Explore top 10 tips to secure your open-source projects now. Read More
×
Update to version 1.7.19. https://github.com/DaveGamble/cJSON/blob/v1.7.19/CHANGELOG.md. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-0c3f6c7c67 2026-07-11 01:06:30.201347+00:00 -------------------------------------------------------------------------------- Name : cjson Product : Fedora 44 Version : 1.7.19 Release : 1.fc44 URL : https://github.com/DaveGamble/cJSON Summary : Ultralightweight JSON parser in ANSI C Description : cJSON aims to be the dumbest possible parser that you can get your job done with. It's a single file of C, and a single header file. -------------------------------------------------------------------------------- Update Information: Update to version 1.7.19. https://github.com/DaveGamble/cJSON/blob/v1.7.19/CHANGELOG.md -------------------------------------------------------------------------------- ChangeLog: * Wed Jul 1 2026 Carl George - 1.7.19-1 - Update to version 1.7.19 rhbz#2394084 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2495843 - CVE-2025-57052 cjson: out-of-bounds access in decode_array_index_from_pointer() in cJSON_Utils.c via crafted JSON pointer strings [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2495843 [ 2 ] Bug #2495846 - CVE-2023-26819 cjson: cJSON rejects a valid text [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2495846 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-0c3f6c7c67' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be foundat https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Update to 2.112.0.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-a5e27945f7 2026-07-11 01:06:30.201345+00:00 -------------------------------------------------------------------------------- Name : jfrog-cli Product : Fedora 44 Version : 2.112.0 Release : 1.fc44 URL : https://github.com/jfrog/jfrog-cli Summary : CLI to automate access to JFrog products Description : JFrog CLI is a client that provides a simple interface that automates access to the JFrog products. -------------------------------------------------------------------------------- Update Information: Update to 2.112.0. -------------------------------------------------------------------------------- ChangeLog: * Thu Jul 2 2026 Simone Caronni - 2.112.0-1 - Update to 2.112.0 * Tue Jun 30 2026 Simone Caronni - 2.111.0-1 - Update to 2.111.0 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2486209 - CVE-2026-45287 jfrog-cli: OpenTelemetry-Go: Denial of Service due to file descriptor leak [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2486209 [ 2 ] Bug #2486291 - CVE-2026-45287 jfrog-cli: OpenTelemetry-Go: Denial of Service due to file descriptor leak [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2486291 [ 3 ] Bug #2489886 - CVE-2026-39828 jfrog-cli: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2489886 [ 4 ] Bug #2489892 - CVE-2026-39828 jfrog-cli: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2489892 [ 5 ] Bug #2490031 - CVE-2026-39829 jfrog-cli: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2490031 [ 6 ] Bug #2490064 - CVE-2026-39829 jfrog-cli: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2490064 [ 7 ] Bug #2490392 - CVE-2026-39830 jfrog-cli: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2490392 [ 8 ] Bug #2490478 - CVE-2026-39830 jfrog-cli: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2490478 [ 9 ] Bug #2493082 - CVE-2026-39832 jfrog-cli: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2493082 [ 10 ] Bug #2493369 - jfrog-cli-2.112.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2493369 [ 11 ] Bug #2493527 - CVE-2026-39835 jfrog-cli: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2493527 [ 12 ] Bug #2493565 - CVE-2026-41567 jfrog-cli: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2493565 [ 13 ] Bug #2494437 - CVE-2026-39833 jfrog-cli: golang.org/x/crypto/ssh/agent: Security bypass due to unenforced key confirmation [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2494437 [ 14 ] Bug #2496444 - CVE-2026-47262 jfrog-cli: containerd: Denial of Service via maliciously crafted image leading to unbounded group parsing [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2496444 [ 15 ] Bug #2496513 - CVE-2026-44740 jfrog-cli: Billy: Denial of Service via crafted input due to insufficient validation [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2496513 [ 16 ] Bug #2496560 - CVE-2026-53492 jfrog-cli: containerd: Security bypass via Container Device Interface (CDI) annotation smuggling during checkpoint restoration. [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2496560 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-a5e27945f7' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
This package provides the Perl module HTML::Gumbo. Versions before 0.19 disclose heap memory via type confusion. Support for the element was added to libgumbo 0.10.0 in 2015, but the walk_tree function in lib/HTML/Gumbo.xs was not updated to support it. The element was treated as a text-node, where strlen() over-reads the heap block that the. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-75010c7f44 2026-07-11 01:06:30.201339+00:00 -------------------------------------------------------------------------------- Name : perl-HTML-Gumbo Product : Fedora 44 Version : 0.19 Release : 1.fc44 URL : https://metacpan.org/dist/HTML-Gumbo Summary : HTML5 parser based on gumbo C library Description : Gumbo is an implementation of the HTML5 parsing algorithm implemented as a pure C99 library with no outside dependencies. -------------------------------------------------------------------------------- Update Information: This package provides the Perl module HTML::Gumbo. Versions before 0.19 disclose heap memory via type confusion. Support for the element was added to libgumbo 0.10.0 in 2015, but the walk_tree function in lib/HTML/Gumbo.xs was not updated to support it. The element was treated as a text-node, where strlen() over-reads the heap block that the pointer addresses. -------------------------------------------------------------------------------- ChangeLog: * Sat May 30 2026 Emmanuel Seyman - 0.19-1 - Update to 0.19 - Update dependencies - Use /usr/bin/perl instead of %{__perl} -------------------------------------------------------------------------------- References: [ 1 ] Bug #2496536 - CVE-2025-15646 perl-HTML-Gumbo: HTML::Gumbo: Information disclosure through HTML template processing [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2496536 -------------------------------------------------------------------------------- This update can beinstalled with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-75010c7f44' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Update to 3.13.0. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-01a1840582 2026-07-11 01:06:30.201315+00:00 -------------------------------------------------------------------------------- Name : prometheus Product : Fedora 44 Version : 3.13.0 Release : 1.fc44 URL : https://github.com/prometheus/prometheus Summary : Prometheus monitoring system and time series database Description : The Prometheus monitoring system and time series database. -------------------------------------------------------------------------------- Update Information: Update to 3.13.0 -------------------------------------------------------------------------------- ChangeLog: * Thu Jul 2 2026 Mikel Olasagasti Uranga - 3.13.0-1 - Update to 3.13.0 - Closes rhbz#2495979 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2489191 - CVE-2026-40186 prometheus: ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2489191 [ 2 ] Bug #2492689 - CVE-2026-44990 prometheus: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2492689 [ 3 ] Bug #2493575 - CVE-2026-41567 prometheus: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2493575 [ 4 ] Bug #2495063 - CVE-2026-53606 prometheus: sanitize-html: Cross-Site Scripting (XSS) via insufficient URI scheme validation [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2495063 [ 5 ] Bug #2495322 - CVE-2026-25681 prometheus: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2495322 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-01a1840582' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Version 0.17.0 - 2026-07-01 Security Fix size_t overflow in amqp_decode_bytes bounds check leading to out-of-bounds read (GHSA-jgjf-7fwf-f3c7, #888) Fix heap buffer overflow in amqp_frame_to_bytes for oversized body frames (GHSA-. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-fc2f661416 2026-07-11 01:06:30.201235+00:00 -------------------------------------------------------------------------------- Name : librabbitmq Product : Fedora 44 Version : 0.17.0 Release : 1.fc44 URL : https://github.com/alanxz/rabbitmq-c Summary : Client library for AMQP Description : This is a C-language AMQP client library for use with AMQP servers speaking protocol versions 0-9-1. -------------------------------------------------------------------------------- Update Information: Version 0.17.0 - 2026-07-01 Security Fix size_t overflow in amqp_decode_bytes bounds check leading to out-of-bounds read (GHSA-jgjf-7fwf-f3c7, #888) Fix heap buffer overflow in amqp_frame_to_bytes for oversized body frames (GHSA- hfjv-vcp3-39wh, #892) Added librabbitmq-tools fall back to the AMQP_URL environment variable when no connection options are given on the command line (#887) Fixed Fix undefined behavior in amqp_decode_properties when decoding content-header property flags (#883, #885) Fix ioctlsocket type mismatch on Windows (#890) Document buffer lifetime requirement of amqp_decode_table's encoded buffer to prevent use-after-free misuse (#895) Changed librabbitmq-tools now enable default SSL certificate verification paths unless --no-default-cert-paths is passed (fixes #868, #893) Building the tools now requires POPT v1.14 or newer (#889) -------------------------------------------------------------------------------- ChangeLog: * Thu Jul 2 2026 Remi Collet - 0.17.0-1 - update to 0.17.0 -------------------------------------------------------------------------------- This update can beinstalled with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-fc2f661416' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Version 2.10.2 - 2026-07-01 Security: Validate package names (GHSA-499r-g7pc-vmp9) Security: Validate package bin paths against path traversal (GHSA-gjfg-22fp- rrxx) Security: Sanitize URL-embedded usernames/token in verbose output. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-22ba02bee3 2026-07-11 01:06:30.201230+00:00 -------------------------------------------------------------------------------- Name : composer Product : Fedora 44 Version : 2.10.2 Release : 1.fc44 URL : https://getcomposer.org/ Summary : Dependency Manager for PHP Description : Composer helps you declare, manage and install dependencies of PHP projects, ensuring you have the right stack everywhere. Documentation: https://getcomposer.org/doc/ -------------------------------------------------------------------------------- Update Information: Version 2.10.2 - 2026-07-01 Security: Validate package names (GHSA-499r-g7pc-vmp9) Security: Validate package bin paths against path traversal (GHSA-gjfg-22fp- rrxx) Security: Sanitize URL-embedded usernames/token in verbose output (GHSA-g6xq-892h-64w3) Security: Only follow HTTP redirects from HTTP responses (#12948) Security: Prevent phar metadata unserialization on unsafe PHP versions (#12946) Security: Sanitize JSON parse errors in http responses to avoid leaking response body data (#12959) Added warning output in self-update command when using a soon-to-be EOL version (#12920) Added download retry when a GitHub codeload URL returns a 400 (#12962) Fixed audit command to output the audit result to stdout (#12904) Fixed backspace characters being output to non-decorated output (#12925) Fixed security advisory blocking causing issues with xdebug enabled (#12935) Fixed provider packages hiding suggestions for the package they provide themselves (#12933) Fixed security advisory blocking causing issues with xdebug enabled(#12935) -------------------------------------------------------------------------------- ChangeLog: * Wed Jul 1 2026 Remi Collet - 2.10.2-1 - update to 2.10.2 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-22ba02bee3' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
https://github.com/AcademySoftwareFoundation/OpenImageIO/releases/tag/v3.1.15.0. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-25954ebccf 2026-07-11 01:06:30.201222+00:00 -------------------------------------------------------------------------------- Name : OpenImageIO Product : Fedora 44 Version : 3.1.15.0 Release : 1.fc44 URL : https://openimageio.org/ Summary : Library for reading and writing images Description : OpenImageIO is a library for reading and writing images, and a bunch of related classes, utilities, and applications. Main features include: - Extremely simple but powerful ImageInput and ImageOutput APIs for reading and writing 2D images that is format agnostic. - Format plugins for TIFF, JPEG/JFIF, OpenEXR, PNG, HDR/RGBE, Targa, JPEG-2000, DPX, Cineon, FITS, BMP, ICO, RMan Zfile, Softimage PIC, DDS, SGI, PNM/PPM/PGM/PBM. - An ImageCache class that transparently manages a cache so that it can access truly vast amounts of image data. -------------------------------------------------------------------------------- Update Information: https://github.com/AcademySoftwareFoundation/OpenImageIO/releases/tag/v3.1.15.0 -------------------------------------------------------------------------------- ChangeLog: * Wed Jul 1 2026 Richard Shaw - 1:3.1.15.0-1 - Update to 3.1.15.0. * Thu Jun 25 2026 František Zatloukal - 1:3.1.14.0-6 - Rebuilt for fmt/spdlog * Wed Jun 17 2026 Yaakov Selkowitz - 1:3.1.14.0-5 - Rebuilt for openssl 4.0 * Wed Jun 17 2026 Simone Caronni - 1:3.1.14.0-4 - Rebuild for OpenJPH update. * Fri Jun 12 2026 Yaakov Selkowitz - 1:3.1.14.0-3 - Rebuilt for openssl 4.0 * Fri Jun 5 2026 Python Maint - 1:3.1.14.0-2 - Rebuilt for Python 3.15 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2341889 - CVE-2024-55195 OpenImageIO: An allocation-size-too-big bug in the component /imagebuf.cpp of OpenImageIO [epel-8] https://bugzilla.redhat.com/show_bug.cgi?id=2341889 [ 2 ] Bug #2341890 - CVE-2024-55195 OpenImageIO: An allocation-size-too-big bug in the component /imagebuf.cpp of OpenImageIO [epel-9] https://bugzilla.redhat.com/show_bug.cgi?id=2341890 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-25954ebccf' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Update OpenImageIO on Fedora 44 to resolve an allocation size issue. Ensure your system is secure and patched effectively.. OpenImageIO update, Fedora security, image library issue, software patching, allocation size bug. . LinuxSecurity.com Team
CVE-2026-55653: Fix double free in openssh DH-GEX client path during FIPS known- group validation that leads to client-side denial of service CVE-2026-55654: Fix heap out-of-bounds read during GSSAPI indicator cleanup due to missing NULL terminator CVE-2026-55655: Fix MITM of X11 forwarding via abstract UNIX socket pre-binding. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-95b955a09b 2026-07-11 00:52:57.708578+00:00 -------------------------------------------------------------------------------- Name : openssh Product : Fedora 43 Version : 10.0p1 Release : 10.fc43 URL : http://www.openssh.com/portable.html Summary : An open source implementation of SSH protocol version 2 Description : SSH (Secure SHell) is a program for logging into and executing commands on a remote machine. SSH is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. OpenSSH is OpenBSD's version of the last free version of SSH, bringing it up to date in terms of security and features. This package includes the core files necessary for both the OpenSSH client and server. To make this package useful, you should also install openssh-clients, openssh-server, or both. -------------------------------------------------------------------------------- Update Information: CVE-2026-55653: Fix double free in openssh DH-GEX client path during FIPS known- group validation that leads to client-side denial of service CVE-2026-55654: Fix heap out-of-bounds read during GSSAPI indicator cleanup due to missing NULL terminator CVE-2026-55655: Fix MITM of X11 forwarding via abstract UNIX socket pre-binding -------------------------------------------------------------------------------- ChangeLog: * Tue Jul 7 2026 Zoltan Fridrich - 10.0p1-10 -CVE-2026-55653: Fix double free in openssh DH-GEX client path during FIPS known-group validation that leads to client-side denial of service - CVE-2026-55654: Fix heap out-of-bounds read during GSSAPI indicator cleanup due to missing NULL terminator - CVE-2026-55655: Fix MITM of X11 forwarding via abstract UNIX socket pre-binding -------------------------------------------------------------------------------- References: [ 1 ] Bug #2442505 - 0043-openssh-8.7p1-ssh-manpage.patch introduces duplicates in documentation https://bugzilla.redhat.com/show_bug.cgi?id=2442505 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-95b955a09b' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Get the latest Linux and open source security news straight to your inbox.