{"advisories":[{"schema_version":"1.7.0","id":"RLSA-2026:15968","modified":"2026-05-14T06:09:17.161289Z","published":"2026-05-13T12:06:54.356511Z","upstream":["CVE-2026-4271","CVE-2026-5119"],"summary":"Moderate: libsoup3 security update","details":"Libsoup is an HTTP library implementation in C. It was originally part of a SOAP (Simple Object Access Protocol) implementation called Soup, but the SOAP and non-SOAP parts have now been split into separate packages.  libsoup uses the Glib main loop and is designed to work well with GTK applications. This enables GNOME applications to access HTTP servers on the network in a completely asynchronous fashion, very similar to the Gtk+ programming model (a synchronous operation mode is also supported for those who want it), but the SOAP parts were removed long ago.\n\nSecurity Fix(es):\n\n* libsoup: libsoup: Denial of Service via Use-After-Free in HTTP/2 server (CVE-2026-4271)\n\n* libsoup: libsoup: Information disclosure via cleartext transmission of cookies during HTTPS tunnel establishment (CVE-2026-5119)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N"}],"affected":[{"package":{"ecosystem":"Rocky Linux:10","name":"libsoup3","purl":"pkg:rpm/rocky-linux/libsoup3?distro=rocky-linux-10&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:3.6.5-3.el10_1.11"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:15968"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452932"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2448044"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red 
Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:15888","modified":"2026-05-14T06:09:17.099671Z","published":"2026-05-13T12:06:54.356511Z","upstream":["CVE-2026-34588"],"summary":"Important: openexr security update","details":"OpenEXR is an open-source high-dynamic-range floating-point image file format for high-quality image processing and storage. This document presents a brief overview of OpenEXR and explains concepts that are specific to this format.  This package contains the binaries for OpenEXR.\n\nSecurity Fix(es):\n\n* OpenEXR: OpenEXR: Arbitrary code execution and information disclosure via crafted EXR file (CVE-2026-34588)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:10","name":"openexr","purl":"pkg:rpm/rocky-linux/openexr?distro=rocky-linux-10&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:3.1.10-8.el10_1.2"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:15888"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455408"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:16014","modified":"2026-05-14T06:09:17.035348Z","published":"2026-05-13T12:06:54.356511Z","upstream":["CVE-2026-25952","CVE-2026-25997","CVE-2026-26986","CVE-2026-29775","CVE-2026-31883","CVE-2026-31884","CVE-2026-31885","CVE-2026-33982","CVE-2026-33985","CVE-2026-33987"],"summary":"Moderate: freerdp security update","details":"FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. 
The xfreerdp client can connect to RDP servers such as Microsoft Windows machines, xrdp, and VirtualBox.\n\nSecurity Fix(es):\n\n* freerdp: FreeRDP: Denial of service via heap use-after-free during auto-reconnect (CVE-2026-25997)\n\n* freerdp: FreeRDP: Denial of service due to use-after-free vulnerability (CVE-2026-25952)\n\n* freerdp: FreeRDP: Denial of Service via double free vulnerability during disconnect (CVE-2026-26986)\n\n* freerdp: FreeRDP has a heap-buffer-overflow in bitmap_cache_put via OOB cacheId (CVE-2026-29775)\n\n* freerdp: FreeRDP has an out-of-bounds read in ADPCM decoders due to missing predictor/step_index bounds checks (CVE-2026-31885)\n\n* freerdp: FreeRDP has a division-by-zero in ADPCM decoders when `nBlockAlign` is 0 (CVE-2026-31884)\n\n* freerdp: FreeRDP: Denial of Service via crafted audio data in RDP (CVE-2026-31883)\n\n* FreeRDP: FreeRDP: Information disclosure via heap memory out of bounds read (CVE-2026-33985)\n\n* FreeRDP: FreeRDP: Information disclosure and denial of service via heap-buffer-overflow read (CVE-2026-33982)\n\n* FreeRDP: FreeRDP: Memory corruption vulnerability allows denial of service or arbitrary code execution (CVE-2026-33987)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky 
Linux:10","name":"freerdp","purl":"pkg:rpm/rocky-linux/freerdp?distro=rocky-linux-10&epoch=2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2:3.10.3-5.el10_1.8"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:16014"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2442782"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2442768"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453226"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2447383"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2442764"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453217"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2447386"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2447385"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2447379"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453218"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:15969","modified":"2026-05-14T06:09:17.217982Z","published":"2026-05-13T12:06:54.356511Z","upstream":["CVE-2025-14087","CVE-2025-14512"],"summary":"Moderate: glib2 security update","details":"GLib provides the core application building blocks for libraries and applications written in C. 
It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures.\n\nSecurity Fix(es):\n\n* glib: GLib: Buffer underflow in GVariant parser leads to heap corruption (CVE-2025-14087)\n\n* glib: Integer Overflow in GLib GIO Attribute Escaping Causes Heap Buffer Overflow (CVE-2025-14512)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:10","name":"glib2","purl":"pkg:rpm/rocky-linux/glib2?distro=rocky-linux-10&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:2.80.4-10.el10_1.13"}],"database_specific":{"yum_repository":"BaseOS"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:15969"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2419093"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2421339"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:15892","modified":"2026-05-14T06:09:15.920034Z","published":"2026-05-13T12:03:42.485295Z","upstream":["CVE-2026-6746","CVE-2026-6747","CVE-2026-6748","CVE-2026-6749","CVE-2026-6750","CVE-2026-6751","CVE-2026-6752","CVE-2026-6753","CVE-2026-6754","CVE-2026-6757","CVE-2026-6759","CVE-2026-6761","CVE-2026-6762","CVE-2026-6763","CVE-2026-6764","CVE-2026-6765","CVE-2026-6766","CVE-2026-6767","CVE-2026-6769","CVE-2026-6770","CVE-2026-6771","CVE-2026-6772","CVE-2026-6776","CVE-2026-6785","CVE-2026-6786"],"summary":"Important: thunderbird security update","details":"Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nSecurity Fix(es):\n\n* firefox: thunderbird: Incorrect boundary 
conditions in the Libraries component in NSS (CVE-2026-6772)\n\n* firefox: thunderbird: Use-after-free in the JavaScript Engine component (CVE-2026-6754)\n\n* firefox: thunderbird: Spoofing issue in the DOM: Core & HTML component (CVE-2026-6762)\n\n* firefox: thunderbird: Incorrect boundary conditions in the WebRTC component (CVE-2026-6752)\n\n* firefox: thunderbird: Other issue in the Storage: IndexedDB component (CVE-2026-6770)\n\n* firefox: thunderbird: Invalid pointer in the JavaScript: WebAssembly component (CVE-2026-6757)\n\n* firefox: thunderbird: Other issue in the Libraries component in NSS (CVE-2026-6767)\n\n* firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150 (CVE-2026-6786)\n\n* firefox: thunderbird: Incorrect boundary conditions in the WebRTC component (CVE-2026-6753)\n\n* firefox: thunderbird: Use-after-free in the Widget: Cocoa component (CVE-2026-6759)\n\n* firefox: thunderbird: Use-after-free in the WebRTC component (CVE-2026-6747)\n\n* firefox: thunderbird: Information disclosure due to uninitialized memory in the Graphics: Canvas2D component (CVE-2026-6749)\n\n* firefox: thunderbird: Incorrect boundary conditions in the Libraries component in NSS (CVE-2026-6766)\n\n* firefox: thunderbird: Privilege escalation in the Networking component (CVE-2026-6761)\n\n* firefox: thunderbird: Mitigation bypass in the File Handling component (CVE-2026-6763)\n\n* firefox: thunderbird: Privilege escalation in the Graphics: WebRender component (CVE-2026-6750)\n\n* firefox: thunderbird: Uninitialized memory in the Audio/Video: Web Codecs component (CVE-2026-6748)\n\n* firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150 (CVE-2026-6785)\n\n* firefox: thunderbird: Mitigation bypass in the DOM: Security component (CVE-2026-6771)\n\n* firefox: thunderbird: Incorrect boundary conditions in the DOM: Device 
Interfaces component (CVE-2026-6764)\n\n* firefox: thunderbird: Information disclosure in the Form Autofill component (CVE-2026-6765)\n\n* firefox: thunderbird: Privilege escalation in the Debugger component (CVE-2026-6769)\n\n* firefox: thunderbird: Uninitialized memory in the Audio/Video: Web Codecs component (CVE-2026-6751)\n\n* firefox: thunderbird: Incorrect boundary conditions in the WebRTC: Networking component (CVE-2026-6776)\n\n* firefox: thunderbird: Use-after-free in the DOM: Core & HTML component (CVE-2026-6746)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:9","name":"thunderbird","purl":"pkg:rpm/rocky-linux/thunderbird?distro=rocky-linux-9&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:140.10.0-1.el9_7"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:15892"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460074"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460075"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460076"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460078"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460079"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460085"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460086"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460088"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460092"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460094"},{"type":"REPORT","url":"https://
bugzilla.redhat.com/show_bug.cgi?id=2460095"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460096"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460097"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460099"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460101"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460102"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460103"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460104"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460105"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460106"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460107"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460108"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460109"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460110"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460112"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:15971","modified":"2026-05-14T06:09:15.979595Z","published":"2026-05-13T12:03:42.485295Z","upstream":["CVE-2025-14087","CVE-2025-14512"],"summary":"Moderate: glib2 security update","details":"GLib provides the core application building blocks for libraries and applications written in C. 
It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures.\n\nSecurity Fix(es):\n\n* glib: GLib: Buffer underflow in GVariant parser leads to heap corruption (CVE-2025-14087)\n\n* glib: Integer Overflow in GLib GIO Attribute Escaping Causes Heap Buffer Overflow (CVE-2025-14512)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:9","name":"glib2","purl":"pkg:rpm/rocky-linux/glib2?distro=rocky-linux-9&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:2.68.4-18.el9_7.2"}],"database_specific":{"yum_repository":"BaseOS"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:15971"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2419093"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2421339"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:15887","modified":"2026-05-14T06:09:15.864410Z","published":"2026-05-13T12:03:42.485295Z","upstream":["CVE-2026-34588"],"summary":"Important: openexr security update","details":"OpenEXR is an open-source high-dynamic-range floating-point image file format for high-quality image processing and storage. This document presents a brief overview of OpenEXR and explains concepts that are specific to this format.  
This package contains the binaries for OpenEXR.\n\nSecurity Fix(es):\n\n* OpenEXR: OpenEXR: Arbitrary code execution and information disclosure via crafted EXR file (CVE-2026-34588)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:9","name":"openexr","purl":"pkg:rpm/rocky-linux/openexr?distro=rocky-linux-9&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:3.1.1-3.el9_7.2"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:15887"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455408"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:16055","modified":"2026-05-14T06:09:14.760525Z","published":"2026-05-13T06:00:58.478905Z","upstream":["CVE-2026-4775"],"summary":"Important: libtiff security update","details":"The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.\n\nSecurity Fix(es):\n\n* libtiff: libtiff: Arbitrary code execution or denial of service via signed integer overflow in TIFF file processing (CVE-2026-4775)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky 
Linux:8","name":"libtiff","purl":"pkg:rpm/rocky-linux/libtiff?distro=rocky-linux-8&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:4.0.9-37.el8_10"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:16055"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2450768"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:16019","modified":"2026-05-14T06:09:14.715414Z","published":"2026-05-13T06:00:58.478905Z","upstream":["CVE-2026-25952","CVE-2026-26986","CVE-2026-27951","CVE-2026-29775","CVE-2026-31883","CVE-2026-31884","CVE-2026-31885","CVE-2026-33985"],"summary":"Moderate: freerdp security update","details":"FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. The xfreerdp client can connect to RDP servers such as Microsoft Windows machines, xrdp, and VirtualBox.\n\nSecurity Fix(es):\n\n* freerdp: FreeRDP: Denial of service due to use-after-free vulnerability (CVE-2026-25952)\n\n* freerdp: FreeRDP: Denial of Service via double free vulnerability during disconnect (CVE-2026-26986)\n\n* freerdp: FreeRDP: Denial of Service via endless blocking loop in Stream_EnsureCapacity (CVE-2026-27951)\n\n* freerdp: FreeRDP has a heap-buffer-overflow in bitmap_cache_put via OOB cacheId (CVE-2026-29775)\n\n* freerdp: FreeRDP has an out-of-bounds read in ADPCM decoders due to missing predictor/step_index bounds checks (CVE-2026-31885)\n\n* freerdp: FreeRDP has a division-by-zero in ADPCM decoders when `nBlockAlign` is 0 (CVE-2026-31884)\n\n* freerdp: FreeRDP: Denial of Service via crafted audio data in RDP (CVE-2026-31883)\n\n* FreeRDP: FreeRDP: Information disclosure via heap memory out of bounds read (CVE-2026-33985)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and 
other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"affected":[{"package":{"ecosystem":"Rocky Linux:8","name":"freerdp","purl":"pkg:rpm/rocky-linux/freerdp?distro=rocky-linux-8&epoch=2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2:2.11.7-9.el8_10"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:16019"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2442768"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2442782"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2442783"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2447379"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2447383"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2447385"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2447386"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453217"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:15953","modified":"2026-05-14T06:09:14.020468Z","published":"2026-05-13T06:00:42.968790Z","upstream":["CVE-2025-14087","CVE-2025-14512"],"summary":"Moderate: glib2 security update","details":"GLib provides the core application building blocks for libraries and applications written in C. 
It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures.\n\nSecurity Fix(es):\n\n* glib: GLib: Buffer underflow in GVariant parser leads to heap corruption (CVE-2025-14087)\n\n* glib: Integer Overflow in GLib GIO Attribute Escaping Causes Heap Buffer Overflow (CVE-2025-14512)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:8","name":"glib2","purl":"pkg:rpm/rocky-linux/glib2?distro=rocky-linux-8&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:2.56.4-169.el8_10"}],"database_specific":{"yum_repository":"BaseOS"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:15953"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2419093"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2421339"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:14790","modified":"2026-05-14T06:09:16.967298Z","published":"2026-05-11T12:06:47.483862Z","upstream":["CVE-2026-33636"],"summary":"Moderate: libpng security update","details":"The libpng packages contain a library of functions for creating and manipulating Portable Network Graphics (PNG) image format files.\n\nSecurity Fix(es):\n\n* libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion (CVE-2026-33636)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References 
section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:10","name":"libpng","purl":"pkg:rpm/rocky-linux/libpng?distro=rocky-linux-10&epoch=2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2:1.6.40-8.el10_1.3"}],"database_specific":{"yum_repository":"BaseOS"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:14790"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2451819"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:14819","modified":"2026-05-14T06:09:15.747459Z","published":"2026-05-11T12:03:36.539894Z","upstream":["CVE-2026-33554"],"summary":"Moderate: freeipmi security update","details":"The freeipmi packages contain an Intelligent Platform Management Interface (IPMI) remote console and system management software based on the IPMI specification.\n\nSecurity Fix(es):\n\n* freeipmi: buffer overflows on response messages via ipmi-oem (CVE-2026-33554)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:9","name":"freeipmi","purl":"pkg:rpm/rocky-linux/freeipmi?distro=rocky-linux-9&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:1.6.17-1.el9_7"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:14819"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2450778"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red 
Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:14791","modified":"2026-05-14T06:09:15.805455Z","published":"2026-05-11T12:03:36.539894Z","upstream":["CVE-2026-33636"],"summary":"Moderate: libpng security update","details":"The libpng packages contain a library of functions for creating and manipulating Portable Network Graphics (PNG) image format files.\n\nSecurity Fix(es):\n\n* libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion (CVE-2026-33636)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:9","name":"libpng","purl":"pkg:rpm/rocky-linux/libpng?distro=rocky-linux-9&epoch=2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2:1.6.37-12.el9_7.3"}],"database_specific":{"yum_repository":"BaseOS"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:14791"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2451819"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:14929","modified":"2026-05-14T06:09:14.878905Z","published":"2026-05-11T06:01:14.828317Z","upstream":["CVE-2026-4775"],"summary":"Important: mingw-libtiff security update","details":"The libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) image format files.  TIFF is a widely used file format for bitmapped images.  TIFF files usually end in the .tif extension and they are often quite large.  
The libtiff package should be installed if you need to manipulate TIFF format image files.\n\nSecurity Fix(es):\n\n* libtiff: libtiff: Arbitrary code execution or denial of service via signed integer overflow in TIFF file processing (CVE-2026-4775)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:8","name":"mingw-libtiff","purl":"pkg:rpm/rocky-linux/mingw-libtiff?distro=rocky-linux-8-x86-64&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:4.0.9-4.el8_10"}],"database_specific":{"yum_repository":"PowerTools"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:14929"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2450768"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:14200","modified":"2026-05-14T06:09:15.688394Z","published":"2026-05-08T12:03:36.527692Z","upstream":["CVE-2026-32280","CVE-2026-32282","CVE-2026-32283"],"summary":"Important: git-lfs security update","details":"Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.\n\nSecurity Fix(es):\n\n* golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)\n\n* crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n\n* crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related 
information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:9","name":"git-lfs","purl":"pkg:rpm/rocky-linux/git-lfs?distro=rocky-linux-9&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:3.6.1-8.el9_7.1"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:14200"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456336"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456338"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456339"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:13916","modified":"2026-05-14T06:09:16.906029Z","published":"2026-05-07T12:06:53.645622Z","upstream":["CVE-2026-30922","CVE-2026-32597"],"summary":"Important: fence-agents security update","details":"The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or unreachable nodes to be forcibly restarted and removed from the cluster. 
\n\nSecurity Fix(es):\n\n* pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation) (CVE-2026-32597)\n\n* pyasn1: pyasn1 Vulnerable to Denial of Service via Unbounded Recursion (CVE-2026-30922)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:10","name":"fence-agents","purl":"pkg:rpm/rocky-linux/fence-agents?distro=rocky-linux-10&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:4.16.0-13.el10_1.4"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:13916"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2448553"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2447194"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:12285","modified":"2026-05-14T06:09:16.485819Z","published":"2026-05-07T12:06:53.645622Z","upstream":["CVE-2026-6746","CVE-2026-6747","CVE-2026-6748","CVE-2026-6749","CVE-2026-6750","CVE-2026-6751","CVE-2026-6752","CVE-2026-6753","CVE-2026-6754","CVE-2026-6757","CVE-2026-6759","CVE-2026-6761","CVE-2026-6762","CVE-2026-6763","CVE-2026-6764","CVE-2026-6765","CVE-2026-6766","CVE-2026-6767","CVE-2026-6769","CVE-2026-6770","CVE-2026-6771","CVE-2026-6772","CVE-2026-6776","CVE-2026-6785","CVE-2026-6786"],"summary":"Important: thunderbird security update","details":"Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nSecurity Fix(es):\n\n* firefox: thunderbird: Incorrect boundary conditions in the Libraries component in NSS (CVE-2026-6772)\n\n* firefox: thunderbird: Use-after-free in the JavaScript Engine 
component (CVE-2026-6754)\n\n* firefox: thunderbird: Spoofing issue in the DOM: Core & HTML component (CVE-2026-6762)\n\n* firefox: thunderbird: Incorrect boundary conditions in the WebRTC component (CVE-2026-6752)\n\n* firefox: thunderbird: Other issue in the Storage: IndexedDB component (CVE-2026-6770)\n\n* firefox: thunderbird: Invalid pointer in the JavaScript: WebAssembly component (CVE-2026-6757)\n\n* firefox: thunderbird: Other issue in the Libraries component in NSS (CVE-2026-6767)\n\n* firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150 (CVE-2026-6786)\n\n* firefox: thunderbird: Incorrect boundary conditions in the WebRTC component (CVE-2026-6753)\n\n* firefox: thunderbird: Use-after-free in the Widget: Cocoa component (CVE-2026-6759)\n\n* firefox: thunderbird: Use-after-free in the WebRTC component (CVE-2026-6747)\n\n* firefox: thunderbird: Information disclosure due to uninitialized memory in the Graphics: Canvas2D component (CVE-2026-6749)\n\n* firefox: thunderbird: Incorrect boundary conditions in the Libraries component in NSS (CVE-2026-6766)\n\n* firefox: thunderbird: Privilege escalation in the Networking component (CVE-2026-6761)\n\n* firefox: thunderbird: Mitigation bypass in the File Handling component (CVE-2026-6763)\n\n* firefox: thunderbird: Privilege escalation in the Graphics: WebRender component (CVE-2026-6750)\n\n* firefox: thunderbird: Uninitialized memory in the Audio/Video: Web Codecs component (CVE-2026-6748)\n\n* firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150 (CVE-2026-6785)\n\n* firefox: thunderbird: Mitigation bypass in the DOM: Security component (CVE-2026-6771)\n\n* firefox: thunderbird: Incorrect boundary conditions in the DOM: Device Interfaces component (CVE-2026-6764)\n\n* firefox: thunderbird: Information disclosure in the Form Autofill component 
(CVE-2026-6765)\n\n* firefox: thunderbird: Privilege escalation in the Debugger component (CVE-2026-6769)\n\n* firefox: thunderbird: Uninitialized memory in the Audio/Video: Web Codecs component (CVE-2026-6751)\n\n* firefox: thunderbird: Incorrect boundary conditions in the WebRTC: Networking component (CVE-2026-6776)\n\n* firefox: thunderbird: Use-after-free in the DOM: Core & HTML component (CVE-2026-6746)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:10","name":"thunderbird","purl":"pkg:rpm/rocky-linux/thunderbird?distro=rocky-linux-10&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:140.10.0-1.el10_1"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:12285"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460109"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460112"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460076"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460075"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460086"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460104"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460099"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460106"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460094"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460088"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460105"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2
460101"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460092"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460107"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460079"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460097"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460078"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460096"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460085"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460095"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460102"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460108"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460074"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460110"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460103"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:13857","modified":"2026-05-14T06:09:15.529755Z","published":"2026-05-07T12:03:39.445016Z","upstream":["CVE-2025-59032","CVE-2026-27857","CVE-2026-27858"],"summary":"Important: dovecot security update","details":"Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages. 
\n\nSecurity Fix(es):\n\n* dovecot: ManageSieve: Denial of Service via crafted SASL initial response in AUTHENTICATE command (CVE-2025-59032)\n\n* dovecot: denial of service via crafted message before authentication (CVE-2026-27858)\n\n* dovecot: denial of service via specially crafted NOOP command (CVE-2026-27857)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:9","name":"dovecot","purl":"pkg:rpm/rocky-linux/dovecot?distro=rocky-linux-9&epoch=1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:2.3.16-15.el9_7.1"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:13857"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452172"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452175"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452179"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:13978","modified":"2026-05-14T06:09:15.632859Z","published":"2026-05-07T12:03:39.445016Z","upstream":["CVE-2026-5119"],"summary":"Moderate: libsoup security update","details":"The libsoup packages provide an HTTP client and server library for GNOME.\n\nSecurity Fix(es):\n\n* libsoup: libsoup: Information disclosure via cleartext transmission of cookies during HTTPS tunnel establishment (CVE-2026-5119)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References 
section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N"}],"affected":[{"package":{"ecosystem":"Rocky Linux:9","name":"libsoup","purl":"pkg:rpm/rocky-linux/libsoup?distro=rocky-linux-9&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:2.72.0-12.el9_7.6"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:13978"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452932"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:13917","modified":"2026-05-14T06:09:15.586970Z","published":"2026-05-07T12:03:39.445016Z","upstream":["CVE-2026-30922"],"summary":"Important: fence-agents security update","details":"The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or unreachable nodes to be forcibly restarted and removed from the cluster. 
\n\nSecurity Fix(es):\n\n* pyasn1: pyasn1 Vulnerable to Denial of Service via Unbounded Recursion (CVE-2026-30922)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:9","name":"fence-agents","purl":"pkg:rpm/rocky-linux/fence-agents?distro=rocky-linux-9&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:4.10.0-98.el9_7.13"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:13917"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2448553"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:13902","modified":"2026-05-14T06:09:14.802326Z","published":"2026-05-07T06:01:03.840543Z","upstream":["CVE-2026-30922"],"summary":"Important: resource-agents security update","details":"The resource-agents packages provide the Pacemaker and RGManager service managers with a set of scripts. 
These scripts interface with several services to allow operating in a high-availability (HA) environment.\n\nSecurity Fix(es):\n\n* pyasn1: pyasn1 Vulnerable to Denial of Service via Unbounded Recursion (CVE-2026-30922)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:8","name":"resource-agents","purl":"pkg:rpm/rocky-linux/resource-agents?distro=rocky-linux-8&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:4.9.0-54.el8_10.33"}],"database_specific":{"yum_repository":"HighAvailability"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:13902"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2448553"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:13537","modified":"2026-05-14T06:09:14.573956Z","published":"2026-05-07T06:00:59.922786Z","upstream":["CVE-2026-6746","CVE-2026-6747","CVE-2026-6748","CVE-2026-6749","CVE-2026-6750","CVE-2026-6751","CVE-2026-6752","CVE-2026-6753","CVE-2026-6754","CVE-2026-6757","CVE-2026-6759","CVE-2026-6761","CVE-2026-6762","CVE-2026-6763","CVE-2026-6764","CVE-2026-6765","CVE-2026-6766","CVE-2026-6767","CVE-2026-6769","CVE-2026-6770","CVE-2026-6771","CVE-2026-6772","CVE-2026-6776","CVE-2026-6785","CVE-2026-6786"],"summary":"Important: thunderbird security update","details":"Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nSecurity Fix(es):\n\n* firefox: thunderbird: Incorrect boundary conditions in the Libraries component in NSS (CVE-2026-6772)\n\n* firefox: thunderbird: Use-after-free in the JavaScript Engine component (CVE-2026-6754)\n\n* firefox: thunderbird: Spoofing issue in the DOM: 
Core & HTML component (CVE-2026-6762)\n\n* firefox: thunderbird: Incorrect boundary conditions in the WebRTC component (CVE-2026-6752)\n\n* firefox: thunderbird: Other issue in the Storage: IndexedDB component (CVE-2026-6770)\n\n* firefox: thunderbird: Invalid pointer in the JavaScript: WebAssembly component (CVE-2026-6757)\n\n* firefox: thunderbird: Other issue in the Libraries component in NSS (CVE-2026-6767)\n\n* firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150 (CVE-2026-6786)\n\n* firefox: thunderbird: Incorrect boundary conditions in the WebRTC component (CVE-2026-6753)\n\n* firefox: thunderbird: Use-after-free in the Widget: Cocoa component (CVE-2026-6759)\n\n* firefox: thunderbird: Use-after-free in the WebRTC component (CVE-2026-6747)\n\n* firefox: thunderbird: Information disclosure due to uninitialized memory in the Graphics: Canvas2D component (CVE-2026-6749)\n\n* firefox: thunderbird: Incorrect boundary conditions in the Libraries component in NSS (CVE-2026-6766)\n\n* firefox: thunderbird: Privilege escalation in the Networking component (CVE-2026-6761)\n\n* firefox: thunderbird: Mitigation bypass in the File Handling component (CVE-2026-6763)\n\n* firefox: thunderbird: Privilege escalation in the Graphics: WebRender component (CVE-2026-6750)\n\n* firefox: thunderbird: Uninitialized memory in the Audio/Video: Web Codecs component (CVE-2026-6748)\n\n* firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150 (CVE-2026-6785)\n\n* firefox: thunderbird: Mitigation bypass in the DOM: Security component (CVE-2026-6771)\n\n* firefox: thunderbird: Incorrect boundary conditions in the DOM: Device Interfaces component (CVE-2026-6764)\n\n* firefox: thunderbird: Information disclosure in the Form Autofill component (CVE-2026-6765)\n\n* firefox: thunderbird: Privilege escalation in the Debugger component 
(CVE-2026-6769)\n\n* firefox: thunderbird: Uninitialized memory in the Audio/Video: Web Codecs component (CVE-2026-6751)\n\n* firefox: thunderbird: Incorrect boundary conditions in the WebRTC: Networking component (CVE-2026-6776)\n\n* firefox: thunderbird: Use-after-free in the DOM: Core & HTML component (CVE-2026-6746)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:8","name":"thunderbird","purl":"pkg:rpm/rocky-linux/thunderbird?distro=rocky-linux-8&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:140.10.0-1.el8_10"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:13537"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460074"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460075"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460076"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460078"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460079"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460085"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460086"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460088"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460092"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460094"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460095"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460096"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460097"},{"typ
e":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460099"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460101"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460102"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460103"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460104"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460105"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460106"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460107"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460108"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460109"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460110"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460112"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:13830","modified":"2026-05-14T06:09:14.667954Z","published":"2026-05-07T06:00:59.922786Z","upstream":["CVE-2025-59032","CVE-2026-27857","CVE-2026-27858"],"summary":"Important: dovecot security update","details":"Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages. 
\n\nSecurity Fix(es):\n\n* dovecot: ManageSieve: Denial of Service via crafted SASL initial response in AUTHENTICATE command (CVE-2025-59032)\n\n* dovecot: denial of service via crafted message before authentication (CVE-2026-27858)\n\n* dovecot: denial of service via specially crafted NOOP command (CVE-2026-27857)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:8","name":"dovecot","purl":"pkg:rpm/rocky-linux/dovecot?distro=rocky-linux-8&epoch=1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:2.3.16-7.el8_10"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:13830"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452172"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452175"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452179"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:13414","modified":"2026-05-14T06:09:14.529851Z","published":"2026-05-07T06:00:59.922786Z","upstream":["CVE-2026-33999","CVE-2026-34001","CVE-2026-34003","CVE-2026-34352"],"summary":"Important: tigervnc security update","details":"Virtual Network Computing (VNC) is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. 
TigerVNC is a suite of VNC servers and clients.\n\nSecurity Fix(es):\n\n* xorg: xwayland: X.Org X server: Denial of Service via integer underflow in XKB compatibility map handling (CVE-2026-33999)\n\n* xorg: xwayland: X.Org X server: Use-after-free vulnerability leads to server crash and potential memory corruption (CVE-2026-34001)\n\n* xorg: xwayland: X.Org X server: Information exposure and denial of service via out-of-bounds memory access (CVE-2026-34003)\n\n* TigerVNC: x0vncserver: TigerVNC x0vncserver: Information disclosure, data manipulation, and denial of service via incorrect permissions (CVE-2026-34352)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:8","name":"tigervnc","purl":"pkg:rpm/rocky-linux/tigervnc?distro=rocky-linux-8&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:1.15.0-9.el8_10"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:13414"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2451106"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2451109"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2451113"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452022"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:14087","modified":"2026-05-14T06:09:13.988709Z","published":"2026-05-07T06:00:45.574113Z","upstream":["CVE-2026-5119"],"summary":"Moderate: libsoup security update","details":"The libsoup packages provide an HTTP client and server library for GNOME.\n\nSecurity Fix(es):\n\n* libsoup: 
libsoup: Information disclosure via cleartext transmission of cookies during HTTPS tunnel establishment (CVE-2026-5119)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N"}],"affected":[{"package":{"ecosystem":"Rocky Linux:8","name":"libsoup","purl":"pkg:rpm/rocky-linux/libsoup?distro=rocky-linux-8&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:2.62.3-14.el8_10"}],"database_specific":{"yum_repository":"BaseOS"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:14087"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452932"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:13644","modified":"2026-05-14T06:09:16.837451Z","published":"2026-05-06T12:05:16.751656Z","upstream":["CVE-2026-35091","CVE-2026-35092"],"summary":"Moderate: corosync security update","details":"The corosync packages provide the Corosync Cluster Engine and C APIs for Rocky Linux cluster software.\n\nSecurity Fix(es):\n\n* corosync: Corosync: Denial of Service and information disclosure via crafted UDP packet (CVE-2026-35091)\n\n* corosync: Corosync: Denial of Service via integer overflow in join message validation (CVE-2026-35092)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"}],"affected":[{"package":{"ecosystem":"Rocky 
Linux:10","name":"corosync","purl":"pkg:rpm/rocky-linux/corosync?distro=rocky-linux-10&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:3.1.9-2.el10_1.1"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:13644"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453814"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453813"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:13641","modified":"2026-05-14T06:09:16.776099Z","published":"2026-05-06T12:05:16.751656Z","upstream":["CVE-2026-31958","CVE-2026-35536"],"summary":"Moderate: python-tornado security update","details":"Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.\n\nSecurity Fix(es):\n\n* tornado-python: Tornado: Denial of Service via large multipart bodies (CVE-2026-31958)\n\n* tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments (CVE-2026-35536)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}],"affected":[{"package":{"ecosystem":"Rocky 
Linux:10","name":"python-tornado","purl":"pkg:rpm/rocky-linux/python-tornado?distro=rocky-linux-10&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:6.5.5-1.el10_1.1"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:13641"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2454716"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2446765"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:10217","modified":"2026-05-14T06:09:16.037630Z","published":"2026-05-06T12:05:16.751656Z","upstream":["CVE-2026-27140","CVE-2026-27143","CVE-2026-27144","CVE-2026-32280","CVE-2026-32282","CVE-2026-32283"],"summary":"Important: golang security update","details":"The golang packages provide the Go programming language compiler.\n\nSecurity Fix(es):\n\n* golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)\n\n* crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n\n* crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)\n\n* golang: cmd/compile: no-op interface conversion bypasses overlap checking (CVE-2026-27144)\n\n* cmd/go: golang: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names (CVE-2026-27140)\n\n* golang: cmd/compile: possible memory corruption after bound check elimination (CVE-2026-27143)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky 
Linux:10","name":"golang","purl":"pkg:rpm/rocky-linux/golang?distro=rocky-linux-10&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:1.25.9-3.el10_1"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:10217"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456338"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456341"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456336"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456339"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456340"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456342"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:11881","modified":"2026-05-14T06:09:16.388171Z","published":"2026-05-06T12:05:16.751656Z","upstream":["CVE-2026-32283"],"summary":"Important: grafana-pcp security update","details":"The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards.\n\nSecurity Fix(es):\n\n* crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"affected":[{"package":{"ecosystem":"Rocky 
Linux:10","name":"grafana-pcp","purl":"pkg:rpm/rocky-linux/grafana-pcp?distro=rocky-linux-10&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:5.3.0-4.el10_1"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:11881"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456338"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:13498","modified":"2026-05-14T06:09:16.582494Z","published":"2026-05-06T12:05:16.751656Z","upstream":["CVE-2025-59032","CVE-2026-27857","CVE-2026-27858"],"summary":"Important: dovecot security update","details":"Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages. 
\n\nSecurity Fix(es):\n\n* dovecot: ManageSieve: Denial of Service via crafted SASL initial response in AUTHENTICATE command (CVE-2025-59032)\n\n* dovecot: denial of service via crafted message before authentication (CVE-2026-27858)\n\n* dovecot: denial of service via specially crafted NOOP command (CVE-2026-27857)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:10","name":"dovecot","purl":"pkg:rpm/rocky-linux/dovecot?distro=rocky-linux-10&epoch=1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:2.3.21-16.el10_1.1"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:13498"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452175"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452179"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452172"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:13515","modified":"2026-05-14T06:09:16.639371Z","published":"2026-05-06T12:05:16.751656Z","upstream":["CVE-2026-33554"],"summary":"Moderate: freeipmi security update","details":"The freeipmi packages contain an Intelligent Platform Management Interface (IPMI) remote console and system management software based on the IPMI specification.\n\nSecurity Fix(es):\n\n* freeipmi: buffer overflows on response messages via ipmi-oem (CVE-2026-33554)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References 
section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:10","name":"freeipmi","purl":"pkg:rpm/rocky-linux/freeipmi?distro=rocky-linux-10&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:1.6.17-1.el10_1"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:13515"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2450778"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:11712","modified":"2026-05-14T06:09:16.332953Z","published":"2026-05-06T12:05:16.751656Z","upstream":["CVE-2026-32282","CVE-2026-32283"],"summary":"Important: grafana security update","details":"Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. \n\nSecurity Fix(es):\n\n* golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)\n\n* crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky 
Linux:10","name":"grafana","purl":"pkg:rpm/rocky-linux/grafana?distro=rocky-linux-10&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:10.2.6-25.el10_1"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:11712"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456336"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456338"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:13566","modified":"2026-05-14T06:09:16.724761Z","published":"2026-05-06T12:05:16.751656Z","upstream":["CVE-2026-23270","CVE-2026-31402","CVE-2026-31419","CVE-2026-31431","CVE-2026-43077"],"summary":"Important: kernel security update","details":"The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* kernel: Linux kernel: Use-after-free in traffic control (act_ct) may lead to denial of service or privilege escalation (CVE-2026-23270)\n\n* kernel: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (CVE-2026-31402)\n\n* kernel: Linux kernel: Use-after-free in bonding driver leads to denial of service (CVE-2026-31419)\n\n* kernel: crypto: algif_aead - Revert to operating out-of-place (CVE-2026-31431)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky 
Linux:10","name":"kernel","purl":"pkg:rpm/rocky-linux/kernel?distro=rocky-linux-10&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:6.12.0-124.55.1.el10_1"}],"database_specific":{"yum_repository":"BaseOS"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:13566"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460538"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2454844"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2448745"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2457829"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2467022"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:11711","modified":"2026-05-14T06:09:15.148735Z","published":"2026-05-06T12:01:51.637927Z","upstream":["CVE-2026-32282","CVE-2026-32283"],"summary":"Important: grafana security update","details":"Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. 
\n\nSecurity Fix(es):\n\n* golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)\n\n* crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:9","name":"grafana","purl":"pkg:rpm/rocky-linux/grafana?distro=rocky-linux-9&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:10.2.6-21.el9_7"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:11711"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456336"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456338"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:13565","modified":"2026-05-14T06:09:15.336346Z","published":"2026-05-06T12:01:51.637927Z","upstream":["CVE-2026-23136","CVE-2026-23270","CVE-2026-31402","CVE-2026-31431","CVE-2026-43077"],"summary":"Important: kernel security update","details":"The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* kernel: Linux kernel: Denial of Service in libceph OSD client due to unreset sparse-read state (CVE-2026-23136)\n\n* kernel: Linux kernel: Use-after-free in traffic control (act_ct) may lead to denial of service or privilege escalation (CVE-2026-23270)\n\n* kernel: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (CVE-2026-31402)\n\n* kernel: crypto: algif_aead - Revert to operating out-of-place (CVE-2026-31431)\n\nFor more details about the security issue(s), 
including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:9","name":"kernel","purl":"pkg:rpm/rocky-linux/kernel?distro=rocky-linux-9&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:5.14.0-611.54.1.el9_7"}],"database_specific":{"yum_repository":"BaseOS"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:13565"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2439852"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2448745"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2454844"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460538"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2467022"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:10219","modified":"2026-05-14T06:09:14.920705Z","published":"2026-05-06T12:01:51.637927Z","upstream":["CVE-2026-27140","CVE-2026-27143","CVE-2026-27144","CVE-2026-32280","CVE-2026-32282","CVE-2026-32283"],"summary":"Important: golang security update","details":"The golang packages provide the Go programming language compiler.\n\nSecurity Fix(es):\n\n* golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)\n\n* crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n\n* crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)\n\n* golang: cmd/compile: no-op interface conversion bypasses overlap checking (CVE-2026-27144)\n\n* cmd/go: golang: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names 
(CVE-2026-27140)\n\n* golang: cmd/compile: possible memory corruption after bound check elimination (CVE-2026-27143)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:9","name":"golang","purl":"pkg:rpm/rocky-linux/golang?distro=rocky-linux-9&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:1.25.9-1.el9_7"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:10219"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456336"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456338"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456339"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456340"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456341"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456342"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:11704","modified":"2026-05-14T06:09:15.107539Z","published":"2026-05-06T12:01:51.637927Z","upstream":["CVE-2026-32282","CVE-2026-32283"],"summary":"Important: grafana-pcp security update","details":"The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards.\n\nSecurity Fix(es):\n\n* golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)\n\n* crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n\nFor 
more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:9","name":"grafana-pcp","purl":"pkg:rpm/rocky-linux/grafana-pcp?distro=rocky-linux-9&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:5.1.1-14.el9_7"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:11704"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456336"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456338"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:13578","modified":"2026-05-14T06:09:14.837227Z","published":"2026-05-06T12:00:40.517652Z","upstream":["CVE-2024-41073","CVE-2025-40252","CVE-2025-68724","CVE-2026-23401","CVE-2026-31402","CVE-2026-31431","CVE-2026-43077"],"summary":"Important: kernel-rt security update","details":"The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nSecurity Fix(es):\n\n* kernel: nvme: avoid double free special payload (CVE-2024-41073)\n\n* kernel: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() (CVE-2025-40252)\n\n* kernel: crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id (CVE-2025-68724)\n\n* kernel: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (CVE-2026-31402)\n\n* kernel: Linux kernel KVM: Privilege escalation or denial of service due to improper shadow page table entry handling (CVE-2026-23401)\n\n* kernel: crypto: algif_aead - Revert to operating out-of-place (CVE-2026-31431)\n\nFor more details about 
the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:8","name":"kernel-rt","purl":"pkg:rpm/rocky-linux/kernel-rt?distro=rocky-linux-8&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:4.18.0-553.123.1.rt7.464.el8_10"}],"database_specific":{"yum_repository":"NFV"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:13578"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2301637"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2418875"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2424886"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453803"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2454844"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460538"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2467022"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:11514","modified":"2026-05-14T06:09:14.282467Z","published":"2026-05-06T12:00:32.501695Z","upstream":["CVE-2026-32280","CVE-2026-32282","CVE-2026-32283"],"summary":"Important: grafana-pcp security update","details":"The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards.\n\nSecurity Fix(es):\n\n* golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)\n\n* crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n\n* crypto/x509: crypto/tls: golang: 
Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:8","name":"grafana-pcp","purl":"pkg:rpm/rocky-linux/grafana-pcp?distro=rocky-linux-8&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:5.1.1-14.el8_10"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:11514"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456336"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456338"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456339"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:10704","modified":"2026-05-14T06:09:14.187576Z","published":"2026-05-06T12:00:32.501695Z","upstream":["CVE-2026-27140","CVE-2026-27143","CVE-2026-27144","CVE-2026-32280","CVE-2026-32282","CVE-2026-32283"],"summary":"Important: go-toolset:rhel8 security update","details":"Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. 
\n\nSecurity Fix(es):\n\n* golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)\n\n* crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n\n* crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)\n\n* golang: cmd/compile: no-op interface conversion bypasses overlap checking (CVE-2026-27144)\n\n* cmd/go: golang: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names (CVE-2026-27140)\n\n* golang: cmd/compile: possible memory corruption after bound check elimination (CVE-2026-27143)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:8","name":"delve","purl":"pkg:rpm/rocky-linux/delve?distro=rocky-linux-8&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:1.25.2-1.module+el8.10.0+40035+ee0a7047"}],"database_specific":{"yum_repository":"AppStream"}}]},{"package":{"ecosystem":"Rocky 
Linux:8","name":"golang","purl":"pkg:rpm/rocky-linux/golang?distro=rocky-linux-8&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:1.25.9-1.module+el8.10.0+40168+6cb0ea60"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:10704"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456336"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456338"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456339"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456340"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456341"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456342"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:11507","modified":"2026-05-14T06:09:14.248574Z","published":"2026-05-06T12:00:32.501695Z","upstream":["CVE-2026-32280","CVE-2026-32282","CVE-2026-32283"],"summary":"Important: grafana security update","details":"Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. 
\n\nSecurity Fix(es):\n\n* golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)\n\n* crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n\n* crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:8","name":"grafana","purl":"pkg:rpm/rocky-linux/grafana?distro=rocky-linux-8&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:9.2.10-30.el8_10"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:11507"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456336"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456338"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456339"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:13577","modified":"2026-05-14T06:09:13.952952Z","published":"2026-05-06T12:00:19.993560Z","upstream":["CVE-2024-41073","CVE-2025-40252","CVE-2025-68724","CVE-2026-23401","CVE-2026-31402","CVE-2026-31431","CVE-2026-43077"],"summary":"Important: kernel security update","details":"The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* kernel: nvme: avoid double free special payload (CVE-2024-41073)\n\n* kernel: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() (CVE-2025-40252)\n\n* kernel: crypto: asymmetric_keys - prevent overflow in 
asymmetric_key_generate_id (CVE-2025-68724)\n\n* kernel: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (CVE-2026-31402)\n\n* kernel: Linux kernel KVM: Privilege escalation or denial of service due to improper shadow page table entry handling (CVE-2026-23401)\n\n* kernel: crypto: algif_aead - Revert to operating out-of-place (CVE-2026-31431)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:8","name":"kernel","purl":"pkg:rpm/rocky-linux/kernel?distro=rocky-linux-8&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:4.18.0-553.123.1.el8_10"}],"database_specific":{"yum_repository":"BaseOS"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:13577"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2301637"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2418875"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2424886"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453803"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2454844"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460538"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2467022"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:13670","modified":"2026-05-14T06:09:15.377120Z","published":"2026-05-06T06:02:14.811706Z","upstream":["CVE-2026-31958","CVE-2026-35536"],"summary":"Moderate: python-tornado security update","details":"Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very 
high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.\n\nSecurity Fix(es):\n\n* tornado-python: Tornado: Denial of Service via large multipart bodies (CVE-2026-31958)\n\n* tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments (CVE-2026-35536)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}],"affected":[{"package":{"ecosystem":"Rocky Linux:9","name":"python-tornado","purl":"pkg:rpm/rocky-linux/python-tornado?distro=rocky-linux-9&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:6.5.5-1.el9_7.1"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:13670"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2446765"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2454716"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:13673","modified":"2026-05-14T06:09:15.477706Z","published":"2026-05-06T06:02:14.811706Z","upstream":["CVE-2026-35091","CVE-2026-35092"],"summary":"Moderate: corosync security update","details":"The corosync packages provide the Corosync Cluster Engine and C APIs for Rocky Linux cluster software.\n\nSecurity Fix(es):\n\n* corosync: Corosync: Denial of Service and information disclosure via crafted UDP packet (CVE-2026-35091)\n\n* corosync: Corosync: Denial of Service via integer overflow in join message validation (CVE-2026-35092)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to 
the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:9","name":"corosync","purl":"pkg:rpm/rocky-linux/corosync?distro=rocky-linux-9&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:3.1.9-2.el9_7.1"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:13673"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453813"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453814"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:13672","modified":"2026-05-14T06:09:15.431452Z","published":"2026-05-06T06:02:14.811706Z","upstream":["CVE-2026-26007","CVE-2026-32597"],"summary":"Important: fence-agents security update","details":"The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or unreachable nodes to be forcibly restarted and removed from the cluster. 
\n\nSecurity Fix(es):\n\n* cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves (CVE-2026-26007)\n\n* pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation) (CVE-2026-32597)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"affected":[{"package":{"ecosystem":"Rocky Linux:9","name":"fence-agents","purl":"pkg:rpm/rocky-linux/fence-agents?distro=rocky-linux-9&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:4.10.0-98.el9_7.12"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:13672"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2438762"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2447194"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:13657","modified":"2026-05-14T06:09:14.622805Z","published":"2026-05-06T06:00:55.617468Z","upstream":["CVE-2026-35091","CVE-2026-35092"],"summary":"Moderate: corosync security update","details":"The corosync packages provide the Corosync Cluster Engine and C APIs for Rocky Linux cluster software.\n\nSecurity Fix(es):\n\n* corosync: Corosync: Denial of Service and information disclosure via crafted UDP packet (CVE-2026-35091)\n\n* corosync: Corosync: Denial of Service via integer overflow in join message validation (CVE-2026-35092)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References 
section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:8","name":"corosync","purl":"pkg:rpm/rocky-linux/corosync?distro=rocky-linux-8&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:3.1.8-1.el8_10.1"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:13657"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453813"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453814"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:13284","modified":"2026-05-14T06:09:14.483373Z","published":"2026-05-06T06:00:55.617468Z","upstream":["CVE-2026-20889","CVE-2026-21413","CVE-2026-24660"],"summary":"Important: LibRaw security update","details":"LibRaw is a library for reading RAW files obtained from digital photo cameras (CRW/CR2, NEF, RAF, DNG, and others).\n\nSecurity Fix(es):\n\n* LibRaw: LibRaw: Memory Corruption via Malicious File Processing (CVE-2026-24660)\n\n* LibRaw: LibRaw: Arbitrary code execution via heap-based buffer overflow in lossless JPEG loading (CVE-2026-21413)\n\n* LibRaw: LibRaw: Arbitrary code execution via specially crafted image file (CVE-2026-20889)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky 
Linux:8","name":"LibRaw","purl":"pkg:rpm/rocky-linux/LibRaw?distro=rocky-linux-8&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:0.19.5-6.el8_10"}],"database_specific":{"yum_repository":"AppStream"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:13284"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455926"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455929"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455942"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:13383","modified":"2026-05-14T06:09:13.916863Z","published":"2026-05-06T06:00:43.332340Z","upstream":["CVE-2026-35385","CVE-2026-35386","CVE-2026-35387","CVE-2026-35388","CVE-2026-35414"],"summary":"Important: openssh security update","details":"OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. 
It includes the core files necessary for both the OpenSSH client and server.\n\nSecurity Fix(es):\n\n* OpenSSH: OpenSSH: Privilege escalation via scp legacy protocol when not preserving file mode (CVE-2026-35385)\n\n* OpenSSH: OpenSSH: Security bypass via mishandling of authorized_keys principals option (CVE-2026-35414)\n\n* OpenSSH: OpenSSH: Information disclosure due to unintended cryptographic algorithm usage (CVE-2026-35387)\n\n* OpenSSH: OpenSSH: Low integrity impact from unconfirmed proxy-mode multiplexing sessions (CVE-2026-35388)\n\n* OpenSSH: OpenSSH: Arbitrary command execution via shell metacharacters in username (CVE-2026-35386)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:8","name":"openssh","purl":"pkg:rpm/rocky-linux/openssh?distro=rocky-linux-8&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:8.0p1-29.el8_10"}],"database_specific":{"yum_repository":"BaseOS"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:13383"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2454469"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2454490"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2454494"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2454500"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2454506"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:13285","modified":"2026-05-14T06:09:13.885546Z","published":"2026-05-06T06:00:43.332340Z","upstream":["CVE-2026-4878"],"summary":"Important: libcap security update","details":"Libcap is a 
library for getting and setting POSIX.1e (formerly POSIX 6) draft 15 capabilities.\n\nSecurity Fix(es):\n\n* libcap: libcap: Privilege escalation via TOCTOU race condition in cap_set_file() (CVE-2026-4878)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky Linux:8","name":"libcap","purl":"pkg:rpm/rocky-linux/libcap?distro=rocky-linux-8&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:2.48-6.el8_10.1"}],"database_specific":{"yum_repository":"BaseOS"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:13285"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2451615"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]},{"schema_version":"1.7.0","id":"RLSA-2026:12423","modified":"2026-05-14T06:09:16.532480Z","published":"2026-05-03T12:06:49.800095Z","upstream":["CVE-2026-4878"],"summary":"Important: libcap security update","details":"Libcap is a library for getting and setting POSIX.1e (formerly POSIX 6) draft 15 capabilities.\n\nSecurity Fix(es):\n\n* libcap: libcap: Privilege escalation via TOCTOU race condition in cap_set_file() (CVE-2026-4878)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Rocky 
Linux:10","name":"libcap","purl":"pkg:rpm/rocky-linux/libcap?distro=rocky-linux-10&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:2.69-7.el10_1.1"}],"database_specific":{"yum_repository":"BaseOS"}}]}],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:12423"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2451615"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]}],"total":50,"page":1,"size":50,"links":{"first":"/api/v3/osv/?page=1","last":"/api/v3/osv/?page=1","self":"/api/v3/osv/"},"last_updated_at":"2026-05-14T05:58:04Z"}