Explore top 10 tips to secure your open-source projects now. Read More
×Update to 4.53.3. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-990cdd8329 2026-07-18 00:27:50.464596+00:00 -------------------------------------------------------------------------------- Name : yq Product : Fedora 43 Version : 4.53.3 Release : 1.fc43 URL : https://github.com/mikefarah/yq Summary : Yq is a portable command-line YAML, JSON, XML, CSV, TOML, HCL and properties processor Description : Yq is a portable command-line YAML, JSON, XML, CSV, TOML, HCL and properties processor. -------------------------------------------------------------------------------- Update Information: Update to 4.53.3 -------------------------------------------------------------------------------- ChangeLog: * Tue Jul 14 2026 Mikel Olasagasti Uranga - 4.53.3-1 - Update to 4.53.3 and add packit integration * Tue Feb 3 2026 Maxwell G - 4.47.1-5 - Rebuild for https://fedoraproject.org/wiki/Changes/golang1.26 * Sat Jan 17 2026 Fedora Release Engineering - 4.47.1-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild * Fri Oct 10 2025 Alejandro Sáez - 4.47.1-3 - rebuild -------------------------------------------------------------------------------- References: [ 1 ] Bug #2495328 - CVE-2026-25681 yq: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2495328 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-990cdd8329' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be foundat https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Update for Fedora 43 addresses important security issue in yq, fixing potential cross-site scripting vulnerabilities.. fedora update,yq security,arbitrary code execution,yq bug fix,cross-site scripting. . Severity: Important. LinuxSecurity.com Team
Important: nodejs:24 security, bug fix, and enhancement update. {"type": "TYPE_SECURITY", "shortCode": "RL", "name": "RLSA-2026:39868", "synopsis": "Important: nodejs:24 security, bug fix, and enhancement update", "severity": "SEVERITY_IMPORTANT", "topic": "An update is available for nodejs, module.nodejs, nodejs-packaging, nodejs-nodemon, module.nodejs-packaging, module.nodejs-nodemon.\nThis update affects Rocky Linux 8.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list", "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nSecurity Fix(es):\n\n* ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (CVE-2026-42338)\n\n* undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames (CVE-2026-12151)\n\n* undici: Undici: Information disclosure due to improper cache-control header parsing (CVE-2026-9678)\n\n* undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. (CVE-2026-6733)\n\n* undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header (CVE-2026-11525)\n\n* undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy (CVE-2026-9697)\n\n* undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing (CVE-2026-6734)\n\n* nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames (CVE-2026-48619)\n\n* nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling (CVE-2026-48930)\n\n* nodejs: Node.js: Unauthorized file metadata modification (CVE-2026-48935)\n\n* nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() (CVE-2026-48933)\n\n* nodejs: Node.js: Certification validation bypass in TLS host verification(CVE-2026-48934)\n\n* Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency (CVE-2026-48928)\n\n* nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling (CVE-2026-48615)\n\n* nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch (CVE-2026-48618)\n\nBug Fix(es) and Enhancement(s):\n\n* nodejs:24/nodejs: Rebase to the latest Node.js 24 release [rhel-8] (JIRA:Rocky Linux-168744)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "solution": null, "affectedProducts": ["Rocky Linux 8"], "fixes": [{"ticket": "2476810", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2476810", "description": ""}, {"ticket": "2489980", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2489980", "description": ""}, {"ticket": "2490000", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2490000", "description": ""}, {"ticket": "2490006", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2490006", "description": ""}, {"ticket": "2490008", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2490008", "description": ""}, {"ticket": "2490018", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2490018", "description": ""}, {"ticket": "2490024", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2490024", "description": ""}, {"ticket": "2493325", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2493325", "description": ""}, {"ticket": "2493326", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2493326", "description": ""}, {"ticket": "2493329", "sourceBy": "Red Hat", "sourceLink":"https://bugzilla.redhat.com/show_bug.cgi?id=2493329", "description": ""}, {"ticket": "2493331", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2493331", "description": ""}, {"ticket": "2493332", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2493332", "description": ""}, {"ticket": "2493333", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2493333", "description": ""}, {"ticket": "2493335", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2493335", "description": ""}, {"ticket": "2493337", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2493337", "description": ""}], "cves": [{"name": "CVE-2026-11525", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11525", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "cvss3BaseScore": "3.7", "cwe": "CWE-1286"}, {"name": "CVE-2026-12151", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-12151", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cvss3BaseScore": "7.5", "cwe": "CWE-770"}, {"name": "CVE-2026-42338", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42338", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "cvss3BaseScore": "8.1", "cwe": "CWE-79"}, {"name": "CVE-2026-48615", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48615", "cvss3ScoringVector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "cvss3BaseScore": "5.9", "cwe": "CWE-209"}, {"name": "CVE-2026-48618", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48618", "cvss3ScoringVector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "cvss3BaseScore": "7.7", "cwe": "CWE-289"}, {"name": "CVE-2026-48619", "sourceBy": "MITRE", "sourceLink":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48619", "cvss3ScoringVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "cvss3BaseScore": "5.3", "cwe": "CWE-770"}, {"name": "CVE-2026-48928", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48928", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "cvss3BaseScore": "4.2", "cwe": "CWE-289"}, {"name": "CVE-2026-48930", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48930", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "cvss3BaseScore": "5.6", "cwe": "CWE-170"}, {"name": "CVE-2026-48933", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48933", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cvss3BaseScore": "7.5", "cwe": "CWE-770"}, {"name": "CVE-2026-48934", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48934", "cvss3ScoringVector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "cvss3BaseScore": "4.3", "cwe": "CWE-295"}, {"name": "CVE-2026-48935", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48935", "cvss3ScoringVector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "cvss3BaseScore": "3.3", "cwe": "CWE-279"}, {"name": "CVE-2026-6733", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6733", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "cvss3BaseScore": "3.7", "cwe": "CWE-940"}, {"name": "CVE-2026-6734", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6734", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "cvss3BaseScore": "7.5", "cwe": "CWE-940"}, {"name": "CVE-2026-9678", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9678", "cvss3ScoringVector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "cvss3BaseScore": "5.9", "cwe": "CWE-1286"}, {"name": "CVE-2026-9697", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9697", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "cvss3BaseScore": "7.4", "cwe": "CWE-295"}], "references": [], "publishedAt": "2026-07-16T00:01:09.519027Z", "rpms": {"Rocky Linux 8": {"nvras": ["nodejs-1:24.18.0-1.module+el8.10.0+40252+a58646bc.aarch64.rpm", "nodejs-1:24.18.0-1.module+el8.10.0+40252+a58646bc.src.rpm", "nodejs-1:24.18.0-1.module+el8.10.0+40252+a58646bc.x86_64.rpm", "nodejs-debuginfo-1:24.18.0-1.module+el8.10.0+40252+a58646bc.aarch64.rpm", "nodejs-debuginfo-1:24.18.0-1.module+el8.10.0+40252+a58646bc.x86_64.rpm", "nodejs-debugsource-1:24.18.0-1.module+el8.10.0+40252+a58646bc.aarch64.rpm", "nodejs-debugsource-1:24.18.0-1.module+el8.10.0+40252+a58646bc.x86_64.rpm", "nodejs-devel-1:24.18.0-1.module+el8.10.0+40252+a58646bc.aarch64.rpm", "nodejs-devel-1:24.18.0-1.module+el8.10.0+40252+a58646bc.x86_64.rpm", "nodejs-docs-1:24.18.0-1.module+el8.10.0+40252+a58646bc.noarch.rpm", "nodejs-full-i18n-1:24.18.0-1.module+el8.10.0+40252+a58646bc.aarch64.rpm", "nodejs-full-i18n-1:24.18.0-1.module+el8.10.0+40252+a58646bc.x86_64.rpm", "nodejs-libs-1:24.18.0-1.module+el8.10.0+40252+a58646bc.aarch64.rpm", "nodejs-libs-1:24.18.0-1.module+el8.10.0+40252+a58646bc.x86_64.rpm", "nodejs-libs-debuginfo-1:24.18.0-1.module+el8.10.0+40252+a58646bc.aarch64.rpm", "nodejs-libs-debuginfo-1:24.18.0-1.module+el8.10.0+40252+a58646bc.x86_64.rpm", "nodejs-nodemon-0:3.0.3-1.module+el8.10.0+2084+ab509703.noarch.rpm", "nodejs-nodemon-0:3.0.3-1.module+el8.10.0+2084+ab509703.src.rpm", "nodejs-packaging-0:2021.06-6.module+el8.10.0+40172+38f6fdd1.noarch.rpm", "nodejs-packaging-0:2021.06-6.module+el8.10.0+40048+6d99f608.noarch.rpm", "nodejs-packaging-0:2021.06-6.module+el8.10.0+40171+8fa9c325.noarch.rpm", "nodejs-packaging-0:2021.06-6.module+el8.10.0+40171+8fa9c325.src.rpm","nodejs-packaging-0:2021.06-6.module+el8.10.0+40172+38f6fdd1.src.rpm", "nodejs-packaging-0:2021.06-6.module+el8.10.0+40048+6d99f608.src.rpm", "nodejs-packaging-bundler-0:2021.06-6.module+el8.10.0+40171+8fa9c325.noarch.rpm", "nodejs-packaging-bundler-0:2021.06-6.module+el8.10.0+40048+6d99f608.noarch.rpm", "nodejs-packaging-bundler-0:2021.06-6.module+el8.10.0+40172+38f6fdd1.noarch.rpm", "npm-1:11.16.0-1.24.18.0.1.module+el8.10.0+40252+a58646bc.noarch.rpm", "v8-13.6-devel-3:13.6.233.17-1.24.18.0.1.module+el8.10.0+40252+a58646bc.aarch64.rpm", "v8-13.6-devel-3:13.6.233.17-1.24.18.0.1.module+el8.10.0+40252+a58646bc.x86_64.rpm"]}}, "rebootSuggested": false, "buildReferences": []}. Critical security updates for nodejs on Rocky Linux 8 resolve multiple issues including Denial of Service and XSS vulnerabilities. Prompt action recommended.. Rocky Linux nodejs security update, security advisories nodejs, nodejs vulnerabilities details, Rockylinux security fixes. . Severity: Important. LinuxSecurity.com Team
Release 1.7.2 Add HEAD request handler to the static.php Fix so the oauth_password_claim claim is retrieved via token or userinfo request (#9631) Fix bug where static.php would return a 416 error on a specific Range request. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-517daa8d64 2026-07-16 01:19:18.912120+00:00 -------------------------------------------------------------------------------- Name : roundcubemail Product : Fedora 44 Version : 1.7.2 Release : 1.fc44 URL : http://www.roundcube.net Summary : Round Cube Webmail is a browser-based multilingual IMAP client Description : RoundCube Webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality you expect from an e-mail client, including MIME support, address book, folder manipulation, message searching and spell checking. RoundCube Webmail is written in PHP and requires a database: MySQL, PostgreSQL and SQLite are known to work. The user interface is fully skinnable using XHTML and CSS 2. -------------------------------------------------------------------------------- Update Information: Release 1.7.2 Add HEAD request handler to the static.php Fix so the oauth_password_claim claim is retrieved via token or userinfo request (#9631) Fix bug where static.php would return a 416 error on a specific Range request (#10194) Fix bug where configured skin logo wasn't loaded via static.php resulting in 404 error (#10191) Fix bug where installto.sh would fail if public_html folder does not exist in the target directory (#10202) Revert "Prefer 8bit over quoted-printable for HTML parts, when force_7bit is disabled (#8477)" (#10198) Fix incorrect unfolding of folded lines when importing vCard 2.1 contacts (#9647) Fix bug where Imagick could leave large temporary files on failure (#10230) Fix bug where redis/memcache session could have been updated more oftenthan needed Fix support for untyped tokens in OIDC backchannel logout, require unset nonce (#10097) Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193) Security: Fix various vulnerabilities in the password plugin using session- injected username Security: Fix stored XSS via unescaped attachment MIME type on the attachment- validation warning page [CVE-2026-54432] Security: Fix SSRF bypass via specific local address URLs - two new cases Security: Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433] Security: Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file -------------------------------------------------------------------------------- ChangeLog: * Mon Jul 6 2026 Remi Collet - 1.7.2-1 - update to 1.7.2 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2500063 - CVE-2026-54433 roundcubemail: Roundcube Webmail: Arbitrary code execution via zero-click cross-site scripting [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2500063 [ 2 ] Bug #2500065 - CVE-2026-62642 roundcubemail: Roundcube Webmail: Denial of Service via infinite loop in TNEF decoder [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2500065 [ 3 ] Bug #2500067 - CVE-2026-62644 roundcubemail: Roundcube Webmail: Account takeover via username spoofing in password plugin [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2500067 [ 4 ] Bug #2500068 - CVE-2026-54432 roundcubemail: Roundcube Webmail: Stored Cross-Site Scripting via unescaped attachment MIME type [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2500068 [ 5 ] Bug #2500071 - CVE-2026-62641 roundcubemail: Roundcube Webmail: Denial of Service via crafted TNEF compressed-RTF size [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2500071 [ 6 ] Bug #2500072 - CVE-2026-62643 roundcubemail: Roundcube Webmail: Server-Side Request Forgery via insufficient CSS sanitization[fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2500072 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-517daa8d64' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Several security issues were fixed in Tomcat.. ========================================================================== Ubuntu Security Notice USN-8551-1 July 15, 2026 tomcat8 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Several security issues were fixed in Tomcat. Software Description: - tomcat8: Servlet and JSP engine Details: It was discovered that Tomcat incorrectly handled authorization when multiple method constraints defined the same HTTP method. A remote attacker could possibly use this issue to bypass authorization restrictions. (CVE-2026-43515) It was discovered that the Tomcat number guess example application did not properly sanitize user-supplied input. An attacker could possibly use this issue to inject malicious scripts, resulting in cross-site scripting. (CVE-2026-50229) It was discovered that Tomcat incorrectly evaluated rewrite valve conditions in certain configurations. An attacker could possibly use this issue to bypass rewrite rules, resulting in unauthorized access. (CVE-2026-53404) It was discovered that Tomcat incorrectly omitted certain authorization information when logging the effective web.xml configuration. An attacker could possibly use this issue to hide authorization constraints, resulting in reduced auditability. (CVE-2026-55276) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 18.04 LTS libtomcat8-embed-java 8.5.39-1ubuntu1~18.04.3+esm6 Available with Ubuntu Pro libtomcat8-java 8.5.39-1ubuntu1~18.04.3+esm6 Available with Ubuntu Pro tomcat8-examples 8.5.39-1ubuntu1~18.04.3+esm6 Available with Ubuntu Pro Ubuntu 16.04 LTS libtomcat8-java 8.0.32-1ubuntu1.13+esm2 Available with Ubuntu Pro tomcat8-examples 8.0.32-1ubuntu1.13+esm2 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8551-1 CVE-2026-43515, CVE-2026-50229, CVE-2026-53404, CVE-2026-55276 . Several security issues in Tomcat on Ubuntu could be exploited, necessitating prompt updates to prevent unauthorized access and script injections.. Tomcat security, Ubuntu patch, Tomcat vulnerabilities, web application security. . Severity: Important. LinuxSecurity.com Team
An update that solves one vulnerability can now be installed.. # Security update for python-mistune Announcement ID: SUSE-SU-2026:2949-1 Release Date: 2026-07-14T09:23:51Z Rating: moderate References: * bsc#1265052 Cross-References: * CVE-2026-44898 CVSS scores: * CVE-2026-44898 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N * CVE-2026-44898 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2026-44898 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Affected Products: * openSUSE Leap 15.4 * Python 3 Module 15-SP7 * SUSE Linux Enterprise Desktop 15 SP7 * SUSE Linux Enterprise Server 15 SP7 * SUSE Linux Enterprise Server for SAP Applications 15 SP7 An update that solves one vulnerability can now be installed. ## Description: This update for python-mistune fixes the following issue * CVE-2026-44898: improper sanitization of user-supplied HTML input in `render_toc_ul` can lead to XSS (bsc#1265052). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * Python 3 Module 15-SP7 zypper in -t patch SUSE-SLE-Module-Python3-15-SP7-2026-2949=1 * openSUSE Leap 15.4 zypper in -t patch SUSE-2026-2949=1 ## Package List: * Python 3 Module 15-SP7 (noarch) * python311-mistune-2.0.5-150400.11.8.1 * openSUSE Leap 15.4 (noarch) * python311-mistune-2.0.5-150400.11.8.1 ## References: * https://www.suse.com/security/cve/CVE-2026-44898.html * https://bugzilla.suse.com/show_bug.cgi?id=1265052 . A security update for python-mistune addresses a moderate severity XSS vulnerability in openSUSE. Install now!. Python Mistune, openSUSE Advisory, XSS Threat, Moderate Severity Update. . Severity: moderate. LinuxSecurity.com Team
Update to 3.13.0. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-4179e03375 2026-07-11 00:52:57.708547+00:00 -------------------------------------------------------------------------------- Name : prometheus Product : Fedora 43 Version : 3.13.0 Release : 1.fc43 URL : https://github.com/prometheus/prometheus Summary : Prometheus monitoring system and time series database Description : The Prometheus monitoring system and time series database. -------------------------------------------------------------------------------- Update Information: Update to 3.13.0 -------------------------------------------------------------------------------- ChangeLog: * Thu Jul 2 2026 Mikel Olasagasti Uranga - 3.13.0-1 - Update to 3.13.0 - Closes rhbz#2495979 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2489191 - CVE-2026-40186 prometheus: ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2489191 [ 2 ] Bug #2492689 - CVE-2026-44990 prometheus: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2492689 [ 3 ] Bug #2493575 - CVE-2026-41567 prometheus: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2493575 [ 4 ] Bug #2495063 - CVE-2026-53606 prometheus: sanitize-html: Cross-Site Scripting (XSS) via insufficient URI scheme validation [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2495063 [ 5 ] Bug #2495322 - CVE-2026-25681 prometheus: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2495322 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-4179e03375' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Several security issues were fixed in Request Tracker.. ========================================================================== Ubuntu Security Notice USN-8506-1 July 06, 2026 request-tracker5 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Several security issues were fixed in Request Tracker. Software Description: - request-tracker5: extensible trouble-ticket tracking system Details: Aleksander Iwicki discovered that Request Tracker did not properly sanitize the search "Page" URL parameter. A remote attacker could possibly use this issue to conduct a reflected cross-site scripting attack. (CVE-2026-6841) It was discovered that Request Tracker did not properly sanitize user- controlled data written to spreadsheet exports of search results. A remote attacker could possibly use this issue to conduct a spreadsheet (CSV/formula) injection attack, causing spreadsheet applications to interpret crafted values as formulas or macros when the file is opened. (CVE-2026-41073) It was discovered that Request Tracker did not properly validate input incorporated into database queries via the entry_aggregator parameter in JSON search. An authenticated user could possibly use this issue to perform SQL injection attacks and read or modify data in the RT database. (CVE-2026-41075) It was discovered that Request Tracker contained an authentication bypass when configured to authenticate users against an LDAP or Active Directory server. Under certain LDAP server configurations, a remote attacker could possibly use this issue to authenticate as any LDAP-backed RT user without supplying valid credentials. (CVE-2026-41076) It was discovered that Request Tracker served certain uploaded content inline rather than as an attachment. A remote attacker could possibly use this issue to conduct a cross-site scripting attack. (CVE-2026-44229) It wasdiscovered that Request Tracker did not properly sanitize input on search-results chart pages. A remote attacker could possibly use this issue to conduct a reflected cross-site scripting attack. (CVE-2026-44230) Jeroen Gui discovered that Request Tracker did not properly restrict access to the REST 2.0 user collection endpoint. A privileged user could possibly use this issue to obtain authentication credentials belonging to other users, including administrators, resulting in privilege escalation and information disclosure. (CVE-2026-44231) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS request-tracker5 5.0.7+dfsg-6ubuntu0.1~esm1 Available with Ubuntu Pro rt5-apache2 5.0.7+dfsg-6ubuntu0.1~esm1 Available with Ubuntu Pro rt5-clients 5.0.7+dfsg-6ubuntu0.1~esm1 Available with Ubuntu Pro rt5-db-mysql 5.0.7+dfsg-6ubuntu0.1~esm1 Available with Ubuntu Pro rt5-db-postgresql 5.0.7+dfsg-6ubuntu0.1~esm1 Available with Ubuntu Pro rt5-db-sqlite 5.0.7+dfsg-6ubuntu0.1~esm1 Available with Ubuntu Pro rt5-fcgi 5.0.7+dfsg-6ubuntu0.1~esm1 Available with Ubuntu Pro rt5-standalone 5.0.7+dfsg-6ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 24.04 LTS request-tracker5 5.0.5+dfsg-2ubuntu0.1~esm2 Available with Ubuntu Pro rt5-apache2 5.0.5+dfsg-2ubuntu0.1~esm2 Available with Ubuntu Pro rt5-clients 5.0.5+dfsg-2ubuntu0.1~esm2 Available with Ubuntu Pro rt5-db-mysql 5.0.5+dfsg-2ubuntu0.1~esm2 Available with Ubuntu Pro rt5-db-postgresql 5.0.5+dfsg-2ubuntu0.1~esm2 Available with Ubuntu Pro rt5-db-sqlite 5.0.5+dfsg-2ubuntu0.1~esm2 Available with Ubuntu Pro rt5-fcgi 5.0.5+dfsg-2ubuntu0.1~esm2 Available with Ubuntu Pro rt5-standalone 5.0.5+dfsg-2ubuntu0.1~esm2 Available with Ubuntu Pro Ubuntu 22.04 LTS request-tracker5 5.0.1+dfsg-1ubuntu1+esm2 Available with Ubuntu Pro rt5-apache2 5.0.1+dfsg-1ubuntu1+esm2 Available with Ubuntu Pro rt5-clients 5.0.1+dfsg-1ubuntu1+esm2 Available with Ubuntu Pro rt5-db-mysql 5.0.1+dfsg-1ubuntu1+esm2 Available with Ubuntu Pro rt5-db-postgresql 5.0.1+dfsg-1ubuntu1+esm2 Available with Ubuntu Pro rt5-db-sqlite 5.0.1+dfsg-1ubuntu1+esm2 Available with Ubuntu Pro rt5-fcgi 5.0.1+dfsg-1ubuntu1+esm2 Available with Ubuntu Pro rt5-standalone 5.0.1+dfsg-1ubuntu1+esm2 Available with Ubuntu Pro After a standard system update you need to restart request-tracker5 to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8506-1 CVE-2026-41073, CVE-2026-41075, CVE-2026-41076, CVE-2026-44229, CVE-2026-44230, CVE-2026-44231, CVE-2026-6841 . Request Tracker on Ubuntu vulnerabilities fixed. Update your systems to protect against security issues. Critical threat details included.. Ubuntu vulnerabilities, Request Tracker security, cybersecuritythreats, system updates, cross-site scripting. . Severity: Critical. LinuxSecurity.com Team
Several security issues were fixed in SOGo.. ========================================================================== Ubuntu Security Notice USN-8504-1 July 05, 2026 sogo vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Several security issues were fixed in SOGo. Software Description: - sogo: Open Source Webmail for businesses and communities Details: It was discovered that SOGo did not properly sanitize categories used for events, tasks, and contacts. A remote authenticated attacker could possibly use this issue to perform cross-site scripting attacks. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 26.04 LTS. (CVE-2025-71276) It was discovered that SOGo did not properly sanitize the hint query parameter. A remote attacker could possibly use this issue to perform cross-site scripting attacks. This issue only affected Ubuntu 26.04 LTS. (CVE-2026-3054) It was discovered that SOGo did not renew the one-time password when a user disabled and re-enabled it, and used a shorter length than recommended. A remote attacker could possibly use this issue to bypass authentication. This issue only affected Ubuntu 22.04 LTS and Ubuntu 26.04 LTS. (CVE-2026-33550) It was discovered that SOGo did not properly use the SQL adaptor for the user source, resulting in SQL injection when certain databases were used. A remote authenticated attacker could possibly use this issue to obtain sensitive information or execute arbitrary SQL commands. (CVE-2026-46445, CVE-2026-46446) It was discovered that SOGo did not properly sanitize mail containing ICS calendar invitations. A remote attacker could possibly use this issue to perform cross-site scripting attacks. This issue only affected Ubuntu 26.04 LTS. (CVE-2026-8496) It was discovered that SOGo did not properlyvalidate identifiers when managing access control lists. A remote authenticated attacker could possibly use this issue to perform SQL injection attacks and obtain sensitive information. (CVE-2026-8851) It was discovered that SOGo did not properly sanitize the theme parameter. A remote attacker could possibly use this issue to perform cross-site scripting attacks. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2025-63499) It was discovered that SOGo did not properly sanitize the userName parameter on the login page. A remote attacker could possibly use this issue to perform cross-site scripting attacks. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2025-63498) It was discovered that SOGo did not properly sanitize attachments when previewing them. A remote attacker could possibly use this issue to perform cross-site scripting attacks. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2024-34462) It was discovered that SOGo did not validate the signatures of SAML assertions it received when SAML was used for authentication. A remote attacker could possibly use this issue to impersonate other users. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-33054) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS sogo 5.12.4-1.2ubuntu0.1~esm1 Available with Ubuntu Pro sogo-activesync 5.12.4-1.2ubuntu0.1~esm1 Available with Ubuntu Pro sogo-common 5.12.4-1.2ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 22.04 LTS sogo 5.5.1-1ubuntu0.1~esm1 Available with Ubuntu Pro sogo-activesync 5.5.1-1ubuntu0.1~esm1 Available with Ubuntu Pro sogo-common 5.5.1-1ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 20.04 LTS sogo 4.3.0-1ubuntu0.1~esm1 Available with Ubuntu Pro sogo-common 4.3.0-1ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 18.04 LTS sogo 3.2.10-1ubuntu0.1~esm1 Available with Ubuntu Pro sogo-common 3.2.10-1ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 16.04 LTS sogo 2.2.17a-1.1ubuntu0.1~esm1 Available with Ubuntu Pro sogo-common 2.2.17a-1.1ubuntu0.1~esm1 Available with Ubuntu Pro After a standard system update you need to restart SOGo to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8504-1 CVE-2021-33054, CVE-2024-34462, CVE-2025-63498, CVE-2025-63499, CVE-2025-71276, CVE-2026-3054, CVE-2026-33550, CVE-2026-46445, CVE-2026-46446, CVE-2026-8496, CVE-2026-8851 . Critical updates available for SOGo on various Ubuntu LTS versions to address significant security issues and risks.. Ubuntu Security,SOGo Updates,Cross-Site Scripting,SQL Injection,Security Advisories. . Severity: Important. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.