Fedora Security Advisories

chromium-146.0.7680.153-1.fc43

1 hour 34 minutes ago
FEDORA-2026-ae897eb928
Packages in this update:
  • chromium-146.0.7680.153-1.fc43
Update description:

Update to 146.0.7680.153

  • CVE-2026-4439: Out of bounds memory access in WebGL
  • CVE-2026-4440: Out of bounds read and write in WebGL
  • CVE-2026-4441: Use after free in Base
  • CVE-2026-4442: Heap buffer overflow in CSS
  • CVE-2026-4443: Heap buffer overflow in WebAudio
  • CVE-2026-4444: Stack buffer overflow in WebRTC
  • CVE-2026-4445: Use after free in WebRTC
  • CVE-2026-4446: Use after free in WebRTC
  • CVE-2026-4447: Inappropriate implementation in V8
  • CVE-2026-4448: Heap buffer overflow in ANGLE
  • CVE-2026-4449: Use after free in Blink
  • CVE-2026-4450: Out of bounds write in V8
  • CVE-2026-4451: Insufficient validation of untrusted input in Navigation
  • CVE-2026-4452: Integer overflow in ANGLE
  • CVE-2026-4453: Integer overflow in Dawn
  • CVE-2026-4454: Use after free in Network
  • CVE-2026-4455: Heap buffer overflow in PDFium
  • CVE-2026-4456: Use after free in Digital Credentials API
  • CVE-2026-4457: Type Confusion in V8
  • CVE-2026-4458: Use after free in Extensions
  • CVE-2026-4459: Out of bounds read and write in WebAudio
  • CVE-2026-4460: Out of bounds read in Skia
  • CVE-2026-4461: Inappropriate implementation in V8
  • CVE-2026-4462: Out of bounds read in Blink
  • CVE-2026-4463: Heap buffer overflow in WebRTC
  • CVE-2026-4464: Integer overflow in ANGLE

chromium-146.0.7680.153-1.fc44

1 hour 34 minutes ago
FEDORA-2026-920df14fb5
Packages in this update:
  • chromium-146.0.7680.153-1.fc44
Update description:

Update to 146.0.7680.153

  • CVE-2026-4439: Out of bounds memory access in WebGL
  • CVE-2026-4440: Out of bounds read and write in WebGL
  • CVE-2026-4441: Use after free in Base
  • CVE-2026-4442: Heap buffer overflow in CSS
  • CVE-2026-4443: Heap buffer overflow in WebAudio
  • CVE-2026-4444: Stack buffer overflow in WebRTC
  • CVE-2026-4445: Use after free in WebRTC
  • CVE-2026-4446: Use after free in WebRTC
  • CVE-2026-4447: Inappropriate implementation in V8
  • CVE-2026-4448: Heap buffer overflow in ANGLE
  • CVE-2026-4449: Use after free in Blink
  • CVE-2026-4450: Out of bounds write in V8
  • CVE-2026-4451: Insufficient validation of untrusted input in Navigation
  • CVE-2026-4452: Integer overflow in ANGLE
  • CVE-2026-4453: Integer overflow in Dawn
  • CVE-2026-4454: Use after free in Network
  • CVE-2026-4455: Heap buffer overflow in PDFium
  • CVE-2026-4456: Use after free in Digital Credentials API
  • CVE-2026-4457: Type Confusion in V8
  • CVE-2026-4458: Use after free in Extensions
  • CVE-2026-4459: Out of bounds read and write in WebAudio
  • CVE-2026-4460: Out of bounds read in Skia
  • CVE-2026-4461: Inappropriate implementation in V8
  • CVE-2026-4462: Out of bounds read in Blink
  • CVE-2026-4463: Heap buffer overflow in WebRTC
  • CVE-2026-4464: Integer overflow in ANGLE

chromium-146.0.7680.153-1.fc42

1 hour 34 minutes ago
FEDORA-2026-3bed78d162
Packages in this update:
  • chromium-146.0.7680.153-1.fc42
Update description:

Update to 146.0.7680.153

  • CVE-2026-4439: Out of bounds memory access in WebGL
  • CVE-2026-4440: Out of bounds read and write in WebGL
  • CVE-2026-4441: Use after free in Base
  • CVE-2026-4442: Heap buffer overflow in CSS
  • CVE-2026-4443: Heap buffer overflow in WebAudio
  • CVE-2026-4444: Stack buffer overflow in WebRTC
  • CVE-2026-4445: Use after free in WebRTC
  • CVE-2026-4446: Use after free in WebRTC
  • CVE-2026-4447: Inappropriate implementation in V8
  • CVE-2026-4448: Heap buffer overflow in ANGLE
  • CVE-2026-4449: Use after free in Blink
  • CVE-2026-4450: Out of bounds write in V8
  • CVE-2026-4451: Insufficient validation of untrusted input in Navigation
  • CVE-2026-4452: Integer overflow in ANGLE
  • CVE-2026-4453: Integer overflow in Dawn
  • CVE-2026-4454: Use after free in Network
  • CVE-2026-4455: Heap buffer overflow in PDFium
  • CVE-2026-4456: Use after free in Digital Credentials API
  • CVE-2026-4457: Type Confusion in V8
  • CVE-2026-4458: Use after free in Extensions
  • CVE-2026-4459: Out of bounds read and write in WebAudio
  • CVE-2026-4460: Out of bounds read in Skia
  • CVE-2026-4461: Inappropriate implementation in V8
  • CVE-2026-4462: Out of bounds read in Blink
  • CVE-2026-4463: Heap buffer overflow in WebRTC
  • CVE-2026-4464: Integer overflow in ANGLE

python-scitokens-1.9.7-1.el10_1

2 hours 6 minutes ago
FEDORA-EPEL-2026-6359c6d24a
Packages in this update:
  • python-scitokens-1.9.7-1.el10_1
Update description:
1.9.7-1
  • Remove legacy parent SciToken chaining behavior from token initialization and claim handling
  • Harden Enforcer scope path traversal validation (including encoded traversal checks)
  • Clean up documentation references to parent/chained SciTokens

1.9.6-1
  • Fix SQL injection risk in KeyCache by using parameterized SQLite queries
  • Prevent sibling-path authorization bypass in Enforcer scope checks

python-scitokens-1.9.7-1.el10_2

2 hours 6 minutes ago
FEDORA-EPEL-2026-d766064a6e
Packages in this update:
  • python-scitokens-1.9.7-1.el10_2
Update description:
1.9.7-1
  • Remove legacy parent SciToken chaining behavior from token initialization and claim handling
  • Harden Enforcer scope path traversal validation (including encoded traversal checks)
  • Clean up documentation references to parent/chained SciTokens

1.9.6-1
  • Fix SQL injection risk in KeyCache by using parameterized SQLite queries
  • Prevent sibling-path authorization bypass in Enforcer scope checks

chunkah-0.3.2-1.fc43

3 hours 57 minutes ago
FEDORA-2026-1269948465
Packages in this update:
  • chunkah-0.3.2-1.fc43
Update description:

Automatic update for chunkah-0.3.2-1.fc43.

Changelog for chunkah
* Mon Mar 23 2026 Packit <hello@packit.dev> - 0.3.2-1
- Update to 0.3.2 upstream release
* Fri Mar 20 2026 Packit <hello@packit.dev> - 0.3.1-1
- Update to 0.3.1 upstream release

Automatic update for chunkah-0.3.1-1.fc43.

Changelog for chunkah
* Fri Mar 20 2026 Packit <hello@packit.dev> - 0.3.1-1
- Update to 0.3.1 upstream release

cpp-httplib-0.38.0-1.el10_3

4 hours 21 minutes ago
FEDORA-EPEL-2026-82eb23fb67
Packages in this update:
  • cpp-httplib-0.38.0-1.el10_3
Update description: Update to 0.38.0 (rhbz#2447261)
  • Filename sanitization for path traversal prevention — Added sanitize_filename() to prevent path traversal attacks via malicious filenames in multipart uploads (83e98a2)
  • Symlink protection in static file server — Static file serving now detects and rejects symlinks that point outside the mount directory, preventing symlink-based directory traversal (f787f31)
  • Brotli compression support — Added Brotli (br) as a supported content encoding alongside gzip and deflate (ec1ffbc)
  • Accept-Encoding quality parameter parsing — The server now parses q= quality values in the Accept-Encoding header and selects the best encoding accordingly (bb7c7ab)
  • SSL proxy connection support — SSLClient can now establish connections through HTTPS proxies, with a new setup_proxy_connection method for cleaner proxy handling (f6ed5fc, b1bb2b7)
  • WebSocket ping interval runtime configuration — WebSocket ping interval can now be configured at runtime instead of only at compile time (257b266)
  • Benchmark test suite — Added benchmark tests and configurations for performance evaluation (ba0d0b8)
  • Unicode path component decoding tests — Added test coverage for Unicode characters in decode_path_component (43a54a3)
  • Documentation updates — Enhanced TLS backend documentation with platform-specific certificate handling details; clarified progress callback usage and user data handling in examples (511e3ef, 2e61fd3)
  • Fix port conflict in test — Fixed port number in OpenStreamMalformedContentLength test to avoid conflicts (4978f26)
  • Removed large data tests for GzipDecompressor and SSLClientServerTest that caused memory issues (5ecba74, 69d468f)
  • Enabled BindDualStack test (69d468f)

Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.38.0

  • Fixes silent TLS certificate verification bypass on HTTPS Redirect via proxy (CVE-2026-32627, rhbz#2448105)

Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.37.2

cpp-httplib-0.38.0-1.fc43

6 hours 31 minutes ago
FEDORA-2026-e76feaf213
Packages in this update:
  • cpp-httplib-0.38.0-1.fc43
Update description: Update to 0.38.0 (rhbz#2447261)
  • Filename sanitization for path traversal prevention — Added sanitize_filename() to prevent path traversal attacks via malicious filenames in multipart uploads (83e98a2)
  • Symlink protection in static file server — Static file serving now detects and rejects symlinks that point outside the mount directory, preventing symlink-based directory traversal (f787f31)
  • Brotli compression support — Added Brotli (br) as a supported content encoding alongside gzip and deflate (ec1ffbc)
  • Accept-Encoding quality parameter parsing — The server now parses q= quality values in the Accept-Encoding header and selects the best encoding accordingly (bb7c7ab)
  • SSL proxy connection support — SSLClient can now establish connections through HTTPS proxies, with a new setup_proxy_connection method for cleaner proxy handling (f6ed5fc, b1bb2b7)
  • WebSocket ping interval runtime configuration — WebSocket ping interval can now be configured at runtime instead of only at compile time (257b266)
  • Benchmark test suite — Added benchmark tests and configurations for performance evaluation (ba0d0b8)
  • Unicode path component decoding tests — Added test coverage for Unicode characters in decode_path_component (43a54a3)
  • Documentation updates — Enhanced TLS backend documentation with platform-specific certificate handling details; clarified progress callback usage and user data handling in examples (511e3ef, 2e61fd3)
  • Fix port conflict in test — Fixed port number in OpenStreamMalformedContentLength test to avoid conflicts (4978f26)
  • Removed large data tests for GzipDecompressor and SSLClientServerTest that caused memory issues (5ecba74, 69d468f)
  • Enabled BindDualStack test (69d468f)

Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.38.0

  • Fixes silent TLS certificate verification bypass on HTTPS Redirect via proxy (CVE-2026-32627, rhbz#2448105)

Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.37.2

cpp-httplib-0.38.0-1.fc44

7 hours 30 minutes ago
FEDORA-2026-03599f0b32
Packages in this update:
  • cpp-httplib-0.38.0-1.fc44
Update description: Update to 0.38.0 (rhbz#2447261)
  • Filename sanitization for path traversal prevention — Added sanitize_filename() to prevent path traversal attacks via malicious filenames in multipart uploads (83e98a2)
  • Symlink protection in static file server — Static file serving now detects and rejects symlinks that point outside the mount directory, preventing symlink-based directory traversal (f787f31)
  • Brotli compression support — Added Brotli (br) as a supported content encoding alongside gzip and deflate (ec1ffbc)
  • Accept-Encoding quality parameter parsing — The server now parses q= quality values in the Accept-Encoding header and selects the best encoding accordingly (bb7c7ab)
  • SSL proxy connection support — SSLClient can now establish connections through HTTPS proxies, with a new setup_proxy_connection method for cleaner proxy handling (f6ed5fc, b1bb2b7)
  • WebSocket ping interval runtime configuration — WebSocket ping interval can now be configured at runtime instead of only at compile time (257b266)
  • Benchmark test suite — Added benchmark tests and configurations for performance evaluation (ba0d0b8)
  • Unicode path component decoding tests — Added test coverage for Unicode characters in decode_path_component (43a54a3)
  • Documentation updates — Enhanced TLS backend documentation with platform-specific certificate handling details; clarified progress callback usage and user data handling in examples (511e3ef, 2e61fd3)
  • Fix port conflict in test — Fixed port number in OpenStreamMalformedContentLength test to avoid conflicts (4978f26)
  • Removed large data tests for GzipDecompressor and SSLClientServerTest that caused memory issues (5ecba74, 69d468f)
  • Enabled BindDualStack test (69d468f)

Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.38.0

  • Fixes silent TLS certificate verification bypass on HTTPS Redirect via proxy (CVE-2026-32627, rhbz#2448105)

Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.37.2
