Fedora Security Advisories

• rubygem-json-2.19.2-1.fc44

New version 2.19.2 is released. This fixes a format string injection vulnerability in JSON.parse, which is now assigned as CVE-2026-33210

• bcftools-1.23.1-1.el10_3
• htslib-1.23.1-1.el10_3
• samtools-1.23.1-1.el10_3

Update to 1.23.1

• bcftools-1.23.1-1.el10_1
• htslib-1.23.1-1.el10_1
• samtools-1.23.1-1.el10_1

Update to 1.23.1

• mongo-c-driver-1.30.7-2.fc44

• Fix handling in HTTP response parser CVE-2026-4359

• mongo-c-driver-1.30.7-2.el10_2

• Fix handling in HTTP response parser CVE-2026-4359

• mongo-c-driver-1.30.7-2.el8

• Fix handling in HTTP response parser CVE-2026-4359

• mongo-c-driver-1.30.7-2.fc43

• Fix handling in HTTP response parser CVE-2026-4359

• mongo-c-driver-1.30.7-2.el9

• Fix handling in HTTP response parser CVE-2026-4359

• mongo-c-driver-1.30.7-2.el10_1

• Fix handling in HTTP response parser CVE-2026-4359

• mongo-c-driver-1.30.7-2.fc42

• Fix handling in HTTP response parser CVE-2026-4359

• kryoptic-1.5.0-2.fc43
• pyOpenSSL-26.0.0-1.fc43
• python-cryptography-46.0.5-1.fc43
• rust-asn1-0.22.0-1.fc43
• rust-asn1_derive-0.22.0-1.fc43
• rust-cryptoki-0.12.0-2.fc43
• rust-cryptoki-sys-0.5.0-2.fc43
• rust-wycheproof-0.6.0-1.fc43

• Update pyOpenSSL to v26.0.0 (security update)
• Update python-cryptography to v46.0.5 (dependency of pyOpenSSL 26)
• Update rust-asn1 to 0.22 (dependency of python-cryptography)
• Update kryoptic to v1.5 (required for rust-asn1 bump to 0.22)

The security status of this update is only for pyOpenSSL.

• localsearch-3.10.2-2.fc43

Add a patch for several CVEs:

• CVE-2026-1764 - Heap Buffer Overflow in GNOME localsearch MP3 Extractor
• CVE-2026-1765 - Heap Buffer Overflow in GNOME localsearch MP3 Extractor (TXXX Tags)
• CVE-2026-1766 - Heap Buffer Overflow in GNOME localsearch MP3 Extractor (ID3v2.3 COMM Tags)
• CVE-2026-1767 - Heap Buffer Overflow in GNOME localsearch MP3 Extractor

• bcftools-1.23.1-1.el10_2
• htslib-1.23.1-1.el10_2
• samtools-1.23.1-1.el10_2

Update to 1.23.1

• bcftools-1.23.1-1.fc45
• htslib-1.23.1-1.fc45
• samtools-1.23.1-1.fc45

Update to 1.23.1

• glib2-2.86.4-2.fc43

Add patch for CVE-2026-0988 (Integer overflow in g_buffered_input_stream_peek() leads to segmentation fault)

• suricata-8.0.3-1.el10_2

Upstream security/bugfix release

• roundcubemail-1.7~rc5-1.fc44

Version 1.7-rc5

• Password: Add nt-binary hashing method (#10096)
• Fix URL matching for domain names with port numbers (#10105)
• Fix PHP fatal error when using IMAP cache (#10102)
• Fix Postgres connection using IPv6 address (#10104)
• Fix bug where rel=stylesheet part of a <link> could get removed
• Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
• Security: Fix bug where a password could get changed without providing the old password
• Security: Fix IMAP Injection + CSRF bypass in mail search
• Security: Fix remote image blocking bypass via various SVG animate attributes
• Security: Fix remote image blocking bypass via a crafted body background attribute
• Security: Fix fixed position mitigation bypass via use of !important
• Security: Fix XSS issue in a HTML attachment preview
• Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts

• roundcubemail-1.6.14-1.el10_2

Version 1.6.14

• Fix Postgres connection using IPv6 address (#10104)
• Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
• Security: Fix bug where a password could get changed without providing the old password
• Security: Fix IMAP Injection + CSRF bypass in mail search
• Security: Fix remote image blocking bypass via various SVG animate attributes
• Security: Fix remote image blocking bypass via a crafted body background attribute
• Security: Fix fixed position mitigation bypass via use of !important
• Security: Fix XSS issue in a HTML attachment preview
• Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts

• roundcubemail-1.6.14-1.fc42

Version 1.6.14

• Fix Postgres connection using IPv6 address (#10104)
• Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
• Security: Fix bug where a password could get changed without providing the old password
• Security: Fix IMAP Injection + CSRF bypass in mail search
• Security: Fix remote image blocking bypass via various SVG animate attributes
• Security: Fix remote image blocking bypass via a crafted body background attribute
• Security: Fix fixed position mitigation bypass via use of !important
• Security: Fix XSS issue in a HTML attachment preview
• Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts

• roundcubemail-1.6.14-1.fc43

Version 1.6.14

• Fix Postgres connection using IPv6 address (#10104)
• Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
• Security: Fix bug where a password could get changed without providing the old password
• Security: Fix IMAP Injection + CSRF bypass in mail search
• Security: Fix remote image blocking bypass via various SVG animate attributes
• Security: Fix remote image blocking bypass via a crafted body background attribute
• Security: Fix fixed position mitigation bypass via use of !important
• Security: Fix XSS issue in a HTML attachment preview
• Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts