Explore top 10 tips to secure your open-source projects now. Read More
×
Fixes five low-severity CVEs CVE-2026-6873: Signed cookie salt namespace collision CVE-2026-7666: Potential unencrypted email transmission via STARTTLS in the SMTP backend CVE-2026-8404: Potential exposure of private data via case-sensitive Cache-. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-f140cb16b6 2026-06-15 01:10:25.755889+00:00 -------------------------------------------------------------------------------- Name : python-django5 Product : Fedora 43 Version : 5.2.15 Release : 1.fc43 URL : https://www.djangoproject.com/ Summary : A high-level Python Web framework Description : Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself) principle. -------------------------------------------------------------------------------- Update Information: Fixes five low-severity CVEs CVE-2026-6873: Signed cookie salt namespace collision CVE-2026-7666: Potential unencrypted email transmission via STARTTLS in the SMTP backend CVE-2026-8404: Potential exposure of private data via case-sensitive Cache- Control directives CVE-2026-35193: Potential exposure of private data via missing Vary: Authorization CVE-2026-48587: Potential exposure of private data via whitespace padding in Vary header -------------------------------------------------------------------------------- ChangeLog: * Fri Jun 5 2026 Michel Lind - 5.2.15-1 - Update to version 5.2.15; Resolves RHBZ#2484354 - Fixes five low-severity CVEs - CVE-2026-6873: Signed cookie salt namespace collision - CVE-2026-7666: Potential unencrypted email transmission via STARTTLS in the SMTP backend - CVE-2026-8404: Potential exposure of private data via case-sensitive Cache-Control directives - CVE-2026-35193: Potential exposure of private data via missing Vary: Authorization - CVE-2026-48587: Potential exposure of private data via whitespace padding in Vary header * Fri Jun 5 2026 Python Maint - 5.2.14-3 - Rebuilt for Python 3.15 * Thu Jun 4 2026 Python Maint - 5.2.14-2 - Bootstrap for Python 3.15 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2484354 - python-django5-5.2.15 is available https://bugzilla.redhat.com/show_bug.cgi?id=2484354 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-f140cb16b6' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
It was discovered that an incorrect implementation of ECDH encryption (with NIST, Brainpool, X448, or X25519 curves) within Libgcrypt could result in denial of service. For the oldstable distribution (bookworm), this problem has been fixed in version 1.10.1-3+deb12u1.. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6294-1
Validate RSA_public_encrypt() result in RSASVE. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-7af660d639 2026-05-08 01:24:13.569769+00:00 -------------------------------------------------------------------------------- Name : openssl Product : Fedora 42 Version : 3.2.6 Release : 4.fc42 URL : http://www.openssl.org/ Summary : Utilities from the general purpose cryptography library with TLS implementation Description : The OpenSSL toolkit provides support for secure communications between machines. OpenSSL includes a certificate management tool and shared libraries which provide various cryptographic algorithms and protocols. -------------------------------------------------------------------------------- Update Information: Validate RSA_public_encrypt() result in RSASVE -------------------------------------------------------------------------------- ChangeLog: * Mon Apr 20 2026 Pavol \u017d\u010dik - 1:3.2.6-4 - Validate RSA_public_encrypt() result in RSASVE Resolves: CVE-2026-31790 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-7af660d639' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . OpenSSL update for Fedora 42 addresses critical security issue related to RSA encryption validation.. OpenSSL security, Fedora updates, RSA encryption, critical security risks, encryption flaws. . Severity: Critical. LinuxSecurity.com Team
Frameworks 6.25.0 + KDE Plasma 6.6.4. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-fe3d8d4767 2026-04-16 23:40:54.273526+00:00 -------------------------------------------------------------------------------- Name : plasma-vault Product : Fedora 44 Version : 6.6.4 Release : 1.fc44 URL : https://invent.kde.org/plasma/plasma-vault Summary : Plasma Vault offers strong encryption features in a user-friendly way Description : Plasma Vault allows to lock and encrypt sets of documents and hide them from prying eyes even when the user is logged in. -------------------------------------------------------------------------------- Update Information: Frameworks 6.25.0 + KDE Plasma 6.6.4 -------------------------------------------------------------------------------- ChangeLog: * Fri Apr 10 2026 Steve Cossette - 6.6.4-1 - 6.6.4 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2455469 - Configuring WifI network via Network pane appears to not work https://bugzilla.redhat.com/show_bug.cgi?id=2455469 [ 2 ] Bug #2457573 - FE: KDE Frameworks 6.25.0 + Plasma 6.6.4 https://bugzilla.redhat.com/show_bug.cgi?id=2457573 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-fe3d8d4767' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list
The Firefox extension HTTPS Everywhere used to enforce encryption over HTTPS in major web browsers, a feature which has become obsolete because a HTTPS-only mode is built-in nowadays. Consequently HTTPS Everywhere has been removed from Debian in 2023. . ------------------------------------------------------------------------- Debian LTS Advisory DLA-4331-1
Disallowing use of the arcfour-hmac(-md5) encryption type for session keys Add support for the PKINIT paChecksum2 sequence, required for Active Directory interoperability on Windows Server 2025 Fix generation of RADIUS Message-Authenticator in FIPS mode. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-3de9fe91ff 2025-06-09 02:34:27.502391+00:00 -------------------------------------------------------------------------------- Name : krb5 Product : Fedora 42 Version : 1.21.3 Release : 6.fc42 URL : https://web.mit.edu/kerberos/www/ Summary : The Kerberos network authentication system Description : Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of sending passwords over the network in unencrypted form. -------------------------------------------------------------------------------- Update Information: Disallowing use of the arcfour-hmac(-md5) encryption type for session keys Add support for the PKINIT paChecksum2 sequence, required for Active Directory interoperability on Windows Server 2025 Fix generation of RADIUS Message-Authenticator in FIPS mode -------------------------------------------------------------------------------- ChangeLog: * Wed Jun 4 2025 Julien Rische - 1.21.3-6 - Do not block HMAC-MD4/5 in FIPS mode Resolves: rhbz#2370259 - PKINIT: implement paChecksum2 from MS-PKCA v20230920 Resolves: rhbz#2357215 - Disallow RC4 HMAC-MD5 session keys by default (CVE-2025-3576) Resolves: rhbz#2359705 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2357215 - PKINIT: implement paChecksum2 from MS-PKCA v20230920 [fedora] https://bugzilla.redhat.com/show_bug.cgi?id=2357215 [ 2 ] Bug #2359705 - CVE-2025-3576 krb5: Kerberos RC4-HMAC-MD5 Checksum Vulnerability Enabling Message Spoofing via MD5Collisions [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2359705 [ 3 ] Bug #2370259 - Do not block HMAC-MD4/5 in FIPS mode [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2370259 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-3de9fe91ff' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
An update that solves one vulnerability can now be installed.. # Security update for libcryptopp Announcement ID: SUSE-SU-2025:01816-1 Release Date: 2025-06-04T17:04:07Z Rating: important References: * bsc#1224280 Cross-References: * CVE-2024-28285 CVSS scores: * CVE-2024-28285 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: * Basesystem Module 15-SP6 * Basesystem Module 15-SP7 * openSUSE Leap 15.4 * openSUSE Leap 15.6 * SUSE Linux Enterprise Desktop 15 SP6 * SUSE Linux Enterprise Desktop 15 SP7 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 * SUSE Linux Enterprise Real Time 15 SP6 * SUSE Linux Enterprise Real Time 15 SP7 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server 15 SP4 LTSS * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server 15 SP5 LTSS * SUSE Linux Enterprise Server 15 SP6 * SUSE Linux Enterprise Server 15 SP7 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 * SUSE Linux Enterprise Server for SAP Applications 15 SP7 * SUSE Manager Proxy 4.3 * SUSE Manager Retail Branch Server 4.3 * SUSE Manager Server 4.3 An update that solves one vulnerability can now be installed. ## Description: This update for libcryptopp fixes the following issues: * CVE-2024-28285: Fixed potential leak of secret key of ElGamal encryption via fault injection (bsc#1224280) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.4 zypper in -t patch SUSE-2025-1816=1 * openSUSE Leap 15.6 zypper in -t patch openSUSE-SLE-15.6-2025-1816=1 * Basesystem Module 15-SP6 zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2025-1816=1 * Basesystem Module 15-SP7 zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2025-1816=1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-1816=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-1816=1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-1816=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-1816=1 * SUSE Linux Enterprise Server 15 SP4 LTSS zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-1816=1 * SUSE Linux Enterprise Server 15 SP5 LTSS zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-1816=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2025-1816=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2025-1816=1 * SUSE Manager Proxy 4.3 zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-2025-1816=1 * SUSE Manager Retail Branch Server 4.3 zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch- Server-4.3-2025-1816=1 * SUSE Manager Server 4.3 zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.3-2025-1816=1 ## Package List: * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586) * libcryptopp8_6_0-debuginfo-8.6.0-150400.3.9.1 * libcryptopp-devel-8.6.0-150400.3.9.1 * libcryptopp8_6_0-8.6.0-150400.3.9.1 *libcryptopp-debugsource-8.6.0-150400.3.9.1 * openSUSE Leap 15.4 (x86_64) * libcryptopp8_6_0-32bit-8.6.0-150400.3.9.1 * libcryptopp8_6_0-32bit-debuginfo-8.6.0-150400.3.9.1 * openSUSE Leap 15.4 (aarch64_ilp32) * libcryptopp8_6_0-64bit-8.6.0-150400.3.9.1 * libcryptopp8_6_0-64bit-debuginfo-8.6.0-150400.3.9.1 * openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64) * libcryptopp8_6_0-debuginfo-8.6.0-150400.3.9.1 * libcryptopp-devel-8.6.0-150400.3.9.1 * libcryptopp8_6_0-8.6.0-150400.3.9.1 * libcryptopp-debugsource-8.6.0-150400.3.9.1 * openSUSE Leap 15.6 (x86_64) * libcryptopp8_6_0-32bit-8.6.0-150400.3.9.1 * libcryptopp8_6_0-32bit-debuginfo-8.6.0-150400.3.9.1 * Basesystem Module 15-SP6 (aarch64 ppc64le s390x x86_64) * libcryptopp8_6_0-debuginfo-8.6.0-150400.3.9.1 * libcryptopp-devel-8.6.0-150400.3.9.1 * libcryptopp8_6_0-8.6.0-150400.3.9.1 * libcryptopp-debugsource-8.6.0-150400.3.9.1 * Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64) * libcryptopp8_6_0-debuginfo-8.6.0-150400.3.9.1 * libcryptopp-devel-8.6.0-150400.3.9.1 * libcryptopp8_6_0-8.6.0-150400.3.9.1 * libcryptopp-debugsource-8.6.0-150400.3.9.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64) * libcryptopp8_6_0-debuginfo-8.6.0-150400.3.9.1 * libcryptopp-devel-8.6.0-150400.3.9.1 * libcryptopp8_6_0-8.6.0-150400.3.9.1 * libcryptopp-debugsource-8.6.0-150400.3.9.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64) * libcryptopp8_6_0-debuginfo-8.6.0-150400.3.9.1 * libcryptopp-devel-8.6.0-150400.3.9.1 * libcryptopp8_6_0-8.6.0-150400.3.9.1 * libcryptopp-debugsource-8.6.0-150400.3.9.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64 x86_64) * libcryptopp8_6_0-debuginfo-8.6.0-150400.3.9.1 * libcryptopp-devel-8.6.0-150400.3.9.1 * libcryptopp8_6_0-8.6.0-150400.3.9.1 * libcryptopp-debugsource-8.6.0-150400.3.9.1 * SUSE Linux Enterprise HighPerformance Computing LTSS 15 SP5 (aarch64 x86_64) * libcryptopp8_6_0-debuginfo-8.6.0-150400.3.9.1 * libcryptopp-devel-8.6.0-150400.3.9.1 * libcryptopp8_6_0-8.6.0-150400.3.9.1 * libcryptopp-debugsource-8.6.0-150400.3.9.1 * SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64) * libcryptopp8_6_0-debuginfo-8.6.0-150400.3.9.1 * libcryptopp-devel-8.6.0-150400.3.9.1 * libcryptopp8_6_0-8.6.0-150400.3.9.1 * libcryptopp-debugsource-8.6.0-150400.3.9.1 * SUSE Linux Enterprise Server 15 SP5 LTSS (aarch64 ppc64le s390x x86_64) * libcryptopp8_6_0-debuginfo-8.6.0-150400.3.9.1 * libcryptopp-devel-8.6.0-150400.3.9.1 * libcryptopp8_6_0-8.6.0-150400.3.9.1 * libcryptopp-debugsource-8.6.0-150400.3.9.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64) * libcryptopp8_6_0-debuginfo-8.6.0-150400.3.9.1 * libcryptopp-devel-8.6.0-150400.3.9.1 * libcryptopp8_6_0-8.6.0-150400.3.9.1 * libcryptopp-debugsource-8.6.0-150400.3.9.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 (ppc64le x86_64) * libcryptopp8_6_0-debuginfo-8.6.0-150400.3.9.1 * libcryptopp-devel-8.6.0-150400.3.9.1 * libcryptopp8_6_0-8.6.0-150400.3.9.1 * libcryptopp-debugsource-8.6.0-150400.3.9.1 * SUSE Manager Proxy 4.3 (x86_64) * libcryptopp8_6_0-debuginfo-8.6.0-150400.3.9.1 * libcryptopp-devel-8.6.0-150400.3.9.1 * libcryptopp8_6_0-8.6.0-150400.3.9.1 * libcryptopp-debugsource-8.6.0-150400.3.9.1 * SUSE Manager Retail Branch Server 4.3 (x86_64) * libcryptopp8_6_0-debuginfo-8.6.0-150400.3.9.1 * libcryptopp-devel-8.6.0-150400.3.9.1 * libcryptopp8_6_0-8.6.0-150400.3.9.1 * libcryptopp-debugsource-8.6.0-150400.3.9.1 * SUSE Manager Server 4.3 (ppc64le s390x x86_64) * libcryptopp8_6_0-debuginfo-8.6.0-150400.3.9.1 * libcryptopp-devel-8.6.0-150400.3.9.1 * libcryptopp8_6_0-8.6.0-150400.3.9.1 * libcryptopp-debugsource-8.6.0-150400.3.9.1 ## References: *https://www.suse.com/security/cve/CVE-2024-28285.html * https://bugzilla.suse.com/show_bug.cgi?id=1224280 . Canonical has released an urgent security update for the libssl package to fix a potential data disclosure flaw caused by side-channel attacks. Critical fix ready for deployment.. Linux Security, Cybersecurity, Open Source Software, Encryption Issues. . Severity: Important. LinuxSecurity.com Team
Update to upstream OpenVPN 2.6.14 Fixes CVE-2025-2704. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-e439589b9d 2025-04-11 18:19:12.062451+00:00 -------------------------------------------------------------------------------- Name : openvpn Product : Fedora 42 Version : 2.6.14 Release : 1.fc42 URL : Summary : A full-featured TLS VPN solution Description : OpenVPN is a robust and highly flexible tunneling application that uses all of the encryption, authentication, and certification features of the OpenSSL library to securely tunnel IP networks over a single UDP or TCP port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library for compression. -------------------------------------------------------------------------------- Update Information: Update to upstream OpenVPN 2.6.14 Fixes CVE-2025-2704 -------------------------------------------------------------------------------- ChangeLog: * Wed Apr 2 2025 Frank Lichtenheld - 2.6.14-1 - Update to upstream OpenVPN 2.6.14 - Fixes CVE-2025-2704 * Tue Feb 11 2025 Zbigniew JÄdrzejewski-Szmek - 2.6.13-2 - Add sysusers.d config file to allow rpm to create users/groups automatically -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-e439589b9d' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- . OpenVPN 2.6.14 on Fedora 42 resolves a critical vulnerability identified as CVE-2025-2704 and introduces upgraded security capabilities.. Fedora OpenVPN 2.6.14security advisory CVE-2025-2704. . Severity: Important. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.