Fedora Security Advisories

• xen-4.19.4-2.fc42

x86: buffer overrun with shadow paging + tracing [XSA-477, CVE-2025-58150] x86: incomplete IBPB for vCPU isolation [XSA-479, CVE-2026-23553]

• k9s-0.50.18-1.fc43

Update to version 0.50.18

• mingw-glib2-2.84.3-3.fc42

Backport fixes for CVE-2026-1484, CVE-2026-1485, CVE-2026-1489.

• mingw-glib2-2.86.3-3.fc43

Backport fixes for CVE-2026-1484, CVE-2026-1485, CVE-2026-1489.

• libgit2-1.9.2-1.fc43

Update to version 1.9.2.

Release notes: https://github.com/libgit2/libgit2/releases/tag/v1.9.2

• libgit2-1.9.2-1.fc42

Update to version 1.9.2.

Release notes: https://github.com/libgit2/libgit2/releases/tag/v1.9.2

• xen-4.20.2-3.fc43

x86: buffer overrun with shadow paging + tracing [XSA-477, CVE-2025-58150] x86: incomplete IBPB for vCPU isolation [XSA-479, CVE-2026-23553]

• xorgxrdp-0.10.5-1.el9
• xrdp-0.10.5-1.el9

Release notes for xrdp v0.10.5 (2026/01/27)

Security fixes

• CVE-2025-68670: Improper bounds checking of domain string length leads to Stack-based Buffer Overflow

New features

• It is now possible to start the xrdp daemon entirely unprivileged from the service manager (#3599 #3603). If you do this certain restrictions will apply. See https://github.com/neutrinolabs/xrdp/wiki/Running-the-xrdp-process-as-non-root for details.
• TLS pre-master secrets can now be recorded for packet captures (#3617)
• Add a FuseRootReportMaxFree to work around 'no free space' issues with some file managers (#3639)
• Alternate shell names can now be passed to startwm.sh in an environment variable for more system management control (#3624 #3651)
• Updated Xorg paths in sesman.ini to include more recent distros (#3663)
• Add Slovenian keyboard (#3668 #3670)
• xrdpapi: Add a way to monitor connect/disconnect events (#3693)

Bug fixes

• Allow an empty X11 UTF8_STRING to be pasted to the clipboard (#3580 #3582)
• Fix a regression introduced in v0.10.x, where it became impossible to connect to a VNC server which did not support the ExtendedDesktopSize encoding (#3540 #3584)
• Fix a regression introduced in v0.10.x related to PAM groups handling (#3594)
• Inconsistencies with [MS-RDPBCGR] have been addressed (#3608)
• A reference to uninitialised data within the verify_user_pam_userpass.c module has been fixed (#3638)
• Prevent some possible crashes when the RFX encoder is resized (#3590 #3644)
• Fixes a regression introduced by GFX development which prevented the JPEG encoder from working correctly (#3649)
• Fixes a regression introduced by #2974 which resulted in the xrdp PID file being deleted unexpectedly (#3650)
• Do not overwrite a VNC port set by the user when not using sesman (#3674)
• Fix regression from 0.9.x when freerdp client uses /workarea (#3618 #3676)
• Fixes a crash where a resize is attempted with drdynvc disabled (#3672 #3680)
• getgrouplist() now compiles on MacOS (#3575)
• Various Coverity warnings have been addressed (#3656)
• Documentation improvements (#3665)

Internal changes

• An unnecessary include of sys/signal.h causing a compile warning on MUSL-C has been removed (#3679)

Release notes for xorgxrdp v0.10.5 (2026/01/28)

Bug fixes

• Fix bug in Chrome pointer detection (#394 #396)

Internal changes

• CI: Update FreeBSD xrdp dependency (#398)

• xorgxrdp-0.10.5-1.fc42
• xrdp-0.10.5-1.fc42

Release notes for xrdp v0.10.5 (2026/01/27)

Security fixes

• CVE-2025-68670: Improper bounds checking of domain string length leads to Stack-based Buffer Overflow

New features

• It is now possible to start the xrdp daemon entirely unprivileged from the service manager (#3599 #3603). If you do this certain restrictions will apply. See https://github.com/neutrinolabs/xrdp/wiki/Running-the-xrdp-process-as-non-root for details.
• TLS pre-master secrets can now be recorded for packet captures (#3617)
• Add a FuseRootReportMaxFree to work around 'no free space' issues with some file managers (#3639)
• Alternate shell names can now be passed to startwm.sh in an environment variable for more system management control (#3624 #3651)
• Updated Xorg paths in sesman.ini to include more recent distros (#3663)
• Add Slovenian keyboard (#3668 #3670)
• xrdpapi: Add a way to monitor connect/disconnect events (#3693)

Bug fixes

• Allow an empty X11 UTF8_STRING to be pasted to the clipboard (#3580 #3582)
• Fix a regression introduced in v0.10.x, where it became impossible to connect to a VNC server which did not support the ExtendedDesktopSize encoding (#3540 #3584)
• Fix a regression introduced in v0.10.x related to PAM groups handling (#3594)
• Inconsistencies with [MS-RDPBCGR] have been addressed (#3608)
• A reference to uninitialised data within the verify_user_pam_userpass.c module has been fixed (#3638)
• Prevent some possible crashes when the RFX encoder is resized (#3590 #3644)
• Fixes a regression introduced by GFX development which prevented the JPEG encoder from working correctly (#3649)
• Fixes a regression introduced by #2974 which resulted in the xrdp PID file being deleted unexpectedly (#3650)
• Do not overwrite a VNC port set by the user when not using sesman (#3674)
• Fix regression from 0.9.x when freerdp client uses /workarea (#3618 #3676)
• Fixes a crash where a resize is attempted with drdynvc disabled (#3672 #3680)
• getgrouplist() now compiles on MacOS (#3575)
• Various Coverity warnings have been addressed (#3656)
• Documentation improvements (#3665)

Internal changes

• An unnecessary include of sys/signal.h causing a compile warning on MUSL-C has been removed (#3679)

Release notes for xorgxrdp v0.10.5 (2026/01/28)

Bug fixes

• Fix bug in Chrome pointer detection (#394 #396)

Internal changes

• CI: Update FreeBSD xrdp dependency (#398)

• xorgxrdp-0.10.5-1.el8
• xrdp-0.10.5-1.el8

Release notes for xrdp v0.10.5 (2026/01/27)

Security fixes

• CVE-2025-68670: Improper bounds checking of domain string length leads to Stack-based Buffer Overflow

New features

• It is now possible to start the xrdp daemon entirely unprivileged from the service manager (#3599 #3603). If you do this certain restrictions will apply. See https://github.com/neutrinolabs/xrdp/wiki/Running-the-xrdp-process-as-non-root for details.
• TLS pre-master secrets can now be recorded for packet captures (#3617)
• Add a FuseRootReportMaxFree to work around 'no free space' issues with some file managers (#3639)
• Alternate shell names can now be passed to startwm.sh in an environment variable for more system management control (#3624 #3651)
• Updated Xorg paths in sesman.ini to include more recent distros (#3663)
• Add Slovenian keyboard (#3668 #3670)
• xrdpapi: Add a way to monitor connect/disconnect events (#3693)

Bug fixes

• Allow an empty X11 UTF8_STRING to be pasted to the clipboard (#3580 #3582)
• Fix a regression introduced in v0.10.x, where it became impossible to connect to a VNC server which did not support the ExtendedDesktopSize encoding (#3540 #3584)
• Fix a regression introduced in v0.10.x related to PAM groups handling (#3594)
• Inconsistencies with [MS-RDPBCGR] have been addressed (#3608)
• A reference to uninitialised data within the verify_user_pam_userpass.c module has been fixed (#3638)
• Prevent some possible crashes when the RFX encoder is resized (#3590 #3644)
• Fixes a regression introduced by GFX development which prevented the JPEG encoder from working correctly (#3649)
• Fixes a regression introduced by #2974 which resulted in the xrdp PID file being deleted unexpectedly (#3650)
• Do not overwrite a VNC port set by the user when not using sesman (#3674)
• Fix regression from 0.9.x when freerdp client uses /workarea (#3618 #3676)
• Fixes a crash where a resize is attempted with drdynvc disabled (#3672 #3680)
• getgrouplist() now compiles on MacOS (#3575)
• Various Coverity warnings have been addressed (#3656)
• Documentation improvements (#3665)

Internal changes

• An unnecessary include of sys/signal.h causing a compile warning on MUSL-C has been removed (#3679)

Release notes for xorgxrdp v0.10.5 (2026/01/28)

Bug fixes

• Fix bug in Chrome pointer detection (#394 #396)

Internal changes

• CI: Update FreeBSD xrdp dependency (#398)

• xorgxrdp-0.10.5-1.fc43
• xrdp-0.10.5-1.fc43

Release notes for xrdp v0.10.5 (2026/01/27)

Security fixes

• CVE-2025-68670: Improper bounds checking of domain string length leads to Stack-based Buffer Overflow

New features

• It is now possible to start the xrdp daemon entirely unprivileged from the service manager (#3599 #3603). If you do this certain restrictions will apply. See https://github.com/neutrinolabs/xrdp/wiki/Running-the-xrdp-process-as-non-root for details.
• TLS pre-master secrets can now be recorded for packet captures (#3617)
• Add a FuseRootReportMaxFree to work around 'no free space' issues with some file managers (#3639)
• Alternate shell names can now be passed to startwm.sh in an environment variable for more system management control (#3624 #3651)
• Updated Xorg paths in sesman.ini to include more recent distros (#3663)
• Add Slovenian keyboard (#3668 #3670)
• xrdpapi: Add a way to monitor connect/disconnect events (#3693)

Bug fixes

• Allow an empty X11 UTF8_STRING to be pasted to the clipboard (#3580 #3582)
• Fix a regression introduced in v0.10.x, where it became impossible to connect to a VNC server which did not support the ExtendedDesktopSize encoding (#3540 #3584)
• Fix a regression introduced in v0.10.x related to PAM groups handling (#3594)
• Inconsistencies with [MS-RDPBCGR] have been addressed (#3608)
• A reference to uninitialised data within the verify_user_pam_userpass.c module has been fixed (#3638)
• Prevent some possible crashes when the RFX encoder is resized (#3590 #3644)
• Fixes a regression introduced by GFX development which prevented the JPEG encoder from working correctly (#3649)
• Fixes a regression introduced by #2974 which resulted in the xrdp PID file being deleted unexpectedly (#3650)
• Do not overwrite a VNC port set by the user when not using sesman (#3674)
• Fix regression from 0.9.x when freerdp client uses /workarea (#3618 #3676)
• Fixes a crash where a resize is attempted with drdynvc disabled (#3672 #3680)
• getgrouplist() now compiles on MacOS (#3575)
• Various Coverity warnings have been addressed (#3656)
• Documentation improvements (#3665)

Internal changes

• An unnecessary include of sys/signal.h causing a compile warning on MUSL-C has been removed (#3679)

Release notes for xorgxrdp v0.10.5 (2026/01/28)

Bug fixes

• Fix bug in Chrome pointer detection (#394 #396)

Internal changes

• CI: Update FreeBSD xrdp dependency (#398)

• python-python-multipart-0.0.20-2.el9

Backport the fix for CVE-2026-24486 / GHSA-wp53-j4wj-2cfg: drop directory path from filename in File.

• openqa-5^20250711git28a0214-4.fc42

This update bumps the bundled lodash to 4.17.23 to ensure openQA is protected against CVE-2025-13465. It likely was not vulnerable in any case, though, as I don't believe the vulnerable codepaths were exposed by openQA's use of lodash.

• openssl-3.2.6-3.fc42

Don't crash on parsing PKCS#12 without MAC Resolves: CVE-2025-11187 Resolves: CVE-2025-15467 Resolves: CVE-2025-69419

• openssl-3.5.4-2.fc43

Resolves: CVE-2025-15467 Resolves: CVE-2025-15468 Resolves: CVE-2025-15469 Resolves: CVE-2025-66199 Resolves: CVE-2025-68160 Resolves: CVE-2025-69418 Resolves: CVE-2025-69420 Resolves: CVE-2025-69421 Resolves: CVE-2025-69419 Resolves: CVE-2026-22795 Resolves: CVE-2026-22796 Resolves: CVE-2025-11187

• java-latest-openjdk-26.0.0.0.32-0.0.1.ea.el8

January 2026 annual updates

• java-latest-openjdk-26.0.0.0.32-0.0.1.ea.el10_2
• java-latest-openjdk-portable-26.0.0.0.32-0.1.ea.rolling.el8

January 2026 annual updates

• java-latest-openjdk-26.0.0.0.32-0.0.1.ea.el9

January 2026 annual updates

• java-21-openjdk-21.0.10.0.7-2.fc43
• java-25-openjdk-25.0.2.0.10-2.fc43
• java-latest-openjdk-26.0.0.0.32-0.0.1.ea.fc43

January 2026 annual updates

January 2026 security update

• java-21-openjdk-21.0.10.0.7-2.fc42
• java-25-openjdk-25.0.2.0.10-2.fc42
• java-latest-openjdk-26.0.0.0.32-0.0.1.ea.fc42

January 2026 annual updates

January 2026 security update