RPM 6.0.2 Release Notes

July 16, 2026

This is primarily a security update fixing two CVEs (moderate and low severity) and some other security related issues or regressions.

Download

  • Source: rpm-6.0.2.tar.bz2
  • SHA256SUM: 66a4998e020d7354a804fde83801a9d7157b20f5e08198f7fde69d3a0ab683fe

Changes since 6.0.1

Security

  • Prevent command injection in rpmuncompress(1) (CVE-2026-44604)
  • Harden the ndb implementation against integer overflows (CVE-2026-44605)
  • Prevent buffer overruns in preamble language string parsing (#4188)
  • Fix rpmkeys(8) result wrapping around and potentially returning 0 on failure (#4176)
  • Fix possible crashes in case of memory allocation failures (#4233)

Transactions

  • Fix regression causing Lua scriptlets in non-RPM generated packages to crash (#4189)

Packaging

  • Fix regression causing missing patch/source to not abort with error (#4079)
  • Remove upper bound on %lang locale length (#4114)
  • Fix broken %add_sysuser m directive (#4232)

Building RPM

  • Fix Clang error caused by incorrect function definition (#4070)