Fedora Security Advisories

kernel-7.0.4-200.fc44

Fedora Security Advisories
3 hours 13 minutes ago
FEDORA-2026-8cffa03dad Packages in this update:
  • kernel-7.0.4-200.fc44
Update description:

The 7.0.4 stable kernel rebase contains additional hardware support, new features, and a number of important fixes across the tree. It also contains a fix for the dirtyfrag vulnerability. This covers CVE-2026-43284 and CVE-2026-43500. For users who experience a problem with the 7.0.4 rebase, a build of 6.19.14 with just the dirtyfrag fixes should be available in koji shortly.

kernel-7.0.4-100.fc43

Fedora Security Advisories
4 hours 15 minutes ago
FEDORA-2026-abc00fb4e8 Packages in this update:
  • kernel-7.0.4-100.fc43
Update description:

The 7.0.4 stable kernel rebase contains additional hardware support, new features, and a number of important fixes across the tree. It also contains a fix for the dirtyfrag vulnerability. This covers CVE-2026-43284 and CVE-2026-43500. For users who experience a problem with the 7.0.4 rebase, a build of 6.19.14 with just the dirtyfrag fixes should be available in koji shortly.

pypy-7.3.22-2.fc45

Fedora Security Advisories
4 hours 16 minutes ago
FEDORA-2026-b58cd376d6 Packages in this update:
  • pypy-7.3.22-2.fc45
Update description:

Automatic update for pypy-7.3.22-2.fc45.

Changelog * Tue May 5 2026 Charalampos Stratakis <cstratak@redhat.com> - 7.3.22-2 - Security fix for CVE-2026-3219 in the bundled pip wheel - Fixes: rhbz#2461288 * Tue May 5 2026 Charalampos Stratakis <cstratak@redhat.com> - 7.3.22-1 - Update to 7.3.22 - Fixes: rhbz#2463475

kernel-6.19.14-101.fc42

Fedora Security Advisories
4 hours 19 minutes ago
FEDORA-2026-87dc12705e Packages in this update:
  • kernel-6.19.14-101.fc42
Update description:

The 6.19.14-101 stable update contains a fix for the dirtyfrag vulnerability. This covers CVE-2026-43284 and CVE-2026-43500

python-pulp-glue-0.37.0-5.fc43 python-requests-2.33.1-1.fc43

Fedora Security Advisories
6 hours 50 minutes ago
FEDORA-2026-8ad863685a Packages in this update:
  • python-pulp-glue-0.37.0-5.fc43
  • python-requests-2.33.1-1.fc43
Update description: 2.33.1 (2026-03-30)

Bugfixes - Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. - Fixed Content-Type header parsing for malformed values. - Improved error consistency for malformed header values.

2.33.0 (2026-03-25)

Announcements - 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security - CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements - Migrated to a PEP 517 build system using setuptools.

Bugfixes - Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+.

Deprecations - Dropped support for Python 3.9 following its end of support.

Documentation - Various typo fixes and doc improvements.

python-pulp-glue-0.37.0-5.fc44 python-requests-2.33.1-1.fc44

Fedora Security Advisories
6 hours 50 minutes ago
FEDORA-2026-44919b3d9f Packages in this update:
  • python-pulp-glue-0.37.0-5.fc44
  • python-requests-2.33.1-1.fc44
Update description: 2.33.1 (2026-03-30)

Bugfixes - Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. - Fixed Content-Type header parsing for malformed values. - Improved error consistency for malformed header values.

2.33.0 (2026-03-25)

Announcements - 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security - CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements - Migrated to a PEP 517 build system using setuptools.

Bugfixes - Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+.

Deprecations - Dropped support for Python 3.9 following its end of support.

Documentation - Various typo fixes and doc improvements.

python-jupytext-1.19.1-4.fc42

Fedora Security Advisories
19 hours 22 minutes ago
FEDORA-2026-793b55138d Packages in this update:
  • python-jupytext-1.19.1-4.fc42
Update description:

This update contains upgrades to various npm packages used during the build to address CVEs, namely:

  • CVE-2025-69873 (ajv)
  • CVE-2026-0540 (DOMPurify)
  • CVE-2026-3449 (@tootallnate/once)
  • CVE-2026-4800 (lodash)
  • CVE-2026-6321 (fast-uri)
  • CVE-2026-41240 (DOMPurify)

This is probably unimportant since these packages are used at build-time only. They are not shipped with python3-jupytext and therefore do not affect runtime.

python-jupytext-1.19.1-4.fc43

Fedora Security Advisories
19 hours 23 minutes ago
FEDORA-2026-85b819b928 Packages in this update:
  • python-jupytext-1.19.1-4.fc43
Update description:

This update contains upgrades to various npm packages used during the build to address CVEs, namely:

  • CVE-2025-69873 (ajv)
  • CVE-2026-0540 (DOMPurify)
  • CVE-2026-3449 (@tootallnate/once)
  • CVE-2026-4800 (lodash)
  • CVE-2026-6321 (fast-uri)
  • CVE-2026-41240 (DOMPurify)

This is probably unimportant since these packages are used at build-time only. They are not shipped with python3-jupytext and therefore do not affect runtime.

python-jupytext-1.19.1-4.fc44

Fedora Security Advisories
19 hours 24 minutes ago
FEDORA-2026-301cbbe347 Packages in this update:
  • python-jupytext-1.19.1-4.fc44
Update description:

This update contains upgrades to various npm packages used during the build to address CVEs, namely:

  • CVE-2025-69873 (ajv)
  • CVE-2026-0540 (DOMPurify)
  • CVE-2026-3449 (@tootallnate/once)
  • CVE-2026-4800 (lodash)
  • CVE-2026-6321 (fast-uri)
  • CVE-2026-41240 (DOMPurify)

This is probably unimportant since these packages are used at build-time only. They are not shipped with python3-jupytext and therefore do not affect runtime.

php-8.5.6-1.fc44

Fedora Security Advisories
2 days 13 hours ago
FEDORA-2026-c66eaae759 Packages in this update:
  • php-8.5.6-1.fc44
Update description:

PHP version 8.5.6 (07 May 2026)

Core:

  • Fixed bug GH-19983 (GC assertion failure with fibers, generators and destructors). (iliaal)
  • Fixed ZEND_API mismatch on zend_ce_closure forward decl for Windows+Clang. (henderkes)
  • Fixed bug GH-21504 (Incorrect RC-handling for ZEND_EXT_STMT op1). (ilutov)
  • Fixed bug GH-21478 (Forward property operations to real instance for initialized lazy proxies). (iliaal)
  • Fixed bug GH-21605 (Missing addref for Countable::count()). (ilutov)
  • Fixed bug GH-21699 (Assertion failure in shutdown_executor when resolving self::/parent::/static:: callables if the error handler throws). (macoaure)
  • Fixed bug GH-21603 (Missing addref for __unset). (ilutov)
  • Fixed bug GH-21760 (Trait with class constant name conflict against enum case causes SEGV). (Pratik Bhujel)

CLI:

  • Fixed bug GH-21754 (--rf command line option with a method triggers ext/reflection deprecation warnings). (DanielEScherzer)

Curl:

  • Add support for brotli and zstd on Windows. (Shivam Mathur)

DOM:

  • Fixed GHSA-4jhr-8w89-j733 and GH-21566 (Dom\XMLDocument::C14N() emits duplicate xmlns declarations after setAttributeNS()). (CVE-2026-7263) (David Carlier)

FPM:

Iconv:

  • Fixed bug GH-17399 (iconv memory leak on bailout). (iliaal)

Lexbor:

  • Upgrade to lexbor v2.7.0. (CVE-2026-29078, CVE-2026-29079) (ndossche, ilutov)

MBString:

  • Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259) (vi3tL0u1s)
  • Fixed GHSA-74r9-qxhc-fx53 (Out-of-bounds access in mbfl_name2encoding_ex()). (CVE-2026-6104) (ilutov)

Opcache:

  • Fixed bug GH-21158 (JIT: Assertion jit->ra[var].flags & (1<<0) failed in zend_jit_use_reg). (Arnaud)
  • Fixed bug GH-21593 (Borked function JIT JMPNZ smart branch). (ilutov)
  • Fixed bug GH-21460 (COND optimization regression). (Dmitry, Arnaud)
  • Fixed faulty returns out of zend_try block in zend_jit_trace(). (ilutov)

OpenSSL:

  • Fix memory leak regression in openssl_pbkdf2(). (ndossche)
  • Fix a bunch of memory leaks and crashes on edge cases. (ndossche)

PDO_Firebird:

  • Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179) (SakiTakamachi)

PDO_PGSQL:

  • Fixed bug GH-21683 (pdo_pgsql throws with ATTR_PREFETCH=0 on empty result set). (thomasschiet)

Phar:

  • Restore is_link handler in phar_intercept_functions_shutdown. (iliaal)
  • Fixed bug GH-21797 (phar: NULL dereference in Phar::webPhar() when SCRIPT_NAME is absent from SAPI environment). (iliaal)
  • Fix memory leak in Phar::offsetGet(). (iliaal)
  • Fix memory leak in phar_add_file(). (iliaal)
  • Fixed bug GH-21799 (phar: propagate phar_stream_flush return value from phar_stream_close). (iliaal)
  • Fix memory leak in phar_verify_signature() when md_ctx is invalid. (JarneClauw)

Random:

  • Fixed bug GH-21731 (Random\Engine\Xoshiro256StarStar::__unserialize() accepts all-zero state). (iliaal)

Session:

  • Fixed memory leak when session GC callback return a refcounted value. (jorgsowa)

SOAP:

  • Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache Map). (CVE-2026-6722) (ilutov)
  • Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION). (CVE-2026-7261) (ilutov)
  • Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check). (CVE-2026-7262) (ilutov)

SPL:

  • Fixed bug GH-21499 (RecursiveArrayIterator getChildren UAF after parent free). (Girgias)
  • Fix concurrent iteration and deletion issues in SplObjectStorage. (ndossche)

Sqlite3:

  • Fixed wrong free list comparator pointer type. (David Carlier)

Standard:

  • Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset). (CVE-2026-7568) (TimWolla)
  • Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h functions). (CVE-2026-7258) (ilutov)

Streams:

  • Fixed bug GH-21468 (Segfault in file_get_contents w/ a https URL and a proxy set). (ndossche)

php-8.4.21-1.fc43

Fedora Security Advisories
2 days 14 hours ago
FEDORA-2026-c4d1ca4f16 Packages in this update:
  • php-8.4.21-1.fc43
Update description:

PHP version 8.4.21 (07 May 2026)

Core:

  • Fixed bug GH-19983 (GC assertion failure with fibers, generators and destructors). (iliaal)
  • Fixed bug GH-21478 (Forward property operations to real instance for initialized lazy proxies). (iliaal)
  • Fixed bug GH-21605 (Missing addref for Countable::count()). (ilutov)
  • Fixed bug GH-21699 (Assertion failure in shutdown_executor when resolving self::/parent::/static:: callables if the error handler throws). (macoaure)
  • Fixed bug GH-21603 (Missing addref for __unset). (ilutov)
  • Fixed bug GH-21760 (Trait with class constant name conflict against enum case causes SEGV). (Pratik Bhujel)

CLI:

  • Fixed bug GH-21754 (--rf command line option with a method triggers ext/reflection deprecation warnings). (DanielEScherzer)

Curl:

  • Add support for brotli and zstd on Windows. (Shivam Mathur)

DOM:

  • Fixed GHSA-4jhr-8w89-j733 and GH-21566 (Dom\XMLDocument::C14N() emits duplicate xmlns declarations after setAttributeNS()). (CVE-2026-7263) (David Carlier)
  • Fixed bug GH-21688 (segmentation fault on empty HTMLDocument). (David Carlier)
  • Upgrade to lexbor v2.7.0. (CVE-2026-29078, CVE-2026-29079) (ndossche, ilutov)

FPM:

Iconv:

  • Fixed bug GH-17399 (iconv memory leak on bailout). (iliaal)

MBString:

  • Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259) (vi3tL0u1s)
  • Fixed GHSA-74r9-qxhc-fx53 (Out-of-bounds access in mbfl_name2encoding_ex()). (CVE-2026-6104) (ilutov)

Opcache:

  • Fixed bug GH-21158 (JIT: Assertion jit->ra[var].flags & (1<<0) failed in zend_jit_use_reg). (Arnaud)
  • Fixed bug GH-21593 (Borked function JIT JMPNZ smart branch). (ilutov)
  • Fixed bug GH-21460 (COND optimization regression). (Dmitry, Arnaud)
  • Fixed faulty returns out of zend_try block in zend_jit_trace(). (ilutov)

OpenSSL:

  • Fix a bunch of memory leaks and crashes on edge cases. (ndossche)

PDO_Firebird:

  • Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179) (SakiTakamachi)

Phar:

  • Restore is_link handler in phar_intercept_functions_shutdown. (iliaal)
  • Fixed bug GH-21797 (phar: NULL dereference in Phar::webPhar() when SCRIPT_NAME is absent from SAPI environment). (iliaal)
  • Fix memory leak in Phar::offsetGet(). (iliaal)
  • Fix memory leak in phar_add_file(). (iliaal)
  • Fixed bug GH-21799 (phar: propagate phar_stream_flush return value from phar_stream_close). (iliaal)
  • Fix memory leak in phar_verify_signature() when md_ctx is invalid. (JarneClauw)

Random:

  • Fixed bug GH-21731 (Random\Engine\Xoshiro256StarStar::__unserialize() accepts all-zero state). (iliaal)

Session:

  • Fixed memory leak when session GC callback return a refcounted value. (jorgsowa)

SOAP:

  • Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache Map). (CVE-2026-6722) (ilutov)
  • Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION). (CVE-2026-7261) (ilutov)
  • Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check). (CVE-2026-7262) (ilutov)

SPL:

  • Fixed bug GH-21499 (RecursiveArrayIterator getChildren UAF after parent free). (Girgias)
  • Fix concurrent iteration and deletion issues in SplObjectStorage. (ndossche)

Standard:

  • Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset). (CVE-2026-7568) (TimWolla)
  • Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h functions). (CVE-2026-7258) (ilutov)

Streams:

  • Fixed bug GH-21468 (Segfault in file_get_contents w/ a https URL and a proxy set). (ndossche)

XSL:

  • Fixed bug GH-21600 (Segfault on module shutdown). (David Carlier)

php-8.4.21-1.fc42

Fedora Security Advisories
2 days 14 hours ago
FEDORA-2026-3a58db70ca Packages in this update:
  • php-8.4.21-1.fc42
Update description:

PHP version 8.4.21 (07 May 2026)

Core:

  • Fixed bug GH-19983 (GC assertion failure with fibers, generators and destructors). (iliaal)
  • Fixed bug GH-21478 (Forward property operations to real instance for initialized lazy proxies). (iliaal)
  • Fixed bug GH-21605 (Missing addref for Countable::count()). (ilutov)
  • Fixed bug GH-21699 (Assertion failure in shutdown_executor when resolving self::/parent::/static:: callables if the error handler throws). (macoaure)
  • Fixed bug GH-21603 (Missing addref for __unset). (ilutov)
  • Fixed bug GH-21760 (Trait with class constant name conflict against enum case causes SEGV). (Pratik Bhujel)

CLI:

  • Fixed bug GH-21754 (--rf command line option with a method triggers ext/reflection deprecation warnings). (DanielEScherzer)

Curl:

  • Add support for brotli and zstd on Windows. (Shivam Mathur)

DOM:

  • Fixed GHSA-4jhr-8w89-j733 and GH-21566 (Dom\XMLDocument::C14N() emits duplicate xmlns declarations after setAttributeNS()). (CVE-2026-7263) (David Carlier)
  • Fixed bug GH-21688 (segmentation fault on empty HTMLDocument). (David Carlier)
  • Upgrade to lexbor v2.7.0. (CVE-2026-29078, CVE-2026-29079) (ndossche, ilutov)

FPM:

Iconv:

  • Fixed bug GH-17399 (iconv memory leak on bailout). (iliaal)

MBString:

  • Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259) (vi3tL0u1s)
  • Fixed GHSA-74r9-qxhc-fx53 (Out-of-bounds access in mbfl_name2encoding_ex()). (CVE-2026-6104) (ilutov)

Opcache:

  • Fixed bug GH-21158 (JIT: Assertion jit->ra[var].flags & (1<<0) failed in zend_jit_use_reg). (Arnaud)
  • Fixed bug GH-21593 (Borked function JIT JMPNZ smart branch). (ilutov)
  • Fixed bug GH-21460 (COND optimization regression). (Dmitry, Arnaud)
  • Fixed faulty returns out of zend_try block in zend_jit_trace(). (ilutov)

OpenSSL:

  • Fix a bunch of memory leaks and crashes on edge cases. (ndossche)

PDO_Firebird:

  • Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179) (SakiTakamachi)

Phar:

  • Restore is_link handler in phar_intercept_functions_shutdown. (iliaal)
  • Fixed bug GH-21797 (phar: NULL dereference in Phar::webPhar() when SCRIPT_NAME is absent from SAPI environment). (iliaal)
  • Fix memory leak in Phar::offsetGet(). (iliaal)
  • Fix memory leak in phar_add_file(). (iliaal)
  • Fixed bug GH-21799 (phar: propagate phar_stream_flush return value from phar_stream_close). (iliaal)
  • Fix memory leak in phar_verify_signature() when md_ctx is invalid. (JarneClauw)

Random:

  • Fixed bug GH-21731 (Random\Engine\Xoshiro256StarStar::__unserialize() accepts all-zero state). (iliaal)

Session:

  • Fixed memory leak when session GC callback return a refcounted value. (jorgsowa)

SOAP:

  • Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache Map). (CVE-2026-6722) (ilutov)
  • Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION). (CVE-2026-7261) (ilutov)
  • Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check). (CVE-2026-7262) (ilutov)

SPL:

  • Fixed bug GH-21499 (RecursiveArrayIterator getChildren UAF after parent free). (Girgias)
  • Fix concurrent iteration and deletion issues in SplObjectStorage. (ndossche)

Standard:

  • Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset). (CVE-2026-7568) (TimWolla)
  • Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h functions). (CVE-2026-7258) (ilutov)

Streams:

  • Fixed bug GH-21468 (Segfault in file_get_contents w/ a https URL and a proxy set). (ndossche)

XSL:

  • Fixed bug GH-21600 (Segfault on module shutdown). (David Carlier)
Checked
5 minutes 49 seconds ago
URL
https://bodhi.fedoraproject.org/rss/updates/?type=security