Fedora Account System
Red Hat Associate
Red Hat Customer
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
This bug was filed against the wrong component. CVE-2026-41082 is a flaw in opam, not dune.
By the time this bug was filed, I had already built opam 2.5.1, with the fix for this issue, in Fedora 42, 43, 44 and Rawhide, and the update had been pushed to the testing repositories. I don't want to edit the updates now to add this bug, because I'm not sure if that restarts the 7 day testing timer or not.
@gsuckevi , you filed this bug against the wrong component. I fixed it, and then you made it wrong again. CVE-2026-41082 is NOT A BUG IN DUNE, it is is a BUG IN OPAM. Read the CVE. Start from the top and read every word, all the way to the end: https://access.redhat.com/security/cve/cve-2026-41082. Quiz time! Problem 1: Is dune mentioned anywhere in the CVE text? (Hint: only in the title of the RedHat bug, not in the description.) Problem 2: Is opam mentioned anywhere in the CVE text? (Hint: yes) Also see the upstream opam discussion of this bug: - https://github.com/ocaml/security-advisories/pull/20 - https://github.com/ocaml/opam/pull/6897 - https://github.com/ocaml/opam/pull/6898
Version 2.5.1 of opam, which has the fix for this bug, is now stable in Fedora 42, 43, 44, and Rawhide.