Release date:
2026-07-03 10:47:19 UTC
Description:
- CVE-2026-12313: Linux sandbox broker SymlinkPath() accepted paths
containing /.. components, allowing a compromised content process to
traverse out of allowed directories; reject any path that contains
/../, equals .., starts with ../, or ends with /.. (Bug 2040477)
- CVE-2026-33636: bundled libpng 1.6.39 NEON palette expansion
(arm/palette_neon_intrinsics.c) had an out-of-bounds read/write when
row_width was not aligned to chunk size; backport upstream libpng
commit aba9f18 that rewrites the loop guard and removes the unsafe
post-loop adjustment (compiled but unreachable on x86_64 ESU builds)
Updated packages:
-
thunderbird-115.4.1-1.el9_2.alma.tuxcare.els16.x86_64.rpm
sha:994989094ff478c536da108142e9dd9b55bd147715b2864ab65f2102789f234a
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.