Fedora Linux 43 and CVE-2026-41651

Just today I learned of CVE-2026-41651. When I was checking the current version of PackageKit on my computer with Fedora Linux 43, I was a little bit surprised to see that there is no newer version of PackageKit resolving the bug.

The bug itself is tracked as 2460604 – (CVE-2026-41651) CVE-2026-41651 PackageKit: race condition vulnerability leads to arbitrary package installation as root

Does anybody know something about that?

Best regards
Andreas

CVE discussions don’t take place here but on the related Matrix channels, Bugzilla or the devel mailing list, at least in cases where a public discussion already makes sense.

Keep in mind that fixes can also be backported, which is sometimes preferred over quickly making new releases. Those are case-dependent decisions.

The update to address this CVE is currently in the updates-testing repo. If you want to install it now, ahead of it reaching the stable repos, you can do so:

sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-7463cd3c32

Thank you for the fast reply.

Actually, it has already been submitted for stable, so it should be in the normal stable updates in a few hours. It’s marked as a security update, containing a security fix.

Am I right that a backported solution would increment at least a minor version number? And the install date of that package would be newer?

The version number is always that of the upstream release, but the build number (after the -) changes.

E.g., there might be kernel 7.0.1. The first build for f43 is 200. If we add another patch (e.g., to fix something critical about security) because we do not want to wait for the release of 7.0.2 for whatever reason, it would lead to a new build that is then 7.0.1-201.

All builds, including releases etc., are in Koji, including a changelog of what they changed.
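As an added worked example (not part of this thread and not Fedora or rpm project code): the version-and-release comparison that rpm applies, reimplemented in Python so you can check offline whether an installed build is at or above the build carrying a fix, including the backport case where only the part after the dash moves. It assumes the usual [epoch:]version-release layout with a .fc43 dist tag; the kernel numbers are the hypothetical ones from the post above, and the "foo" package and the rpm -q output are constructed sample data.

```python
# Added example (not from the thread): compare Fedora package EVRs the way rpm
# does, so a backport such as 7.0.1-200 -> 7.0.1-201 is recognised as newer.
# Assumes the usual EVR layout: [epoch:]version-release, e.g. 0:7.0.1-201.fc43.
import re

_NUM = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[a-zA-Z]+")


def _is_alnum(c: str) -> bool:
    return c.isascii() and c.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 following rpm's rpmvercmp() segment rules.

    Segments are runs of digits or letters; separators are skipped. Numeric
    segments compare by value and beat alphabetic ones, '~' sorts before the
    end of the string (pre-releases) and '^' sorts after it (post-releases).
    """
    if a == b:
        return 0
    one, two = a, b
    while one or two:
        # Drop separator characters, keeping the '~' and '^' markers.
        while one and not (_is_alnum(one[0]) or one[0] in "~^"):
            one = one[1:]
        while two and not (_is_alnum(two[0]) or two[0] in "~^"):
            two = two[1:]
        # '~' is lower than anything, even an empty remainder.
        if one.startswith("~") or two.startswith("~"):
            if not one.startswith("~"):
                return 1
            if not two.startswith("~"):
                return -1
            one, two = one[1:], two[1:]
            continue
        # '^' is like '~' except that it sorts above the end of the string.
        if one.startswith("^") or two.startswith("^"):
            if not one:
                return -1
            if not two:
                return 1
            if not one.startswith("^"):
                return 1
            if not two.startswith("^"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if not (one and two):
            break
        # Take the next segment of each string; the first string's type decides.
        if one[0].isdigit():
            m1, m2, numeric = _NUM.match(one), _NUM.match(two), True
        else:
            m1, m2, numeric = _ALPHA.match(one), _ALPHA.match(two), False
        if m2 is None:
            return 1 if numeric else -1  # numeric segment is always newer
        s1, s2 = m1.group(), m2.group()
        if numeric:
            s1, s2 = s1.lstrip("0"), s2.lstrip("0")
            if len(s1) != len(s2):
                return 1 if len(s1) > len(s2) else -1
        if s1 != s2:
            return 1 if s1 > s2 else -1
        one, two = one[m1.end():], two[m2.end():]
    if not one and not two:
        return 0
    return -1 if not one else 1  # whatever has characters left is newer


def split_evr(evr: str) -> tuple[str, str, str]:
    """Split '[epoch:]version-release'; a missing or '(none)' epoch means 0."""
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    else:
        epoch = "0"
    if epoch in ("", "(none)"):
        epoch = "0"
    if "-" in evr:
        version, release = evr.rsplit("-", 1)
    else:
        version, release = evr, ""
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    for x, y in zip(split_evr(a), split_evr(b)):
        r = rpmvercmp(x, y)
        if r != 0:
            return r
    return 0


def has_fix(installed_evr: str, fixed_evr: str) -> bool:
    """True if the installed build is the fixed build or newer."""
    return compare_evr(installed_evr, fixed_evr) >= 0


# Constructed sample output of
#   rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' kernel foo
# using the hypothetical kernel numbers from the post; "foo" is invented.
SAMPLE_RPM_Q = "kernel (none):7.0.1-200.fc43\nfoo 0:2.4-3.fc43\n"


def check_installed(rpm_q_output: str, fixed: dict[str, str]) -> dict[str, bool]:
    """Map each listed package to whether it is at or above its fixed EVR."""
    result = {}
    for line in rpm_q_output.splitlines():
        name, evr = line.split()
        if name in fixed:
            result[name] = has_fix(evr, fixed[name])
    return result
```

Feeding it the post's case, 7.0.1-201 compares newer than 7.0.1-200 although the upstream version is unchanged, while any 7.0.2 build beats every 7.0.1 build; so a quick "is it fixed yet" check against the advisory's EVR should compare the full epoch:version-release, not the version alone.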

Thank you.