:53:32.834847+00:00
--------------------------------------------------------------------------------

Name : perl-Catalyst-Plugin-Authentication
Product : Fedora 44
Version : 0.10026
Release : 1.fc44
URL : https://metacpan.org/release/Catalyst-Plugin-Authentication
Summary : Infrastructure plugin for the Catalyst authentication framework
Description :
The authentication plugin provides generic user support for Catalyst apps.
It is the basis for both authentication (checking the user is who they
claim to be), and authorization (allowing the user to do what the system
authorizes them to do).

--------------------------------------------------------------------------------
Update Information:

Catalyst::Plugin::Authentication versions through 0.10024 for Perl are
susceptible to timing attacks since these versions use Perl's built-in eq
comparison. Discrepancies in timing could be used to guess the underlying hash
or password. Version 0.10026 of the module fixes this issue.
--------------------------------------------------------------------------------
ChangeLog:

* Sun May 24 2026 Emmanuel Seyman [emmanuel@seyman.fr] - 0.10026-1
- Update to 0.10026 (fixes CVE-2026-5091)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2483712 - CVE-2026-5091 perl-Catalyst-Plugin-Authentication: Catalyst::Plugin::Authentication: Information disclosure via timing attack [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2483712
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-26666575ae' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: postfix-3.10.10-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-5cf8cc5f32
2026-06-02 00:53:32.834820+00:00
--------------------------------------------------------------------------------

Name : postfix
Product : Fedora 44
Version : 3.10.10
Release : 1.fc44
URL : http://www.postfix.org
Summary : Postfix Mail Transport Agent
Description :
Postfix is a Mail Transport Agent (MTA).

--------------------------------------------------------------------------------
Update Information:

This is an update fixing CVE-2026-43964.
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 18 2026 Jaroslav Škarvada [jskarvad@redhat.com] - 2:3.10.10-1
- New version
Resolves: CVE-2026-43964
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2477885 - CVE-2026-43964 postfix: buffer over-read via malformed enhanced status code [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2477885
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-5cf8cc5f32' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: dovecot-2.4.4-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-96eeb03b88
2026-06-02 00:53:32.834786+00:00
--------------------------------------------------------------------------------

Name : dovecot
Product : Fedora 44
Version : 2.4.4
Release : 1.fc44
URL : https://www.dovecot.org/
Summary : Secure imap and pop3 server
Description :
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
primarily in mind. It also contains a small POP3 server. It supports mail
in either of maildir or mbox formats.

The SQL drivers and authentication plug-ins are in their subpackages.

--------------------------------------------------------------------------------
Update Information:

CVE-2026-27851: lib-var-expand: Safe filter marks all following pipelines safe.
CVE-2026-33603: auth: CRAM-SHA-*-PLUS channel binding could be faked.
MITM attacker with a certificate trusted by the client could have
bypassed the requirement for channel binding.
CVE-2026-40020: IMAP folders can be shared-spammed to everyone.
CVE-2026-42006: An attacker can cause uncontrolled memory usage with
excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete.
indexer-worker, quota-status, script-login, program-client-local: Root
privileges are now dropped permanently before serving requests.
indexer-worker: Default restart_request_count changed to 1 to work
correctly after permanent root privilege drop.
lmtp: Add back service_extra_groups=$SET:default_internal_group that was
incorrectly removed in v2.4.3.
master: inet_listener_reuse_port has been replaced by service_reuse_port.
The new setting properly pre-creates all listener sockets at startup and
assigns one unique socket per process. Using this allows evenly distributing
incoming connections to login processes.
--------------------------------------------------------------------------------
ChangeLog:

* Fri May 15 2026 Michal Hlavinka [mhlavink@redhat.com] - 1:2.4.4-1
- updated to 2.4.4 (#2476459)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2479583 - CVE-2026-33603 dovecot: Dovecot: Information disclosure via SCRAM TLS channel binding bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2479583
[ 2 ] Bug #2479588 - CVE-2026-40020 dovecot: dovecot: Denial of Service via IMAP SETACL command injection [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2479588
[ 3 ] Bug #2481123 - CVE-2026-40016 dovecot: Dovecot: Denial of Service due to Sieve script CPU limit bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481123
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-96eeb03b88' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

