koji: recent builds

complete: bind-9.18.21-5.ocs23, target: dist-ocs23-base

Thu, 04 Jun 2026 22:54:50 CST

* Thu Jun 04 2026 PkgAgent Robot  - 9.18.21-5
- [Type] security
- [DESC] Fix CVE-2026-5946: disable recursion/UPDATE/NOTIFY for non-IN classes, validate DNS CLASS early, reject metaclasses in UPDATE/NOTIFY, skip deny-answer-address for non-IN

* Mon Oct 27 2025 Xin Cheng  - 9.18.21-4
- fix CVE-2025-8677, CVE-2025-40778, CVE-2025-40780

* Fri May 23 2025 Xin Cheng  - 9.18.21-3
- fix CVE-2024-11187, CVE-2024-12705

complete: ignition-2.15.0-8.ocs23, target: dist-ocs23-base

Thu, 04 Jun 2026 17:33:16 CST

* Thu Jun 04 2026 wynnfeng  - 2.15.0-8
- [type] security
- [desc] fix CVE-2026-39821 in bundled golang.org/x/net/idna

* Mon Nov 10 2025 Zhang Yu  - 2.15.0-7
- [type] security
- [desc] rebuilt with golang 1.24.4-5 to fix CVE-2025-47912 and CVE-2025-58188

* Fri Apr 25 2025 wynnfeng  - 2.15.0-6
- [type] security
- [desc] fix CVE-2025-22868

complete: nginx-1.26.3-7.ocs23, target: dist-ocs23-base

Thu, 04 Jun 2026 16:34:59 CST

* Thu Jun 04 2026 PkgAgent Robot  - 1.26.3-7
- [Type] security
- [DESC] Fix HTTP/2 Bomb: added max_headers directive to limit request headers count

* Mon May 25 2026 PkgAgent Robot  - 1.26.3-6
- [Type] security
- [DESC] Fix CVE-2026-9256, CVE-2026-40701

* Thu May 14 2026 PkgAgent Robot  - 1.26.3-5
- [Type] security
- [DESC] Fix CVE-2026-42945 vulnerability

complete: rust-1.92.0-1.ocs23, target: dist-ocs23-base

Thu, 04 Jun 2026 00:43:52 CST

* Mon Jun 01 2026 Wang Guodong  - 1.92.0-1
- [Type] enhancement
- [DESC] Upgrade to 1.92.0

* Thu Nov 13 2025 Wang Guodong  - 1.91.0-1
- Upgrade to 1.91.0
- remove extra llvm flags

* Mon Nov 10 2025 Wang Guodong  - 1.90.0-1
- Upgrade to 1.90.0

complete: grafana-12.4.3-2.ocs23, target: dist-ocs23-base

Wed, 03 Jun 2026 17:37:12 CST

* Tue Jun 02 2026 Zhang Yu  - 12.4.3-2
- [type] bugfix
- [desc] Fix runtime panic in crypto/tls caused by cryptobyte panic stub.
- [desc] Remove example demo app from unconditional app registry.

* Wed May 27 2026 Zhang Yu  - 12.4.3-1
- [type] security
- [desc] upgrade to Grafana 12.4.3.
- [desc] Patch count reduced from 51 to 10.
- [desc] All prior CVE fixes (10.2.6-7 through 10.2.6-29) resolved by upstream or dep upgrades.
- [desc] Additional security patches on top of 12.4.3:
  CVE-2025-4123 (CSP enabled by default),
  CVE-2026-27136/CVE-2026-39831 (x/net 0.55.0, x/crypto 0.52.0),
  CVE-2026-41238 (DOMPurify 3.4.0), CVE-2026-41242 (protobufjs 7.5.6),
  CVE-2026-33891 (node-forge 1.4.0), CVE-2026-42044 (axios 1.15.2).

* Mon Apr 27 2026 Zhang Yu  - 10.2.6-29
- [type] security
- [desc] bump node-forge to 1.4.0(CVE-2026-33891, CVE-2026-33894, CVE-2026-33895, CVE-2026-33896).
- [desc] bump flatted to 3.4.2, protobufjs to 7.5.5, minimatch to fixed versions, axios to 1.15.1, and svgo to 3.3.3
- [desc] fix CVE-2026-42037, CVE-2026-27903, CVE-2026-27904, CVE-2026-42035, CVE-2026-41242, CVE-2026-33228, CVE-2026-32141.

complete: unbound-1.17.1-13.ocs23, target: dist-ocs23-base

Wed, 03 Jun 2026 16:42:34 CST

* Mon Jun 01 2026 PkgAgent Robot  - 1.17.1-13
- [Type] security
- [DESC] Fix CVE-2026-42959, CVE-2026-42960

* Tue Jul 29 2025 Xin Cheng  - 1.17.1-12
- [Type] security
- [DESC] fix CVE-2025-5994

* Mon Jun 30 2025 Xin Cheng  - 1.17.1-11
- [Type] security
- [DESC] fix CVE-2024-43167 and CVE-2024-43168

complete: rsync-3.2.7-10.ocs23, target: dist-ocs23-base

Wed, 03 Jun 2026 16:37:54 CST

* Mon Jun 01 2026 PkgAgent Robot  - 3.2.7-10
- [Type] security
- [DESC] Fix CVE-2025-10158, CVE-2026-29518, CVE-2026-43618

* Mon Apr 20 2026 PkgAgent Robot  - 3.2.7-9
- [Type] security
- [DESC] Fix CVE-2026-41035 vulnerability: SIGSEGV in receive_xattr()

* Tue Aug 19 2025 Xin Cheng  - 3.2.7-8
- fix CVE-2024-12086, CVE-2024-12088, CVE-2024-12747

complete: freerdp-2.11.6-14.ocs23, target: dist-ocs23-base

Wed, 03 Jun 2026 12:31:34 CST

* Wed Jun 03 2026 PkgAgent Robot  - 2.11.6-14
- [Type] security
- [DESC] Fix CVE-2026-44420: validate capabilitySetLength in cliprdr server caps

* Tue Jun 02 2026 Xinlong Chen  - 2.11.6-13
- [Type] security
- [DESC] fix CVE-2026-24679 CVE-2026-24683 CVE-2026-24684
-            CVE-2026-25942 CVE-2026-25959 CVE-2026-29774
-            CVE-2026-29775 CVE-2026-29776 CVE-2026-31884
-            CVE-2026-31885 CVE-2026-31897 CVE-2026-33952
-            CVE-2026-33977 CVE-2026-33983 CVE-2026-33985
-            CVE-2026-44421

* Wed Apr 15 2026 Xinlong Chen  - 2.11.6-12
- [Type] security
- [DESC] fix CVE-2026-23533

complete: python-ply-3.11-8.ocs23, target: dist-ocs23-base

Wed, 03 Jun 2026 11:27:11 CST

* Tue Feb 03 2026 cunshunxia  - 3.11-8
- [Type] security
- [DESC] Fix CVE-2025-56005 vulnerability

* Thu Sep 26 2024 OpenCloudOS Release Engineering  - 3.11-7
- Rebuilt for clarifying the packages requirement in BaseOS and AppStream

* Fri Aug 16 2024 OpenCloudOS Release Engineering  - 3.11-6
- Rebuilt for loongarch release

complete: freerdp-2.11.6-13.ocs23, target: dist-ocs23-base

Wed, 03 Jun 2026 10:28:45 CST

* Tue Jun 02 2026 Xinlong Chen  - 2.11.6-13
- [Type] security
- [DESC] fix CVE-2026-24679 CVE-2026-24683 CVE-2026-24684
-            CVE-2026-25942 CVE-2026-25959 CVE-2026-29774
-            CVE-2026-29775 CVE-2026-29776 CVE-2026-31884
-            CVE-2026-31885 CVE-2026-31897 CVE-2026-33952
-            CVE-2026-33977 CVE-2026-33983 CVE-2026-33985
-            CVE-2026-44421

* Wed Apr 15 2026 Xinlong Chen  - 2.11.6-12
- [Type] security
- [DESC] fix CVE-2026-23533

* Mon Mar 16 2026 Xinlong Chen  - 2.11.6-11
- Fix out-of-bounds write in nsc_process_message

complete: gnutls-3.8.2-14.ocs23, target: dist-ocs23-base

Wed, 03 Jun 2026 10:26:11 CST

* Mon Jun 01 2026 Feng Weiyao  - 3.8.2-14
- [type] security
- [desc] fix CVE-2026-42012 (URI SAN should preclude CN fallback) and CVE-2026-42013 (oversized SAN should preclude CN/DN fallback)

* Tue May 12 2026 Feng Weiyao  - 3.8.2-13
- [type] security
- [desc] fix CVE-2026-42011 (name constraint bypass when prior CA only excludes)

* Fri May 08 2026 Feng Weiyao  - 3.8.2-12
- [type] security
- [desc] fix CVE-2026-3833 and CVE-2026-33846

complete: gcc-12.3.1.8-2.ocs23, target: dist-ocs23-base

Wed, 03 Jun 2026 00:11:49 CST

* Fri May 22 2026 Tim Hu - 12.3.1.8-2
- [Type] sync
- [DESC] [X86] zhaoxin patch
- backport zhaoxin lujiazui,yongfeng,shijidadao enablements from community's trunk

* Tue Mar 10 2026 Xionghu Luo - 12.3.1.8-1
- [Type] bugfix
- [DESC] update to 12.3.1.8

* Wed Dec 03 2025 Zhao Zhen  - 12.3.1.7-1
- [Type] sync
- [DESC] [Aarch64] Add loop optimize, and change hip12 pipeline

complete: libvncserver-0.9.13-11.ocs23, target: dist-ocs23-base

Tue, 02 Jun 2026 17:42:43 CST

* Tue Jun 02 2026 PkgAgent Robot  - 0.9.13-11
- [Type] security
- [DESC] Fix CVE-2026-44988: Tight gradient decoding buffer overflow in LibVNCClient

* Mon Apr 20 2026 PkgAgent Robot  - 0.9.13-10
- [Type] security
- [DESC] Fix CVE-2026-32854 vulnerability

* Thu Apr 16 2026 PkgAgent Robot  - 0.9.13-9
- [Type] security
- [DESC] Fix CVE-2026-32853 vulnerability

complete: python-jwt-2.13.0-1.ocs23, target: dist-ocs23-base

Tue, 02 Jun 2026 14:42:14 CST

* Mon Jun 01 2026 PkgAgent Robot  - 2.13.0-1
- [Type] security
- [DESC] Update to 2.13.0 (fixes CVE-2026-48523, CVE-2026-48522)

* Tue Feb 24 2026 Sinong Chen  - 2.11.0-1
- [Type] security
- [Desc] update to 2.11.0 to fix CVE-2025-45768

* Thu Sep 26 2024 OpenCloudOS Release Engineering  - 2.6.0-5
- Rebuilt for clarifying the packages requirement in BaseOS and AppStream

complete: grafana-12.4.3-1.ocs23, target: dist-ocs23-base

Tue, 02 Jun 2026 14:39:39 CST

* Wed May 27 2026 Zhang Yu  - 12.4.3-1
- [type] security
- [desc] upgrade to Grafana 12.4.3.
- [desc] Patch count reduced from 51 to 10.
- [desc] All prior CVE fixes (10.2.6-7 through 10.2.6-29) resolved by upstream or dep upgrades.
- [desc] Additional security patches on top of 12.4.3:
  CVE-2025-4123 (CSP enabled by default),
  CVE-2026-27136/CVE-2026-39831 (x/net 0.55.0, x/crypto 0.52.0),
  CVE-2026-41238 (DOMPurify 3.4.0), CVE-2026-41242 (protobufjs 7.5.6),
  CVE-2026-33891 (node-forge 1.4.0), CVE-2026-42044 (axios 1.15.2).

* Mon Apr 27 2026 Zhang Yu  - 10.2.6-29
- [type] security
- [desc] bump node-forge to 1.4.0(CVE-2026-33891, CVE-2026-33894, CVE-2026-33895, CVE-2026-33896).
- [desc] bump flatted to 3.4.2, protobufjs to 7.5.5, minimatch to fixed versions, axios to 1.15.1, and svgo to 3.3.3
- [desc] fix CVE-2026-42037, CVE-2026-27903, CVE-2026-27904, CVE-2026-42035, CVE-2026-41242, CVE-2026-33228, CVE-2026-32141.

* Wed Apr 15 2026 Zhang Yu  - 10.2.6-28
- [type] security
- [desc] bump axios to 1.15.0(CVE-2026-40175, CVE-2026-25639, CVE-2025-62718 and CVE-2026-39865).

complete: perl-IO-Compress-2.206-5.ocs23, target: dist-ocs23-base

Tue, 02 Jun 2026 11:38:52 CST

* Mon Jun 01 2026 PkgAgent Robot  - 2.206-5
- [Type] security
- [DESC] Fix CVE-2026-48962: IO::Compress arbitrary code execution in File::GlobMapper via eval STRING

* Thu Sep 26 2024 OpenCloudOS Release Engineering  - 2.206-4
- Rebuilt for clarifying the packages requirement in BaseOS and AppStream

* Fri Aug 16 2024 OpenCloudOS Release Engineering  - 2.206-3
- Rebuilt for loongarch release

complete: golang-1.26.3-1.ocs23, target: dist-ocs23-base

Mon, 01 Jun 2026 12:00:03 CST

* Thu May 28 2026 hudson zhu  - 1.26.3-1
- [Type] sync
- [DESC] Upgrade to 1.26.3 to resolve grafana's go version dependency and address CVE-2025-12141

* Wed Apr 29 2026 hudson zhu  - 1.25.8-3
- [Type] security
- [DESC] Fix [CVE-2026-27140] to disallow cgo trust boundary bypass

* Wed Apr 15 2026 hudson zhu  - 1.25.8-2
- [Type] bugfix
- [DESC] use GOEXPERIMENT=nodwarf5 for debugedit compatibility

complete: perl-Archive-Tar-3.10-1.ocs23, target: dist-ocs23-base

Mon, 01 Jun 2026 11:30:54 CST

* Fri May 29 2026 Xiaojie Chen  - 3.10-1
- [Type] bugfix
- [DESC] Upgrade to upstream version 3.10
- Fix CVE-2026-42496

* Thu Sep 26 2024 OpenCloudOS Release Engineering  - 3.02-4
- Rebuilt for clarifying the packages requirement in BaseOS and AppStream

* Fri Aug 16 2024 OpenCloudOS Release Engineering  - 3.02-3
- Rebuilt for loongarch release

complete: libsolv-0.7.24-7.ocs23, target: dist-ocs23-base

Mon, 01 Jun 2026 10:39:24 CST

* Fri May 29 2026 Maxon Xie  - 0.7.24-7
- [Type] security
- [DESC] Fix CVE-2026-48863: use correct length in Ed25519 signature memcpy

* Thu Sep 26 2024 OpenCloudOS Release Engineering  - 0.7.24-6
- Rebuilt for clarifying the packages requirement in BaseOS and AppStream

* Fri Aug 16 2024 OpenCloudOS Release Engineering  - 0.7.24-5
- Rebuilt for loongarch release

complete: python-pip-23.3.1-7.ocs23, target: dist-ocs23-base

Mon, 01 Jun 2026 10:11:39 CST

* Fri May 29 2026 Shuo Wang  - 23.3.1-7
- [Type] security
- [DESC] fix CVE-2026-8643, Reject entry point names that escape scripts dir (#14000)

* Thu Feb 05 2026 Shuo Wang  - 23.3.1-6
- fix CVE-2026-1703
- Use os.path.commonpath() instead of commonprefix()

* Thu Sep 26 2024 OpenCloudOS Release Engineering  - 23.3.1-5
- Rebuilt for clarifying the packages requirement in BaseOS and AppStream