Explore top 10 tips to secure your open-source projects now. Read More
×Security update. Publication date: 13 Jul 2026 URL: https://advisories.mageia.org/MGAA-2026-0046.html Type: bugfix Affected Mageia releases: 9 Description: These updates couldn't be provided sooner (QA was overwhelmed by Security updates). Since they are necessary for Sailors' safety they can't wait for an upgrade to Mageia 10. References: - https://bugs.mageia.org/show_bug.cgi?id=35828 SRPMS: - 9/core/opencpn-climatology-plugin-1.6.36.1-1.git20260510.mga9 - 9/core/opencpn-dashboardsk-plugin-0.3.5-1.mga9 - 9/core/opencpn-iacfleet-plugin-0.33.1-1.mga9 - 9/core/opencpn-meteovache-plugin-1.6.8-1.1.mga9 - 9/core/opencpn-polar-plugin-1.2.38.0-1.mga9 - 9/core/opencpn-radar-plugin-5.7.0-1.mga9 - 9/core/opencpn-sar-plugin-4.4.0-1.mga9 - 9/core/opencpn-watchdog-plugin-2.5.4.0-1.mga9 - 9/core/opencpn-weatherfax-plugin-1.10.18.0-1.mga9 . Critical security updates in Mageia for multiple opencpn plugins ensure sailors' safety before upgrading to Mageia 10.. Mageia updates, security patches, bugfix release. . Severity: Critical. LinuxSecurity.com Team
Version 2.10.2 - 2026-07-01 Security: Validate package names (GHSA-499r-g7pc-vmp9) Security: Validate package bin paths against path traversal (GHSA-gjfg-22fp- rrxx) Security: Sanitize URL-embedded usernames/token in verbose output. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-22ba02bee3 2026-07-11 01:06:30.201230+00:00 -------------------------------------------------------------------------------- Name : composer Product : Fedora 44 Version : 2.10.2 Release : 1.fc44 URL : https://getcomposer.org/ Summary : Dependency Manager for PHP Description : Composer helps you declare, manage and install dependencies of PHP projects, ensuring you have the right stack everywhere. Documentation: https://getcomposer.org/doc/ -------------------------------------------------------------------------------- Update Information: Version 2.10.2 - 2026-07-01 Security: Validate package names (GHSA-499r-g7pc-vmp9) Security: Validate package bin paths against path traversal (GHSA-gjfg-22fp- rrxx) Security: Sanitize URL-embedded usernames/token in verbose output (GHSA-g6xq-892h-64w3) Security: Only follow HTTP redirects from HTTP responses (#12948) Security: Prevent phar metadata unserialization on unsafe PHP versions (#12946) Security: Sanitize JSON parse errors in http responses to avoid leaking response body data (#12959) Added warning output in self-update command when using a soon-to-be EOL version (#12920) Added download retry when a GitHub codeload URL returns a 400 (#12962) Fixed audit command to output the audit result to stdout (#12904) Fixed backspace characters being output to non-decorated output (#12925) Fixed security advisory blocking causing issues with xdebug enabled (#12935) Fixed provider packages hiding suggestions for the package they provide themselves (#12933) Fixed security advisory blocking causing issues with xdebug enabled(#12935) -------------------------------------------------------------------------------- ChangeLog: * Wed Jul 1 2026 Remi Collet - 2.10.2-1 - update to 2.10.2 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-22ba02bee3' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Update quick-xml for two security advisories, rebuild dependents, and update sandogasa to the latest https://rustsec.org/advisories/RUSTSEC-2026-0194.html https://rustsec.org/advisories/RUSTSEC-2026-0195.html sandogasa. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-b25dca4806 2026-07-06 14:53:30.168848+00:00 -------------------------------------------------------------------------------- Name : rust-quick-xml Product : Fedora 44 Version : 0.41.0 Release : 1.fc44 URL : https://crates.io/crates/quick-xml Summary : High performance xml reader and writer Description : High performance xml reader and writer. -------------------------------------------------------------------------------- Update Information: Update quick-xml for two security advisories, rebuild dependents, and update sandogasa to the latest https://rustsec.org/advisories/RUSTSEC-2026-0194.html https://rustsec.org/advisories/RUSTSEC-2026-0195.html sandogasa v0.15.3 ebranch base-distro guard — resolve/file-requests now know EPEL must not replace RHEL/CentOS Stream packages: deps present in the base at a too-old version are blocked with clear options (alternate package via --override, or lower the requirement) instead of becoming CANTFIX branch requests; file-requests re-checks the base before filing New sandogasa-sourcehut crate — sr.ht GraphQL client; sandogasa-report gains a Sourcehut section (patches, tickets, commits split yours vs third-party, git_emails attribution) ebranch check-crate — human report on stderr alongside --koji/--copr machine output, so build scripts stay pipeable dbranch rebuild — creates debian/gbp.conf when the Debian branch has none and handles the modern single-line salsa-ci.yml Robustness: 120s HTTP timeout on every client; --version on every tool; quick-xml bumped to 0.41 for RUSTSEC-2026-0194/-0195 sandogasa-report: consistent commit detail levels across forges Fulldetails: https://github.com/slopfest/sandogasa/blob/v0.15.3/CHANGELOG.md#v0153 v0.15.2 New sandogasa-review crate — shared keep/explain/remove resolution for reviewer-curated findings; adopted by fedora-review-digest, ebranch check-update, and fedora-cve-triage New sandogasa-forgejo crate — Forgejo/Gitea REST API client (PR activity issue filing); powers sandogasa-report's Forgejo accounting ebranch check-update overhaul — condensed output (counts + version grouping), reviewer curation of blocking findings before karma, branch inference for Fedora side tags (EPEL still needs -b al9 -r @epel), plus fixes for stale-side-tag and rich-dep installability false positives and large-update performance fedora-cve-triage — per-bug keep/explain/remove review before closing detected false positives sandogasa-report — Forgejo PR-merge and issue accounting Full details: https://github.com/slopfest/sandogasa/blob/v0.15.2/CHANGELOG.md#v0152 -------------------------------------------------------------------------------- ChangeLog: * Fri Jul 3 2026 Michel Lind - 0.41.0-1 - Update to version 0.41.0; Resolves RHBZ#2494601 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2494601 - rust-quick-xml-0.41.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2494601 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-b25dca4806' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Update quick-xml in Fedora 44 to address high-severity security issues andimprove dependent packages.. Fedora advisory, rust-quick-xml update, security update, security advisories, software dependencies. . Severity: high. LinuxSecurity.com Team
New version fixing high-severity CVE.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-275d2ecbbd 2026-07-05 00:49:16.510800+00:00 -------------------------------------------------------------------------------- Name : python-jupyter-server Product : Fedora 43 Version : 2.20.0 Release : 1.fc43 URL : https://jupyter-server.readthedocs.io Summary : The backend for Jupyter web applications Description : The Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter notebook, JupyterLab, and Voila. -------------------------------------------------------------------------------- Update Information: New version fixing high-severity CVE. -------------------------------------------------------------------------------- ChangeLog: * Fri Jun 19 2026 Lumir Balhar - 2.20.0-1 - Update to 2.20.0 (rhbz#2489836) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2491991 - CVE-2026-44727 python-jupyter-server: Jupyter Server: Remote Code Execution via stored Cross-Site Scripting in nbconvert handlers [fedora-43] https://bugzilla.redhat.com/show_bug.cgi?id=2491991 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-275d2ecbbd' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list
Several security issues were fixed in containerd.. ========================================================================== Ubuntu Security Notice USN-8472-1 June 25, 2026 containerd-app vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in containerd. Software Description: - containerd-app: open and reliable container runtime Details: It was discovered that containerd incorrectly handled HTTP/2 SETTINGS frames. A remote attacker could possibly use this issue to cause containerd to enter an infinite loop, resulting in a denial of service. (CVE-2026-33814) Jakub Ciolek and Kyle Elliott discovered that containerd incorrectly handled group parsing when creating containers from images. An attacker could possibly use this issue to cause containerd to consume excessive memory, resulting in a denial of service. (CVE-2026-47262) Henry Beberman and Robert Prast discovered that containerd incorrectly validated image references when importing container checkpoints. An attacker could possibly use this issue to poison the local image cache and execute arbitrary code in other pods. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-50195) Robert Prast discovered that containerd incorrectly propagated labels from image configurations to containers. An attacker could possibly use this issue to execute arbitrary code on the host. (CVE-2026-53488) Yuming Zhang, Song Li, Sangwon Ryu, Henry Beberman, Robert Prast, Kyle Elliott and Zhenchen Wang discovered that containerd incorrectly validated symlinked paths when restoring container checkpoints. An attacker could possibly use this issue to read arbitrary files on the host, resulting in information disclosure. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS,Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-53489) Robert Prast discovered that containerd incorrectly trusted device interface annotations when restoring container checkpoints. An attacker could possibly use this issue to bypass resource allocation restrictions and inject devices or host mounts into a container. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-53492) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS containerd 2.2.2-0ubuntu1.1 Ubuntu 25.10 containerd 2.2.1-0ubuntu1~25.10.2 Ubuntu 24.04 LTS containerd 2.2.1-0ubuntu1~24.04.3 Ubuntu 22.04 LTS containerd 2.2.1-0ubuntu1~22.04.2 Ubuntu 20.04 LTS containerd 1.7.24-0ubuntu1~20.04.2+esm2 Available with Ubuntu Pro After a standard system update you need to restart containerd to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8472-1 CVE-2026-33814, CVE-2026-47262, CVE-2026-50195, CVE-2026-53488, CVE-2026-53489, CVE-2026-53492 Package Information: https://launchpad.net/ubuntu/+source/containerd-app/2.2.2-0ubuntu1.1 https://launchpad.net/ubuntu/+source/containerd-app/2.2.1-0ubuntu1~25.10.2 https://launchpad.net/ubuntu/+source/containerd-app/2.2.1-0ubuntu1~24.04.3 https://launchpad.net/ubuntu/+source/containerd-app/2.2.1-0ubuntu1~22.04.2 . Multiple security concerns fixed in containerd affecting Ubuntu LTS versions. Immediate updates are essential!. Ubuntu security issues, containerd update, denial of service, memory exhaustion. . Severity: high. LinuxSecurity.com Team
Several security issues were fixed in the Linux kernel.. ========================================================================== Ubuntu Security Notice USN-8388-2 June 22, 2026 linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux-lowlatency: Linux low latency kernel - linux-intel-iotg-5.15: Linux kernel for Intel IoT platforms - linux-lowlatency-hwe-5.15: Linux low latency kernel Details: It was discovered that the Linux kernel did not properly handle shared page fragments during socket buffer operations, collectively known as Dirty Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the RxRPC networking subsystem when processing paged fragments. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-43284, CVE-2026-43500) It was discovered that a logic flaw existed in the XFRM ESP-in-TCP subsystem in the Linux kernel when handling socket buffer fragments. This flaw is known as Fragnesia. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-43503, CVE-2026-46300) Qualys discovered that a race condition existed in the ptrace subsystem of the Linux kernel when privileged processes are exiting. An unprivileged local attacker could use this issue to expose sensitive information. (CVE-2026-46333) Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - RDS protocol; (CVE-2026-43494) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS linux-image-5.15.0-181-lowlatency 5.15.0-181.191 linux-image-5.15.0-181-lowlatency-64k 5.15.0-181.191 linux-image-lowlatency 5.15.0.181.152 linux-image-lowlatency-5.15 5.15.0.181.152 linux-image-lowlatency-64k 5.15.0.181.152 linux-image-lowlatency-64k-5.15 5.15.0.181.152 Ubuntu 20.04 LTS linux-image-5.15.0-1104-intel-iotg 5.15.0-1104.110~20.04.1 Available with Ubuntu Pro linux-image-5.15.0-181-lowlatency 5.15.0-181.191~20.04.1 Available with Ubuntu Pro linux-image-5.15.0-181-lowlatency-64k 5.15.0-181.191~20.04.1 Available with Ubuntu Pro linux-image-intel 5.15.0.1104.110~20.04.1 Available with Ubuntu Pro linux-image-intel-iotg 5.15.0.1104.110~20.04.1 Available with Ubuntu Pro linux-image-intel-iotg-5.15 5.15.0.1104.110~20.04.1 Available with Ubuntu Pro linux-image-lowlatency-5.15 5.15.0.181.191~20.04.1 Available with Ubuntu Pro linux-image-lowlatency-64k-5.15 5.15.0.181.191~20.04.1 Available with Ubuntu Pro linux-image-lowlatency-64k-hwe-20.04 5.15.0.181.191~20.04.1 Available with Ubuntu Pro linux-image-lowlatency-hwe-20.04 5.15.0.181.191~20.04.1 Available with Ubuntu Pro After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://ubuntu.com/security/notices/USN-8388-2 https://ubuntu.com/security/notices/USN-8388-1 CVE-2026-43284, CVE-2026-43494, CVE-2026-43500, CVE-2026-43503, CVE-2026-46300, CVE-2026-46333 Package Information: https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-181.191 . Explore the security essentials of Ubuntu's new kernel update addressing privilege escalation issues with critical patches.. Ubuntu Kernel Update Escalation Socket Buffer. . Severity: high. LinuxSecurity.com Team
This update fixes a command injection issue resulting from the use of the 2-argument form of open (CVE-2026-11526).. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-263adf0222 2026-06-19 00:59:07.048628+00:00 -------------------------------------------------------------------------------- Name : perl-GD Product : Fedora 44 Version : 2.86 Release : 1.fc44 URL : https://metacpan.org/release/GD Summary : Perl interface to the GD graphics library Description : This is a auto-loadable interface module for GD, a popular library for creating and manipulating PNG files. With this library you can create PNG images on the fly or modify existing files. -------------------------------------------------------------------------------- Update Information: This update fixes a command injection issue resulting from the use of the 2-argument form of open (CVE-2026-11526). -------------------------------------------------------------------------------- ChangeLog: * Tue Jun 9 2026 Paul Howarth - 2.86-1 - Update to 2.86 - Fix command injection via 2-arg open() in _make_filehandle (CVE-2026-11526) * Tue Jun 2 2026 Paul Howarth - 2.85-1 - Update to 2.85 - Tolerate runtime TIFF decode failures in autodetect (GH#62) - Replace cpm with cpanm in github actions - Fixed a minor precedence bug in t/z_manifest.t -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-263adf0222' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be foundat https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
A vulnerability was discoverd in Nginx, a high-performance web and reverse proxy server, which could result in remote code execution and denial of service. For Debian 11 bullseye, this problem has been fixed in version 1.18.0-6.1+deb11u7.. ------------------------------------------------------------------------- Debian LTS Advisory DLA-4634-1
Get the latest Linux and open source security news straight to your inbox.