Fedora Security Advisories

coturn-4.10.0-1.el10_3

2 hours 2 minutes ago
FEDORA-EPEL-2026-8022001aef
Packages in this update:
  • coturn-4.10.0-1.el10_3
Update description:
Coturn 4.10.0
Performance
  • Add Linux-only recvmmsg client receive path for DTLS/UDP listener
  • Skip response buffer allocation for STUN indications
  • Remove mutex from per-thread super_memory allocator
  • Eliminate mutex and reduce copies on auth message dispatch
  • Replace mutex_bps with lock-free atomics for bandwidth tracking
  • Remove unused mutex from ur_map structure
  • WebRTC Auth optimization path
  • Improve worst case scenario - avoid memory allocation
Memory issues
  • Fix null pointer dereferences in post_parse()
  • Fix stack buffer overflow in OAuth token decoding
  • Fix uint16_t truncation overflow in stun_get_message_len_str()
  • Initialize variables before use
Security
  • CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser
General Improvements
  • Disable reason string in response messages to reduce amplification factor
  • Keep only NEV_UDP_SOCKET_PER_THREAD network engine
  • Replace perror with logging
  • Extend seed corpus and add more fuzzing scenarios
  • Update config and Readme files about deprecated TLSv1/1.1
  • Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
  • Change port identifiers to use uint16_t
  • Fixes: run_tests.sh and no db
  • Improve PostgreSQL.md clarity
  • Add session usage reporting callback to TURN database driver
  • CLI interface is disabled by default

coturn-4.10.0-1.fc42

2 hours 2 minutes ago
FEDORA-2026-e673311164
Packages in this update:
  • coturn-4.10.0-1.fc42
Update description:
Coturn 4.10.0
Performance
  • Add Linux-only recvmmsg client receive path for DTLS/UDP listener
  • Skip response buffer allocation for STUN indications
  • Remove mutex from per-thread super_memory allocator
  • Eliminate mutex and reduce copies on auth message dispatch
  • Replace mutex_bps with lock-free atomics for bandwidth tracking
  • Remove unused mutex from ur_map structure
  • WebRTC Auth optimization path
  • Improve worst case scenario - avoid memory allocation
Memory issues
  • Fix null pointer dereferences in post_parse()
  • Fix stack buffer overflow in OAuth token decoding
  • Fix uint16_t truncation overflow in stun_get_message_len_str()
  • Initialize variables before use
Security
  • CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser
General Improvements
  • Disable reason string in response messages to reduce amplification factor
  • Keep only NEV_UDP_SOCKET_PER_THREAD network engine
  • Replace perror with logging
  • Extend seed corpus and add more fuzzing scenarios
  • Update config and Readme files about deprecated TLSv1/1.1
  • Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
  • Change port identifiers to use uint16_t
  • Fixes: run_tests.sh and no db
  • Improve PostgreSQL.md clarity
  • Add session usage reporting callback to TURN database driver
  • CLI interface is disabled by default

coturn-4.10.0-1.el10_1

2 hours 2 minutes ago
FEDORA-EPEL-2026-63737a3630
Packages in this update:
  • coturn-4.10.0-1.el10_1
Update description:
Coturn 4.10.0
Performance
  • Add Linux-only recvmmsg client receive path for DTLS/UDP listener
  • Skip response buffer allocation for STUN indications
  • Remove mutex from per-thread super_memory allocator
  • Eliminate mutex and reduce copies on auth message dispatch
  • Replace mutex_bps with lock-free atomics for bandwidth tracking
  • Remove unused mutex from ur_map structure
  • WebRTC Auth optimization path
  • Improve worst case scenario - avoid memory allocation
Memory issues
  • Fix null pointer dereferences in post_parse()
  • Fix stack buffer overflow in OAuth token decoding
  • Fix uint16_t truncation overflow in stun_get_message_len_str()
  • Initialize variables before use
Security
  • CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser
General Improvements
  • Disable reason string in response messages to reduce amplification factor
  • Keep only NEV_UDP_SOCKET_PER_THREAD network engine
  • Replace perror with logging
  • Extend seed corpus and add more fuzzing scenarios
  • Update config and Readme files about deprecated TLSv1/1.1
  • Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
  • Change port identifiers to use uint16_t
  • Fixes: run_tests.sh and no db
  • Improve PostgreSQL.md clarity
  • Add session usage reporting callback to TURN database driver
  • CLI interface is disabled by default

coturn-4.10.0-1.fc44

2 hours 2 minutes ago
FEDORA-2026-1c11dc3e37
Packages in this update:
  • coturn-4.10.0-1.fc44
Update description:
Coturn 4.10.0
Performance
  • Add Linux-only recvmmsg client receive path for DTLS/UDP listener
  • Skip response buffer allocation for STUN indications
  • Remove mutex from per-thread super_memory allocator
  • Eliminate mutex and reduce copies on auth message dispatch
  • Replace mutex_bps with lock-free atomics for bandwidth tracking
  • Remove unused mutex from ur_map structure
  • WebRTC Auth optimization path
  • Improve worst case scenario - avoid memory allocation
Memory issues
  • Fix null pointer dereferences in post_parse()
  • Fix stack buffer overflow in OAuth token decoding
  • Fix uint16_t truncation overflow in stun_get_message_len_str()
  • Initialize variables before use
Security
  • CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser
General Improvements
  • Disable reason string in response messages to reduce amplification factor
  • Keep only NEV_UDP_SOCKET_PER_THREAD network engine
  • Replace perror with logging
  • Extend seed corpus and add more fuzzing scenarios
  • Update config and Readme files about deprecated TLSv1/1.1
  • Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
  • Change port identifiers to use uint16_t
  • Fixes: run_tests.sh and no db
  • Improve PostgreSQL.md clarity
  • Add session usage reporting callback to TURN database driver
  • CLI interface is disabled by default

coturn-4.10.0-1.el9

2 hours 2 minutes ago
FEDORA-EPEL-2026-e0c1b77ba1
Packages in this update:
  • coturn-4.10.0-1.el9
Update description:
Coturn 4.10.0
Performance
  • Add Linux-only recvmmsg client receive path for DTLS/UDP listener
  • Skip response buffer allocation for STUN indications
  • Remove mutex from per-thread super_memory allocator
  • Eliminate mutex and reduce copies on auth message dispatch
  • Replace mutex_bps with lock-free atomics for bandwidth tracking
  • Remove unused mutex from ur_map structure
  • WebRTC Auth optimization path
  • Improve worst case scenario - avoid memory allocation
Memory issues
  • Fix null pointer dereferences in post_parse()
  • Fix stack buffer overflow in OAuth token decoding
  • Fix uint16_t truncation overflow in stun_get_message_len_str()
  • Initialize variables before use
Security
  • CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser
General Improvements
  • Disable reason string in response messages to reduce amplification factor
  • Keep only NEV_UDP_SOCKET_PER_THREAD network engine
  • Replace perror with logging
  • Extend seed corpus and add more fuzzing scenarios
  • Update config and Readme files about deprecated TLSv1/1.1
  • Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
  • Change port identifiers to use uint16_t
  • Fixes: run_tests.sh and no db
  • Improve PostgreSQL.md clarity
  • Add session usage reporting callback to TURN database driver
  • CLI interface is disabled by default

coturn-4.10.0-1.el10_2

2 hours 2 minutes ago
FEDORA-EPEL-2026-5e71b7731b
Packages in this update:
  • coturn-4.10.0-1.el10_2
Update description:
Coturn 4.10.0
Performance
  • Add Linux-only recvmmsg client receive path for DTLS/UDP listener
  • Skip response buffer allocation for STUN indications
  • Remove mutex from per-thread super_memory allocator
  • Eliminate mutex and reduce copies on auth message dispatch
  • Replace mutex_bps with lock-free atomics for bandwidth tracking
  • Remove unused mutex from ur_map structure
  • WebRTC Auth optimization path
  • Improve worst case scenario - avoid memory allocation
Memory issues
  • Fix null pointer dereferences in post_parse()
  • Fix stack buffer overflow in OAuth token decoding
  • Fix uint16_t truncation overflow in stun_get_message_len_str()
  • Initialize variables before use
Security
  • CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser
General Improvements
  • Disable reason string in response messages to reduce amplification factor
  • Keep only NEV_UDP_SOCKET_PER_THREAD network engine
  • Replace perror with logging
  • Extend seed corpus and add more fuzzing scenarios
  • Update config and Readme files about deprecated TLSv1/1.1
  • Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
  • Change port identifiers to use uint16_t
  • Fixes: run_tests.sh and no db
  • Improve PostgreSQL.md clarity
  • Add session usage reporting callback to TURN database driver
  • CLI interface is disabled by default

coturn-4.10.0-1.fc43

2 hours 2 minutes ago
FEDORA-2026-1adc5f1ef8
Packages in this update:
  • coturn-4.10.0-1.fc43
Update description:
Coturn 4.10.0
Performance
  • Add Linux-only recvmmsg client receive path for DTLS/UDP listener
  • Skip response buffer allocation for STUN indications
  • Remove mutex from per-thread super_memory allocator
  • Eliminate mutex and reduce copies on auth message dispatch
  • Replace mutex_bps with lock-free atomics for bandwidth tracking
  • Remove unused mutex from ur_map structure
  • WebRTC Auth optimization path
  • Improve worst case scenario - avoid memory allocation
Memory issues
  • Fix null pointer dereferences in post_parse()
  • Fix stack buffer overflow in OAuth token decoding
  • Fix uint16_t truncation overflow in stun_get_message_len_str()
  • Initialize variables before use
Security
  • CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser
General Improvements
  • Disable reason string in response messages to reduce amplification factor
  • Keep only NEV_UDP_SOCKET_PER_THREAD network engine
  • Replace perror with logging
  • Extend seed corpus and add more fuzzing scenarios
  • Update config and Readme files about deprecated TLSv1/1.1
  • Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
  • Change port identifiers to use uint16_t
  • Fixes: run_tests.sh and no db
  • Improve PostgreSQL.md clarity
  • Add session usage reporting callback to TURN database driver
  • CLI interface is disabled by default

coturn-4.10.0-1.el8

2 hours 2 minutes ago
FEDORA-EPEL-2026-84fff0d811
Packages in this update:
  • coturn-4.10.0-1.el8
Update description:
Coturn 4.10.0
Performance
  • Add Linux-only recvmmsg client receive path for DTLS/UDP listener
  • Skip response buffer allocation for STUN indications
  • Remove mutex from per-thread super_memory allocator
  • Eliminate mutex and reduce copies on auth message dispatch
  • Replace mutex_bps with lock-free atomics for bandwidth tracking
  • Remove unused mutex from ur_map structure
  • WebRTC Auth optimization path
  • Improve worst case scenario - avoid memory allocation
Memory issues
  • Fix null pointer dereferences in post_parse()
  • Fix stack buffer overflow in OAuth token decoding
  • Fix uint16_t truncation overflow in stun_get_message_len_str()
  • Initialize variables before use
Security
  • CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser
General Improvements
  • Disable reason string in response messages to reduce amplification factor
  • Keep only NEV_UDP_SOCKET_PER_THREAD network engine
  • Replace perror with logging
  • Extend seed corpus and add more fuzzing scenarios
  • Update config and Readme files about deprecated TLSv1/1.1
  • Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0
  • Change port identifiers to use uint16_t
  • Fixes: run_tests.sh and no db
  • Improve PostgreSQL.md clarity
  • Add session usage reporting callback to TURN database driver
  • CLI interface is disabled by default

tigervnc-1.16.2-2.fc42

17 hours 56 minutes ago
FEDORA-2026-0b633ecc7c
Packages in this update:
  • tigervnc-1.16.2-2.fc42
Update description:

Update to xserver 21.1.22, which fixes CVE-2026-33999, CVE-2026-34000, CVE-2026-34001, CVE-2026-34002 and CVE-2026-34003.

tigervnc-1.16.2-2.fc43

17 hours 56 minutes ago
FEDORA-2026-492e92b32d
Packages in this update:
  • tigervnc-1.16.2-2.fc43
Update description:

Update to xserver 21.1.22, which fixes CVE-2026-33999, CVE-2026-34000, CVE-2026-34001, CVE-2026-34002 and CVE-2026-34003.

rpki-client-9.8-1.el10_3

1 day 2 hours ago
FEDORA-EPEL-2026-d987e77392
Packages in this update:
  • rpki-client-9.8-1.el10_3
Update description:
rpki-client 9.8
  • Various refactoring for improved compatibility with various libcrypto implementations and in CA/BGPsec certificate handling.
  • Fixed an accounting issue in HTTP gzip compression detection.
  • Added a warning in extra verbose mode (-vv) about standards non-compliant Issuer and Subject ASN.1 string encodings.
  • Added a check for canonical encoding of ASPA eContent in alignment with draft-ietf-sidrops-aspa-profile-22.
  • Ensure that a repository timeout correctly stops repository processing.
  • Fixed a defect in Canonical Cache Representation ROAIPAddressFamily sort order. As a result, rpki-client 9.8 cannot parse rpki-client 9.7's .ccr files and vice versa.
  • Fixed an issue in the parser for the locally configured constraints.
  • A malicious RRDP Publication Server can cause a NULL dereference.
  • A malicious RPKI Publication Server can cause an incorrect error exit.

rpki-client-9.8-1.fc42

1 day 2 hours ago
FEDORA-2026-f7b4693f9d
Packages in this update:
  • rpki-client-9.8-1.fc42
Update description:
rpki-client 9.8
  • Various refactoring for improved compatibility with various libcrypto implementations and in CA/BGPsec certificate handling.
  • Fixed an accounting issue in HTTP gzip compression detection.
  • Added a warning in extra verbose mode (-vv) about standards non-compliant Issuer and Subject ASN.1 string encodings.
  • Added a check for canonical encoding of ASPA eContent in alignment with draft-ietf-sidrops-aspa-profile-22.
  • Ensure that a repository timeout correctly stops repository processing.
  • Fixed a defect in Canonical Cache Representation ROAIPAddressFamily sort order. As a result, rpki-client 9.8 cannot parse rpki-client 9.7's .ccr files and vice versa.
  • Fixed an issue in the parser for the locally configured constraints.
  • A malicious RRDP Publication Server can cause a NULL dereference.
  • A malicious RPKI Publication Server can cause an incorrect error exit.