Fedora 43 Update: haveged-1.9.22-1.fc43
Fedora 43 Update: djvulibre-3.5.30-1.fc43
Fedora 43 Update: xrdp-0.10.6-2.fc43
Fedora 43 Update: pdns-5.0.5-1.fc43
Fedora 43 Update: docker-compose-5.1.4-1.fc43
Fedora 44 Update: xrdp-0.10.6-2.fc44
Fedora 44 Update: libssh2-1.11.1-6.fc44
Fedora 44 Update: djvulibre-3.5.30-1.fc44
Fedora 44 Update: pdns-5.0.5-1.fc44
Fedora 44 Update: docker-compose-5.1.4-1.fc44
Fedora 44 Update: giflib-6.1.3-2.fc44
[SECURITY] Fedora 43 Update: haveged-1.9.22-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-5d9b0e2c17
2026-05-30 01:07:34.273959+00:00
--------------------------------------------------------------------------------
Name : haveged
Product : Fedora 43
Version : 1.9.22
Release : 1.fc43
URL : https://github.com/jirka-h/haveged
Summary : A Linux entropy source using the HAVEGE algorithm
Description :
A Linux entropy source using the HAVEGE algorithm
Haveged is a user space entropy daemon which is not dependent upon the
standard mechanisms for harvesting randomness for the system entropy
pool. This is important in systems with high entropy needs or limited
user interaction (e.g. headless servers).
Haveged uses HAVEGE (HArdware Volatile Entropy Gathering and Expansion)
to maintain a 1M pool of random bytes used to fill /dev/random
whenever the supply of random bits in /dev/random falls below the low
water mark of the device. The principle inputs to haveged are the
sizes of the processor instruction and data caches used to setup the
HAVEGE collector. The haveged default is a 4kb data cache and a 16kb
instruction cache. On machines with a cpuid instruction, haveged will
attempt to select appropriate values from internal tables.
--------------------------------------------------------------------------------
Update Information:
Update to 1.9.22 ??? fix systemd sandboxing: add ReadWritePaths=/dev/shm for
semaphore creation
Backport fix for CVE-2026-41054: privilege escalation via command socket
--------------------------------------------------------------------------------
ChangeLog:
* Thu May 21 2026 Jirka Hladky [hladky.jiri@gmail.com] - 1.9.22-1
- Update to 1.9.22
- Fix systemd sandboxing: add ReadWritePaths=/dev/shm for semaphore creation
* Wed May 20 2026 Jirka Hladky [hladky.jiri@gmail.com] - 1.9.21-1
- Update to 1.9.21
- Security fix: CVE-2026-41054 ??? privilege escalation via command socket
- Fix semaphore error handling (SEM_FAILED vs NULL)
- Fix /dev/shm permissions (use 01777 with sticky bit)
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 1.9.18-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2480051 - CVE-2026-41054 haveged: privilege escalation via command socket
https://bugzilla.redhat.com/show_bug.cgi?id=2480051
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-5d9b0e2c17' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: djvulibre-3.5.30-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-bfa185dbb3
2026-05-30 01:07:34.273965+00:00
--------------------------------------------------------------------------------
Name : djvulibre
Product : Fedora 43
Version : 3.5.30
Release : 1.fc43
URL : http://djvu.sourceforge.net/
Summary : DjVu viewers, encoders, and utilities
Description :
DjVu is a web-centric format and software platform for distributing documents
and images. DjVu can advantageously replace PDF, PS, TIFF, JPEG, and GIF for
distributing scanned documents, digital documents, or high-resolution pictures.
DjVu content downloads faster, displays and renders faster, looks nicer on a
screen, and consume less client resources than competing formats. DjVu images
display instantly and can be smoothly zoomed and panned with no lengthy
re-rendering.
DjVuLibre is a free (GPL'ed) implementation of DjVu, including viewers,
decoders, simple encoders, and utilities. The browser plugin is in its own
separate sub-package.
--------------------------------------------------------------------------------
Update Information:
Update to 3.5.30.
--------------------------------------------------------------------------------
ChangeLog:
* Thu May 21 2026 Marek Kasik [mkasik@redhat.com] - 3.5.30-1
- Rebase to 3.5.30
- Resolves: #2376253
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2376253 - CVE-2025-53367 djvulibre: DjVuLibre out of bounds write [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2376253
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-bfa185dbb3' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 43 Update: xrdp-0.10.6-2.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-8aeca78af9
2026-05-30 01:07:34.273962+00:00
--------------------------------------------------------------------------------
Name : xrdp
Product : Fedora 43
Version : 0.10.6
Release : 2.fc43
URL : http://www.xrdp.org/
Summary : Open source remote desktop protocol (RDP) server
Description :
xrdp provides a fully functional RDP server compatible with a wide range
of RDP clients, including FreeRDP and Microsoft RDP client.
--------------------------------------------------------------------------------
Update Information:
Close TCP socket in default configuration, because we want just Unix domain
socket connections to Xvnc.
--------------------------------------------------------------------------------
ChangeLog:
* Fri May 22 2026 Bojan Smojver [bojan@rexursive.com] - 1:0.10.6-2
- close TCP port in default Xvnc config, Unix domain socket only
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2480423 - no authentication required to connect to Xvnc
https://bugzilla.redhat.com/show_bug.cgi?id=2480423
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-8aeca78af9' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 43 Update: pdns-5.0.5-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-6458693037
2026-05-30 01:07:34.273953+00:00
--------------------------------------------------------------------------------
Name : pdns
Product : Fedora 43
Version : 5.0.5
Release : 1.fc43
URL : http://powerdns.com
Summary : A modern, advanced and high performance authoritative-only name server
Description :
The PowerDNS Nameserver is a modern, advanced and high performance
authoritative-only name server. It is written from scratch and conforms
to all relevant DNS standards documents.
Furthermore, PowerDNS interfaces with almost any database.
--------------------------------------------------------------------------------
Update Information:
Update to 5.0.5
Fix for CVE-2026-42000, CVE-2026-42001, CVE-2026-42002, CVE-2026-41999,
CVE-2026-42396
Security Advisory: https://doc.powerdns.com/authoritative/security-
advisories/powerdns-advisory-2026-06.html
--------------------------------------------------------------------------------
ChangeLog:
* Thu May 21 2026 Morten Stevens [mstevens@fedoraproject.org] - 5.0.5-1
- Update to 5.0.5
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-6458693037' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 43 Update: docker-compose-5.1.4-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-951a6725b8
2026-05-30 01:07:34.273912+00:00
--------------------------------------------------------------------------------
Name : docker-compose
Product : Fedora 43
Version : 5.1.4
Release : 1.fc43
URL : https://github.com/docker/compose
Summary : Define and run multi-container applications with Docker
Description :
Define and run multi-container applications with Docker.
--------------------------------------------------------------------------------
Update Information:
Update to release v5.1.4
Resolves: rhbz#2480186
Upstream fixes
Update to release v5.1.3
Resolves rhbz#2458697
Resolves CVE-2026-33747: rhbz#2452188, rhbz#2452199
Resolves CVE-2026-33748: rhbz#2453089
Upstream fixes
--------------------------------------------------------------------------------
ChangeLog:
* Wed May 20 2026 Bradley G Smith [bradley.g.smith@gmail.com] - 5.1.4-1
- Update to release v5.1.4
- Resolves: rhbz#2480186
- Upstream fixes
* Wed Apr 15 2026 Bradley G Smith [bradley.g.smith@gmail.com] - 5.1.3-1
- Update to release v5.1.3
- Resolves rhbz#2458697
- Resolves CVE-2026-33747: rhbz#2452188, rhbz#2452199
- Resolves CVE-2026-33748: rhbz#2453089
- Upstream fixes
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2452188 - CVE-2026-33747 docker-compose: BuildKit: Arbitrary file write and code execution via untrusted frontend [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2452188
[ 2 ] Bug #2452199 - CVE-2026-33747 docker-compose: BuildKit: Arbitrary file write and code execution via untrusted frontend [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2452199
[ 3 ] Bug #2453089 - CVE-2026-33748 docker-compose: BuildKit: Unauthorized file access via Git URL fragment subdir components [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453089
[ 4 ] Bug #2458697 - docker-compose-5.1.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2458697
[ 5 ] Bug #2480186 - docker-compose-5.1.4 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2480186
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-951a6725b8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 44 Update: xrdp-0.10.6-2.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-9a3a98bc24
2026-05-30 00:54:46.011421+00:00
--------------------------------------------------------------------------------
Name : xrdp
Product : Fedora 44
Version : 0.10.6
Release : 2.fc44
URL : http://www.xrdp.org/
Summary : Open source remote desktop protocol (RDP) server
Description :
xrdp provides a fully functional RDP server compatible with a wide range
of RDP clients, including FreeRDP and Microsoft RDP client.
--------------------------------------------------------------------------------
Update Information:
Close TCP socket in default configuration, because we want just Unix domain
socket connections to Xvnc.
--------------------------------------------------------------------------------
ChangeLog:
* Fri May 22 2026 Bojan Smojver [bojan@rexursive.com] - 1:0.10.6-2
- close TCP port in default Xvnc config, Unix domain socket only
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2480423 - no authentication required to connect to Xvnc
https://bugzilla.redhat.com/show_bug.cgi?id=2480423
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-9a3a98bc24' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 44 Update: libssh2-1.11.1-6.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f87ac8187c
2026-05-30 00:54:46.011425+00:00
--------------------------------------------------------------------------------
Name : libssh2
Product : Fedora 44
Version : 1.11.1
Release : 6.fc44
URL : https://www.libssh2.org/
Summary : A library implementing the SSH2 protocol
Description :
libssh2 is a library implementing the SSH2 protocol as defined by
Internet Drafts: SECSH-TRANS(22), SECSH-USERAUTH(25),
SECSH-CONNECTION(23), SECSH-ARCH(20), SECSH-FILEXFER(06)*,
SECSH-DHGEX(04), and SECSH-NUMBERS(10).
--------------------------------------------------------------------------------
Update Information:
This update addresses CVE-2026-7598, a potential heap buffer overflow, which
could be triggered remotely by supplying very long username and/or password
strings.
--------------------------------------------------------------------------------
ChangeLog:
* Fri May 22 2026 Paul Howarth - 1.11.1-6
- Fix CVE-2026-7598: integer overflow via large username or password arguments
( https://github.com/libssh2/libssh2/pull/1858)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2468328 - CVE-2026-7598 libssh2: integer overflow via large username or password arguments [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2468328
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f87ac8187c' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 44 Update: djvulibre-3.5.30-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-956f05a733
2026-05-30 00:54:46.011423+00:00
--------------------------------------------------------------------------------
Name : djvulibre
Product : Fedora 44
Version : 3.5.30
Release : 1.fc44
URL : http://djvu.sourceforge.net/
Summary : DjVu viewers, encoders, and utilities
Description :
DjVu is a web-centric format and software platform for distributing documents
and images. DjVu can advantageously replace PDF, PS, TIFF, JPEG, and GIF for
distributing scanned documents, digital documents, or high-resolution pictures.
DjVu content downloads faster, displays and renders faster, looks nicer on a
screen, and consume less client resources than competing formats. DjVu images
display instantly and can be smoothly zoomed and panned with no lengthy
re-rendering.
DjVuLibre is a free (GPL'ed) implementation of DjVu, including viewers,
decoders, simple encoders, and utilities. The browser plugin is in its own
separate sub-package.
--------------------------------------------------------------------------------
Update Information:
Update to 3.5.30.
--------------------------------------------------------------------------------
ChangeLog:
* Thu May 21 2026 Marek Kasik [mkasik@redhat.com] - 3.5.30-1
- Rebase to 3.5.30
- Resolves: #2376253
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2376253 - CVE-2025-53367 djvulibre: DjVuLibre out of bounds write [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2376253
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-956f05a733' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 44 Update: pdns-5.0.5-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-a6e5b1263b
2026-05-30 00:54:46.011413+00:00
--------------------------------------------------------------------------------
Name : pdns
Product : Fedora 44
Version : 5.0.5
Release : 1.fc44
URL : http://powerdns.com
Summary : A modern, advanced and high performance authoritative-only name server
Description :
The PowerDNS Nameserver is a modern, advanced and high performance
authoritative-only name server. It is written from scratch and conforms
to all relevant DNS standards documents.
Furthermore, PowerDNS interfaces with almost any database.
--------------------------------------------------------------------------------
Update Information:
Update to 5.0.5
Fix for CVE-2026-42000, CVE-2026-42001, CVE-2026-42002, CVE-2026-41999,
CVE-2026-42396
Security Advisory: https://doc.powerdns.com/authoritative/security-
advisories/powerdns-advisory-2026-06.html
--------------------------------------------------------------------------------
ChangeLog:
* Thu May 21 2026 Morten Stevens [mstevens@fedoraproject.org] - 5.0.5-1
- Update to 5.0.5
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-a6e5b1263b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 44 Update: docker-compose-5.1.4-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-3316f97296
2026-05-30 00:54:46.011360+00:00
--------------------------------------------------------------------------------
Name : docker-compose
Product : Fedora 44
Version : 5.1.4
Release : 1.fc44
URL : https://github.com/docker/compose
Summary : Define and run multi-container applications with Docker
Description :
Define and run multi-container applications with Docker.
--------------------------------------------------------------------------------
Update Information:
Update to release v5.1.4
Resolves: rhbz#2480186
Upstream fixes
Update to release v5.1.3
Resolves rhbz#2458697
Resolves CVE-2026-33747: rhbz#2452188, rhbz#2452199
Resolves CVE-2026-33748: rhbz#2453089
Upstream fixes
--------------------------------------------------------------------------------
ChangeLog:
* Wed May 20 2026 Bradley G Smith [bradley.g.smith@gmail.com] - 5.1.4-1
- Update to release v5.1.4
- Resolves: rhbz#2480186
- Upstream fixes
* Wed Apr 15 2026 Bradley G Smith [bradley.g.smith@gmail.com] - 5.1.3-1
- Update to release v5.1.3
- Resolves rhbz#2458697
- Resolves CVE-2026-33747: rhbz#2452188, rhbz#2452199
- Resolves CVE-2026-33748: rhbz#2453089
- Upstream fixes
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2452188 - CVE-2026-33747 docker-compose: BuildKit: Arbitrary file write and code execution via untrusted frontend [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2452188
[ 2 ] Bug #2452199 - CVE-2026-33747 docker-compose: BuildKit: Arbitrary file write and code execution via untrusted frontend [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2452199
[ 3 ] Bug #2453089 - CVE-2026-33748 docker-compose: BuildKit: Unauthorized file access via Git URL fragment subdir components [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453089
[ 4 ] Bug #2458697 - docker-compose-5.1.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2458697
[ 5 ] Bug #2480186 - docker-compose-5.1.4 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2480186
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-3316f97296' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 44 Update: giflib-6.1.3-2.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-0be1222520
2026-05-30 00:54:46.011335+00:00
--------------------------------------------------------------------------------
Name : giflib
Product : Fedora 44
Version : 6.1.3
Release : 2.fc44
URL : http://www.sourceforge.net/projects/giflib/
Summary : A library and utilities for processing GIFs
Description :
giflib is a library for reading and writing gif images.
--------------------------------------------------------------------------------
Update Information:
Apply proposed fix for CVE-2026-26740.
--------------------------------------------------------------------------------
ChangeLog:
* Tue May 12 2026 Sandro Mani [manisandro@gmail.com] - 6.1.3-2
- Apply proposed fix for CVE-2026-26740
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2448830 - CVE-2026-26740 giflib: giflib: Denial of Service via buffer overflow in EGifGCBToExtension [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2448830
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-0be1222520' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
