Explore top 10 tips to secure your open-source projects now. Read More
×Security update resolving 22 CVEs across both caddy itself and its vendored libraries.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-3dc324bd9a 2026-07-02 01:07:29.332017+00:00 -------------------------------------------------------------------------------- Name : caddy Product : Fedora 43 Version : 2.10.2 Release : 9.fc43 URL : https://caddyserver.com Summary : Web server with automatic HTTPS Description : Caddy is an extensible server platform that uses TLS by default. -------------------------------------------------------------------------------- Update Information: Security update resolving 22 CVEs across both caddy itself and its vendored libraries. -------------------------------------------------------------------------------- ChangeLog: * Tue Jun 23 2026 Carl George - 2.10.2-9 - Port to new golang packaging guidelines - Backport upstream fix for CVE-2026-27585 - Backport upstream fix for CVE-2026-27586 - Backport upstream fix for CVE-2026-27587 - Backport upstream fix for CVE-2026-27588 - Backport upstream fix for CVE-2026-27589 - Backport upstream fix for CVE-2026-27590 - Backport upstream fix for CVE-2026-30851 - Backport upstream fix for CVE-2026-30852 - Update vendored github.com/quic-go/quic-go to v0.57.0 for CVE-2025-64702 - Update vendored golang.org/x/crypto to v0.52.0 for CVE-2025-47913, CVE-2026-39828, CVE-2026-39829, and CVE-2026-39830 - Update vendored github.com/smallstep/certificates to v0.30.0 for CVE-2025-44005 and CVE-2026-40097 - Update vendored github.com/go-chi/chi/v5 to v5.2.5 for CVE-2025-69725 - Update vendored github.com/yuin/goldmark/renderer/html to v1.7.17 for CVE-2026-5160 * Mon Feb 2 2026 Maxwell G - 2.10.2-5 - Rebuild for https://fedoraproject.org/wiki/Changes/golang1.26 * Fri Jan 16 2026 Fedora Release Engineering - 2.10.2-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild * Fri Jan 16 2026 Fedora Release Engineering - 2.10.2-3 -Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild * Fri Oct 10 2025 Alejandro Sáez - 2.10.2-2 - rebuild -------------------------------------------------------------------------------- References: [ 1 ] Bug #2488094 - CVE-2026-30851 caddy: Caddy: Privilege escalation via identity injection due to unstripped client headers [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2488094 [ 2 ] Bug #2488095 - CVE-2026-30852 caddy: Caddy: Information disclosure via double-expansion of user-controlled input [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2488095 [ 3 ] Bug #2488141 - CVE-2026-40097 caddy: Step CA: Denial of Service via crafted attestation key certificate [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2488141 [ 4 ] Bug #2488502 - CVE-2026-27585 caddy: Caddy: Path security bypass due to unsanitized backslashes [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2488502 [ 5 ] Bug #2488503 - CVE-2026-27586 caddy: Caddy: Authentication bypass via mTLS client certificate validation failure [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2488503 [ 6 ] Bug #2488514 - CVE-2026-27587 caddy: Caddy: Access control bypass due to improper handling of percent-escape sequences in HTTP path matcher [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2488514 [ 7 ] Bug #2488516 - CVE-2026-27588 caddy: Caddy: Access control bypass due to case-sensitive host matching [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2488516 [ 8 ] Bug #2488517 - CVE-2026-27589 caddy: Caddy: Unauthorized configuration modification via cross-origin requests to the admin API [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2488517 [ 9 ] Bug #2488518 - CVE-2026-27590 caddy: Caddy: Remote Code Execution via FastCGI path confusion [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2488518 [ 10 ] Bug #2488572 - CVE-2025-47910 caddy: CrossOriginProtection bypass in net/http[fedora-43] https://bugzilla.redhat.com/show_bug.cgi?id=2488572 [ 11 ] Bug #2488575 - CVE-2025-58185 caddy: Parsing DER payload can cause memory exhaustion in encoding/asn1 [fedora-43] https://bugzilla.redhat.com/show_bug.cgi?id=2488575 [ 12 ] Bug #2488578 - CVE-2025-58188 caddy: Panic when validating certificates with DSA public keys in crypto/x509 [fedora-43] https://bugzilla.redhat.com/show_bug.cgi?id=2488578 [ 13 ] Bug #2488580 - CVE-2025-58189 caddy: go crypto/tls ALPN negotiation error contains attacker controlled information [fedora-43] https://bugzilla.redhat.com/show_bug.cgi?id=2488580 [ 14 ] Bug #2488582 - CVE-2025-61723 caddy: Quadratic complexity when parsing some invalid inputs in encoding/pem [fedora-43] https://bugzilla.redhat.com/show_bug.cgi?id=2488582 [ 15 ] Bug #2488661 - CVE-2025-64702 caddy: quic-go HTTP/3 QPACK Header Expansion DoS [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2488661 [ 16 ] Bug #2488663 - CVE-2025-47913 caddy: golang.org/x/crypto/ssh/agent: SSH client panic due to unexpected SSH_AGENT_SUCCESS [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2488663 [ 17 ] Bug #2488665 - CVE-2025-44005 caddy: github.com/smallstep/certificates: Authorization bypass allows unauthorized certificate creation [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2488665 [ 18 ] Bug #2488666 - CVE-2025-69725 caddy: Go-chi/chi: Open Redirect vulnerability allows redirection to malicious websites [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2488666 [ 19 ] Bug #2488667 - CVE-2026-5160 caddy: github.com/yuin/goldmark/renderer/html: Cross-site Scripting due to improper URL validation [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2488667 [ 20 ] Bug #2489962 - CVE-2026-39828 caddy: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2489962 [ 21 ] Bug #2490067 -CVE-2026-39829 caddy: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2490067 [ 22 ] Bug #2490486 - CVE-2026-39830 caddy: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2490486 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-3dc324bd9a' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Fedora 43 security advisory updating Caddy addressing 22 CVEs with critical risks including DoS and information leaks.. Fedora 43, security advisory, Caddy update, CVE patching, web server security. . Severity: Critical. LinuxSecurity.com Team
nginx-mod-brotli: Rebuild for 1.30.3 nginx-mod-fancyindex: Rebuild for 1.30.3 nginx-mod-vts:. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-b8e751787c 2026-06-27 01:10:00.374795+00:00 -------------------------------------------------------------------------------- Name : nginx Product : Fedora 44 Version : 1.30.3 Release : 1.fc44 URL : https://nginx.org Summary : A high performance web server and reverse proxy server Description : Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage. -------------------------------------------------------------------------------- Update Information: nginx-mod-brotli: Rebuild for 1.30.3 nginx-mod-fancyindex: Rebuild for 1.30.3 nginx-mod-vts: Rebuild for 1.30.3 nginx-mod-modsecurity: Rebuild for 1.30.3 nginx-mod-headers-more: Rebuild for 1.30.3 nginx-mod-naxsi: Rebuild for 1.30.3 nginx-mod-js-challenge: Rebuild for 1.30.3 nginx: update to 1.30.3 fixes CVE-2026-42055, CVE-2026-42530 and CVE-2026-48142 -------------------------------------------------------------------------------- ChangeLog: * Wed Jun 17 2026 Felix Kaechele - 2:1.30.3-1 - update to 1.30.3 - fixes CVE-2026-42055, CVE-2026-42530 and CVE-2026-48142 * Fri Jun 12 2026 Yaakov Selkowitz - 2:1.30.2-2 - Rebuilt for openssl 4.0 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-b8e751787c' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be foundat https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
1.4.84 1.4.83 https://wiki.lighttpd.net/Release-1_4_83. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-d7d472853a 2026-06-27 00:54:50.049700+00:00 -------------------------------------------------------------------------------- Name : lighttpd Product : Fedora 43 Version : 1.4.84 Release : 1.fc43 URL : http://www.lighttpd.net/ Summary : Lightning fast webserver with light system requirements Description : lighttpd (pronounced /lighty/) is a secure, fast, compliant, and very flexible web server that has been optimized for high-performance environments. lighttpd uses memory and CPU efficiently and has lower resource use than other popular web servers. Its advanced feature-set (FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and much more) make lighttpd the perfect web server for all systems, small and large. -------------------------------------------------------------------------------- Update Information: 1.4.84 1.4.83 https://wiki.lighttpd.net/Release-1_4_83 -------------------------------------------------------------------------------- ChangeLog: * Thu Jun 18 2026 Gwyn Ciesla - 1.4.84-1 - 1.4.84 * Mon Jun 15 2026 Gwyn Ciesla - 1.4.83-1 - 1.4.83 * Fri Jun 12 2026 Yaakov Selkowitz - 1.4.82-5 - Rebuilt for openssl 4.0 * Thu Apr 16 2026 Tom Callaway - 1.4.82-4 - rebuild * Tue Mar 3 2026 Tom Callaway - 1.4.82-3 - rebuild for lua 5.5 * Fri Jan 16 2026 Fedora Release Engineering - 1.4.82-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild -------------------------------------------------------------------------------- References: [ 1 ] Bug #2488792 - lighttpd-1.4.83 is available https://bugzilla.redhat.com/show_bug.cgi?id=2488792 [ 2 ] Bug #2490240 - lighttpd-1.4.84 is available https://bugzilla.redhat.com/show_bug.cgi?id=2490240 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-d7d472853a' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
nginx-mod-headers-more: Rebuild for 1.30.3 nginx-mod-brotli: Rebuild for 1.30.3 nginx-mod-vts:. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-9d7328702e 2026-06-27 00:54:50.049683+00:00 -------------------------------------------------------------------------------- Name : nginx Product : Fedora 43 Version : 1.30.3 Release : 1.fc43 URL : https://nginx.org Summary : A high performance web server and reverse proxy server Description : Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage. -------------------------------------------------------------------------------- Update Information: nginx-mod-headers-more: Rebuild for 1.30.3 nginx-mod-brotli: Rebuild for 1.30.3 nginx-mod-vts: Rebuild for 1.30.3 nginx-mod-modsecurity: Rebuild for 1.30.3 nginx-mod-fancyindex: Rebuild for 1.30.3 nginx-mod-naxsi: Rebuild for 1.30.3 nginx: update to 1.30.3 fixes CVE-2026-42055, CVE-2026-42530 and CVE-2026-48142 -------------------------------------------------------------------------------- ChangeLog: * Wed Jun 17 2026 Felix Kaechele - 2:1.30.3-1 - update to 1.30.3 - fixes CVE-2026-42055, CVE-2026-42530 and CVE-2026-48142 * Fri Jun 12 2026 Yaakov Selkowitz - 2:1.30.2-2 - Rebuilt for openssl 4.0 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-9d7328702e' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be foundat https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
nginx-mod-vts: Rebuild for 1.30.1 nginx-mod-fancyindex: Rebuild for 1.30.1 nginx-mod-naxsi:. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-38623b4fed 2026-05-15 22:44:59.632855+00:00 -------------------------------------------------------------------------------- Name : nginx Product : Fedora 42 Version : 1.30.1 Release : 1.fc42 URL : https://nginx.org Summary : A high performance web server and reverse proxy server Description : Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage. -------------------------------------------------------------------------------- Update Information: nginx-mod-vts: Rebuild for 1.30.1 nginx-mod-fancyindex: Rebuild for 1.30.1 nginx-mod-naxsi: Rebuild for 1.30.1 nginx-mod-headers-more: Rebuild for 1.30.1 nginx-mod-brotli: Rebuild for 1.30.1 nginx-mod-modsecurity: Rebuild for 1.30.1 nginx: update to 1.30.1 fixes CVE-2026-42926, CVE-2026-42945, CVE-2026-42946, CVE-2026-42934, CVE-2026-40460 and CVE-2026-40701 -------------------------------------------------------------------------------- ChangeLog: * Wed May 13 2026 Felix Kaechele - 2:1.30.1-1 - update to 1.30.1 - fixes CVE-2026-42926, CVE-2026-42945, CVE-2026-42946, CVE-2026-42934, CVE-2026-40460 and CVE-2026-40701 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2477413 - CVE-2026-42945 nginx: NGINX: Arbitrary Code Execution Vulnerability [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2477413 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-38623b4fed' at the command line. For more information, refer to the dnf documentation availableat http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
nginx-mod-vts: Rebuild for 1.30.1 nginx-mod-fancyindex: Rebuild for 1.30.1 nginx-mod-naxsi:. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-38623b4fed 2026-05-15 22:44:59.632855+00:00 -------------------------------------------------------------------------------- Name : nginx-mod-modsecurity Product : Fedora 42 Version : 1.0.4 Release : 10.fc42 URL : https://github.com/SpiderLabs/ModSecurity-nginx Summary : ModSecurity v3 nginx connector Description : The ModSecurity-nginx connector is the connection point between nginx and libmodsecurity (ModSecurity v3). Said another way, this project provides a communication channel between nginx and libmodsecurity. This connector is required to use LibModSecurity with nginx. The ModSecurity-nginx connector takes the form of an nginx module. The module simply serves as a layer of communication between nginx and ModSecurity -------------------------------------------------------------------------------- Update Information: nginx-mod-vts: Rebuild for 1.30.1 nginx-mod-fancyindex: Rebuild for 1.30.1 nginx-mod-naxsi: Rebuild for 1.30.1 nginx-mod-headers-more: Rebuild for 1.30.1 nginx-mod-brotli: Rebuild for 1.30.1 nginx-mod-modsecurity: Rebuild for 1.30.1 nginx: update to 1.30.1 fixes CVE-2026-42926, CVE-2026-42945, CVE-2026-42946, CVE-2026-42934, CVE-2026-40460 and CVE-2026-40701 -------------------------------------------------------------------------------- ChangeLog: * Wed May 13 2026 Felix Kaechele - 1.0.4-10 - Rebuild for 1.30.1 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2477413 - CVE-2026-42945 nginx: NGINX: Arbitrary Code Execution Vulnerability [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2477413 -------------------------------------------------------------------------------- This update can be installed with the "dnf"update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-38623b4fed' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
nginx-mod-fancyindex: Rebuild for 1.30.1 nginx-mod-headers-more: Rebuild for 1.30.1 nginx-mod-naxsi:. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-094eb13bb1 2026-05-15 20:57:10.102601+00:00 -------------------------------------------------------------------------------- Name : nginx Product : Fedora 44 Version : 1.30.1 Release : 1.fc44 URL : https://nginx.org Summary : A high performance web server and reverse proxy server Description : Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage. -------------------------------------------------------------------------------- Update Information: nginx-mod-fancyindex: Rebuild for 1.30.1 nginx-mod-headers-more: Rebuild for 1.30.1 nginx-mod-naxsi: Rebuild for 1.30.1 nginx-mod-js-challenge: Rebuild for 1.30.1 nginx-mod-brotli: Rebuild for 1.30.1 nginx-mod-vts: Rebuild for 1.30.1 nginx-mod-modsecurity: Rebuild for 1.30.1 nginx: update to 1.30.1 fixes CVE-2026-42926, CVE-2026-42945, CVE-2026-42946, CVE-2026-42934, CVE-2026-40460 and CVE-2026-40701 -------------------------------------------------------------------------------- ChangeLog: * Wed May 13 2026 Felix Kaechele - 2:1.30.1-1 - update to 1.30.1 - fixes CVE-2026-42926, CVE-2026-42945, CVE-2026-42946, CVE-2026-42934, CVE-2026-40460 and CVE-2026-40701 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2477413 - CVE-2026-42945 nginx: NGINX: Arbitrary Code Execution Vulnerability [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2477413 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-094eb13bb1' at the command line. For more information,refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
new version 2.4.67. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-3e32c54eab 2026-05-12 00:48:49.533506+00:00 -------------------------------------------------------------------------------- Name : httpd Product : Fedora 44 Version : 2.4.67 Release : 1.fc44 URL : https://httpd.apache.org/ Summary : Apache HTTP Server Description : The Apache HTTP Server is a powerful, efficient, and extensible web server. -------------------------------------------------------------------------------- Update Information: new version 2.4.67 -------------------------------------------------------------------------------- ChangeLog: * Wed May 6 2026 Lubo\u0161 Uhliarik - 2.4.67-1 - new version 2.4.67 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2464943 - httpd-2.4.67 is available https://bugzilla.redhat.com/show_bug.cgi?id=2464943 [ 2 ] Bug #2466956 - CVE-2026-28780 httpd: Apache HTTP Server mod_proxy_ajp: Arbitrary code execution via heap-based buffer overflow [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2466956 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-3e32c54eab' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Apache HTTP Server update available for Fedora 44 addressing critical code execution issue. Install to secure system.. Apache HTTP Server, Fedora 44, security advisory, code execution update. . Severity: Critical.LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.