Linux distros push critical patches
- Linux distributions spent the week shipping security fixes for openSUSE, Rocky Linux, Fedora and Debian, covering Chromium, ImageMagick, PackageKit, Kyverno and Linux kernels.
- Rocky Linux posted two Important advisories on April 25 for kernel and kernel-rt on Rocky Linux 8, while openSUSE patched 16 ImageMagick CVEs.
- The updates span browsers, package managers and Kubernetes policy tools, widening the routine patch list for Linux operators. (linuxcompatible.org)

Linux administrators got a broad patch wave this week as major distributions pushed fixes for browsers, image libraries, package managers and the kernel. (linuxcompatible.org)

The week 17 roundup named openSUSE, Rocky Linux, Fedora, Debian and AlmaLinux among the distributions shipping security updates. The affected software ranged from Chromium and ImageMagick to PackageKit and Linux kernels. (linuxcompatible.org)

On Rocky Linux, the clearest urgent items were two Important advisories dated April 25: RLSA-2026:9131 for the kernel and RLSA-2026:9135 for kernel-rt on Rocky Linux 8. Rocky’s errata page listed both as security updates in the latest batch. (errata.rockylinux.org)

On openSUSE, one ImageMagick update published April 23 bundled fixes for 16 CVEs, including CVE-2026-33901 and CVE-2026-33908, both scored 8.7 under CVSS 4.0 by SUSE. The same notice described crashes and out-of-bounds writes tied to malformed image handling. (lists.opensuse.org)

Browsers were in the mix too. openSUSE’s Chromium advisories earlier in the cycle moved the package to versions including 145.0.7632.159 and fixed multiple memory-safety bugs such as heap buffer overflows and integer overflows. (lists.opensuse.org 1) (lists.opensuse.org 2)

Fedora’s package manager stack was part of the security workload. Fedora 44 accepted a PackageKit fix for a local privilege-escalation race condition, and Fedora’s blocker tracker described the flaw as code running as root. (qa.fedoraproject.org) (linuxcompatible.org)

Kyverno adds a different kind of exposure. It is a Kubernetes policy engine that checks cluster rules the way a spell-checker scans text, and openSUSE Tumbleweed shipped kyverno-1.17.2-1.1 as a security update on its GA media. (lists.opensuse.org)

That matters because the attack surface here is not just the Linux base system. The week’s fixes touched software that parses untrusted images, installs packages with elevated privileges, renders web content and enforces Kubernetes admission policies. (linuxcompatible.org)

For operators, the practical takeaway is less about one headline bug than the spread of them. This patch cycle reached from desktop-facing packages like Chromium to server-critical components like kernels and cluster tooling, leaving little room to defer updates. (linuxcompatible.org)