The following Fedora EPEL 8 Security updates need testing:
 Age  URL
  70  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-5b2095e2c2   xpdf-4.06-1.el8
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-cf486df588   opencc-1.0.5-4.el8
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-58d7d41403   java-latest-openjdk-26.0.0.0.32-0.0.1.ea.el8


The following builds have been pushed to Fedora EPEL 8 updates-testing

    scitokens-cpp-1.3.0-1.el8
    xrdp-0.10.5-1.el8

Details about builds:


================================================================================
 scitokens-cpp-1.3.0-1.el8 (FEDORA-EPEL-2026-1819f4d1e3)
 C++ Implementation of the SciTokens Library
--------------------------------------------------------------------------------
Update Information:

Add scitokens-generate-jwks CLI for key generation.
Add environment variable-based configuration on library initialization.
Add per-issuer lock to prevent multiple concurrent queries against issuers
without a known key
Add negative cache for failed issuer lookups (preventing frequent re-queries)
Add monitoring API for per-issuer validation statistics
Add optional background thread for JWKS refresh
Add keycache load, metadata, and delete APIs
Revert "Fix memory leak in rs256_from_coords" by @djw8605
Add CTest-based integration test with JWKS server and TLS infrastructure
Fix segfault if the JSON parser cannot parse the JWKS
Fix float time claims issue and improve error handling
Fix security issue with malicious issuer handling in error messages
Improve JWTVerificationException message to include the invalid issuer
Update usage on verify command to make the TOKENFILE explicit
Read token for scitokens-verify from stdin
Set CURLOPT_NOSIGNAL option in SimpleCurlGet to prevent signal interruptions
Adding asan value to the job name
Turn off building unit tests by default.
Add cmake option SCITOKENS_WITH_ASAN which enables memory checking with the
address sanitizer.  Also enable this in CI, so that tests fail if they hit a
memory leak or other memory problem.
Fix memory leak in store_public_ec_key
Fix memory leaks in the unit tests
Fix memory leak in rs256_from_coords
Fix memory leak in scitokens_verify
--------------------------------------------------------------------------------
ChangeLog:

* Thu Dec 11 2025 Brian Bockelman <[email protected]> - 1.3.0-1
- Add scitokens-generate-jwks CLI for key generation.
- Add environment variable-based configuration on library initialization.
- Add per-issuer lock to prevent multiple concurrent queries against issuers 
without a known key
- Add negative cache for failed issuer lookups (preventing frequent re-queries)
- Add monitoring API for per-issuer validation statistics
- Add optional background thread for JWKS refresh
- Add keycache load, metadata, and delete APIs
- Revert "Fix memory leak in rs256_from_coords" by @djw8605
- Add CTest-based integration test with JWKS server and TLS infrastructure
* Fri Dec  5 2025 Derek Weitzel <[email protected]> - 1.2.0-1
- Fix segfault if the JSON parser cannot parse the JWKS
- Fix float time claims issue and improve error handling
- Fix security issue with malicious issuer handling in error messages
- Improve JWTVerificationException message to include the invalid issuer
- Update usage on verify command to make the TOKENFILE explicit
- Read token for scitokens-verify from stdin
- Set CURLOPT_NOSIGNAL option in SimpleCurlGet to prevent signal interruptions
- Adding asan value to the job name
- Turn off building unit tests by default.
- Add cmake option SCITOKENS_WITH_ASAN which enables memory checking with the 
address sanitizer.  Also enable this in CI, so that tests fail if they hit a 
memory leak or other memory problem.
- Fix memory leak in store_public_ec_key
- Fix memory leaks in the unit tests
- Fix memory leak in rs256_from_coords
- Fix memory leak in scitokens_verify
* Fri Jul 25 2025 Fedora Release Engineering <[email protected]> - 
1.1.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
--------------------------------------------------------------------------------


================================================================================
 xrdp-0.10.5-1.el8 (FEDORA-EPEL-2026-5c626357f7)
 Open source remote desktop protocol (RDP) server
--------------------------------------------------------------------------------
Update Information:

Release notes for xrdp v0.10.5 (2026/01/27)

Security fixes:
- CVE-2025-68670: Improper bounds checking of domain string length leads to
  Stack-based Buffer Overflow

New features:
- It is now possible to start the xrdp daemon entirely unprivileged from the
  service manager (#3599 #3603). If you do this certain restrictions will apply.
  See https://github.com/neutrinolabs/xrdp/wiki/Running-the-xrdp-process-as-non-root
  for details.
- TLS pre-master secrets can now be recorded for packet captures (#3617)
- Add a FuseRootReportMaxFree to work around 'no free space' issues with some
  file managers (#3639)
- Alternate shell names can now be passed to startwm.sh in an environment
  variable for more system management control (#3624 #3651)
- Updated Xorg paths in sesman.ini to include more recent distros (#3663)
- Add Slovenian keyboard (#3668 #3670)
- xrdpapi: Add a way to monitor connect/disconnect events (#3693)

Bug fixes:
- Allow an empty X11 UTF8_STRING to be pasted to the clipboard (#3580 #3582)
- Fix a regression introduced in v0.10.x, where it became impossible to connect
  to a VNC server which did not support the ExtendedDesktopSize encoding (#3540
  #3584)
- Fix a regression introduced in v0.10.x related to PAM groups handling (#3594)
- Inconsistencies with [MS-RDPBCGR] have been addressed (#3608)
- A reference to uninitialised data within the verify_user_pam_userpass.c module
  has been fixed (#3638)
- Prevent some possible crashes when the RFX encoder is resized (#3590 #3644)
- Fixes a regression introduced by GFX development which prevented the JPEG
  encoder from working correctly (#3649)
- Fixes a regression introduced by #2974 which resulted in the xrdp PID file
  being deleted unexpectedly (#3650)
- Do not overwrite a VNC port set by the user when not using sesman (#3674)
- Fix regression from 0.9.x when freerdp client uses /workarea (#3618 #3676)
- Fixes a crash where a resize is attempted with drdynvc disabled (#3672 #3680)
- getgrouplist() now compiles on MacOS (#3575)
- Various Coverity warnings have been addressed (#3656)
- Documentation improvements (#3665)

Internal changes:
- An unnecessary include of sys/signal.h causing a compile warning on MUSL-C has
  been removed (#3679)
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jan 28 2026 Bojan Smojver <[email protected]> - 1:0.10.5-1
- Update to 0.10.5
* Sat Jan 17 2026 Fedora Release Engineering <[email protected]> - 
1:0.10.4-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Tue Nov  4 2025 Tom Callaway <[email protected]> - 1:0.10.4-4
- rebuild for new fuse3
* Fri Jul 25 2025 Fedora Release Engineering <[email protected]> - 
1:0.10.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1908387 - Windows with transparency show whatever is below
        https://bugzilla.redhat.com/show_bug.cgi?id=1908387
  [ 2 ] Bug #2279775 - xrdp socketdir not cleaned up on package removal
        https://bugzilla.redhat.com/show_bug.cgi?id=2279775
  [ 3 ] Bug #2322105 - AltGr on Spanish keyboards
        https://bugzilla.redhat.com/show_bug.cgi?id=2322105
  [ 4 ] Bug #2323097 - Requesting clarification on the License of xrdp rpm.
        https://bugzilla.redhat.com/show_bug.cgi?id=2323097
  [ 5 ] Bug #2433439 - CVE-2025-68670 xrdp: xrdp: Remote code execution via unauthenticated stack-based buffer overflow [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2433439
  [ 6 ] Bug #2433441 - CVE-2025-68670 xrdp: xrdp: Remote code execution via unauthenticated stack-based buffer overflow [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2433441
--------------------------------------------------------------------------------


-- 
_______________________________________________
epel-devel mailing list -- [email protected]