Aggregator

It was discovered that Emacs could trigger unsafe Lisp macro expansion, when a user invoked elisp-completion-at-point on untrusted Emacs Lisp source code. An attacker could possibly use this issue to execute arbitrary code. (CVE-2024-53920) It was discovered that Emacs did not properly sanitize input when handling certain URI schemes. An attacker could possibly use this issue to execute arbitrary shell commands by tricking a user into opening a specially crafted URL. (CVE-2025-1244)

FEDORA-2026-66cb8ecfc2 Packages in this update:

• python-aiohttp-3.13.3-4.fc43

Update description:

https://github.com/aio-libs/aiohttp/blob/v3.13.3/CHANGES.rst

Several security issues were discovered in the libraries bundled in pip. An attacker could possibly use these issues to perform a variety of attacks, such as denial of service or arbitrary code execution.

Version:next-20260203 (linux-next) Released:2026-02-03

It was discovered that Django exposed timing information when checking passwords. An attacker could possibly use this issue to obtain sensitive information. (CVE-2025-13473) Jiyong Yang discovered that Django incorrectly handled malformed requests with duplicate headers. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2025-14550) Tarek Nakkouch discovered that Django incorrectly parsed raster lookups. An attacker could possibly use this issue to perform SQL injection attacks. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-1207) Seokchan Yoon discovered that Django incorrectly handled malformed HTML inputs containing a large amount of unmatched HTML end tags. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-1285) Solomon Kebede discovered that Django incorrectly handled control characters in the dictionary expansion of certain QuerySet methods. An attacker could possibly use this issue to perform SQL injection attacks. (CVE-2026-1287) Solomon Kebede discovered that Django incorrectly handled column alias parsing with dictionary expansion. An attacker could possibly use this issue to perform SQL injection attacks. This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-1312)

FEDORA-2026-f5514402fd Packages in this update:

• python3.6-3.6.15-52.fc42

Update description:

• Security fixes for CVE-2026-0865, CVE-2025-15366, CVE-2025-15367, CVE-2026-1299

FEDORA-2026-d68ca022b1 Packages in this update:

• python3.6-3.6.15-52.fc43

Update description:

• Security fixes for CVE-2026-0865, CVE-2025-15366, CVE-2025-15367, CVE-2026-1299

Grzegorz Grasza discovered that the Keystone Middleware incorrectly sanitized authentication headers before processing OAuth 2.0 tokens. An attacker could possibly use this issue to escalate privileges or impersonate other users.

FEDORA-2026-59fdfa64f5 Packages in this update:

• gnupg2-2.4.9-2.fc42

Update description:

Fix CVE-2026-24882: Stack-based buffer overflow in tpm2daemon allows arbitrary code execution

FEDORA-2026-d5c00a447f Packages in this update:

• gnupg2-2.4.9-5.fc43

Update description:

Fix CVE-2026-24882: Stack-based buffer overflow in tpm2daemon allows arbitrary code execution

It was discovered that ImageMagick incorrectly handled image depth values when processing MIFF image files. An attacker could use this issue to cause a denial of service or possibly execute arbitrary code. (CVE-2025-43965) It was discovered that ImageMagick incorrectly processed SVG images and MSL files. An attacker could possibly use this issue to cause a denial of service. (CVE-2025-68618) It was discovered that ImageMagick incorrectly handled memory when converting MVG files. An attacker could possibly use this issue to cause a denial of service. (CVE-2025-69204)

Multiple security issues were discovered in MySQL and this update includes a new upstream MySQL version to fix these issues. MySQL has been updated to 8.0.45 in Ubuntu 20.04 LTS. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-45.html https://www.oracle.com/security-alerts/cpujan2026.html

Vitaly Simonovich discovered that the GNU C Library did not properly initialize the input when WRDE_REUSE is used. An attacker could possibly use this issue to cause applications to crash, leading to a denial of service. (CVE-2025-15281) Anastasia Belova discovered that the GNU C Library incorrectly handled the regcomp function when memory allocation failures occured. An attacker could possibly use this issue to cause applications to crash, leading to a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2025-8058) Igor Morgenstern discovered that the GNU C Library incorrectly handled the memalign function when doing memory allocation. An attacker could possibly use this issue to cause applications to crash, leading to a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-0861) Igor Morgenstern discovered that the GNU C Library incorrectly handled certain DNS backend when queries for a zero-valued network. An attacker could possibly use this issue to cause a denial of service or obtain sensitive information. (CVE-2026-0915)

Kim Dong Han discovered that FreeRDP did not correctly validate the size of certain variables, which could cause a buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

It was discovered that the RMI component of OpenJDK 17 would establish RMI TCP endpoint connections to a remote host without setting an endpoint identification algorithm. An unauthenticated remote attacker could possibly use this issue to steal sensitive information. (CVE-2026-21925) Mingijung discovered that the AWT and JavaFX componenets of OpenJDK 17 could run programs if Desktop.browse() was supplied a filename as a URI. An unauthenticated remote attacker could possibly use this issue to execute arbitrary code. (CVE-2026-21932) Zhihui Chen discovered that the Networking component of OpenJDK 17 was suceptible to a CRLF injection vulnerability via the HttpServer class. An unauthenticated remote attacker could possibly use this issue to modify files or leak sensitive information. (CVE-2026-21933) Ireneusz Pastusiak discovered that the Security component of OpenJDK 17 failed to verify provided URIs point to a legitimate source when AIA is enabled. An unauthenticated remote attacker could possibly use this issue to redirect users to malicious hosts. (CVE-2026-21945) In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: https://openjdk.org/groups/vulnerability/advisories/2026-01-20

FEDORA-2026-ab67a4d8b3 Packages in this update:

• osslsigncode-2.12-1.fc42

Update description:

See commit history

FEDORA-EPEL-2026-5cd59d2965 Packages in this update:

• osslsigncode-2.12-1.el9

Update description:

See commit history

FEDORA-2026-3c6cc85b52 Packages in this update:

• osslsigncode-2.12-1.fc43

Update description:

See commit history

It was discovered that the RMI component of CRaC JDK 21 would establish RMI TCP endpoint connections to a remote host without setting an endpoint identification algorithm. An unauthenticated remote attacker could possibly use this issue to steal sensitive information. (CVE-2026-21925) Mingijung discovered that the AWT and JavaFX componenets of CRaC JDK 21 could run programs if Desktop.browse() was supplied a filename as a URI. An unauthenticated remote attacker could possibly use this issue to execute arbitrary code. (CVE-2026-21932) Zhihui Chen discovered that the Networking component of CRaC JDK 21 was suceptible to a CRLF injection vulnerability via the HttpServer class. An unauthenticated remote attacker could possibly use this issue to modify files or leak sensitive information. (CVE-2026-21933) Ireneusz Pastusiak discovered that the Security component of CRaC JDK 21 failed to verify provided URIs point to a legitimate source when AIA is enabled. An unauthenticated remote attacker could possibly use this issue to redirect users to malicious hosts. (CVE-2026-21945) In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: https://openjdk.org/groups/vulnerability/advisories/2026-01-20