RLSA-2026:3840 Important: image-builder security update

A local binary for building customized OS artifacts such as VM images and OSTree commits. Uses osbuild under the hood. Security Fixes: crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate CVE-2025-61729 golang: net/url: Memory exhaustion in query...

CVE-2026-44060

A flaw was found in Netatalk. A remote attacker could exploit an integer underflow vulnerability in the dsiwriteinit function by sending a specially crafted request. This could lead to a denial of service DoS, making the service unavailable to legitimate users...

CVE-2026-44061

A flaw was found in Netatalk. This vulnerability involves the DES-ECB Data Encryption Standard - Electronic Codebook authentication mechanism, which is susceptible to a timing side channel attack. A remote attacker could potentially exploit this timing difference during authentication to gain...

CVE-2026-44049

A flaw was found in Netatalk. A remote attacker could exploit an out-of-bounds write vulnerability within the convertcharset function. This issue, caused by improper null termination, allows an attacker to write data beyond the allocated memory buffer. Successful exploitation could lead to...

SUSE CVE-2026-47373

Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash...

CVE-2026-44071

A flaw was found in Netatalk. This issue arises because the software is compiled without FORTIFYSOURCE, a security feature that provides built-in buffer overflow detection at runtime. A remote attacker could exploit this by triggering memory errors that would otherwise be safely handled, leading ...

Malicious code in tensor-compute (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9a3d1b50077a6311a43061891fa560d2c180fbdbd12ab4965e0d265910e6ef68 [email protected] presents itself as a Rust-backed tensor library but is a dropper. setup.py registers a custom buildext command src/buildext.py...

MAL-2026-4223 Malicious code in tensor-compute (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9a3d1b50077a6311a43061891fa560d2c180fbdbd12ab4965e0d265910e6ef68 [email protected] presents itself as a Rust-backed tensor library but is a dropper. setup.py registers a custom buildext command src/buildext.py...

When Identity is the Attack Path

Consider a cached access key on a single Windows machine. It got there the way most cached credentials do - a user logged in, and the key stored itself automatically. Standard AWS behavior. No one misconfigured anything or violated a policy. Yet that single key, which was easily accessible to a...

MAL-2026-4442 Malicious code in @shadowmd/libsignal-node (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 51bcabb5263ecf1f1259bd5969a921866dbb808da4fda7b9d7708baeb60c21e6 Package name and description impersonate the Open Whisper Systems libsignal-node library. On require, index.js schedules install.js, which locates an...

MAL-2026-4393 Malicious code in @hanssoft/libsignal-node (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 063fa3a06df50a8c53c5eb05ac4d1214e6fa1edfb18d03c8484fa2014190659a Package name impersonates the well-known libsignal-node Signal Protocol library and ships a verbatim copy of its README, but the code is unrelated. O...

CVE-2026-44051

An improper link resolution vulnerability in Netatalk 3.0.2 through 4.4.2 allows a remote authenticated attacker to read arbitrary files or overwrite arbitrary files via attacker-controlled symlink creation...

CVE-2026-44071

Netatalk 3.1.2 through 4.4.2 is compiled without FORTIFYSOURCE, which disables built-in buffer overflow detection at runtime, potentially allowing a remote attacker to cause a minor denial of service via memory errors that would otherwise be caught and safely terminated by runtime protection...

Another 'ghost domain names' attack variant

...

CVE-2026-7836 hextoint macro uppercase bug

An incorrect calculation in the hextoint macro in Netatalk 2.0.0 through 4.4.2 due to improper uppercase character handling allows a remote authenticated attacker to cause limited data modification via crafted hexadecimal input...

CVE-2026-44061

Netatalk 1.5.0 through 4.4.2 uses DES-ECB for authentication with a timing side channel, which allows a remote attacker to recover authentication credentials via timing analysis...

CVE-2026-44061

Netatalk 1.5.0 through 4.4.2 uses DES-ECB for authentication with a timing side channel, which allows a remote attacker to recover authentication credentials via timing analysis...

CVE-2026-44053

Netatalk 1.5.0 through 4.2.2 uses a broken cryptographic algorithm in the DHCAST128 UAM, which allows a remote attacker to obtain authentication credentials or impersonate a user via cryptanalytic attack...

CVE-2026-44053 Weak cryptography in DHCAST128 UAM

Netatalk 1.5.0 through 4.2.2 uses a broken cryptographic algorithm in the DHCAST128 UAM, which allows a remote attacker to obtain authentication credentials or impersonate a user via cryptanalytic attack...

CVE-2026-44053

Netatalk 1.5.0 through 4.2.2 uses a broken cryptographic algorithm in the DHCAST128 UAM, which allows a remote attacker to obtain authentication credentials or impersonate a user via cryptanalytic attack...