Fedora Security Advisories

FEDORA-2026-14941c1cf3 Packages in this update:

• rust-bon-3.9.3-1.fc45
• rust-bon-macros-3.9.3-1.fc45
• rust-openssl-0.10.81-1.fc45
• rust-openssl-sys-0.9.117-1.fc45
• rust-zeroize-1.9.0-1.fc45
• rust-zeroize_derive-1.5.0-1.fc45

Update description:

• Update the openssl crate to version 0.10.81 and the openssl-sys crate to version 0.9.117.
• Update the zeroize crate to version 1.9.0 and the zeroize_derive crate to version 1.5.0.
• Update the bon and bon-macros crates to version 3.9.3.

FEDORA-2026-3cca6f41d4 Packages in this update:

• docker-buildx-0.35.0-1.fc43

Update description:

• Update to release v0.35.0
• Resolves: rhbz#2487819
• Resolves CVE-2026-39828: rhbz#2489918, rhbz#2490102
• Upstream enhancements, new features, and fixes

FEDORA-2026-1a714d39b0 Packages in this update:

• docker-buildkit-0.31.0-1.fc43

Update description:

• Update to release v0.31.0
• Resolve CVE-2026-39829: rhbz#2489939, rhbz#2490056
• Upstream new features and fixes

FEDORA-2026-105f7df940 Packages in this update:

• docker-buildx-0.35.0-1.fc44

Update description:

• Update to release v0.35.0
• Resolves: rhbz#2487819
• Resolves CVE-2026-39828: rhbz#2489918, rhbz#2490102
• Upstream enhancements, new features, and fixes

FEDORA-2026-33cccee12b Packages in this update:

• docker-buildx-0.35.0-1.fc45

Update description:

Automatic update for docker-buildx-0.35.0-1.fc45.

Changelog * Thu Jun 18 2026 Bradley G Smith <bradley.g.smith@gmail.com> - 0.35.0-1 - Update to release v0.35.0 - Resolves: rhbz#2487819 - Resolves CVE-2026-39828: rhbz#2489918, rhbz#2490102 - Upstream enhancements, new features, and fixes

FEDORA-2026-1e00728616 Packages in this update:

• docker-buildkit-0.31.0-1.fc44

Update description:

• Update to release v0.31.0
• Resolve CVE-2026-39829: rhbz#2489939, rhbz#2490056
• Upstream new features and fixes

FEDORA-2026-d7d472853a Packages in this update:

• lighttpd-1.4.84-1.fc43

Update description:

1.4.84

1.4.83

https://wiki.lighttpd.net/Release-1_4_83

FEDORA-2026-1907dd9339 Packages in this update:

• lighttpd-1.4.84-1.fc44

Update description:

1.4.84

1.4.83

https://wiki.lighttpd.net/Release-1_4_83

FEDORA-2026-c6481c190e Packages in this update:

• docker-buildkit-0.31.0-1.fc45

Update description:

Automatic update for docker-buildkit-0.31.0-1.fc45.

Changelog * Wed Jun 17 2026 Bradley G Smith <bradley.g.smith@gmail.com> - 0.31.0-1 - Update to release v0.31.0 - Resolve CVE-2026-39829: rhbz#2489939, rhbz#2490056 - Upstream new features and fixes

FEDORA-2026-e7c97d043e Packages in this update:

• tigervnc-1.16.2-4.fc44

Update description:

Fixes CVE-2026-50256 CVE-2026-50257 CVE-2026-50258 CVE-2026-50259 CVE-2026-50260 CVE-2026-50261 CVE-2026-50262 CVE-2026-50263 CVE-2026-50264.

FEDORA-2026-ad10afa9cd Packages in this update:

• tigervnc-1.16.2-4.fc43

Update description:

Fixes CVE-2026-50256 CVE-2026-50257 CVE-2026-50258 CVE-2026-50259 CVE-2026-50260 CVE-2026-50261 CVE-2026-50262 CVE-2026-50263 CVE-2026-50264.

FEDORA-2026-9c6082d92d Packages in this update:

• freerdp-3.27.1-1.fc44

Update description:

Update to 3.27.1

It fixes CVE-2026-55191, CVE-2026-55192, CVE-2026-55193, CVE-2026-55194, CVE-2026-55648 and CVE-2026-55827.

FEDORA-2026-78a12ffec8 Packages in this update:

• freerdp-3.27.1-1.fc43

Update description:

Update to 3.27.1

It fixes CVE-2026-55191, CVE-2026-55192, CVE-2026-55193, CVE-2026-55194, CVE-2026-55648 and CVE-2026-55827.

FEDORA-2026-f9a0af40b2 Packages in this update:

• chromium-149.0.7827.155-1.fc43

Update description:

Update to 149.0.7827.155

• CVE-2026-12437: Use after free in WebShare
• CVE-2026-12438: Inappropriate implementation in WebView
• CVE-2026-12439: Use after free in Digital Credentials
• CVE-2026-12440: Use after free in DigitalCredentials
• CVE-2026-12441: Use after free in File Input
• CVE-2026-12442: Use after free in Passwords
• CVE-2026-12443: Use after free in Web Authentication
• CVE-2026-12444: Out of bounds read in Chromoting
• CVE-2026-12445: Use after free in Extensions
• CVE-2026-12446: Insufficient data validation in Passwords
• CVE-2026-12447: Heap buffer overflow in WebRTC
• CVE-2026-12448: Inappropriate implementation in WebView
• CVE-2026-12449: Use after free in Chromoting
• CVE-2026-12450: Inappropriate implementation in Media
• CVE-2026-12451: Use after free in DigitalCredentials
• CVE-2026-12452: Use after free in Downloads
• CVE-2026-12453: Insufficient validation of untrusted input in Input
• CVE-2026-12454: Race in Safe Browsing
• CVE-2026-12455: Use after free in Tab Strip
• CVE-2026-12456: Insufficient validation of untrusted input in Extensions
• CVE-2026-12457: Insufficient data validation in Extensions
• CVE-2026-12458: Incorrect security UI in Passwords
• CVE-2026-12459: Inappropriate implementation in Serial
• CVE-2026-12460: Insufficient policy enforcement in File System Access
• CVE-2026-12461: Out of bounds read in WebRTC
• CVE-2026-12462: Use after free in Media
• CVE-2026-12463: Inappropriate implementation in Views
• CVE-2026-12464: Use after free in Browser
• CVE-2026-12465: Insufficient validation of untrusted input in Metrics
• CVE-2026-12466: Heap buffer overflow in WebRTC
• CVE-2026-12467: Use after free in Extensions
• CVE-2026-12468: Inappropriate implementation in Updater
• CVE-2026-12469: Uninitialized Use in GPU

FEDORA-2026-650bd96540 Packages in this update:

• chromium-149.0.7827.155-1.fc44

Update description:

Update to 149.0.7827.155

• CVE-2026-12437: Use after free in WebShare
• CVE-2026-12438: Inappropriate implementation in WebView
• CVE-2026-12439: Use after free in Digital Credentials
• CVE-2026-12440: Use after free in DigitalCredentials
• CVE-2026-12441: Use after free in File Input
• CVE-2026-12442: Use after free in Passwords
• CVE-2026-12443: Use after free in Web Authentication
• CVE-2026-12444: Out of bounds read in Chromoting
• CVE-2026-12445: Use after free in Extensions
• CVE-2026-12446: Insufficient data validation in Passwords
• CVE-2026-12447: Heap buffer overflow in WebRTC
• CVE-2026-12448: Inappropriate implementation in WebView
• CVE-2026-12449: Use after free in Chromoting
• CVE-2026-12450: Inappropriate implementation in Media
• CVE-2026-12451: Use after free in DigitalCredentials
• CVE-2026-12452: Use after free in Downloads
• CVE-2026-12453: Insufficient validation of untrusted input in Input
• CVE-2026-12454: Race in Safe Browsing
• CVE-2026-12455: Use after free in Tab Strip
• CVE-2026-12456: Insufficient validation of untrusted input in Extensions
• CVE-2026-12457: Insufficient data validation in Extensions
• CVE-2026-12458: Incorrect security UI in Passwords
• CVE-2026-12459: Inappropriate implementation in Serial
• CVE-2026-12460: Insufficient policy enforcement in File System Access
• CVE-2026-12461: Out of bounds read in WebRTC
• CVE-2026-12462: Use after free in Media
• CVE-2026-12463: Inappropriate implementation in Views
• CVE-2026-12464: Use after free in Browser
• CVE-2026-12465: Insufficient validation of untrusted input in Metrics
• CVE-2026-12466: Heap buffer overflow in WebRTC
• CVE-2026-12467: Use after free in Extensions
• CVE-2026-12468: Inappropriate implementation in Updater
• CVE-2026-12469: Uninitialized Use in GPU

FEDORA-2026-6a4bfb1309 Packages in this update:

• pacemaker-3.0.2-3.fc43

Update description: * Wed Jun 17 2026 Klaus Wenninger <klaus.wenninger@aon.at> - 3.0.2-3 - fix CVE-2026-10649: Fix integer overflows in remote message code

FEDORA-2026-d8f8abf763 Packages in this update:

• xdg-desktop-portal-1.22.1-1.fc44

Update description:

Update to 1.22.1

It fixes CVE-2026-55888 and CVE-2026-55889.

FEDORA-EPEL-2026-0638da5c88 Packages in this update:

• haveged-1.9.23-1.el8

Update description:

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-EPEL-2026-6c01f75372 Packages in this update:

• haveged-1.9.23-1.el10_2

Update description:

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined

FEDORA-EPEL-2026-d206fb8dbe Packages in this update:

• haveged-1.9.23-1.el10_3

Update description:

Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined