Fedora Security Advisories

roundcubemail-1.7~rc5-1.fc44

2 hours 31 minutes ago
FEDORA-2026-9b0f520716
Packages in this update:
  • roundcubemail-1.7~rc5-1.fc44
Update description:

Version 1.7-rc5

  • Password: Add nt-binary hashing method (#10096)
  • Fix URL matching for domain names with port numbers (#10105)
  • Fix PHP fatal error when using IMAP cache (#10102)
  • Fix Postgres connection using IPv6 address (#10104)
  • Fix bug where rel=stylesheet part of a <link> could get removed
  • Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
  • Security: Fix bug where a password could get changed without providing the old password
  • Security: Fix IMAP Injection + CSRF bypass in mail search
  • Security: Fix remote image blocking bypass via various SVG animate attributes
  • Security: Fix remote image blocking bypass via a crafted body background attribute
  • Security: Fix fixed position mitigation bypass via use of !important
  • Security: Fix XSS issue in an HTML attachment preview
  • Security: Fix SSRF + Information Disclosure via stylesheet links to local network hosts

roundcubemail-1.6.14-1.el10_2

2 hours 32 minutes ago
FEDORA-EPEL-2026-95071cd05c
Packages in this update:
  • roundcubemail-1.6.14-1.el10_2
Update description:

Version 1.6.14

  • Fix Postgres connection using IPv6 address (#10104)
  • Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
  • Security: Fix bug where a password could get changed without providing the old password
  • Security: Fix IMAP Injection + CSRF bypass in mail search
  • Security: Fix remote image blocking bypass via various SVG animate attributes
  • Security: Fix remote image blocking bypass via a crafted body background attribute
  • Security: Fix fixed position mitigation bypass via use of !important
  • Security: Fix XSS issue in an HTML attachment preview
  • Security: Fix SSRF + Information Disclosure via stylesheet links to local network hosts

roundcubemail-1.6.14-1.fc42

2 hours 32 minutes ago
FEDORA-2026-c283cce7fd
Packages in this update:
  • roundcubemail-1.6.14-1.fc42
Update description:

Version 1.6.14

  • Fix Postgres connection using IPv6 address (#10104)
  • Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
  • Security: Fix bug where a password could get changed without providing the old password
  • Security: Fix IMAP Injection + CSRF bypass in mail search
  • Security: Fix remote image blocking bypass via various SVG animate attributes
  • Security: Fix remote image blocking bypass via a crafted body background attribute
  • Security: Fix fixed position mitigation bypass via use of !important
  • Security: Fix XSS issue in an HTML attachment preview
  • Security: Fix SSRF + Information Disclosure via stylesheet links to local network hosts

roundcubemail-1.6.14-1.fc43

2 hours 32 minutes ago
FEDORA-2026-2decd38070
Packages in this update:
  • roundcubemail-1.6.14-1.fc43
Update description:

Version 1.6.14

  • Fix Postgres connection using IPv6 address (#10104)
  • Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
  • Security: Fix bug where a password could get changed without providing the old password
  • Security: Fix IMAP Injection + CSRF bypass in mail search
  • Security: Fix remote image blocking bypass via various SVG animate attributes
  • Security: Fix remote image blocking bypass via a crafted body background attribute
  • Security: Fix fixed position mitigation bypass via use of !important
  • Security: Fix XSS issue in an HTML attachment preview
  • Security: Fix SSRF + Information Disclosure via stylesheet links to local network hosts

roundcubemail-1.6.14-1.el10_1

2 hours 32 minutes ago
FEDORA-EPEL-2026-31c7836113
Packages in this update:
  • roundcubemail-1.6.14-1.el10_1
Update description:

Version 1.6.14

  • Fix Postgres connection using IPv6 address (#10104)
  • Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
  • Security: Fix bug where a password could get changed without providing the old password
  • Security: Fix IMAP Injection + CSRF bypass in mail search
  • Security: Fix remote image blocking bypass via various SVG animate attributes
  • Security: Fix remote image blocking bypass via a crafted body background attribute
  • Security: Fix fixed position mitigation bypass via use of !important
  • Security: Fix XSS issue in an HTML attachment preview
  • Security: Fix SSRF + Information Disclosure via stylesheet links to local network hosts

roundcubemail-1.6.14-1.el10_3

2 hours 32 minutes ago
FEDORA-EPEL-2026-b318120749
Packages in this update:
  • roundcubemail-1.6.14-1.el10_3
Update description:

Version 1.6.14

  • Fix Postgres connection using IPv6 address (#10104)
  • Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
  • Security: Fix bug where a password could get changed without providing the old password
  • Security: Fix IMAP Injection + CSRF bypass in mail search
  • Security: Fix remote image blocking bypass via various SVG animate attributes
  • Security: Fix remote image blocking bypass via a crafted body background attribute
  • Security: Fix fixed position mitigation bypass via use of !important
  • Security: Fix XSS issue in an HTML attachment preview
  • Security: Fix SSRF + Information Disclosure via stylesheet links to local network hosts

roundcubemail-1.5.14-1.el9

2 hours 43 minutes ago
FEDORA-EPEL-2026-34a0375273
Packages in this update:
  • roundcubemail-1.5.14-1.el9
Update description:

Version 1.5.14

  • Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
  • Security: Fix bug where a password could get changed without providing the old password
  • Security: Fix IMAP Injection + CSRF bypass in mail search
  • Security: Fix remote image blocking bypass via various SVG animate attributes
  • Security: Fix remote image blocking bypass via a crafted body background attribute
  • Security: Fix fixed position mitigation bypass via use of !important
  • Security: Fix XSS issue in an HTML attachment preview

xen-4.19.4-3.fc42

10 hours 54 minutes ago
FEDORA-2026-f4371b21f0
Packages in this update:
  • xen-4.19.4-3.fc42
Update description:

  • Use after free of paging structures in EPT [XSA-480, CVE-2026-23554]
  • Xenstored DoS by unprivileged domain [XSA-481, CVE-2026-23555]

xen-4.20.2-4.fc43

13 hours 26 minutes ago
FEDORA-2026-8ae1a1c3d7
Packages in this update:
  • xen-4.20.2-4.fc43
Update description:

  • Use after free of paging structures in EPT [XSA-480, CVE-2026-23554]
  • Xenstored DoS by unprivileged domain [XSA-481, CVE-2026-23555]

pyOpenSSL-26.0.0-1.fc44

14 hours 39 minutes ago
FEDORA-2026-5697f4e025
Packages in this update:
  • pyOpenSSL-26.0.0-1.fc44
Update description:

Update to version 26.0.0

  • Added support for using aws-lc instead of OpenSSL.
  • Properly raise an error if a DTLS cookie callback returned a cookie longer than DTLS1_COOKIE_LENGTH bytes. Previously this would result in a buffer overflow. Credit to dark_haxor for reporting the issue. CVE-2026-27459
  • Added OpenSSL.SSL.Connection.get_group_name to determine which group name was negotiated.
  • Context.set_tlsext_servername_callback now handles exceptions raised in the callback by calling sys.excepthook and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded. Credit to Leury Castillo for reporting this issue. CVE-2026-27448

openssh-10.2p1-6.fc44

22 hours 17 minutes ago
FEDORA-2026-62fb46caac
Packages in this update:
  • openssh-10.2p1-6.fc44
Update description:
  • CVE-2026-3497: Fix information disclosure or denial of service due to uninitialized variables in gssapi-keyex

openssh-9.9p1-13.fc42

22 hours 17 minutes ago
FEDORA-2026-39819a3d62
Packages in this update:
  • openssh-9.9p1-13.fc42
Update description:
  • CVE-2026-3497: Fix information disclosure or denial of service due to uninitialized variables in gssapi-keyex

openssh-10.0p1-7.fc43

22 hours 17 minutes ago
FEDORA-2026-bab4aa5da7
Packages in this update:
  • openssh-10.0p1-7.fc43
Update description:
  • CVE-2026-3497: Fix information disclosure or denial of service due to uninitialized variables in gssapi-keyex