RPM 6.0.2 Release Notes
July 16, 2026
This is primarily a security update fixing two CVEs (moderate and low severity) and some other security related issues or regressions.
Download
- Source: rpm-6.0.2.tar.bz2
- SHA256SUM: 66a4998e020d7354a804fde83801a9d7157b20f5e08198f7fde69d3a0ab683fe
Changes since 6.0.1
Security
- Prevent command injection in
rpmuncompress(1)(CVE-2026-44604) - Harden the ndb implementation against integer overflows (CVE-2026-44605)
- Prevent buffer overruns in preamble language string parsing (#4188)
- Fix
rpmkeys(8)result wrapping around and potentially returning 0 on failure (#4176) - Fix possible crashes in case of memory allocation failures (#4233)
Transactions
- Fix regression causing Lua scriptlets in non-RPM generated packages to crash (#4189)
Packaging
- Fix regression causing missing patch/source to not abort with error (#4079)
- Remove upper bound on
%langlocale length (#4114) - Fix broken
%add_sysuser mdirective (#4232)
Building RPM
- Fix Clang error caused by incorrect function definition (#4070)