Aggregator

USN-8385-1: Robocode vulnerabilities

4 days 15 hours ago
It was discovered that Robocode could be tricked into making network requests to attacker-controlled systems. An attacker could possibly use this issue to cause external service interaction, resulting in information disclosure. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-10648)

Lim Sim Yee discovered that Robocode did not properly validate file paths in the CacheCleaner component. An attacker could possibly use this issue to delete arbitrary files. (CVE-2025-14306)

Lim Sim Yee discovered that Robocode did not securely create temporary files in the AutoExtract component. An attacker could possibly use this issue to manipulate temporary files, resulting in arbitrary code execution. (CVE-2025-14307)

Lim Sim Yee discovered that Robocode did not properly validate data lengths in the Buffer class. An attacker could possibly use this issue to trigger an integer overflow, resulting in arbitrary code execution. (CVE-2025-14308)

python-python-multipart-0.0.31-1.el10_2

4 days 16 hours ago
FEDORA-EPEL-2026-4dc7d2c6bb Packages in this update:
  • python-python-multipart-0.0.31-1.el10_2
Update description:

0.0.31 (2026-06-04)
  • Speed up multipart header parsing and callback dispatch.
  • Bound header field name size before validating.
  • Validate Content-Length is non-negative in parse_form.

Fixes security issues GHSA-v9pg-7xvm-68hf, GHSA-5rvq-cxj2-64vf, GHSA-6jv3-5f52-599m, and GHSA-vffw-93wf-4j4q.

0.0.30 (2026-05-31)
  • Parse application/x-www-form-urlencoded bodies per the WHATWG URL standard, treating only & as a field separator.
  • Ignore RFC 2231/5987 extended parameters (name*, filename*) in parse_options_header, keeping the plain parameter authoritative per RFC 7578 §4.2.

python-python-multipart-0.0.31-1.el10_3

4 days 16 hours ago
FEDORA-EPEL-2026-63f4d4a3b2 Packages in this update:
  • python-python-multipart-0.0.31-1.el10_3
Update description:

0.0.31 (2026-06-04)

0.0.30 (2026-05-31)
  • Parse application/x-www-form-urlencoded bodies per the WHATWG URL standard, treating only & as a field separator.
  • Ignore RFC 2231/5987 extended parameters (name*, filename*) in parse_options_header, keeping the plain parameter authoritative per RFC 7578 §4.2.

python-python-multipart-0.0.31-1.fc43

4 days 16 hours ago
FEDORA-2026-4d81c2ff49 Packages in this update:
  • python-python-multipart-0.0.31-1.fc43
Update description: identical to the python-python-multipart-0.0.31-1.el10_2 entry above.

python-python-multipart-0.0.31-1.fc44

4 days 17 hours ago
FEDORA-2026-c7869a8216 Packages in this update:
  • python-python-multipart-0.0.31-1.fc44
Update description: identical to the python-python-multipart-0.0.31-1.el10_2 entry above.

webkitgtk-2.52.4-1.fc44

4 days 17 hours ago
FEDORA-2026-a63aad0224 Packages in this update:
  • webkitgtk-2.52.4-1.fc44
Update description:
  • Add support for half-width fonts.
  • Improve content filter compilation by avoiding file copies.
  • Improve handling of out of disk space conditions when the NetworkProcess tried to write data in caches.
  • Fix painting scrollbars when their width changes.
  • Fix playback of certain YouTube videos with low frame rates.
  • Fix webkit://gpu not working in systems where neither libGL.so.1 nor libOpenGL.so.0 are available.
  • Fix several crashes and rendering issues.
  • Security fixes: CVE-2026-28847, CVE-2026-28883, CVE-2026-28901, CVE-2026-28902, CVE-2026-28903, CVE-2026-28904, CVE-2026-28905, CVE-2026-28907, CVE-2026-28942, CVE-2026-28946, CVE-2026-28947, CVE-2026-28953, CVE-2026-28955, CVE-2026-28958, CVE-2026-43658, CVE-2026-43660

webkitgtk-2.52.4-1.fc43

4 days 17 hours ago
FEDORA-2026-1557aaef26 Packages in this update:
  • webkitgtk-2.52.4-1.fc43
Update description: identical to the webkitgtk-2.52.4-1.fc44 entry above.

USN-8384-1: Apache HTTP Server vulnerability

4 days 17 hours ago
It was discovered that Apache HTTP Server incorrectly handled certain cookie headers in the HTTP/2 implementation. A remote attacker could possibly use this issue to cause Apache HTTP Server to consume excessive resources, resulting in a denial of service.

composer-2.10.1-1.fc43

4 days 20 hours ago
FEDORA-2026-4308b5fc39 Packages in this update:
  • composer-2.10.1-1.fc43
Update description:

Version 2.10.1 - 2026-06-04
  • Security: Fixed shell escaping when opening an editor (#12903)
  • Security: Verify backup phar signature before restoring it when using self-update --rollback (#12918)
  • Fixed source-fallback also disabling fallbacks to dist install when source is the preferred install method (#12888)
  • Fixed source -> dist package updates wiping the .git dir without checking for local changes first (#12912)
  • Fixed GitHub token prompt happening multiple times on parallel auth failures (#12913)
  • Fixed warnings from Composer repositories being printed twice in some cases (#12907)
Version 2.10.0

Read the Composer 2.10 Release Announcement for more details on the release highlights.

Full Changelog

  • BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails. We have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this, talk to us, as we plan to remove it entirely in 2.11 (#12885)
  • BC Break: Minor break for audit consumers: the exit code is now always 0 (success) or 1 if anything failed the audit (#12881)
  • Security: Added dependency policies to block package versions where malware was detected on update/install or report it with audit (#12786)
  • Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
  • Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#12884)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77)
  • Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
  • Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)
  • Added --strict-psr-autoloader flag to install and update commands (#12647)
  • Added source-fallback config option to disable or enable source fallback on download failure (#12698)
  • Added --require parameter to create-project to add new packages to the project as it gets installed (#12738)
  • Optimized plugin autoloading by avoiding regenerating classmaps for every package per plugin (#12696)
  • Optimized PoolOptimizer memory usage (#12783)
  • Optimized classmap dumping performance
  • Deprecated most of the audit config in favor of the new policy one (#12804, see #12786 for the RFC and upgrade docs)
  • Fixed update --bump-after-update to only bump packages that actually were updated (#12733)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
  • Fixed warning being shown when lock file is disabled (#12760)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed audit command returning a success code when the vendor dir was not present (#12880)

composer-2.10.1-1.el9

4 days 20 hours ago
FEDORA-EPEL-2026-5497484804 Packages in this update:
  • composer-2.10.1-1.el9
Update description: identical to the composer-2.10.1-1.fc43 entry above.

composer-2.10.1-1.el10_2

4 days 20 hours ago
FEDORA-EPEL-2026-15368435dd Packages in this update:
  • composer-2.10.1-1.el10_2
Update description: identical to the composer-2.10.1-1.fc43 entry above.

composer-2.10.1-1.el10_3

4 days 20 hours ago
FEDORA-EPEL-2026-30ff6c2325 Packages in this update:
  • composer-2.10.1-1.el10_3
Update description: identical to the composer-2.10.1-1.fc43 entry above.

composer-2.10.1-1.fc44

4 days 20 hours ago
FEDORA-2026-9b34a78e81 Packages in this update:
  • composer-2.10.1-1.fc44
Update description: identical to the composer-2.10.1-1.fc43 entry above.

libinput-1.31.3-1.fc44

4 days 21 hours ago
FEDORA-2026-5e2446b30f Packages in this update:
  • libinput-1.31.3-1.fc44
Update description:

libinput 1.31.3 fixes a udev property injection via uinput devices that can lead to local privilege escalation.