Update bundled golang.org/x/crypto to 0.53.0.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-12d4cde449
2026-07-02 01:07:29.331951+00:00
--------------------------------------------------------------------------------

Name        : opkssh
Product     : Fedora 43
Version     : 0.14.0
Release     : 3.fc43
URL         : https://github.com/openpubkey/opkssh
Summary     : OpenPubkey SSH
Description :
OpenPubkey SSH is a tool which enables ssh to be used with OpenID Connect allowing SSH access to be managed via identities like
The 7.0.14-101/201 kernel builds contain a fix for an unprivileged container / jail escape. This has not been assigned a CVE number yet, but a POC is in the wild. The 7.0.14 stable kernel update contains a number of important fixes across the tree.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7ae597d1d2
2026-07-02 01:05:29.984027+00:00
--------------------------------------------------------------------------------

Name        : kernel
Product     : Fedora 44
Version     : 7.0.14
Release     : 201.fc44
URL         : https://www.kernel.org/
Summary     : The Linux kernel
Description :
The kernel meta package

--------------------------------------------------------------------------------
Update Information:

The 7.0.14-101/201 kernel builds contain a fix for an unprivileged container / jail escape. This has not been assigned a CVE number yet, but a POC is in the wild.
The 7.0.14 stable kernel update contains a number of important fixes across the tree.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jul 1 2026 Justin M. Forbes [7.0.14-1]
- ipv6: account for fraggap on the paged allocation path (Wongi Lee)
- ipv4: account for fraggap on the paged allocation path (Wongi Lee)
* Sat Jun 27 2026 Justin M. Forbes [7.0.14-0]
- Revert "Input: rmi4 - remove the need for artificial IRQ in case of HID" (Justin M. Forbes)
- Linux v7.0.14
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-7ae597d1d2' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Update! Close Go standard library CVE bugs that are solved by a rebuild.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-32113d4817
2026-07-02 01:07:29.331944+00:00
--------------------------------------------------------------------------------

Name        : hut
Product     : Fedora 43
Version     : 0.8.0
Release     : 1.fc43
URL         : https://git.sr.ht/~xenrox/hut
Summary     : A CLI tool for Sourcehut
Description :
hut is a CLI tool for interacting with Sourcehut instances. It supports
git.sr.ht as well as self-hosted Sourcehut instances.

--------------------------------------------------------------------------------
Update Information:

Update! Close Go standard library CVE bugs that are solved by a rebuild
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 23 2026 Javier Olaechea - 0.8.0-1
- Update to 0.8.0. Fixes rhbz#2451702.
* Tue Feb 3 2026 Maxwell G - 0.7.0-4
- Rebuild for https://fedoraproject.org/wiki/Changes/golang1.26
* Fri Jan 16 2026 Fedora Release Engineering - 0.7.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Fri Oct 10 2025 Alejandro Sáez - 0.7.0-2
- rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2408304 - CVE-2025-58189 hut: go crypto/tls ALPN negotiation error contains attacker controlled information [fedora-43]
        https://bugzilla.redhat.com/show_bug.cgi?id=2408304
  [ 2 ] Bug #2408723 - CVE-2025-61725 hut: Excessive CPU consumption in ParseAddress in net/mail [fedora-43]
        https://bugzilla.redhat.com/show_bug.cgi?id=2408723
  [ 3 ] Bug #2409777 - CVE-2025-61723 hut: Quadratic complexity when parsing some invalid inputs in encoding/pem [fedora-43]
        https://bugzilla.redhat.com/show_bug.cgi?id=2409777
  [ 4 ] Bug #2410727 - CVE-2025-58185 hut: Parsing DER payload can cause memory exhaustion in encoding/asn1 [fedora-43]
        https://bugzilla.redhat.com/show_bug.cgi?id=2410727
  [ 5 ] Bug #2411623 - CVE-2025-58188 hut: Panic when validating certificates with DSA public keys in crypto/x509 [fedora-43]
        https://bugzilla.redhat.com/show_bug.cgi?id=2411623
  [ 6 ] Bug #2412711 - CVE-2025-58183 hut: Unbounded allocation when parsing GNU sparse map [fedora-43]
        https://bugzilla.redhat.com/show_bug.cgi?id=2412711
  [ 7 ] Bug #2451702 - hut-0.8.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2451702
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-32113d4817' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

LinuxSecurity.com Team
Fixed a CORS bug that leaked the anti-CSRF nonce. (#8938) Fixed a use-after-free bug in peer code. (#8921) Fixed build error when compiling with fmt 12.2.0. (#8942)

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-0c067e5040
2026-07-02 01:05:29.984018+00:00
--------------------------------------------------------------------------------

Name        : transmission
Product     : Fedora 44
Version     : 4.1.3
Release     : 1.fc44
URL         : http://www.transmissionbt.com
Summary     : A lightweight GTK+ BitTorrent client
Description :
Transmission is a free, lightweight BitTorrent client. It features a
simple, intuitive interface on top of an efficient, cross-platform
back-end.

--------------------------------------------------------------------------------
Update Information:

Fixed a CORS bug that leaked the anti-CSRF nonce. (#8938)
Fixed a use-after-free bug in peer code. (#8921)
Fixed build error when compiling with fmt 12.2.0. (#8942)
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 30 2026 Gwyn Ciesla - 4.1.3-1
- 4.1.3
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2494743 - transmission-4.1.3 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2494743
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-0c067e5040' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
0.9.34 - security fix for CVE-2026-27145.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-00901a5e8f
2026-07-02 01:05:29.984014+00:00
--------------------------------------------------------------------------------

Name        : ipp-usb
Product     : Fedora 44
Version     : 0.9.34
Release     : 2.fc44
URL         : https://github.com/OpenPrinting/ipp-usb
Summary     : HTTP reverse proxy, backed by IPP-over-USB connection to device
Description :
HTTP reverse proxy, backed by IPP-over-USB connection to device. It enables
driverless support for USB devices capable of using IPP-over-USB protocol.

--------------------------------------------------------------------------------
Update Information:

0.9.34 - security fix for CVE-2026-27145
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 30 2026 Zdenek Dohnal - 0.9.34-2
- ipp-usb-0.9.34 is available (fedora#2463247, fedora#2484207, fedora#2494316)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2484207 - CVE-2026-27145 crypto/x509: golang: golang crypto/x509: Denial of Service via excessive processing of DNS SAN entries
        https://bugzilla.redhat.com/show_bug.cgi?id=2484207
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-00901a5e8f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Security update resolving 17 CVEs across both caddy itself and its vendored libraries.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-950cac64f2
2026-07-02 01:05:29.983957+00:00
--------------------------------------------------------------------------------

Name        : caddy
Product     : Fedora 44
Version     : 2.10.2
Release     : 9.fc44
URL         : https://caddyserver.com
Summary     : Web server with automatic HTTPS
Description :
Caddy is an extensible server platform that uses TLS by default.

--------------------------------------------------------------------------------
Update Information:

Security update resolving 17 CVEs across both caddy itself and its vendored
libraries.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 23 2026 Carl George - 2.10.2-9
- Port to new golang packaging guidelines
- Backport upstream fix for CVE-2026-27585
- Backport upstream fix for CVE-2026-27586
- Backport upstream fix for CVE-2026-27587
- Backport upstream fix for CVE-2026-27588
- Backport upstream fix for CVE-2026-27589
- Backport upstream fix for CVE-2026-27590
- Backport upstream fix for CVE-2026-30851
- Backport upstream fix for CVE-2026-30852
- Update vendored github.com/quic-go/quic-go to v0.57.0 for CVE-2025-64702
- Update vendored golang.org/x/crypto to v0.52.0 for CVE-2025-47913, CVE-2026-39828, CVE-2026-39829, and CVE-2026-39830
- Update vendored github.com/smallstep/certificates to v0.30.0 for CVE-2025-44005 and CVE-2026-40097
- Update vendored github.com/go-chi/chi/v5 to v5.2.5 for CVE-2025-69725
- Update vendored github.com/yuin/goldmark/renderer/html to v1.7.17 for CVE-2026-5160
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2488094 - CVE-2026-30851 caddy: Caddy: Privilege escalation via identity injection due to unstripped client headers [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488094
  [ 2 ] Bug #2488095 - CVE-2026-30852 caddy: Caddy: Information disclosure via double-expansion of user-controlled input [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488095
  [ 3 ] Bug #2488141 - CVE-2026-40097 caddy: Step CA: Denial of Service via crafted attestation key certificate [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488141
  [ 4 ] Bug #2488502 - CVE-2026-27585 caddy: Caddy: Path security bypass due to unsanitized backslashes [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488502
  [ 5 ] Bug #2488503 - CVE-2026-27586 caddy: Caddy: Authentication bypass via mTLS client certificate validation failure [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488503
  [ 6 ] Bug #2488514 - CVE-2026-27587 caddy: Caddy: Access control bypass due to improper handling of percent-escape sequences in HTTP path matcher [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488514
  [ 7 ] Bug #2488516 - CVE-2026-27588 caddy: Caddy: Access control bypass due to case-sensitive host matching [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488516
  [ 8 ] Bug #2488517 - CVE-2026-27589 caddy: Caddy: Unauthorized configuration modification via cross-origin requests to the admin API [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488517
  [ 9 ] Bug #2488518 - CVE-2026-27590 caddy: Caddy: Remote Code Execution via FastCGI path confusion [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488518
  [ 10 ] Bug #2488661 - CVE-2025-64702 caddy: quic-go HTTP/3 QPACK Header Expansion DoS [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488661
  [ 11 ] Bug #2488663 - CVE-2025-47913 caddy: golang.org/x/crypto/ssh/agent: SSH client panic due to unexpected SSH_AGENT_SUCCESS [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488663
  [ 12 ] Bug #2488665 - CVE-2025-44005 caddy:github.com/smallstep/certificates: Authorization bypass allows unauthorized certificate creation [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488665
  [ 13 ] Bug #2488666 - CVE-2025-69725 caddy: Go-chi/chi: Open Redirect vulnerability allows redirection to malicious websites [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488666
  [ 14 ] Bug #2488667 - CVE-2026-5160 caddy: github.com/yuin/goldmark/renderer/html: Cross-site Scripting due to improper URL validation [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488667
  [ 15 ] Bug #2489962 - CVE-2026-39828 caddy: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2489962
  [ 16 ] Bug #2490067 - CVE-2026-39829 caddy: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2490067
  [ 17 ] Bug #2490486 - CVE-2026-39830 caddy: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2490486
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-950cac64f2' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Update to 1.74.3.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-6145ae14ca
2026-07-02 01:05:29.983954+00:00
--------------------------------------------------------------------------------

Name        : rclone
Product     : Fedora 44
Version     : 1.74.3
Release     : 1.fc44
URL         : https://github.com/rclone/rclone
Summary     : Rsync for cloud storage
Description :
"rsync for cloud storage" - Google Drive, S3, Dropbox, Backblaze B2, One Drive,
Swift, Hubic, Wasabi, Google Cloud Storage, Azure Blob, Azure Files, Yandex
Files.

--------------------------------------------------------------------------------
Update Information:

Update to 1.74.3
--------------------------------------------------------------------------------
ChangeLog:

* Sat Jun 6 2026 Packit - 1.74.3-1
- Update to 1.74.3 upstream release
- Resolves: rhbz#2485621
* Sat May 23 2026 Packit - 1.74.2-1
- Update to 1.74.2 upstream release
- Resolves: rhbz#2468412
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2486295 - CVE-2026-45287 rclone: OpenTelemetry-Go: Denial of Service due to file descriptor leak [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2486295
  [ 2 ] Bug #2489905 - CVE-2026-39828 rclone: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2489905
  [ 3 ] Bug #2490091 - CVE-2026-39829 rclone: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2490091
  [ 4 ] Bug #2490402 - CVE-2026-39830 rclone: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2490402
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-6145ae14ca' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Update bundled golang.org/x/crypto to 0.53.0.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7794729685
2026-07-02 01:05:29.983902+00:00
--------------------------------------------------------------------------------

Name        : opkssh
Product     : Fedora 44
Version     : 0.14.0
Release     : 3.fc44
URL         : https://github.com/openpubkey/opkssh
Summary     : OpenPubkey SSH
Description :
OpenPubkey SSH is a tool which enables ssh to be used with OpenID Connect allowing SSH access to be managed via identities like