- Announce - AlmaLinux List Archives

[Security Advisory] ALSA-2026:3887: postgresql16 security update (Important)
by AlmaLinux Errata Notifications 07 Mar '26

07 Mar '26

Hi, You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux. AlmaLinux: 10 Type: Security Severity: Important Release date: 2026-03-06 Summary: PostgreSQL is an advanced Object-Relational database management system (DBMS). The base postgresql package contains the client programs that you'll need to access a PostgreSQL DBMS server, as well as HTML documentation for the whole system. These client programs can be located on the same machine as the PostgreSQL server, or on a remote machine that accesses a PostgreSQL server over a network connection. The PostgreSQL server can be found in the postgresql-server sub-package. Security Fix(es): * postgresql: PostgreSQL missing validation of multibyte character length executes arbitrary code (CVE-2026-2006) * postgresql: PostgreSQL intarray missing validation of type of input to selectivity estimator executes arbitrary code (CVE-2026-2004) * postgresql: PostgreSQL pgcrypto heap buffer overflow executes arbitrary code (CVE-2026-2005) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2026-3887.html This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/. Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org. Kind regards, AlmaLinux Team

1 0

[Security Advisory] ALSA-2026:3864: delve security update (Important)
by AlmaLinux Errata Notifications 07 Mar '26

07 Mar '26

Hi, You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux. AlmaLinux: 10 Type: Security Severity: Important Release date: 2026-03-06 Summary: Delve is a debugger for the Go programming language. The goal of the project is to provide a simple, full featured debugging tool for Go. Delve should be easy to invoke and easy to use. Chances are if you're using a debugger, things aren't going your way. With that in mind, Delve should stay out of your way as much as possible. Security Fix(es): * crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729) * golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726) * crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2026-3864.html This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/. Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org. Kind regards, AlmaLinux Team

1 0

[Security Advisory] ALSA-2026:3928: git-lfs security update (Important)
by AlmaLinux Errata Notifications 07 Mar '26

07 Mar '26

Hi, You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux. AlmaLinux: 9 Type: Security Severity: Important Release date: 2026-03-06 Summary: Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server. Security Fix(es): * crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729) * golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726) * crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2026-3928.html This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/. Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org. Kind regards, AlmaLinux Team

1 0

[Security Advisory] ALSA-2026:3515: thunderbird security update (Important)
by AlmaLinux Errata Notifications 05 Mar '26

05 Mar '26

Hi, You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux. AlmaLinux: 8 Type: Security Severity: Important Release date: 2026-03-04 Summary: Mozilla Thunderbird is a standalone mail and newsgroup client. Security Fix(es): * libvpx: Heap buffer overflow in libvpx (CVE-2026-2447) * firefox: Invalid pointer in the JavaScript Engine component (CVE-2026-2785) * firefox: Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 (CVE-2026-2793) * firefox: Undefined behavior in the DOM: Core & HTML component (CVE-2026-2771) * firefox: Integer overflow in the Audio/Video component (CVE-2026-2774) * firefox: Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software (CVE-2026-2776) * firefox: Integer overflow in the Libraries component in NSS (CVE-2026-2781) * firefox: Use-after-free in the JavaScript Engine: JIT component (CVE-2026-2766) * firefox: Use-after-free in the Storage: IndexedDB component (CVE-2026-2769) * firefox: Use-after-free in the DOM: Window and Location component (CVE-2026-2787) * firefox: Sandbox escape in the Storage: IndexedDB component (CVE-2026-2768) * firefox: Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component (CVE-2026-2783) * firefox: Incorrect boundary conditions in the Audio/Video: GMP component (CVE-2026-2788) * firefox: Mitigation bypass in the DOM: Security component (CVE-2026-2784) * firefox: Incorrect boundary conditions in the Graphics: ImageLib component (CVE-2026-2759) * firefox: Integer overflow in the JavaScript: Standard Library component (CVE-2026-2762) * firefox: Sandbox escape in the Graphics: WebRender component (CVE-2026-2761) * firefox: Privilege escalation in the Messaging System component (CVE-2026-2777) * firefox: Same-origin policy bypass in the Networking: JAR component (CVE-2026-2790) * firefox: Mitigation bypass in the DOM: HTML Parser component (CVE-2026-2775) * firefox: Use-after-free in the JavaScript Engine component (CVE-2026-2763) * firefox: Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 (CVE-2026-2792) * firefox: Incorrect boundary conditions in the Web Audio component (CVE-2026-2773) * firefox: Use-after-free in the JavaScript Engine component (CVE-2026-2786) * firefox: Use-after-free in the Graphics: ImageLib component (CVE-2026-2789) * firefox: thunderbird: Incorrect boundary conditions in the WebRTC: Audio/Video component (CVE-2026-2757) * firefox: Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component (CVE-2026-2760) * firefox: Use-after-free in the Audio/Video: Playback component (CVE-2026-2772) * firefox: Incorrect boundary conditions in the Networking: JAR component (CVE-2026-2779) * firefox: Use-after-free in the JavaScript: WebAssembly component (CVE-2026-2767) * firefox: JIT miscompilation, use-after-free in the JavaScript Engine: JIT component (CVE-2026-2764) * firefox: Privilege escalation in the Netmonitor component (CVE-2026-2782) * firefox: Use-after-free in the JavaScript Engine component (CVE-2026-2765) * firefox: Privilege escalation in the Netmonitor component (CVE-2026-2780) * firefox: Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component (CVE-2026-2778) * firefox: Use-after-free in the JavaScript: GC component (CVE-2026-2758) * firefox: Mitigation bypass in the Networking: Cache component (CVE-2026-2791) * firefox: Use-after-free in the DOM: Bindings (WebIDL) component (CVE-2026-2770) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2026-3515.html This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/. Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org. Kind regards, AlmaLinux Team

1 0

[Security Advisory] ALSA-2026:3443: valkey security update (Important)
by AlmaLinux Errata Notifications 05 Mar '26

05 Mar '26

Hi, You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux. AlmaLinux: 10 Type: Security Severity: Important Release date: 2026-03-05 Summary: Valkey is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing to a list; computing set intersection, union and difference; or getting the member with highest ranking in a sorted set. In order to achieve its outstanding performance, Valkey works with an in-memory dataset. Depending on your use case, you can persist it either by dumping the dataset to disk every once in a while, or by appending each command to a log. Valkey also supports trivial-to-setup master-slave replication, with very fast non-blocking first synchronization, auto-reconnection on net split and so forth. Other features include Transactions, Pub/Sub, Lua scripting, Keys with a limited time-to-live, and configuration settings to make Valkey behave like a cache. You can use Valkey from most programming languages also. Security Fix(es): * Valkey: Valkey: Data tampering and denial of service via improper null character handling in Lua scripts (CVE-2025-67733) * valkey: Valkey: Denial of Service via invalid clusterbus packet (CVE-2026-21863) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2026-3443.html This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/. Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org. Kind regards, AlmaLinux Team

1 0

[Security Advisory] ALSA-2026:3476: udisks2 security update (Important)
by AlmaLinux Errata Notifications 05 Mar '26

05 Mar '26

Hi, You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux. AlmaLinux: 10 Type: Security Severity: Important Release date: 2026-03-05 Summary: The Udisks project provides a daemon, tools, and libraries to access and manipulate disks, storage devices, and technologies. Security Fix(es): * udisks: Missing Authorization Check Allows Unprivileged Users to Back Up LUKS Headers via udisks D-Bus API (CVE-2026-26104) * udisks: Missing Authorization Check Allows Unprivileged Users to Restore LUKS Headers via udisks D-Bus API (CVE-2026-26103) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2026-3476.html This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/. Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org. Kind regards, AlmaLinux Team

1 0

[Security Advisory] ALSA-2026:3517: thunderbird security update (Important)
by AlmaLinux Errata Notifications 05 Mar '26

05 Mar '26

Hi, You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux. AlmaLinux: 10 Type: Security Severity: Important Release date: 2026-03-05 Summary: Mozilla Thunderbird is a standalone mail and newsgroup client. Security Fix(es): * libvpx: Heap buffer overflow in libvpx (CVE-2026-2447) * firefox: Invalid pointer in the JavaScript Engine component (CVE-2026-2785) * firefox: Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 (CVE-2026-2793) * firefox: Undefined behavior in the DOM: Core & HTML component (CVE-2026-2771) * firefox: Integer overflow in the Audio/Video component (CVE-2026-2774) * firefox: Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software (CVE-2026-2776) * firefox: Integer overflow in the Libraries component in NSS (CVE-2026-2781) * firefox: Use-after-free in the JavaScript Engine: JIT component (CVE-2026-2766) * firefox: Use-after-free in the Storage: IndexedDB component (CVE-2026-2769) * firefox: Use-after-free in the DOM: Window and Location component (CVE-2026-2787) * firefox: Sandbox escape in the Storage: IndexedDB component (CVE-2026-2768) * firefox: Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component (CVE-2026-2783) * firefox: Incorrect boundary conditions in the Audio/Video: GMP component (CVE-2026-2788) * firefox: Mitigation bypass in the DOM: Security component (CVE-2026-2784) * firefox: Incorrect boundary conditions in the Graphics: ImageLib component (CVE-2026-2759) * firefox: Integer overflow in the JavaScript: Standard Library component (CVE-2026-2762) * firefox: Sandbox escape in the Graphics: WebRender component (CVE-2026-2761) * firefox: Privilege escalation in the Messaging System component (CVE-2026-2777) * firefox: Same-origin policy bypass in the Networking: JAR component (CVE-2026-2790) * firefox: Mitigation bypass in the DOM: HTML Parser component (CVE-2026-2775) * firefox: Use-after-free in the JavaScript Engine component (CVE-2026-2763) * firefox: Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 (CVE-2026-2792) * firefox: Incorrect boundary conditions in the Web Audio component (CVE-2026-2773) * firefox: Use-after-free in the JavaScript Engine component (CVE-2026-2786) * firefox: Use-after-free in the Graphics: ImageLib component (CVE-2026-2789) * firefox: thunderbird: Incorrect boundary conditions in the WebRTC: Audio/Video component (CVE-2026-2757) * firefox: Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component (CVE-2026-2760) * firefox: Use-after-free in the Audio/Video: Playback component (CVE-2026-2772) * firefox: Incorrect boundary conditions in the Networking: JAR component (CVE-2026-2779) * firefox: Use-after-free in the JavaScript: WebAssembly component (CVE-2026-2767) * firefox: JIT miscompilation, use-after-free in the JavaScript Engine: JIT component (CVE-2026-2764) * firefox: Privilege escalation in the Netmonitor component (CVE-2026-2782) * firefox: Use-after-free in the JavaScript Engine component (CVE-2026-2765) * firefox: Privilege escalation in the Netmonitor component (CVE-2026-2780) * firefox: Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component (CVE-2026-2778) * firefox: Use-after-free in the JavaScript: GC component (CVE-2026-2758) * firefox: Mitigation bypass in the Networking: Cache component (CVE-2026-2791) * firefox: Use-after-free in the DOM: Bindings (WebIDL) component (CVE-2026-2770) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2026-3517.html This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/. Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org. Kind regards, AlmaLinux Team

1 0

[Security Advisory] ALSA-2026:3669: go-rpm-macros security update (Important)
by AlmaLinux Errata Notifications 05 Mar '26

05 Mar '26

Hi, You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux. AlmaLinux: 10 Type: Security Severity: Important Release date: 2026-03-04 Summary: This package provides build-stage rpm automation to simplify the creation of Go language (golang) packages. It does not need to be included in the default build root: go-srpm-macros will pull it in for Go packages only. Security Fix(es): * golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2026-3669.html This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/. Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org. Kind regards, AlmaLinux Team

1 0

[Security Advisory] ALSA-2026:3551: libpng security update (Important)
by AlmaLinux Errata Notifications 05 Mar '26

05 Mar '26

Hi, You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux. AlmaLinux: 10 Type: Security Severity: Important Release date: 2026-03-04 Summary: The libpng packages contain a library of functions for creating and manipulating Portable Network Graphics (PNG) image format files. Security Fix(es): * libpng: libpng: Information disclosure and denial of service via integer truncation in simplified write API (CVE-2026-22801) * libpng: libpng: Denial of service and information disclosure via heap buffer over-read in png_image_finish_read (CVE-2026-22695) * libpng: LIBPNG has a heap buffer overflow in png_set_quantize (CVE-2026-25646) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2026-3551.html This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/. Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org. Kind regards, AlmaLinux Team

1 0

[Security Advisory] ALSA-2026:3668: go-rpm-macros security update (Important)
by AlmaLinux Errata Notifications 04 Mar '26

04 Mar '26

Hi, You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux. AlmaLinux: 9 Type: Security Severity: Important Release date: 2026-03-04 Summary: This package provides build-stage rpm automation to simplify the creation of Go language (golang) packages. It does not need to be included in the default build root: go-srpm-macros will pull it in for Go packages only. Security Fix(es): * golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2026-3668.html This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/. Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org. Kind regards, AlmaLinux Team

1 0