RPM 6.1.0 RC2 Release Notes
July 17, 2026
This is the second release candidate of RPM 6.1 fixing two CVEs (moderate and low severity) and some other security related issues and regressions found in RC1.
For more information on the upcoming 6.1.0 release, see the full release notes.
Download
- Source: rpm-6.0.92.tar.bz2
- SHA256SUM: 46c8775c4857507450ceec9f3a2eba2eda97e1e96418914f5c0abbadb0ee31d4
Changes since RC1
Security Fixes
- Prevent command injection in rpmuncompress(1) (CVE-2026-44604)
- Harden the ndb implementation against integer overflows (CVE-2026-44605)
- Fix possible crashes in case of memory allocation failures (#4233)
Building Packages
- Fix regression in RubyGems extraction causing double dot in
.gemspecsuffix (RhBug:2492128) - Fix regression causing spurious whitespace warning when using
%define(RhBug:2492483) (#4249) - Fix broken
%add_sysuser mdirective (#4232)
Signing & Verifying Packages
- Fix rpmsign(1) to handle
%_file_signing_key_idvalues greater thanINT_MAX(#4218)