Fedora Linux 9418 Published by

Fedora administrators must apply immediate security patches across Fedora 43 and Fedora 44 distributions. The xrdp package resolves ten reported vulnerabilities and fixes a segmentation fault that occurred during TLS connections. Roundcube Webmail updates close multiple security gaps involving stored cross-site scripting, server-side request forgery, and infinite loop denial-of-service attacks. Additional updates for perl-Imager, python-bcrypt, python-tiktoken, and firefox address critical CVEs, memory leaks, and dependency compatibility issues.

Fedora 43 Update: perl-Imager-1.033-1.fc43
Fedora 43 Update: xrdp-0.10.6.1-1.fc43
Fedora 43 Update: python-bcrypt-4.3.0-14.fc43
Fedora 43 Update: roundcubemail-1.6.17-1.fc43
Fedora 43 Update: python-tiktoken-0.13.0-2.fc43
Fedora 44 Update: firefox-152.0.6-1.fc44
Fedora 44 Update: perl-Imager-1.033-1.fc44
Fedora 44 Update: xrdp-0.10.6.1-1.fc44
Fedora 44 Update: python-bcrypt-4.3.0-14.fc44
Fedora 44 Update: roundcubemail-1.7.2-1.fc44
Fedora 44 Update: python-tiktoken-0.13.0-2.fc44



[SECURITY] Fedora 43 Update: perl-Imager-1.033-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-38f958d25a
2026-07-16 01:28:35.510772+00:00
--------------------------------------------------------------------------------

Name : perl-Imager
Product : Fedora 43
Version : 1.033
Release : 1.fc43
URL : https://metacpan.org/release/Imager
Summary : Perl extension for Generating 24 bit Images
Description :
Imager is a module for creating and altering images. It can read and
write various image formats, draw primitive shapes like lines,and
polygons, blend multiple images together in various ways, scale, crop,
render text and more.

--------------------------------------------------------------------------------
Update Information:

1.033
- CVE-2026-14454: Fix mishandling of large EXIF IFD entry count values ??? treated
as negative numbers, could lead to allocation failure and program exit
- JPEG: depend on Imager 1.033 for the EXIF fix
- Fix thread context object reference count leak in bumpmap and bumpmap_complex
filters
- TIFF: fix a leak from processing the TIFF warnings buffer (introduced in
Imager 1.021)
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jul 7 2026 Jitka Plesnikova [jplesnik@redhat.com] - 1.033-1
- 1.033 bump (rhbz#2497664) - Fix CVE-2026-14454
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2497664 - perl-Imager-1.033 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2497664
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-38f958d25a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: xrdp-0.10.6.1-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-bd0a75766f
2026-07-16 01:28:35.510767+00:00
--------------------------------------------------------------------------------

Name : xrdp
Product : Fedora 43
Version : 0.10.6.1
Release : 1.fc43
URL : http://www.xrdp.org/
Summary : Open source remote desktop protocol (RDP) server
Description :
xrdp provides a fully functional RDP server compatible with a wide range
of RDP clients, including FreeRDP and Microsoft RDP client.

--------------------------------------------------------------------------------
Update Information:

Release notes for xrdp v0.10.6.1 (2026/07/06)
General announcements
This release fixes 10 vulnerabilities and 1 regression introduced by a
vulnerability fix in the previous release.
If you like xrdp, please consider sponsoring or donating to the project. We
accept financial contributions through Open Collective, and direct donations to
individual developers via GitHub Sponsors are also welcome.
Security fixes
CVE-2026-41252
CVE-2026-41521
CVE-2026-44178
CVE-2026-42218
CVE-2026-44978
CVE-2026-54538
CVE-2026-55238
CVE-2026-55626
CVE-2026-55639
CVE-2026-55645
New features
None
Bug fixes
regression: Fix SEGV in xrdp when running over TLS (#3793)
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jul 7 2026 Bojan Smojver [bojan@rexursive.com] - 1:0.10.6.1-1
- Update to 0.10.6.1
- CVE-2026-41252, CVE-2026-41521, CVE-2026-44178, CVE-2026-42218
- CVE-2026-44978, CVE-2026-54538, CVE-2026-55238, CVE-2026-55626
- CVE-2026-55639, CVE-2026-55645
* Sat Jun 13 2026 Yaakov Selkowitz [yselkowi@redhat.com] - 1:0.10.6-3
- Rebuilt for openssl 4.0
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-bd0a75766f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: python-bcrypt-4.3.0-14.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-31ec71cf0b
2026-07-16 01:28:35.510742+00:00
--------------------------------------------------------------------------------

Name : python-bcrypt
Product : Fedora 43
Version : 4.3.0
Release : 14.fc43
URL : https://pypi.python.org/pypi/bcrypt
Summary : Modern password hashing for your software and your servers
Description :
Modern password hashing for your software and your servers.

--------------------------------------------------------------------------------
Update Information:

Update PyO3 to 0.29; addresses RUSTSEC-2026-0176 and RUSTSEC-2026-0177
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jul 7 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 4.3.0-14
- Update PyO3 to 0.29; addresses RUSTSEC-2026-0176 and RUSTSEC-2026-0177
* Tue Jul 7 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 4.3.0-13
- Replace BuildRequires: rust-packaging with cargo-rpm-macros
* Tue Jul 7 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 4.3.0-12
- Drop manual BuildRequires on python3-devel
* Tue Jul 7 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 4.3.0-10
- Switch URL from HTTP to HTTPS
* Wed Jun 3 2026 Python Maint - 4.3.0-8
- Rebuilt for Python 3.15
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 4.3.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-31ec71cf0b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: roundcubemail-1.6.17-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-c3351f4ae4
2026-07-16 01:28:35.510729+00:00
--------------------------------------------------------------------------------

Name : roundcubemail
Product : Fedora 43
Version : 1.6.17
Release : 1.fc43
URL : http://www.roundcube.net
Summary : Round Cube Webmail is a browser-based multilingual IMAP client
Description :
RoundCube Webmail is a browser-based multilingual IMAP client
with an application-like user interface. It provides full
functionality you expect from an e-mail client, including MIME
support, address book, folder manipulation, message searching
and spell checking. RoundCube Webmail is written in PHP and
requires a database: MySQL, PostgreSQL and SQLite are known to
work. The user interface is fully skinnable using XHTML and
CSS 2.

--------------------------------------------------------------------------------
Update Information:

Release 1.6.17
Enigma: Support automatic public key lookup (import) using HKP v1 protocol
(#5314)
Enigma: Kolab WOAT Support (#8626)
Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193)
Security: Fix various vulnerabilities in the password plugin using session-
injected username
Security: Fix stored XSS via unescaped attachment MIME type on the attachment-
validation warning page [CVE-2026-54432]
Security: Fix SSRF bypass via specific local address URLs - two new cases
Security: Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433]
Security: Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jul 6 2026 Remi Collet [remi@remirepo.net] - 1.6.17-1
- update to 1.6.17
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2500063 - CVE-2026-54433 roundcubemail: Roundcube Webmail: Arbitrary code execution via zero-click cross-site scripting [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2500063
[ 2 ] Bug #2500065 - CVE-2026-62642 roundcubemail: Roundcube Webmail: Denial of Service via infinite loop in TNEF decoder [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2500065
[ 3 ] Bug #2500067 - CVE-2026-62644 roundcubemail: Roundcube Webmail: Account takeover via username spoofing in password plugin [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2500067
[ 4 ] Bug #2500068 - CVE-2026-54432 roundcubemail: Roundcube Webmail: Stored Cross-Site Scripting via unescaped attachment MIME type [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2500068
[ 5 ] Bug #2500071 - CVE-2026-62641 roundcubemail: Roundcube Webmail: Denial of Service via crafted TNEF compressed-RTF size [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2500071
[ 6 ] Bug #2500072 - CVE-2026-62643 roundcubemail: Roundcube Webmail: Server-Side Request Forgery via insufficient CSS sanitization [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2500072
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-c3351f4ae4' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: python-tiktoken-0.13.0-2.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-8abedbcc4f
2026-07-16 01:28:35.510726+00:00
--------------------------------------------------------------------------------

Name : python-tiktoken
Product : Fedora 43
Version : 0.13.0
Release : 2.fc43
URL : https://pypi.org/project/tiktoken/
Summary : tiktoken is a fast BPE tokeniser for use with OpenAI's models
Description :
tiktoken is a fast BPE tokeniser for use with OpenAI's models.

--------------------------------------------------------------------------------
Update Information:

Update to upstream release 0.13.0; update PyO3 to 0.29, fixing RUSTSEC-2026-0176
and RUSTSEC-2026-0177.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jul 6 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.13.0-2
- Update PyO3 to 0.29
- Fixes RUSTSEC-2026-0176 and RUSTSEC-2026-0177
* Mon Jul 6 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.13.0-1
- Update to 0.13.0 (close RHBZ#2477785)
* Mon Jul 6 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.12.0-6
- Add a comment to justify not running the tests
* Mon Jul 6 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.12.0-5
- Avoid installing duplicate license files
* Mon Jul 6 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.12.0-4
- Improve/simplify handling of Rust dependency licenses
* Wed Jun 3 2026 Python Maint - 0.12.0-3
- Rebuilt for Python 3.15
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 0.12.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Tue Oct 7 2025 Lumir Balhar [lbalhar@redhat.com] - 0.12.0-1
- Update to 0.12.0 (rhbz#2402015)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2477785 - python-tiktoken-0.13.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2477785
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-8abedbcc4f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: firefox-152.0.6-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-51c2920764
2026-07-16 01:19:18.912230+00:00
--------------------------------------------------------------------------------

Name : firefox
Product : Fedora 44
Version : 152.0.6
Release : 1.fc44
URL : https://www.mozilla.org/firefox/
Summary : Mozilla Firefox Web browser
Description :
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance and portability.

--------------------------------------------------------------------------------
Update Information:

New upstream release (152.0.6)
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jul 14 2026 Martin Stransky [stransky@redhat.com] - 152.0.6-1
- Updated to latest upstream (152.0.6)
* Fri Jul 10 2026 Martin Stransky [stransky@redhat.com] - 152.0.4-3
- Added rhbz#2458184 - Drop -fcf-protection flag
* Tue Jul 7 2026 Martin Stransky [stransky@redhat.com] - 152.0.4-2
- Remove Fedora 40/41 tweaks.
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-51c2920764' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: perl-Imager-1.033-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-5f5efe281d
2026-07-16 01:19:18.912170+00:00
--------------------------------------------------------------------------------

Name : perl-Imager
Product : Fedora 44
Version : 1.033
Release : 1.fc44
URL : https://metacpan.org/release/Imager
Summary : Perl extension for Generating 24 bit Images
Description :
Imager is a module for creating and altering images. It can read and
write various image formats, draw primitive shapes like lines,and
polygons, blend multiple images together in various ways, scale, crop,
render text and more.

--------------------------------------------------------------------------------
Update Information:

1.033
- CVE-2026-14454: Fix mishandling of large EXIF IFD entry count values ??? treated
as negative numbers, could lead to allocation failure and program exit
- JPEG: depend on Imager 1.033 for the EXIF fix
- Fix thread context object reference count leak in bumpmap and bumpmap_complex
filters
- TIFF: fix a leak from processing the TIFF warnings buffer (introduced in
Imager 1.021)
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jul 7 2026 Jitka Plesnikova [jplesnik@redhat.com] - 1.033-1
- 1.033 bump (rhbz#2497664) - Fix CVE-2026-14454
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2497664 - perl-Imager-1.033 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2497664
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-5f5efe281d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: xrdp-0.10.6.1-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-05c06fa0a8
2026-07-16 01:19:18.912160+00:00
--------------------------------------------------------------------------------

Name : xrdp
Product : Fedora 44
Version : 0.10.6.1
Release : 1.fc44
URL : http://www.xrdp.org/
Summary : Open source remote desktop protocol (RDP) server
Description :
xrdp provides a fully functional RDP server compatible with a wide range
of RDP clients, including FreeRDP and Microsoft RDP client.

--------------------------------------------------------------------------------
Update Information:

Release notes for xrdp v0.10.6.1 (2026/07/06)
General announcements
This release fixes 10 vulnerabilities and 1 regression introduced by a
vulnerability fix in the previous release.
If you like xrdp, please consider sponsoring or donating to the project. We
accept financial contributions through Open Collective, and direct donations to
individual developers via GitHub Sponsors are also welcome.
Security fixes
CVE-2026-41252
CVE-2026-41521
CVE-2026-44178
CVE-2026-42218
CVE-2026-44978
CVE-2026-54538
CVE-2026-55238
CVE-2026-55626
CVE-2026-55639
CVE-2026-55645
New features
None
Bug fixes
regression: Fix SEGV in xrdp when running over TLS (#3793)
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jul 7 2026 Bojan Smojver [bojan@rexursive.com] - 1:0.10.6.1-1
- Update to 0.10.6.1
- CVE-2026-41252, CVE-2026-41521, CVE-2026-44178, CVE-2026-42218
- CVE-2026-44978, CVE-2026-54538, CVE-2026-55238, CVE-2026-55626
- CVE-2026-55639, CVE-2026-55645
* Sat Jun 13 2026 Yaakov Selkowitz [yselkowi@redhat.com] - 1:0.10.6-3
- Rebuilt for openssl 4.0
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-05c06fa0a8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: python-bcrypt-4.3.0-14.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-65b6511854
2026-07-16 01:19:18.912130+00:00
--------------------------------------------------------------------------------

Name : python-bcrypt
Product : Fedora 44
Version : 4.3.0
Release : 14.fc44
URL : https://pypi.python.org/pypi/bcrypt
Summary : Modern password hashing for your software and your servers
Description :
Modern password hashing for your software and your servers.

--------------------------------------------------------------------------------
Update Information:

Update PyO3 to 0.29; addresses RUSTSEC-2026-0176 and RUSTSEC-2026-0177
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jul 7 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 4.3.0-14
- Update PyO3 to 0.29; addresses RUSTSEC-2026-0176 and RUSTSEC-2026-0177
* Tue Jul 7 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 4.3.0-13
- Replace BuildRequires: rust-packaging with cargo-rpm-macros
* Tue Jul 7 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 4.3.0-12
- Drop manual BuildRequires on python3-devel
* Tue Jul 7 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 4.3.0-10
- Switch URL from HTTP to HTTPS
* Wed Jun 3 2026 Python Maint - 4.3.0-8
- Rebuilt for Python 3.15
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-65b6511854' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: roundcubemail-1.7.2-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-517daa8d64
2026-07-16 01:19:18.912120+00:00
--------------------------------------------------------------------------------

Name : roundcubemail
Product : Fedora 44
Version : 1.7.2
Release : 1.fc44
URL : http://www.roundcube.net
Summary : Round Cube Webmail is a browser-based multilingual IMAP client
Description :
RoundCube Webmail is a browser-based multilingual IMAP client
with an application-like user interface. It provides full
functionality you expect from an e-mail client, including MIME
support, address book, folder manipulation, message searching
and spell checking. RoundCube Webmail is written in PHP and
requires a database: MySQL, PostgreSQL and SQLite are known to
work. The user interface is fully skinnable using XHTML and
CSS 2.

--------------------------------------------------------------------------------
Update Information:

Release 1.7.2
Add HEAD request handler to the static.php
Fix so the oauth_password_claim claim is retrieved via token or userinfo request
(#9631)
Fix bug where static.php would return a 416 error on a specific Range request
(#10194)
Fix bug where configured skin logo wasn't loaded via static.php resulting in 404
error (#10191)
Fix bug where installto.sh would fail if public_html folder does not exist in
the target directory (#10202)
Revert "Prefer 8bit over quoted-printable for HTML parts, when force_7bit is
disabled (#8477)" (#10198)
Fix incorrect unfolding of folded lines when importing vCard 2.1 contacts
(#9647)
Fix bug where Imagick could leave large temporary files on failure (#10230)
Fix bug where redis/memcache session could have been updated more often than
needed
Fix support for untyped tokens in OIDC backchannel logout, require unset nonce
(#10097)
Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193)
Security: Fix various vulnerabilities in the password plugin using session-
injected username
Security: Fix stored XSS via unescaped attachment MIME type on the attachment-
validation warning page [CVE-2026-54432]
Security: Fix SSRF bypass via specific local address URLs - two new cases
Security: Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433]
Security: Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jul 6 2026 Remi Collet [remi@remirepo.net] - 1.7.2-1
- update to 1.7.2
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2500063 - CVE-2026-54433 roundcubemail: Roundcube Webmail: Arbitrary code execution via zero-click cross-site scripting [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2500063
[ 2 ] Bug #2500065 - CVE-2026-62642 roundcubemail: Roundcube Webmail: Denial of Service via infinite loop in TNEF decoder [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2500065
[ 3 ] Bug #2500067 - CVE-2026-62644 roundcubemail: Roundcube Webmail: Account takeover via username spoofing in password plugin [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2500067
[ 4 ] Bug #2500068 - CVE-2026-54432 roundcubemail: Roundcube Webmail: Stored Cross-Site Scripting via unescaped attachment MIME type [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2500068
[ 5 ] Bug #2500071 - CVE-2026-62641 roundcubemail: Roundcube Webmail: Denial of Service via crafted TNEF compressed-RTF size [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2500071
[ 6 ] Bug #2500072 - CVE-2026-62643 roundcubemail: Roundcube Webmail: Server-Side Request Forgery via insufficient CSS sanitization [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2500072
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-517daa8d64' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: python-tiktoken-0.13.0-2.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-e0bcb90c9f
2026-07-16 01:19:18.912113+00:00
--------------------------------------------------------------------------------

Name : python-tiktoken
Product : Fedora 44
Version : 0.13.0
Release : 2.fc44
URL : https://pypi.org/project/tiktoken/
Summary : tiktoken is a fast BPE tokeniser for use with OpenAI's models
Description :
tiktoken is a fast BPE tokeniser for use with OpenAI's models.

--------------------------------------------------------------------------------
Update Information:

Update to upstream release 0.13.0; update PyO3 to 0.29, fixing RUSTSEC-2026-0176
and RUSTSEC-2026-0177.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jul 6 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.13.0-2
- Update PyO3 to 0.29
- Fixes RUSTSEC-2026-0176 and RUSTSEC-2026-0177
* Mon Jul 6 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.13.0-1
- Update to 0.13.0 (close RHBZ#2477785)
* Mon Jul 6 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.12.0-6
- Add a comment to justify not running the tests
* Mon Jul 6 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.12.0-5
- Avoid installing duplicate license files
* Mon Jul 6 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.12.0-4
- Improve/simplify handling of Rust dependency licenses
* Wed Jun 3 2026 Python Maint - 0.12.0-3
- Rebuilt for Python 3.15
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2477785 - python-tiktoken-0.13.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2477785
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-e0bcb90c9f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new