Explore top 10 tips to secure your open-source projects now. Read More
×
Fixed CVE-2026-42496 - Path traversal via crafted symlinks allows arbitrary file access Backported from 3.08. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-6988e8f652 2026-06-19 01:08:57.989060+00:00 -------------------------------------------------------------------------------- Name : perl-Archive-Tar Product : Fedora 43 Version : 3.04 Release : 522.fc43 URL : https://metacpan.org/release/Archive-Tar Summary : A module for Perl manipulation of .tar files Description : Archive::Tar provides an object oriented mechanism for handling tar files. It provides class methods for quick and easy files handling while also allowing for the creation of tar file objects for custom manipulation. If you have the IO::Zlib module installed, Archive::Tar will also support compressed or gzipped tar files. -------------------------------------------------------------------------------- Update Information: Fixed CVE-2026-42496 - Path traversal via crafted symlinks allows arbitrary file access Backported from 3.08 -------------------------------------------------------------------------------- ChangeLog: * Wed Jun 3 2026 Jitka Plesnikova - 3.04-522 - Fix CVE-2026-42496 (rhbz#2484320) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2484320 - CVE-2026-42496 perl-Archive-Tar: perl-archive-tar: Path traversal via crafted symlinks allows arbitrary file access [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2484320 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-6988e8f652' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with theFedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
In Git LFS versions 0.5.2 through 3.7.0, when populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands could write to files visible outside the current Git working tree if symbolic or hard links existed which collided with the paths of files tracked by Git LFS.. Debian LTS Advisory DLA-4610-1
Update rust-astral-tokio-tar to 0.6.0, fixing CVE-2026-32766. Update rust-tar to 0.4.45, fixing CVE-2026-33056. Update rust-nix to 0.31.2. Update uv and python- uv-build to 0.10.2, rebuilding them with the latest rust-astral-tokio-tar and rust-tar. Update python-fastar to 0.9.0, rebuilding it with the lastest rust- tar. Rebuild maturin with the latest rust-tar.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-d18cf572b8 2026-03-28 00:45:01.877972+00:00 -------------------------------------------------------------------------------- Name : rust-nix Product : Fedora 43 Version : 0.31.2 Release : 1.fc43 URL : https://crates.io/crates/nix Summary : Rust friendly bindings to *nix APIs Description : Rust friendly bindings to *nix APIs. -------------------------------------------------------------------------------- Update Information: Update rust-astral-tokio-tar to 0.6.0, fixing CVE-2026-32766. Update rust-tar to 0.4.45, fixing CVE-2026-33056. Update rust-nix to 0.31.2. Update uv and python- uv-build to 0.10.2, rebuilding them with the latest rust-astral-tokio-tar and rust-tar. Update python-fastar to 0.9.0, rebuilding it with the lastest rust- tar. Rebuild maturin with the latest rust-tar. Update to 0.9.0 -------------------------------------------------------------------------------- ChangeLog: * Tue Mar 17 2026 Benjamin A. Beasley - 0.31.2-1 - Update to verison 0.31.2; Fixes RHBZ#2443509 * Thu Feb 12 2026 Fabio Valentini - 0.31.1-2 - Skip one additional test that fails on RHEL 9 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2448054 - rust-astral-tokio-tar-0.6.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2448054 [ 2 ] Bug #2449243 - uv-0.10.12 is available https://bugzilla.redhat.com/show_bug.cgi?id=2449243 [ 3 ] Bug #2449274 - rust-tar-0.4.45 is available https://bugzilla.redhat.com/show_bug.cgi?id=2449274 [ 4 ] Bug #2449338 - python-uv-build-0.10.12 is available https://bugzilla.redhat.com/show_bug.cgi?id=2449338 [ 5 ] Bug #2449551 - CVE-2026-32766 python-uv-build: astral-tokio-tar: Potential archive misinterpretation via malformed PAX extensions [fedora-43] https://bugzilla.redhat.com/show_bug.cgi?id=2449551 [ 6 ] Bug #2449553 - CVE-2026-32766 uv: astral-tokio-tar: Potential archive misinterpretation via malformed PAX extensions [fedora-43] https://bugzilla.redhat.com/show_bug.cgi?id=2449553 [ 7 ] Bug #2449645 - python-fastar-0.9.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2449645 [ 8 ] Bug #2449681 - CVE-2026-33056 maturin: tar-rs: Arbitrary directory permission modification via crafted tar archive [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2449681 [ 9 ] Bug #2449683 - CVE-2026-33056 python-fastar: tar-rs: Arbitrary directory permission modification via crafted tar archive [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2449683 [ 10 ] Bug #2449684 - CVE-2026-33056 python-uv-build: tar-rs: Arbitrary directory permission modification via crafted tar archive [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2449684 [ 11 ] Bug #2449694 - CVE-2026-33056 uv: tar-rs: Arbitrary directory permission modification via crafted tar archive [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2449694 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-d18cf572b8' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be foundat https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Update rust-astral-tokio-tar to 0.6.0, fixing CVE-2026-32766. Update rust-tar to 0.4.45, fixing CVE-2026-33056. Update rust-nix to 0.31.2. Update uv and python- uv-build to 0.10.2, rebuilding them with the latest rust-astral-tokio-tar and rust-tar. Update python-fastar to 0.9.0, rebuilding it with the lastest rust- tar. Rebuild maturin with the latest rust-tar.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-e22a7dbf2d 2026-03-28 00:15:26.019772+00:00 -------------------------------------------------------------------------------- Name : rust-nix Product : Fedora 44 Version : 0.31.2 Release : 1.fc44 URL : https://crates.io/crates/nix Summary : Rust friendly bindings to *nix APIs Description : Rust friendly bindings to *nix APIs. -------------------------------------------------------------------------------- Update Information: Update rust-astral-tokio-tar to 0.6.0, fixing CVE-2026-32766. Update rust-tar to 0.4.45, fixing CVE-2026-33056. Update rust-nix to 0.31.2. Update uv and python- uv-build to 0.10.2, rebuilding them with the latest rust-astral-tokio-tar and rust-tar. Update python-fastar to 0.9.0, rebuilding it with the lastest rust- tar. Rebuild maturin with the latest rust-tar. -------------------------------------------------------------------------------- ChangeLog: * Tue Mar 17 2026 Benjamin A. Beasley - 0.31.2-1 - Update to verison 0.31.2; Fixes RHBZ#2443509 * Thu Feb 12 2026 Fabio Valentini - 0.31.1-2 - Skip one additional test that fails on RHEL 9 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2448054 - rust-astral-tokio-tar-0.6.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2448054 [ 2 ] Bug #2449243 - uv-0.10.12 is available https://bugzilla.redhat.com/show_bug.cgi?id=2449243 [ 3 ] Bug #2449274 - rust-tar-0.4.45 is available https://bugzilla.redhat.com/show_bug.cgi?id=2449274 [ 4 ] Bug #2449338 - python-uv-build-0.10.12 is available https://bugzilla.redhat.com/show_bug.cgi?id=2449338 [ 5 ] Bug #2449645 - python-fastar-0.9.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2449645 [ 6 ] Bug #2449681 - CVE-2026-33056 maturin: tar-rs: Arbitrary directory permission modification via crafted tar archive [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2449681 [ 7 ] Bug #2449683 - CVE-2026-33056 python-fastar: tar-rs: Arbitrary directory permission modification via crafted tar archive [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2449683 [ 8 ] Bug #2449684 - CVE-2026-33056 python-uv-build: tar-rs: Arbitrary directory permission modification via crafted tar archive [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2449684 [ 9 ] Bug #2449694 - CVE-2026-33056 uv: tar-rs: Arbitrary directory permission modification via crafted tar archive [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2449694 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-e22a7dbf2d' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
An update that solves one vulnerability can now be installed.. # Security update for python313-wheel Announcement ID: SUSE-SU-2026:0425-1 Release Date: 2026-02-11T08:30:17Z Rating: important References: * bsc#1257100 Cross-References: * CVE-2026-24049 CVSS scores: * CVE-2026-24049 ( SUSE ): 7.2 CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:N/VI:H/VA:H/SC:H/SI:H/SA:H * CVE-2026-24049 ( SUSE ): 7.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H * CVE-2026-24049 ( NVD ): 7.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H Affected Products: * Python 3 Module 15-SP7 * SUSE Linux Enterprise Desktop 15 SP7 * SUSE Linux Enterprise Server 15 SP7 * SUSE Linux Enterprise Server for SAP Applications 15 SP7 An update that solves one vulnerability can now be installed. ## Description: This update for python313-wheel fixes the following issues: * CVE-2026-24049: Fixed absent path sanitization can cause arbitrary file permission modification (bsc#1257100). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * Python 3 Module 15-SP7 zypper in -t patch SUSE-SLE-Module-Python3-15-SP7-2026-425=1 ## Package List: * Python 3 Module 15-SP7 (noarch) * python313-wheel-0.44.0-150700.3.3.1 ## References: * https://www.suse.com/security/cve/CVE-2026-24049.html * https://bugzilla.suse.com/show_bug.cgi?id=1257100 . A vital security update for python313-wheel is available, addressing an important vulnerability impacting SUSE systems.. SUSE Update, python313-wheel, Security Fix. . Severity: Important. LinuxSecurity.com Team
Fix CVE-2011-10007. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-047d8f57ea 2025-06-21 02:10:24.663081+00:00 -------------------------------------------------------------------------------- Name : perl-File-Find-Rule Product : Fedora 41 Version : 0.35 Release : 1.fc41 URL : https://metacpan.org/dist/File-Find-Rule Summary : Perl module implementing an alternative interface to File::Find Description : File::Find::Rule is a friendlier interface to File::Find. It allows you to build rules which specify the desired files and directories. -------------------------------------------------------------------------------- Update Information: Fix CVE-2011-10007 -------------------------------------------------------------------------------- ChangeLog: * Wed Jun 11 2025 Jitka Plesnikova - 0.35-1 - 0.35 bump (rhbz#2371137) - fix CVE-2011-10007 - Updated BRs -------------------------------------------------------------------------------- References: [ 1 ] Bug #2370473 - CVE-2011-10007 perl-File-Find-Rule: File::Find::Rule Arbitrary Code Execution [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2370473 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-047d8f57ea' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Fix CVE-2025-3155 - arbitrary file-read.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-e788608959 2025-05-21 02:16:05.620124+00:00 -------------------------------------------------------------------------------- Name : yelp-xsl Product : Fedora 42 Version : 42.1 Release : 7.fc42 URL : https://download.gnome.org/sources/yelp-xsl Summary : XSL stylesheets for the yelp help browser Description : This package contains XSL stylesheets that are used by the yelp help browser. -------------------------------------------------------------------------------- Update Information: Fix CVE-2025-3155 - arbitrary file-read. -------------------------------------------------------------------------------- ChangeLog: * Thu May 15 2025 Jan Grulich - 42.1-7 - Fix CVE-2025-3155 - arbitrary file-read -------------------------------------------------------------------------------- References: [ 1 ] Bug #2357092 - CVE-2025-3155 yelp: Arbitrary file read [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2357092 [ 2 ] Bug #2366258 - yelp-42.2-9.fc42 breaks rendering https://bugzilla.redhat.com/show_bug.cgi?id=2366258 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-e788608959' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Several security issues were fixed in ruby-doorkeeper.. ========================================================================== Ubuntu Security Notice USN-7394-1 March 31, 2025 ruby-doorkeeper vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 LTS Summary: Several security issues were fixed in ruby-doorkeeper. Software Description: - ruby-doorkeeper: OAuth 2 provider for Rails and Grape Details: Jonathan Clem and Justin Bull discovered that Doorkeeper could allow arbitrary token revocation and replay attacks. An attacker could possibly use this issue to gain unauthorized access to a system. (CVE-2016-6582) It was discovered that Doorkeeper incorrectly handled storing client names. An attacker could possibly use this issue to execute a cross-site scripting (XSS) attack. (CVE-2018-1000088) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 LTS ruby-doorkeeper 2.2.1-1ubuntu0.1~esm2 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7394-1 CVE-2016-6582, CVE-2018-1000088 . Security fixes for ruby-doorkeeper vulnerabilities addressed in Ubuntu Security Notice USN-7394-1, March 31, 2025.. security, ruby-doorkeeper, =============================================. . Severity: Critical. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.