Fedora Security Advisories

FEDORA-EPEL-2026-ea9af18b11 Packages in this update:

• strongswan-6.0.6-1.el9

Update description:

Update to 6.0.6 to fix CVE-2026-35328, CVE-2026-35329, CVE-2026-35330, CVE-2026-35331, CVE-2026-35332, CVE-2026-35333, CVE-2026-35334, CVE-2026-25075, CVE-2025-9615, CVE-2025-62291

FEDORA-2026-ecfadb29a1 Packages in this update:

• rust-sequoia-cert-store-0.7.3-1.fc43
• rust-sequoia-chameleon-gnupg-0.13.1-13.fc43
• rust-sequoia-octopus-librnp-1.11.1-7.fc43
• rust-sequoia-sop-0.37.3-4.fc43
• rust-sequoia-sq-1.3.1-12.fc43
• rust-sequoia-wot-0.15.2-1.fc43

Update description:

• Update the sequoia-wot crate to version 0.15.2.
• Update the sequoia-keystore crate to version 0.7.3.

This includes a rebuild of all dependent applications to address three low-severity security vulnerabilities in sequoia-wot:

• https://gitlab.com/sequoia-pgp/sequoia-wot/-/commit/77605b2f
• https://gitlab.com/sequoia-pgp/sequoia-wot/-/commit/81210321
• https://gitlab.com/sequoia-pgp/sequoia-wot/-/commit/dd2ffb50

FEDORA-2026-5c5f4f40a4 Packages in this update:

• rust-sequoia-cert-store-0.7.3-1.fc44
• rust-sequoia-chameleon-gnupg-0.13.1-13.fc44
• rust-sequoia-octopus-librnp-1.11.1-7.fc44
• rust-sequoia-sop-0.37.3-4.fc44
• rust-sequoia-sq-1.3.1-12.fc44
• rust-sequoia-wot-0.15.2-1.fc44

Update description:

• Update the sequoia-wot crate to version 0.15.2.
• Update the sequoia-keystore crate to version 0.7.3.

This includes a rebuild of all dependent applications to address three low-severity security vulnerabilities in sequoia-wot:

• https://gitlab.com/sequoia-pgp/sequoia-wot/-/commit/77605b2f
• https://gitlab.com/sequoia-pgp/sequoia-wot/-/commit/81210321
• https://gitlab.com/sequoia-pgp/sequoia-wot/-/commit/dd2ffb50

FEDORA-2026-4a6b728056 Packages in this update:

• dolphin-emu-2503a-16.fc45

Update description:

Automatic update for dolphin-emu-2503a-16.fc45.

Changelog * Wed May 27 2026 Jeremy Newton <alexjnewt@hotmail.com> - 2503a-16 - Fix RHBZ#2454084

FEDORA-EPEL-2026-9b6d13e4b9 Packages in this update:

• strongswan-6.0.6-1.el10_3

Update description:

Fixes CVE-2026-35328, CVE-2026-35329, CVE-2026-35330, CVE-2026-35331, CVE-2026-35332, CVE-2026-35333, CVE-2026-35334, CVE-2026-25075, CVE-2025-9615, CVE-2025-62291

FEDORA-2026-bc20b091a8 Packages in this update:

• kernel-7.0.10-201.fc44

Update description:

The 7.0.10-101/201 stable kernel updates contain a number of important fixes across the tree.

FEDORA-2026-146d86eefc Packages in this update:

• kernel-7.0.10-101.fc43

Update description:

The 7.0.10-101/201 stable kernel updates contain a number of important fixes across the tree.

FEDORA-2026-f2c746ff8e Packages in this update:

• perl-Crypt-Argon2-0.031-1.fc43
• perl-Dist-Build-0.028-1.fc43
• perl-ExtUtils-Builder-0.020-1.fc43
• perl-ExtUtils-Builder-Compiler-0.036-1.fc43

Update description:

Update to 0.031 #2477035 #2481131 fixes CVE-2026-8463

FEDORA-2026-dafdad8fd3 Packages in this update:

• perl-Crypt-Argon2-0.031-1.fc44
• perl-Dist-Build-0.028-1.fc44
• perl-ExtUtils-Builder-0.020-1.fc44
• perl-ExtUtils-Builder-Compiler-0.036-1.fc44

Update description:

Update to 0.031 #2477035 #2481131 fixes CVE-2026-8463

FEDORA-2026-5d15cef372 Packages in this update:

• perl-Crypt-Argon2-0.031-1.fc45
• perl-Dist-Build-0.028-1.fc45
• perl-ExtUtils-Builder-0.020-1.fc45
• perl-ExtUtils-Builder-Compiler-0.036-1.fc45

Update description:

Update perl-Crypt-Argon2 to 0.031 #2477035 #2481131 fixes CVE-2026-8463

FEDORA-2026-e5d5fc359d Packages in this update:

• pie-1.4.5-1.fc44

Update description: Version 1.4.5

This release contains vulnerability fixes for the following security advisories:

• GHSA-h842-vjwg-pxxx - Sudo-elevated arbitrary file deletion via extra.pie-installed-binary metadata in UninstallUsingUnlink
• GHSA-pm6p-666q-hvj5 - Sudo-elevated root code execution via TOCTOU between self-update verify and write
• GHSA-f67f-c344-cqqr - PIE self-update accepts any historically-attested pie.phar (rollback gap)
• GHSA-vcv4-gmjc-mxvq - php-ext.build-path traversal escapes PIE's vendor extract directory
• GHSA-8xmh-xrvp-hwrf - WindowsInstall::copyExtraFile lacks destination containment check (Windows-only path traversal)
• GHSA-p4j8-36rr-gjfq - Self-update attestation verification is scoped to --owner=php, not --repo=php/pie

FEDORA-EPEL-2026-4114f4323c Packages in this update:

• pie-1.4.5-1.el10_2

Update description: Version 1.4.5

This release contains vulnerability fixes for the following security advisories:

• GHSA-h842-vjwg-pxxx - Sudo-elevated arbitrary file deletion via extra.pie-installed-binary metadata in UninstallUsingUnlink
• GHSA-pm6p-666q-hvj5 - Sudo-elevated root code execution via TOCTOU between self-update verify and write
• GHSA-f67f-c344-cqqr - PIE self-update accepts any historically-attested pie.phar (rollback gap)
• GHSA-vcv4-gmjc-mxvq - php-ext.build-path traversal escapes PIE's vendor extract directory
• GHSA-8xmh-xrvp-hwrf - WindowsInstall::copyExtraFile lacks destination containment check (Windows-only path traversal)
• GHSA-p4j8-36rr-gjfq - Self-update attestation verification is scoped to --owner=php, not --repo=php/pie

FEDORA-EPEL-2026-e9a72cc7ed Packages in this update:

• pie-1.4.5-1.el10_3

Update description: Version 1.4.5

This release contains vulnerability fixes for the following security advisories:

• GHSA-h842-vjwg-pxxx - Sudo-elevated arbitrary file deletion via extra.pie-installed-binary metadata in UninstallUsingUnlink
• GHSA-pm6p-666q-hvj5 - Sudo-elevated root code execution via TOCTOU between self-update verify and write
• GHSA-f67f-c344-cqqr - PIE self-update accepts any historically-attested pie.phar (rollback gap)
• GHSA-vcv4-gmjc-mxvq - php-ext.build-path traversal escapes PIE's vendor extract directory
• GHSA-8xmh-xrvp-hwrf - WindowsInstall::copyExtraFile lacks destination containment check (Windows-only path traversal)
• GHSA-p4j8-36rr-gjfq - Self-update attestation verification is scoped to --owner=php, not --repo=php/pie

FEDORA-2026-b2fe14ec86 Packages in this update:

• pie-1.4.5-1.fc43

Update description: Version 1.4.5

This release contains vulnerability fixes for the following security advisories:

• GHSA-h842-vjwg-pxxx - Sudo-elevated arbitrary file deletion via extra.pie-installed-binary metadata in UninstallUsingUnlink
• GHSA-pm6p-666q-hvj5 - Sudo-elevated root code execution via TOCTOU between self-update verify and write
• GHSA-f67f-c344-cqqr - PIE self-update accepts any historically-attested pie.phar (rollback gap)
• GHSA-vcv4-gmjc-mxvq - php-ext.build-path traversal escapes PIE's vendor extract directory
• GHSA-8xmh-xrvp-hwrf - WindowsInstall::copyExtraFile lacks destination containment check (Windows-only path traversal)
• GHSA-p4j8-36rr-gjfq - Self-update attestation verification is scoped to --owner=php, not --repo=php/pie

FEDORA-2026-1151ae6bdf Packages in this update:

• libcaca-0.99-0.83.beta20.fc45

Update description:

Automatic update for libcaca-0.99-0.83.beta20.fc45.

Changelog * Tue May 26 2026 Xavier Bachelot <xavier@bachelot.org> - 0.99-0.83.beta20 - Fix CVE-2026-42046 (RHBZ#2475408)

FEDORA-2026-3e75b379d4 Packages in this update:

• jpegxl-0.11.2-1.fc43

Update description:

Update to version 0.11.2. Resolves CVE-2025-12474 and CVE-2026-1837.

Release notes: https://github.com/libjxl/libjxl/releases/tag/v0.11.2

FEDORA-2026-aa2e960a9f Packages in this update:

• jpegxl-0.11.2-1.fc44

Update description:

Update to version 0.11.2. Resolves CVE-2025-12474 and CVE-2026-1837.

Release notes: https://github.com/libjxl/libjxl/releases/tag/v0.11.2

FEDORA-2026-28afc9a105 Packages in this update:

• hplip-3.26.4-2.fc43

Update description:

Update to 3.26.4, fixes CVE-2026-8631, CVE-2026-8632

FEDORA-2026-a109a9ac2c Packages in this update:

• libpng-1.6.58-1.fc43

Update description:

• updated to 1.6.58
• 1.6.58 is released with a fix for a simple correctness bug (not a security issue) this time: png_get_PLTE() returns stale palette data when either gamma correction or alpha-compositing is the only transform applied. Like the issues addressed in the previous release, this bug was a regression introduced in the fix for CVE-2026-33416 in 1.6.56.
• 1.6.57 is released with fixes for the following security vulnerability:
• CVE-2026-34757 (medium severity): Use-after-free memory bug in the chunk setter API. The hIST variant has existed since version 1.0.9, but the PLTE and tRNS ones are regressions introduced in the fix for CVE-2026-33416 in 1.6.56 (oops).

FEDORA-2026-9a678a08c8 Packages in this update:

• libpng-1.6.58-1.fc42

Update description:

• updated to 1.6.58
• 1.6.58 is released with a fix for a simple correctness bug (not a security issue) this time: png_get_PLTE() returns stale palette data when either gamma correction or alpha-compositing is the only transform applied. Like the issues addressed in the previous release, this bug was a regression introduced in the fix for CVE-2026-33416 in 1.6.56.
• 1.6.57 is released with fixes for the following security vulnerability:
• CVE-2026-34757 (medium severity): Use-after-free memory bug in the chunk setter API. The hIST variant has existed since version 1.0.9, but the PLTE and tRNS ones are regressions introduced in the fix for CVE-2026-33416 in 1.6.56 (oops).