A flaw was found in glibc. The realpath function may sometimes return a unexpected value, potentially leading to disclosure of sensitive data.
RHEL 6, 7 and 8 are not affected by this bug as they ship an older version of glibc which does not include the vulnerable code (i.e. realpath_stk() function does not exist).
Created glibc tracking bugs for this issue:
Affects: fedora-all [bug 2039674]
I've posted a fix for review: https://firstname.lastname@example.org/