Aggregator
python-python-multipart-0.0.31-1.el10_2
- python-python-multipart-0.0.31-1.el10_2
- Speed up multipart header parsing and callback dispatch.
- Bound header field name size before validating.
- Validate Content-Length is non-negative in parse_form.
Fixes security issues GHSA-v9pg-7xvm-68hf, GHSA-5rvq-cxj2-64vf, GHSA-6jv3-5f52-599m, and GHSA-vffw-93wf-4j4q.
0.0.30 (2026-05-31)- Parse application/x-www-form-urlencoded bodies per the WHATWG URL standard, treating only & as a field separator.
- Ignore RFC 2231/5987 extended parameters (name*, filename*) in parse_options_header, keeping the plain parameter authoritative per RFC 7578 §4.2.
python-python-multipart-0.0.31-1.el10_3
- python-python-multipart-0.0.31-1.el10_3
- Speed up multipart header parsing and callback dispatch.
- Bound header field name size before validating.
-
Validate Content-Length is non-negative in parse_form.
- GHSA-5rvq-cxj2-64vf
- GHSA-6jv3-5f52-599m
- GHSA-vffw-93wf-4j4q
- Parse application/x-www-form-urlencoded bodies per the WHATWG URL standard, treating only & as a field separator.
- Ignore RFC 2231/5987 extended parameters (name*, filename*) in parse_options_header, keeping the plain parameter authoritative per RFC 7578 §4.2.
python-python-multipart-0.0.31-1.fc43
- python-python-multipart-0.0.31-1.fc43
- Speed up multipart header parsing and callback dispatch.
- Bound header field name size before validating.
- Validate Content-Length is non-negative in parse_form.
Fixes security issues GHSA-v9pg-7xvm-68hf, GHSA-5rvq-cxj2-64vf, GHSA-6jv3-5f52-599m, and GHSA-vffw-93wf-4j4q.
0.0.30 (2026-05-31)- Parse application/x-www-form-urlencoded bodies per the WHATWG URL standard, treating only & as a field separator.
- Ignore RFC 2231/5987 extended parameters (name*, filename*) in parse_options_header, keeping the plain parameter authoritative per RFC 7578 §4.2.
python-python-multipart-0.0.31-1.fc44
- python-python-multipart-0.0.31-1.fc44
- Speed up multipart header parsing and callback dispatch.
- Bound header field name size before validating.
- Validate Content-Length is non-negative in parse_form.
Fixes security issues GHSA-v9pg-7xvm-68hf, GHSA-5rvq-cxj2-64vf, GHSA-6jv3-5f52-599m, and GHSA-vffw-93wf-4j4q.
0.0.30 (2026-05-31)- Parse application/x-www-form-urlencoded bodies per the WHATWG URL standard, treating only & as a field separator.
- Ignore RFC 2231/5987 extended parameters (name*, filename*) in parse_options_header, keeping the plain parameter authoritative per RFC 7578 §4.2.
webkitgtk-2.52.4-1.fc44
- webkitgtk-2.52.4-1.fc44
- Add support for half-width fonts.
- Improve content filter compilation by avoiding file copies.
- Improve handling of out of disk space conditions when the NetworkProcess tried to write data in caches.
- Fix painting scrollbars when their width changes.
- Fix playback of certain YouTube videos with low frame rates.
- Fix webkit://gpu not working in systems where neither libGL.so.1 nor libOpenGL.so.0 are available.
- Fix several crashes and rendering issues.
- Security fixes: CVE-2026-28847, CVE-2026-28883, CVE-2026-28901, CVE-2026-28902, CVE-2026-28903, CVE-2026-28904, CVE-2026-28905, CVE-2026-28907, CVE-2026-28942, CVE-2026-28946, CVE-2026-28947, CVE-2026-28953, CVE-2026-28955, CVE-2026-28958, CVE-2026-43658, CVE-2026-43660
webkitgtk-2.52.4-1.fc43
- webkitgtk-2.52.4-1.fc43
- Add support for half-width fonts.
- Improve content filter compilation by avoiding file copies.
- Improve handling of out of disk space conditions when the NetworkProcess tried to write data in caches.
- Fix painting scrollbars when their width changes.
- Fix playback of certain YouTube videos with low frame rates.
- Fix webkit://gpu not working in systems where neither libGL.so.1 nor libOpenGL.so.0 are available.
- Fix several crashes and rendering issues.
- Security fixes: CVE-2026-28847, CVE-2026-28883, CVE-2026-28901, CVE-2026-28902, CVE-2026-28903, CVE-2026-28904, CVE-2026-28905, CVE-2026-28907, CVE-2026-28942, CVE-2026-28946, CVE-2026-28947, CVE-2026-28953, CVE-2026-28955, CVE-2026-28958, CVE-2026-43658, CVE-2026-43660
USN-8384-1: Apache HTTP Server vulnerability
composer-2.10.1-1.fc43
- composer-2.10.1-1.fc43
- Security: Fixed shell escaping when opening an editor (#12903)
- Security: Verify backup phar signature before restoring it when using self-update --rollback (#12918)
- Fixed source-fallback also disabling fallbacks to dist install when source is the preferred install method (#12888)
- Fixed source -> dist package updates wiping the .git dir without checking for local changes first (#12912)
- Fixed GitHub token prompt happening multiple times on parallel auth failures (#12913)
- Fixed warnings from Composer repositories being printed twice in some cases (#12907)
Read the Composer 2.10 Release Announcement for more details on the release highlights.
Full Changelog
- BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this talk to us as we plan to remove it entirely in 2.11 (#12885)
- BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the audit (#12881)
- Security: Added dependency policies to block package versions where malware was detected on update/install or report it with audit (#12786)
- Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
- Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#12884)
- Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3)
- Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77)
- Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
- Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)
- Added --strict-psr-autoloader flag to install and update commands (#12647)
- Added source-fallback config option to disable or enable source fallback on download failure (#12698)
- Added --require parameter to create-project to add new packages to the project as it gets installed (#12738)
- Optimized plugin autoloading by avoiding regenerating classmaps for every package per plugin (#12696)
- Optimized PoolOptimizer memory usage (#12783)
- Optimized classmap dumping performance
- Deprecated most of the audit config in favor of the new policy one (#12804, see #12786 for the RFC and upgrade docs)
- Fixed update --bump-after-update to only bump packages that actually were updated (#12733)
- Fixed GitHub API authentication errors not being visible to the user (#12737)
- Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
- Fixed warning being shown when lock file is disabled (#12760)
- Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
- Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
- Fixed audit command returning a success code when the vendor dir was not present (#12880)
composer-2.10.1-1.el9
- composer-2.10.1-1.el9
- Security: Fixed shell escaping when opening an editor (#12903)
- Security: Verify backup phar signature before restoring it when using self-update --rollback (#12918)
- Fixed source-fallback also disabling fallbacks to dist install when source is the preferred install method (#12888)
- Fixed source -> dist package updates wiping the .git dir without checking for local changes first (#12912)
- Fixed GitHub token prompt happening multiple times on parallel auth failures (#12913)
- Fixed warnings from Composer repositories being printed twice in some cases (#12907)
Read the Composer 2.10 Release Announcement for more details on the release highlights.
Full Changelog
- BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this talk to us as we plan to remove it entirely in 2.11 (#12885)
- BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the audit (#12881)
- Security: Added dependency policies to block package versions where malware was detected on update/install or report it with audit (#12786)
- Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
- Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#12884)
- Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3)
- Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77)
- Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
- Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)
- Added --strict-psr-autoloader flag to install and update commands (#12647)
- Added source-fallback config option to disable or enable source fallback on download failure (#12698)
- Added --require parameter to create-project to add new packages to the project as it gets installed (#12738)
- Optimized plugin autoloading by avoiding regenerating classmaps for every package per plugin (#12696)
- Optimized PoolOptimizer memory usage (#12783)
- Optimized classmap dumping performance
- Deprecated most of the audit config in favor of the new policy one (#12804, see #12786 for the RFC and upgrade docs)
- Fixed update --bump-after-update to only bump packages that actually were updated (#12733)
- Fixed GitHub API authentication errors not being visible to the user (#12737)
- Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
- Fixed warning being shown when lock file is disabled (#12760)
- Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
- Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
- Fixed audit command returning a success code when the vendor dir was not present (#12880)
composer-2.10.1-1.el10_2
- composer-2.10.1-1.el10_2
- Security: Fixed shell escaping when opening an editor (#12903)
- Security: Verify backup phar signature before restoring it when using self-update --rollback (#12918)
- Fixed source-fallback also disabling fallbacks to dist install when source is the preferred install method (#12888)
- Fixed source -> dist package updates wiping the .git dir without checking for local changes first (#12912)
- Fixed GitHub token prompt happening multiple times on parallel auth failures (#12913)
- Fixed warnings from Composer repositories being printed twice in some cases (#12907)
Read the Composer 2.10 Release Announcement for more details on the release highlights.
Full Changelog
- BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this talk to us as we plan to remove it entirely in 2.11 (#12885)
- BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the audit (#12881)
- Security: Added dependency policies to block package versions where malware was detected on update/install or report it with audit (#12786)
- Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
- Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#12884)
- Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3)
- Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77)
- Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
- Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)
- Added --strict-psr-autoloader flag to install and update commands (#12647)
- Added source-fallback config option to disable or enable source fallback on download failure (#12698)
- Added --require parameter to create-project to add new packages to the project as it gets installed (#12738)
- Optimized plugin autoloading by avoiding regenerating classmaps for every package per plugin (#12696)
- Optimized PoolOptimizer memory usage (#12783)
- Optimized classmap dumping performance
- Deprecated most of the audit config in favor of the new policy one (#12804, see #12786 for the RFC and upgrade docs)
- Fixed update --bump-after-update to only bump packages that actually were updated (#12733)
- Fixed GitHub API authentication errors not being visible to the user (#12737)
- Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
- Fixed warning being shown when lock file is disabled (#12760)
- Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
- Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
- Fixed audit command returning a success code when the vendor dir was not present (#12880)
composer-2.10.1-1.el10_3
- composer-2.10.1-1.el10_3
- Security: Fixed shell escaping when opening an editor (#12903)
- Security: Verify backup phar signature before restoring it when using self-update --rollback (#12918)
- Fixed source-fallback also disabling fallbacks to dist install when source is the preferred install method (#12888)
- Fixed source -> dist package updates wiping the .git dir without checking for local changes first (#12912)
- Fixed GitHub token prompt happening multiple times on parallel auth failures (#12913)
- Fixed warnings from Composer repositories being printed twice in some cases (#12907)
Read the Composer 2.10 Release Announcement for more details on the release highlights.
Full Changelog
- BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this talk to us as we plan to remove it entirely in 2.11 (#12885)
- BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the audit (#12881)
- Security: Added dependency policies to block package versions where malware was detected on update/install or report it with audit (#12786)
- Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
- Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#12884)
- Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3)
- Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77)
- Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
- Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)
- Added --strict-psr-autoloader flag to install and update commands (#12647)
- Added source-fallback config option to disable or enable source fallback on download failure (#12698)
- Added --require parameter to create-project to add new packages to the project as it gets installed (#12738)
- Optimized plugin autoloading by avoiding regenerating classmaps for every package per plugin (#12696)
- Optimized PoolOptimizer memory usage (#12783)
- Optimized classmap dumping performance
- Deprecated most of the audit config in favor of the new policy one (#12804, see #12786 for the RFC and upgrade docs)
- Fixed update --bump-after-update to only bump packages that actually were updated (#12733)
- Fixed GitHub API authentication errors not being visible to the user (#12737)
- Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
- Fixed warning being shown when lock file is disabled (#12760)
- Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
- Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
- Fixed audit command returning a success code when the vendor dir was not present (#12880)
composer-2.10.1-1.fc44
- composer-2.10.1-1.fc44
- Security: Fixed shell escaping when opening an editor (#12903)
- Security: Verify backup phar signature before restoring it when using self-update --rollback (#12918)
- Fixed source-fallback also disabling fallbacks to dist install when source is the preferred install method (#12888)
- Fixed source -> dist package updates wiping the .git dir without checking for local changes first (#12912)
- Fixed GitHub token prompt happening multiple times on parallel auth failures (#12913)
- Fixed warnings from Composer repositories being printed twice in some cases (#12907)
Read the Composer 2.10 Release Announcement for more details on the release highlights.
Full Changelog
- BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this talk to us as we plan to remove it entirely in 2.11 (#12885)
- BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the audit (#12881)
- Security: Added dependency policies to block package versions where malware was detected on update/install or report it with audit (#12786)
- Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
- Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#12884)
- Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3)
- Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77)
- Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
- Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)
- Added --strict-psr-autoloader flag to install and update commands (#12647)
- Added source-fallback config option to disable or enable source fallback on download failure (#12698)
- Added --require parameter to create-project to add new packages to the project as it gets installed (#12738)
- Optimized plugin autoloading by avoiding regenerating classmaps for every package per plugin (#12696)
- Optimized PoolOptimizer memory usage (#12783)
- Optimized classmap dumping performance
- Deprecated most of the audit config in favor of the new policy one (#12804, see #12786 for the RFC and upgrade docs)
- Fixed update --bump-after-update to only bump packages that actually were updated (#12733)
- Fixed GitHub API authentication errors not being visible to the user (#12737)
- Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
- Fixed warning being shown when lock file is disabled (#12760)
- Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
- Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
- Fixed audit command returning a success code when the vendor dir was not present (#12880)
chezmoi-2.70.5-1.fc44
- chezmoi-2.70.5-1.fc44
Update to 2.70.5
chezmoi-2.70.5-1.el10_2
- chezmoi-2.70.5-1.el10_2
Update to 2.70.5
chezmoi-2.70.5-1.el9
- chezmoi-2.70.5-1.el9
Update to 2.70.5
chezmoi-2.70.5-1.el10_3
- chezmoi-2.70.5-1.el10_3
Update to 2.70.5
libinput-1.31.3-1.fc44
- libinput-1.31.3-1.fc44
libinput 1.31.3, fixes a udev property inject via uinput devices that can lead to local privilege escalation
weasyprint-69.0-1.fc43
- weasyprint-69.0-1.fc43
New upstream version which also includes a security update (CVE-2026-49452).
weasyprint-69.0-1.fc44
- weasyprint-69.0-1.fc44
New upstream version which also includes a security update (CVE-2026-49452).