Fedora Security Advisories

• perl-GD-2.86-1.el9

This update fixes a command injection issue resulting from the use of the 2-argument form of open (CVE-2026-11526).

• perl-GD-2.86-1.el8

This update fixes a command injection issue resulting from the use of the 2-argument form of open (CVE-2026-11526).

• perl-GD-2.86-1.el10_3

This update fixes a command injection issue resulting from the use of the 2-argument form of open (CVE-2026-11526).

• perl-GD-2.86-1.el10_2

This update fixes a command injection issue resulting from the use of the 2-argument form of open (CVE-2026-11526).

• perl-GD-2.86-1.fc44

This update fixes a command injection issue resulting from the use of the 2-argument form of open (CVE-2026-11526).

• perl-GD-2.86-1.fc43

This update fixes a command injection issue resulting from the use of the 2-argument form of open (CVE-2026-11526).

• librabbitmq-0.16.0-1.fc44

• Fix out-of-bounds read via undersized frames in amqp_handle_input (GHSA-9mmv-r8g3-qp46, #878)
• Fix client crash when server negotiates frame_max below the AMQP protocol minimum (GHSA-jh48-qjf5-fx5v)

• Add amqp_bytes_from_buffer macro to create amqp_bytes_t from an arbitrary byte buffer with explicit length (#856, #866)

• Fix NULL pointer dereferences on allocation failure in tools/publish.c (#860, #861)
• Fix NULL pointer dereference in tools/consume.c stringify_bytes() on allocation failure (#858)
• Fix file stream leak in tools/common.c read_authfile() (#859)
• Fix handling of absolute CMAKE_INSTALL_INCLUDEDIR in exported CMake targets (#849)

• amqp_literal_bytes macro now uses an explicit (void *) cast (#853)

• librabbitmq-0.16.0-1.fc43

• Fix out-of-bounds read via undersized frames in amqp_handle_input (GHSA-9mmv-r8g3-qp46, #878)
• Fix client crash when server negotiates frame_max below the AMQP protocol minimum (GHSA-jh48-qjf5-fx5v)

• Add amqp_bytes_from_buffer macro to create amqp_bytes_t from an arbitrary byte buffer with explicit length (#856, #866)

• Fix NULL pointer dereferences on allocation failure in tools/publish.c (#860, #861)
• Fix NULL pointer dereference in tools/consume.c stringify_bytes() on allocation failure (#858)
• Fix file stream leak in tools/common.c read_authfile() (#859)
• Fix handling of absolute CMAKE_INSTALL_INCLUDEDIR in exported CMake targets (#849)

• amqp_literal_bytes macro now uses an explicit (void *) cast (#853)

• bird-3.3.1-1.fc44

• BGP: Fix crash when incoming connection for disabled protocol arrives
• BGP: Fix parsing labelled NLRIs with no next hop
• BGP: Fix cork behavior in collision with graceful restart
• BGP: Fix crash on dumping pending export statistics
• BGP: Fix several issues in Flowspec handling
• BMP/Nest: No refeed after listener or protocol restart
• MPLS: Fix crash on reconfiguring CS_DOWN channel
• OSPF: Fix handling of LLS data length field
• OSPF: Fix OOB read in authentication check
• OSPF: Fix OOB read in Router-LSA validation
• Proto: Fix regression in protocol enabling
• Channel: Fix refeeds and reloads during graceful restart
• Export: Mitigate duplicate withdrawals
• Filters: Fix crash when setting gateway on recursive nexthops
• Filters: Fix path matching when AS path is too long
• Table: Fix RCU double-anchor
• Table: Propagate thread group config into aux
• RCU: Catch leaks sooner

See also: https://trubka.network.cz/pipermail/bird-users/2026-June/018790.html

• bird-3.3.1-1.el9

• BGP: Fix crash when incoming connection for disabled protocol arrives
• BGP: Fix parsing labelled NLRIs with no next hop
• BGP: Fix cork behavior in collision with graceful restart
• BGP: Fix crash on dumping pending export statistics
• BGP: Fix several issues in Flowspec handling
• BMP/Nest: No refeed after listener or protocol restart
• MPLS: Fix crash on reconfiguring CS_DOWN channel
• OSPF: Fix handling of LLS data length field
• OSPF: Fix OOB read in authentication check
• OSPF: Fix OOB read in Router-LSA validation
• Proto: Fix regression in protocol enabling
• Channel: Fix refeeds and reloads during graceful restart
• Export: Mitigate duplicate withdrawals
• Filters: Fix crash when setting gateway on recursive nexthops
• Filters: Fix path matching when AS path is too long
• Table: Fix RCU double-anchor
• Table: Propagate thread group config into aux
• RCU: Catch leaks sooner

See also: https://trubka.network.cz/pipermail/bird-users/2026-June/018790.html

• bird-3.3.1-1.el10_2

• BGP: Fix crash when incoming connection for disabled protocol arrives
• BGP: Fix parsing labelled NLRIs with no next hop
• BGP: Fix cork behavior in collision with graceful restart
• BGP: Fix crash on dumping pending export statistics
• BGP: Fix several issues in Flowspec handling
• BMP/Nest: No refeed after listener or protocol restart
• MPLS: Fix crash on reconfiguring CS_DOWN channel
• OSPF: Fix handling of LLS data length field
• OSPF: Fix OOB read in authentication check
• OSPF: Fix OOB read in Router-LSA validation
• Proto: Fix regression in protocol enabling
• Channel: Fix refeeds and reloads during graceful restart
• Export: Mitigate duplicate withdrawals
• Filters: Fix crash when setting gateway on recursive nexthops
• Filters: Fix path matching when AS path is too long
• Table: Fix RCU double-anchor
• Table: Propagate thread group config into aux
• RCU: Catch leaks sooner

See also: https://trubka.network.cz/pipermail/bird-users/2026-June/018790.html

• bird-3.3.1-1.fc43

• BGP: Fix crash when incoming connection for disabled protocol arrives
• BGP: Fix parsing labelled NLRIs with no next hop
• BGP: Fix cork behavior in collision with graceful restart
• BGP: Fix crash on dumping pending export statistics
• BGP: Fix several issues in Flowspec handling
• BMP/Nest: No refeed after listener or protocol restart
• MPLS: Fix crash on reconfiguring CS_DOWN channel
• OSPF: Fix handling of LLS data length field
• OSPF: Fix OOB read in authentication check
• OSPF: Fix OOB read in Router-LSA validation
• Proto: Fix regression in protocol enabling
• Channel: Fix refeeds and reloads during graceful restart
• Export: Mitigate duplicate withdrawals
• Filters: Fix crash when setting gateway on recursive nexthops
• Filters: Fix path matching when AS path is too long
• Table: Fix RCU double-anchor
• Table: Propagate thread group config into aux
• RCU: Catch leaks sooner

See also: https://trubka.network.cz/pipermail/bird-users/2026-June/018790.html

• bird-3.3.1-1.el10_3

• BGP: Fix crash when incoming connection for disabled protocol arrives
• BGP: Fix parsing labelled NLRIs with no next hop
• BGP: Fix cork behavior in collision with graceful restart
• BGP: Fix crash on dumping pending export statistics
• BGP: Fix several issues in Flowspec handling
• BMP/Nest: No refeed after listener or protocol restart
• MPLS: Fix crash on reconfiguring CS_DOWN channel
• OSPF: Fix handling of LLS data length field
• OSPF: Fix OOB read in authentication check
• OSPF: Fix OOB read in Router-LSA validation
• Proto: Fix regression in protocol enabling
• Channel: Fix refeeds and reloads during graceful restart
• Export: Mitigate duplicate withdrawals
• Filters: Fix crash when setting gateway on recursive nexthops
• Filters: Fix path matching when AS path is too long
• Table: Fix RCU double-anchor
• Table: Propagate thread group config into aux
• RCU: Catch leaks sooner

See also: https://trubka.network.cz/pipermail/bird-users/2026-June/018790.html

• bird-3.3.1-1.el8

• BGP: Fix crash when incoming connection for disabled protocol arrives
• BGP: Fix parsing labelled NLRIs with no next hop
• BGP: Fix cork behavior in collision with graceful restart
• BGP: Fix crash on dumping pending export statistics
• BGP: Fix several issues in Flowspec handling
• BMP/Nest: No refeed after listener or protocol restart
• MPLS: Fix crash on reconfiguring CS_DOWN channel
• OSPF: Fix handling of LLS data length field
• OSPF: Fix OOB read in authentication check
• OSPF: Fix OOB read in Router-LSA validation
• Proto: Fix regression in protocol enabling
• Channel: Fix refeeds and reloads during graceful restart
• Export: Mitigate duplicate withdrawals
• Filters: Fix crash when setting gateway on recursive nexthops
• Filters: Fix path matching when AS path is too long
• Table: Fix RCU double-anchor
• Table: Propagate thread group config into aux
• RCU: Catch leaks sooner

See also: https://trubka.network.cz/pipermail/bird-users/2026-June/018790.html

• perl-HTTP-Daemon-6.17-1.fc43

Changes:

6.17 2026-05-19 23:11:06Z

• Fix CVE-2026-8450 (affects 6.15 and earlier): 2-arg open() in send_file() enabled RCE / arbitrary file write / response-body exfiltration when a string argument was derived from attacker- influenced input. send_file() now uses 3-arg open() with an explicit '<' read mode, so the path is always treated as a literal filename and 2-arg open() shell-magic shapes ('| cmd', 'cmd |', '> path', etc.) are no longer interpreted. send_file() now also returns '0E0' (true zero) on a successful zero-byte transfer so callers can distinguish empty file from open failure (undef). See https://www.cve.org/CVERecord?id=CVE-2026-8450 for the advisory. Reported and patched by Stig Palmquist (stigtsp). (Stig Palmquist, Olaf Alders)

• perl-HTTP-Daemon-6.17-1.fc44

Changes:

6.17 2026-05-19 23:11:06Z

• Fix CVE-2026-8450 (affects 6.15 and earlier): 2-arg open() in send_file() enabled RCE / arbitrary file write / response-body exfiltration when a string argument was derived from attacker- influenced input. send_file() now uses 3-arg open() with an explicit '<' read mode, so the path is always treated as a literal filename and 2-arg open() shell-magic shapes ('| cmd', 'cmd |', '> path', etc.) are no longer interpreted. send_file() now also returns '0E0' (true zero) on a successful zero-byte transfer so callers can distinguish empty file from open failure (undef). See https://www.cve.org/CVERecord?id=CVE-2026-8450 for the advisory. Reported and patched by Stig Palmquist (stigtsp). (Stig Palmquist, Olaf Alders)

• perl-Net-Statsd-0.13-1.fc44

Metric names and values are now validated to ensure they do not contain characters below ASCII 32 (including newlines), colon (":") or pipe ("|") characters that might allow metric injection. Offending calls now croak.

• perl-Net-Statsd-0.13-1.fc43

Metric names and values are now validated to ensure they do not contain characters below ASCII 32 (including newlines), colon (":") or pipe ("|") characters that might allow metric injection. Offending calls now croak.

• ImageMagick-6.9.13.49-1.el9

This update fixes several security vulnerabilities, including multiple high-severity CVEs: Security fixes

• CVE-2026-33901 (High) — Heap buffer overflow in the MVG decoder that could result in an out-of-bounds write when processing a crafted image.
• CVE-2026-33908 (High) — Recursive DestroyXMLTree() call with no depth limit causes stack exhaustion when processing deeply nested XML structures, resulting in a Denial of Service (DoS).
• CVE-2026-40310 (High) — Heap out-of-bounds write in the JP2 encoder triggered when a user specifies an invalid sampling index.

Additional security and bug fixes are included in the upstream releases between 6.9.13.25 and 6.9.13.49. See the upstream release history at: https://github.com/ImageMagick/ImageMagick6/releases

• ImageMagick-6.9.13.49-1.el8

This update fixes several security vulnerabilities, including multiple high-severity CVEs: Security fixes

• CVE-2026-33901 (High) — Heap buffer overflow in the MVG decoder that could result in an out-of-bounds write when processing a crafted image.
• CVE-2026-33908 (High) — Recursive DestroyXMLTree() call with no depth limit causes stack exhaustion when processing deeply nested XML structures, resulting in a Denial of Service (DoS).
• CVE-2026-40310 (High) — Heap out-of-bounds write in the JP2 encoder triggered when a user specifies an invalid sampling index.

Additional security and bug fixes are included in the upstream releases between 6.9.13.25 and 6.9.13.49. See the upstream release history at: https://github.com/ImageMagick/ImageMagick6/releases