Explore top 10 tips to secure your open-source projects now. Read More
×Update to 2.7.0 (rhbz#2467787). -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-6dde06a6e9 2026-05-31 01:13:21.121542+00:00 -------------------------------------------------------------------------------- Name : python-urllib3 Product : Fedora 43 Version : 2.7.0 Release : 2.fc43 URL : https://github.com/urllib3/urllib3 Summary : HTTP library with thread-safe connection pooling, file post, and more Description : urllib3 is a powerful, user-friendly HTTP client for Python. urllib3 brings many critical features that are missing from the Python standard libraries: \u2022 Thread safety. \u2022 Connection pooling. \u2022 Client-side SSL/TLS verification. \u2022 File uploads with multipart encoding. \u2022 Helpers for retrying requests and dealing with HTTP redirects. \u2022 Support for gzip, deflate, brotli, and zstd encoding. \u2022 Proxy support for HTTP and SOCKS. \u2022 100% test coverage. -------------------------------------------------------------------------------- Update Information: Update to 2.7.0 (rhbz#2467787) -------------------------------------------------------------------------------- ChangeLog: * Fri May 15 2026 Lumir Balhar - 2.7.0-2 - Remove lower bounds for trustme * Tue May 12 2026 Lumir Balhar - 2.7.0-1 - Update to 2.7.0 (rhbz#2467787) * Wed Apr 8 2026 Miro Hron\u010dok - 2.6.3-3 - Allow building with setuptools-scm 10+ * Sat Jan 17 2026 Fedora Release Engineering - 2.6.3-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild -------------------------------------------------------------------------------- References: [ 1 ] Bug #2467787 - python-urllib3-2.7.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2467787 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-6dde06a6e9' at thecommand line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Update available for Fedora 43 python-urllib3 to version 2.7.0. Includes enhancements and critical features.. Fedora 43 Update, Python urllib3 2.7.0, Security Fix, HTTP Client Update. . Severity: Informational. LinuxSecurity.com Team
An update that solves five vulnerabilities can now be installed.. # Security update for python3 Announcement ID: SUSE-SU-2026:1937-1 Release Date: 2026-05-18T07:42:02Z Rating: important References: * bsc#1261969 * bsc#1261970 * bsc#1262098 * bsc#1262319 * bsc#1262654 Cross-References: * CVE-2026-1502 * CVE-2026-3446 * CVE-2026-4786 * CVE-2026-6019 * CVE-2026-6100 CVSS scores: * CVE-2026-1502 ( SUSE ): 5.7 CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-1502 ( SUSE ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N * CVE-2026-1502 ( NVD ): 5.7 CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-3446 ( SUSE ): 6.0 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-3446 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N * CVE-2026-3446 ( NVD ): 6.0 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-4786 ( SUSE ): 7.0 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-4786 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L * CVE-2026-4786 ( NVD ): 7.0 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-6019 ( SUSE ): 2.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-6019 ( SUSE ): 3.8 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N * CVE-2026-6019 ( NVD ): 2.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-6100 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-6100 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2026-6100 ( NVD ): 9.1 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Affected Products: * SUSE Linux Enterprise High Performance Computing 12 SP5 * SUSE Linux Enterprise Server 12 SP5 * SUSE Linux Enterprise Server 12 SP5 LTSS * SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security * SUSE Linux Enterprise Server for SAP Applications 12 SP5 An update that solves five vulnerabilities can now be installed. ## Description: This update for python3 fixes the following issue: * CVE-2026-1502: HTTP client proxy tunnel headers not validated for CR/LF (bsc#1261969). * CVE-2026-3446: base64 decoding stops at first padded quad by default and ignores other information that could be processed (bsc#1261970). * CVE-2026-4786: URLs prefixed with `%action` can pass the dash-prefix safety check and allow for command injection (bsc#1262319). * CVE-2026-6019: `BaseCookie.js_output()` does not neutralize characters in cookie values embedded in JS (bsc#1262654). * CVE-2026-6100: use-after-free in `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when process is under memory pressure(bsc#1262098). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Server 12 SP5 LTSS zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2026-1937=1 * SUSE Linux Enterprise Server 12 SP5 LTSS ExtendedSecurity zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2026-1937=1 ## Package List: * SUSE Linux Enterprise Server 12 SP5 LTSS (aarch64 ppc64le s390x x86_64) * python3-devel-3.4.10-25.185.1 * python3-base-3.4.10-25.185.1 * python3-tk-debuginfo-3.4.10-25.185.1 * python3-3.4.10-25.185.1 * python3-curses-3.4.10-25.185.1 * python3-curses-debuginfo-3.4.10-25.185.1 * python3-debuginfo-3.4.10-25.185.1 * python3-tk-3.4.10-25.185.1 * libpython3_4m1_0-3.4.10-25.185.1 * python3-debugsource-3.4.10-25.185.1 * python3-base-debugsource-3.4.10-25.185.1 * libpython3_4m1_0-debuginfo-3.4.10-25.185.1 * python3-base-debuginfo-3.4.10-25.185.1 * SUSE Linux Enterprise Server 12 SP5 LTSS (ppc64le s390x x86_64) * python3-devel-debuginfo-3.4.10-25.185.1 * SUSE Linux Enterprise Server 12 SP5 LTSS (s390x x86_64) * libpython3_4m1_0-debuginfo-32bit-3.4.10-25.185.1 * libpython3_4m1_0-32bit-3.4.10-25.185.1 * python3-base-debuginfo-32bit-3.4.10-25.185.1 * SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (x86_64) * libpython3_4m1_0-32bit-3.4.10-25.185.1 * python3-devel-3.4.10-25.185.1 * python3-base-3.4.10-25.185.1 * python3-tk-debuginfo-3.4.10-25.185.1 * libpython3_4m1_0-debuginfo-32bit-3.4.10-25.185.1 * python3-3.4.10-25.185.1 * python3-curses-3.4.10-25.185.1 * python3-curses-debuginfo-3.4.10-25.185.1 * python3-debuginfo-3.4.10-25.185.1 * libpython3_4m1_0-3.4.10-25.185.1 * python3-base-debuginfo-32bit-3.4.10-25.185.1 * python3-tk-3.4.10-25.185.1 * python3-devel-debuginfo-3.4.10-25.185.1 * python3-debugsource-3.4.10-25.185.1 * python3-base-debugsource-3.4.10-25.185.1 * libpython3_4m1_0-debuginfo-3.4.10-25.185.1 * python3-base-debuginfo-3.4.10-25.185.1 ## References: * https://www.suse.com/security/cve/CVE-2026-1502.html * https://www.suse.com/security/cve/CVE-2026-3446.html * https://www.suse.com/security/cve/CVE-2026-4786.html *https://www.suse.com/security/cve/CVE-2026-6019.html * https://www.suse.com/security/cve/CVE-2026-6100.html * https://bugzilla.suse.com/show_bug.cgi?id=1261969 * https://bugzilla.suse.com/show_bug.cgi?id=1261970 * https://bugzilla.suse.com/show_bug.cgi?id=1262098 * https://bugzilla.suse.com/show_bug.cgi?id=1262319 * https://bugzilla.suse.com/show_bug.cgi?id=1262654 . SUSE updates python3 with fixes for five important issues. Ensure your system is patched to safeguard against risks.. SUSE python3 security update important vulnerabilities patch. . Severity: Important. LinuxSecurity.com Team
Moderate: libsoup security update. {"type": "TYPE_SECURITY", "shortCode": "RL", "name": "RLSA-2026:13978", "synopsis": "Moderate: libsoup security update", "severity": "SEVERITY_MODERATE", "topic": "An update is available for libsoup.\nThis update affects Rocky Linux 9.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list", "description": "The libsoup packages provide an HTTP client and server library for GNOME.\n\nSecurity Fix(es):\n\n* libsoup: libsoup: Information disclosure via cleartext transmission of cookies during HTTPS tunnel establishment (CVE-2026-5119)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "solution": null, "affectedProducts": ["Rocky Linux 9"], "fixes": [{"ticket": "2452932", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2452932", "description": ""}], "cves": [{"name": "CVE-2026-5119", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-5119", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N", "cvss3BaseScore": "5.9", "cwe": "CWE-319"}], "references": [], "publishedAt": "2026-05-07T12:03:39.445016Z", "rpms": {"Rocky Linux 9": {"nvras": ["libsoup-0:2.72.0-12.el9_7.6.aarch64.rpm", "libsoup-0:2.72.0-12.el9_7.6.i686.rpm", "libsoup-0:2.72.0-12.el9_7.6.ppc64le.rpm", "libsoup-0:2.72.0-12.el9_7.6.s390x.rpm", "libsoup-0:2.72.0-12.el9_7.6.src.rpm", "libsoup-0:2.72.0-12.el9_7.6.x86_64.rpm", "libsoup-debuginfo-0:2.72.0-12.el9_7.6.aarch64.rpm", "libsoup-debuginfo-0:2.72.0-12.el9_7.6.i686.rpm", "libsoup-debuginfo-0:2.72.0-12.el9_7.6.ppc64le.rpm", "libsoup-debuginfo-0:2.72.0-12.el9_7.6.s390x.rpm", "libsoup-debuginfo-0:2.72.0-12.el9_7.6.x86_64.rpm", "libsoup-debugsource-0:2.72.0-12.el9_7.6.aarch64.rpm", "libsoup-debugsource-0:2.72.0-12.el9_7.6.i686.rpm","libsoup-debugsource-0:2.72.0-12.el9_7.6.ppc64le.rpm", "libsoup-debugsource-0:2.72.0-12.el9_7.6.s390x.rpm", "libsoup-debugsource-0:2.72.0-12.el9_7.6.x86_64.rpm", "libsoup-devel-0:2.72.0-12.el9_7.6.aarch64.rpm", "libsoup-devel-0:2.72.0-12.el9_7.6.i686.rpm", "libsoup-devel-0:2.72.0-12.el9_7.6.ppc64le.rpm", "libsoup-devel-0:2.72.0-12.el9_7.6.s390x.rpm", "libsoup-devel-0:2.72.0-12.el9_7.6.x86_64.rpm"]}}, "rebootSuggested": false, "buildReferences": []}. Discover the latest libsoup security update for Rocky Linux, addressing information disclosure risks linked to cookies.. Rocky Linux Security, libsoup Update, Information Disclosure, HTTP Client Security, Security Patches. . LinuxSecurity.com Team
Update uv and python-uv-build to 0.11.2. Version 0.11 includes changes to the networking stack used by uv. While its developers think that breakage will be rare, it is possible that these changes will result in the rejection of certificates previously trusted by uv so, they have marked the change as breaking out of an abundance of caution. The changes are largely driven by the. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-b8b59dcf44 2026-03-28 00:15:26.019955+00:00 -------------------------------------------------------------------------------- Name : rust-reqsign-http-send-reqwest Product : Fedora 44 Version : 4.0.0 Release : 1.fc44 URL : https://crates.io/crates/reqsign-http-send-reqwest Summary : Reqwest-based HTTP client implementation for reqsign Description : Reqwest-based HTTP client implementation for reqsign. -------------------------------------------------------------------------------- Update Information: Update uv and python-uv-build to 0.11.2. Version 0.11 includes changes to the networking stack used by uv. While its developers think that breakage will be rare, it is possible that these changes will result in the rejection of certificates previously trusted by uv so, they have marked the change as breaking out of an abundance of caution. The changes are largely driven by the upgrade of reqwest, which powers uv's HTTP clients, to v0.13, which included some breaking changes to TLS certificate verification. This update also includes updates for several of uv\u2019s Rust library dependencies. Update rust-openssl-probe to 0.2.1, including breaking changes introduced in 0.2.0, and introduce a new rust-openssl-probe0.1 compat package. Update rust-rustls-native-certs to 0.8.3, now using openssl-probe 0.2. Update rust-native-tls to 0.2.18. Version 0.2.16 added TLS 1.3 as an option, added stack_from_pem, and upgraded openssl-probe to 0.2. Version 0.2.17 added support for ALPN on the server side.Version 0.2.18 fixed min/max protocol selection fallback for very old OpenSSL versions. Add an initial package for rust-webpki-root-certs. -------------------------------------------------------------------------------- ChangeLog: * Tue Mar 24 2026 Benjamin A. Beasley - 4.0.0-1 - Update to version 4.0.0; Fixes RHBZ#2432772 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2425802 - rust-openssl-probe-0.2.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2425802 [ 2 ] Bug #2425819 - rust-rustls-native-certs-0.8.3 is available https://bugzilla.redhat.com/show_bug.cgi?id=2425819 [ 3 ] Bug #2432768 - rust-reqsign-aliyun-oss-3.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2432768 [ 4 ] Bug #2432769 - rust-reqsign-core-3.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2432769 [ 5 ] Bug #2432770 - rust-reqsign-0.20.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2432770 [ 6 ] Bug #2432771 - rust-reqsign-azure-storage-3.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2432771 [ 7 ] Bug #2432772 - rust-reqsign-http-send-reqwest-4.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2432772 [ 8 ] Bug #2432773 - rust-reqsign-google-3.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2432773 [ 9 ] Bug #2432774 - rust-reqsign-file-read-tokio-3.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2432774 [ 10 ] Bug #2432775 - rust-reqsign-command-execute-tokio-3.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2432775 [ 11 ] Bug #2432776 - rust-reqsign-aws-v4-3.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2432776 [ 12 ] Bug #2432777 - rust-reqsign-huaweicloud-obs-3.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2432777 [ 13 ] Bug #2432779 - rust-reqsign-tencent-cos-3.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2432779 [ 14 ] Bug #2436289 - rust-ambient-id-0.0.11 is available https://bugzilla.redhat.com/show_bug.cgi?id=2436289 [ 15 ] Bug #2437941 - rust-astral-reqwest-middleware-0.5.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2437941 [ 16 ] Bug #2437942 - rust-astral-reqwest-retry-0.9.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2437942 [ 17 ] Bug #2437976 - rust-astral_async_http_range_reader-0.10.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2437976 [ 18 ] Bug #2439752 - rust-native-tls-0.2.18 is available https://bugzilla.redhat.com/show_bug.cgi?id=2439752 [ 19 ] Bug #2450541 - python-uv-build-0.11.2 is available https://bugzilla.redhat.com/show_bug.cgi?id=2450541 [ 20 ] Bug #2450582 - uv-0.11.2 is available https://bugzilla.redhat.com/show_bug.cgi?id=2450582 [ 21 ] Bug #2451103 - Review Request: rust-webpki-root-certs - Mozilla trusted certificate authorities in self-signed X.509 format https://bugzilla.redhat.com/show_bug.cgi?id=2451103 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-b8b59dcf44' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Update required for rust-reqsign-http-send-reqwest due to potential certificate rejection after networking stack changes.. HTTP Client Update, Fedora Security Advisory, Certificate Management. . Severity: Important. LinuxSecurity.com Team
https://github.com/aio-libs/aiohttp/blob/v3.13.3/CHANGES.rst. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-66cb8ecfc2 2026-02-14 01:08:36.223045+00:00 -------------------------------------------------------------------------------- Name : python-aiohttp Product : Fedora 43 Version : 3.13.3 Release : 4.fc43 URL : https://github.com/aio-libs/aiohttp Summary : Python HTTP client/server for asyncio Description : Python HTTP client/server for asyncio which supports both the client and the server side of the HTTP protocol, client and server websocket, and webservers with middlewares and pluggable routing. -------------------------------------------------------------------------------- Update Information: https://github.com/aio-libs/aiohttp/blob/v3.13.3/CHANGES.rst -------------------------------------------------------------------------------- ChangeLog: * Tue Feb 3 2026 Benjamin A. Beasley - 3.13.3-4 - Skip test_send_compress_text_notakeover on s390x for now - Close RHBZ#2434949 * Tue Feb 3 2026 Benjamin A. Beasley - 3.13.3-3 - Revert "Drop s390xx for isal" * Tue Feb 3 2026 Nicolas Chauvet - 3.13.3-2 - Drop s390xx for isal * Tue Feb 3 2026 Nicolas Chauvet - 3.13.3-1 - Update to 3.13.3 * Sat Jan 17 2026 Fedora Release Engineering - 3.13.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild * Fri Oct 17 2025 Benjamin A. Beasley - 3.13.1-1 - Update to 3.13.1 * Thu Oct 16 2025 Benjamin A. Beasley - 3.13.0-1 - Update to 3.13.0 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2434949 - python-aiohttp: FTBFS in Fedora rawhide/f44 https://bugzilla.redhat.com/show_bug.cgi?id=2434949 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisoryFEDORA-2026-66cb8ecfc2' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Important: libsoup security update. {"type": "TYPE_SECURITY", "shortCode": "RL", "name": "RLSA-2026:0422", "synopsis": "Important: libsoup security update", "severity": "SEVERITY_IMPORTANT", "topic": "An update is available for libsoup.\nThis update affects Rocky Linux 9.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list", "description": "The libsoup packages provide an HTTP client and server library for GNOME.\n\nSecurity Fix(es):\n\n* libsoup: libsoup: Duplicate Host Header Handling Causes Host-Parsing Discrepancy (First- vs Last-Value Wins) (CVE-2025-14523)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "solution": null, "affectedProducts": ["Rocky Linux 9"], "fixes": [{"ticket": "2421349", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2421349", "description": ""}], "cves": [{"name": "CVE-2025-14523", "sourceBy": "MITRE", "sourceLink": "https://www.cve.org/CVERecord?id=CVE-2025-14523", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "cvss3BaseScore": "8.2", "cwe": "CWE-444"}], "references": [], "publishedAt": "2026-01-15T09:13:58.593947Z", "rpms": {"Rocky Linux 9": {"nvras": ["libsoup-0:2.72.0-12.el9_7.3.aarch64.rpm", "libsoup-0:2.72.0-12.el9_7.3.i686.rpm", "libsoup-0:2.72.0-12.el9_7.3.ppc64le.rpm", "libsoup-0:2.72.0-12.el9_7.3.s390x.rpm", "libsoup-0:2.72.0-12.el9_7.3.src.rpm", "libsoup-0:2.72.0-12.el9_7.3.x86_64.rpm", "libsoup-debuginfo-0:2.72.0-12.el9_7.3.aarch64.rpm", "libsoup-debuginfo-0:2.72.0-12.el9_7.3.i686.rpm", "libsoup-debuginfo-0:2.72.0-12.el9_7.3.ppc64le.rpm", "libsoup-debuginfo-0:2.72.0-12.el9_7.3.s390x.rpm", "libsoup-debuginfo-0:2.72.0-12.el9_7.3.x86_64.rpm", "libsoup-debugsource-0:2.72.0-12.el9_7.3.aarch64.rpm", "libsoup-debugsource-0:2.72.0-12.el9_7.3.i686.rpm","libsoup-debugsource-0:2.72.0-12.el9_7.3.ppc64le.rpm", "libsoup-debugsource-0:2.72.0-12.el9_7.3.s390x.rpm", "libsoup-debugsource-0:2.72.0-12.el9_7.3.x86_64.rpm", "libsoup-devel-0:2.72.0-12.el9_7.3.aarch64.rpm", "libsoup-devel-0:2.72.0-12.el9_7.3.i686.rpm", "libsoup-devel-0:2.72.0-12.el9_7.3.ppc64le.rpm", "libsoup-devel-0:2.72.0-12.el9_7.3.s390x.rpm", "libsoup-devel-0:2.72.0-12.el9_7.3.x86_64.rpm"]}}, "rebootSuggested": false, "buildReferences": []}. An important libsoup security update addresses a critical issue related to host header discrepancies on Rocky Linux.. libsoup security update, Rocky Linux security, important libsoup patch. . Severity: Important. LinuxSecurity.com Team
Important: libsoup security update. {"type": "TYPE_SECURITY", "shortCode": "RL", "name": "RLSA-2025:19713", "synopsis": "Important: libsoup security update", "severity": "SEVERITY_IMPORTANT", "topic": "An update is available for libsoup.\nThis update affects Rocky Linux 9.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list", "description": "The libsoup packages provide an HTTP client and server library for GNOME.\n\nSecurity Fix(es):\n\n* libsoup: Integer Overflow in Cookie Expiration Date Handling in libsoup (CVE-2025-4945)\n\n* libsoup: Out-of-Bounds Read in Cookie Date Handling of libsoup HTTP Library (CVE-2025-11021)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "solution": null, "affectedProducts": ["Rocky Linux 9"], "fixes": [{"ticket": "2367175", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2367175", "description": ""}, {"ticket": "2399627", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2399627", "description": ""}], "cves": [{"name": "CVE-2025-11021", "sourceBy": "MITRE", "sourceLink": "https://www.cve.org/CVERecord?id=CVE-2025-11021", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "cvss3BaseScore": "7.5", "cwe": "CWE-125"}, {"name": "CVE-2025-4945", "sourceBy": "MITRE", "sourceLink": "https://www.cve.org/CVERecord?id=CVE-2025-4945", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "cvss3BaseScore": "3.7", "cwe": "CWE-190"}], "references": [], "publishedAt": "2025-11-06T09:06:00.631395Z", "rpms": {"Rocky Linux 9": {"nvras": ["libsoup-0:2.72.0-10.el9_6.3.aarch64.rpm", "libsoup-0:2.72.0-10.el9_6.3.i686.rpm", "libsoup-0:2.72.0-10.el9_6.3.ppc64le.rpm", "libsoup-0:2.72.0-10.el9_6.3.s390x.rpm", "libsoup-0:2.72.0-10.el9_6.3.src.rpm","libsoup-0:2.72.0-10.el9_6.3.x86_64.rpm", "libsoup-debuginfo-0:2.72.0-10.el9_6.3.aarch64.rpm", "libsoup-debuginfo-0:2.72.0-10.el9_6.3.ppc64le.rpm", "libsoup-debuginfo-0:2.72.0-10.el9_6.3.s390x.rpm", "libsoup-debuginfo-0:2.72.0-10.el9_6.3.x86_64.rpm", "libsoup-debugsource-0:2.72.0-10.el9_6.3.aarch64.rpm", "libsoup-debugsource-0:2.72.0-10.el9_6.3.ppc64le.rpm", "libsoup-debugsource-0:2.72.0-10.el9_6.3.s390x.rpm", "libsoup-debugsource-0:2.72.0-10.el9_6.3.x86_64.rpm", "libsoup-devel-0:2.72.0-10.el9_6.3.aarch64.rpm", "libsoup-devel-0:2.72.0-10.el9_6.3.i686.rpm", "libsoup-devel-0:2.72.0-10.el9_6.3.ppc64le.rpm", "libsoup-devel-0:2.72.0-10.el9_6.3.s390x.rpm", "libsoup-devel-0:2.72.0-10.el9_6.3.x86_64.rpm"]}}, "rebootSuggested": false, "buildReferences": []}. An important security update for libsoup in Rocky Linux addresses critical fixes impacting HTTP functions.. libsoup security update, Rocky Linux 9, HTTP library update, important security fixes. . Severity: Important. LinuxSecurity.com Team
uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for CVE-2025-62518. ruff 0.14.2. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-43a0bff5ea 2025-11-03 01:00:54.501352+00:00 -------------------------------------------------------------------------------- Name : rust-reqsign-http-send-reqwest Product : Fedora 41 Version : 2.0.0 Release : 1.fc41 URL : https://crates.io/crates/reqsign-http-send-reqwest Summary : Reqwest-based HTTP client implementation for reqsign Description : Reqwest-based HTTP client implementation for reqsign. -------------------------------------------------------------------------------- Update Information: uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for CVE-2025-62518. ruff 0.14.2 https://github.com/astral-sh/ruff/blob/0.14.2/CHANGELOG.md rust-astral-tokio-tar 0.5.6 Fixed a parser desynchronization vulnerability when reading tar archives that contain mismatched size information in PAX/ustar headers. This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx and CVE-2025-62518. Initial package for python-uv-build in Fedora 42 Initial packages for a number of new dependencies for ruff and uv. Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1. Patch openapi-python-client to allow ruff 0.14 -------------------------------------------------------------------------------- ChangeLog: * Thu Oct 23 2025 Benjamin A. Beasley - 2.0.0-1 - Update to version 2.0.0; Fixes RHBZ#2402443 * Thu Oct 2 2025 Benjamin A. Beasley - 1.0.0-1 - Initial package (close RHBZ#2400100) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2360699 - ruff-0.14.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2360699 [ 2 ] Bug #2402441 - rust-reqsign-core-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402441 [ 3 ] Bug #2402442 - rust-reqsign-command-execute-tokio-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402442 [ 4 ] Bug #2402443 - rust-reqsign-http-send-reqwest-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402443 [ 5 ] Bug #2402881 - python-uv-build-0.9.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402881 [ 6 ] Bug #2402923 - uv-0.9.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402923 [ 7 ] Bug #2405471 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2405471 [ 8 ] Bug #2405472 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2405472 [ 9 ] Bug #2406135 - ruff-0.14.2 is available https://bugzilla.redhat.com/show_bug.cgi?id=2406135 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-43a0bff5ea' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Get the latest Linux and open source security news straight to your inbox.