Fedora Security Advisories

perl-HTTP-Tiny-0.094-1.fc43

2 hours 51 minutes ago
FEDORA-2026-3bfb774625
Packages in this update:
  • perl-HTTP-Tiny-0.094-1.fc43
Update description:

0.094 - fix to prevent invalid characters in all headers, and prevent header smuggling (CVE-2026-7010)

cockpit-362-1.fc44

5 hours 16 minutes ago
FEDORA-2026-ac9d9c87c8
Packages in this update:
  • cockpit-362-1.fc44
Update description:

Automatic update for cockpit-362-1.fc44.

Changelog for cockpit

* Wed May 20 2026 Packit <hello@packit.dev> - 362-1
- Bug fixes and translation updates
- Fix arbitrary code execution via specially crafted logs page link (CVE-2026-4802)

cockpit-362-1.fc43

5 hours 18 minutes ago
FEDORA-2026-58cee40a55
Packages in this update:
  • cockpit-362-1.fc43
Update description:

Automatic update for cockpit-362-1.fc43.

Changelog for cockpit

* Wed May 20 2026 Packit <hello@packit.dev> - 362-1
- Bug fixes and translation updates
- Fix arbitrary code execution via specially crafted logs page link (CVE-2026-4802)

unbound-1.25.1-1.fc44

6 hours 15 minutes ago
FEDORA-2026-49f37e16aa
Packages in this update:
  • unbound-1.25.1-1.fc44
Update description:

Update to 1.25.1 (rhbz#2480119)
  • Fix CVE-2026-33278, Possible remote code execution during DNSSEC validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
  • Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
  • Fix CVE-2026-42959, Crash during DNSSEC validation of malicious content. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
  • Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew Griffiths from 'calif.io' for the report.
  • Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
  • Fix CVE-2026-41292, Parsing a long list of incoming EDNS options degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan Zhang from Palo Alto Networks, for the report.
  • Fix CVE-2026-42534, Jostle logic bypass degrades resolution performance. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
  • Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
  • Fix CVE-2026-42960, Possible cache poisoning attack while following delegation. Thanks to TaoFei Guo from Peking University, Yang Luo and JianJun Chen, Tsinghua University, for the report.
  • Fix CVE-2026-44390, Unbounded name compression in certain cases causes degradation of service. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
  • Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

Swapped sources signature source number with systemd unit to have them close.

Update to 1.25.0 (rhbz#2463781)

Feature changes:
  • Improved TTL 0 handling
  • Reload also certificates on reload if they have changed
  • Allow control-interface specification also of port.
  • Added new tls-protocols option. Can disable TLS 1.2 explicitly.

And bug fixes.

Remove merged patches.

Source: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-25-0

unbound-1.25.1-1.fc43

6 hours 15 minutes ago
FEDORA-2026-3223ded15e
Packages in this update:
  • unbound-1.25.1-1.fc43
Update description:

Update to 1.25.1 (rhbz#2480119)
  • Fix CVE-2026-33278, Possible remote code execution during DNSSEC validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
  • Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
  • Fix CVE-2026-42959, Crash during DNSSEC validation of malicious content. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
  • Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew Griffiths from 'calif.io' for the report.
  • Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
  • Fix CVE-2026-41292, Parsing a long list of incoming EDNS options degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan Zhang from Palo Alto Networks, for the report.
  • Fix CVE-2026-42534, Jostle logic bypass degrades resolution performance. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
  • Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
  • Fix CVE-2026-42960, Possible cache poisoning attack while following delegation. Thanks to TaoFei Guo from Peking University, Yang Luo and JianJun Chen, Tsinghua University, for the report.
  • Fix CVE-2026-44390, Unbounded name compression in certain cases causes degradation of service. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
  • Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

Swapped sources signature source number with systemd unit to have them close.

perl-HTTP-Tiny-0.094-1.fc44

10 hours 53 minutes ago
FEDORA-2026-703a749924
Packages in this update:
  • perl-HTTP-Tiny-0.094-1.fc44
Update description:

0.094 - fix to prevent invalid characters in all headers, and prevent header smuggling (CVE-2026-7010)

haveged-1.9.21-1.fc43

18 hours 21 minutes ago
FEDORA-2026-43e2722e8f
Packages in this update:
  • haveged-1.9.21-1.fc43
Update description:

Backport fix for CVE-2026-41054: privilege escalation via command socket

haveged-1.9.21-1.fc44

18 hours 23 minutes ago
FEDORA-2026-12643837bd
Packages in this update:
  • haveged-1.9.21-1.fc44
Update description:

Backport fix for CVE-2026-41054: privilege escalation via command socket

haveged-1.9.21-1.fc42

18 hours 24 minutes ago
FEDORA-2026-7fcffd5c31
Packages in this update:
  • haveged-1.9.21-1.fc42
Update description:

Backport fix for CVE-2026-41054: privilege escalation via command socket

haveged-1.9.21-1.el10_2

18 hours 25 minutes ago
FEDORA-EPEL-2026-ca77194ac0
Packages in this update:
  • haveged-1.9.21-1.el10_2
Update description:

Backport fix for CVE-2026-41054: privilege escalation via command socket

haveged-1.9.21-1.el10_3

18 hours 27 minutes ago
FEDORA-EPEL-2026-b3a94630f0
Packages in this update:
  • haveged-1.9.21-1.el10_3
Update description:

Backport fix for CVE-2026-41054: privilege escalation via command socket

haveged-1.9.21-1.el9

18 hours 27 minutes ago
FEDORA-EPEL-2026-efe6be3dfa
Packages in this update:
  • haveged-1.9.21-1.el9
Update description:

Backport fix for CVE-2026-41054: privilege escalation via command socket

haveged-1.9.14-2.el8

18 hours 29 minutes ago
FEDORA-EPEL-2026-56fb074420
Packages in this update:
  • haveged-1.9.14-2.el8
Update description:

Backport fix for CVE-2026-41054: privilege escalation via command socket

kernel-7.0.9-104.fc43

19 hours 26 minutes ago
FEDORA-2026-3f85a4eba7
Packages in this update:
  • kernel-7.0.9-104.fc43
Update description:

The 7.0.9-104/204 kernels contain a fix for a SKBFL_SHARED_FRAG page-cache corruption vulnerability as well as some mitigations for PinTheft

kernel-7.0.9-204.fc44

19 hours 26 minutes ago
FEDORA-2026-57965ac9f7
Packages in this update:
  • kernel-7.0.9-204.fc44
Update description:

The 7.0.9-104/204 kernels contain a fix for a SKBFL_SHARED_FRAG page-cache corruption vulnerability as well as some mitigations for PinTheft
