Fedora Security Advisories

• uriparser-1.0.0-1.fc42

Update to uriparser-1.0.0, fixes CVE-2025-67899.

• uriparser-1.0.0-1.fc43

Update to uriparser-1.0.0, fixes CVE-2025-67899.

• php-8.4.16-1.fc42

PHP version 8.4.16 (18 Dec 2025)

Core:

• Sync all boost.context files with release 1.86.0. (mvorisek)
• Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument passing to variadic parameter). (ndossche)
• Fixed bug GH-20286 (use-after-destroy during userland stream_close()). (ndossche, David Carlier)

Bz2:

• Fix assertion failures resulting in crashes with stream filter object parameters. (ndossche)

Date:

• Fix crashes when trying to instantiate uninstantiable classes via date static constructors. (ndossche)

DOM:

• Fix memory leak when edge case is hit when registering xpath callback. (ndossche)
• Fixed bug GH-20395 (querySelector and querySelectorAll requires elements in $selectors to be lowercase). (ndossche)
• Fix missing NUL byte check on C14NFile(). (ndossche)

Fibers:

• Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI small value). (David Carlier)

FTP:

• Fixed bug GH-20601 (ftp_connect overflow on timeout). (David Carlier)

GD:

• Fixed bug GH-20511 (imagegammacorrect out of range input/output values). (David Carlier)
• Fixed bug GH-20602 (imagescale overflow with large height values). (David Carlier)

Intl:

• Fixed bug GH-20426 (Spoofchecker::setRestrictionLevel() error message suggests missing constants). (DanielEScherzer)

LibXML:

• Fix some deprecations on newer libxml versions regarding input buffer/parser handling. (ndossche)

MbString:

• Fixed bug GH-20491 (SLES15 compile error with mbstring oniguruma). (ndossche)
• Fixed bug GH-20492 (mbstring compile warning due to non-strings). (ndossche)

MySQLnd:

• Fixed bug GH-20528 (Regression breaks mysql connexion using an IPv6 address enclosed in square brackets). (Remi)

Opcache:

• Fixed bug GH-20329 (opcache.file_cache broken with full interned string buffer). (Arnaud)

PDO:

• Fixed GHSA-8xr5-qppj-gvwj (PDO quoting result null deref). (CVE-2025-14180) (Jakub Zelenka)

Phar:

• Fixed bug GH-20442 (Phar does not respect case-insensitiveness of __halt_compiler() when reading stub). (ndossche, TimWolla)
• Fix broken return value of fflush() for phar file entries. (ndossche)
• Fix assertion failure when fseeking a phar file out of bounds. (ndossche)

PHPDBG:

• Fixed ZPP type violation in phpdbg_get_executable() and phpdbg_end_oplog(). (Girgias)

SPL:

• Fixed bug GH-20614 (SplFixedArray incorrectly handles references in deserialization). (ndossche)

Standard:

• Fix memory leak in array_diff() with custom type checks. (ndossche)
• Fixed bug GH-20583 (Stack overflow in http_build_query via deep structures). (ndossche)
• Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()). (ndossche)
• Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). (CVE-2025-14178) (ndossche)
• Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). (CVE-2025-14177) (ndossche)

Tidy:

• Fixed bug GH-20374 (PHP with tidy and custom-tags). (ndossche)

XML:

• Fixed bug GH-20439 (xml_set_default_handler() does not properly handle special characters in attributes when passing data to callback). (ndossche)

Zlib:

• Fix assertion failures resulting in crashes with stream filter object parameters. (ndossche)

• php-8.4.16-1.fc43

PHP version 8.4.16 (18 Dec 2025)

Core:

• Sync all boost.context files with release 1.86.0. (mvorisek)
• Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument passing to variadic parameter). (ndossche)
• Fixed bug GH-20286 (use-after-destroy during userland stream_close()). (ndossche, David Carlier)

Bz2:

• Fix assertion failures resulting in crashes with stream filter object parameters. (ndossche)

Date:

• Fix crashes when trying to instantiate uninstantiable classes via date static constructors. (ndossche)

DOM:

• Fix memory leak when edge case is hit when registering xpath callback. (ndossche)
• Fixed bug GH-20395 (querySelector and querySelectorAll requires elements in $selectors to be lowercase). (ndossche)
• Fix missing NUL byte check on C14NFile(). (ndossche)

Fibers:

• Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI small value). (David Carlier)

FTP:

• Fixed bug GH-20601 (ftp_connect overflow on timeout). (David Carlier)

GD:

• Fixed bug GH-20511 (imagegammacorrect out of range input/output values). (David Carlier)
• Fixed bug GH-20602 (imagescale overflow with large height values). (David Carlier)

Intl:

• Fixed bug GH-20426 (Spoofchecker::setRestrictionLevel() error message suggests missing constants). (DanielEScherzer)

LibXML:

• Fix some deprecations on newer libxml versions regarding input buffer/parser handling. (ndossche)

MbString:

• Fixed bug GH-20491 (SLES15 compile error with mbstring oniguruma). (ndossche)
• Fixed bug GH-20492 (mbstring compile warning due to non-strings). (ndossche)

MySQLnd:

• Fixed bug GH-20528 (Regression breaks mysql connexion using an IPv6 address enclosed in square brackets). (Remi)

Opcache:

• Fixed bug GH-20329 (opcache.file_cache broken with full interned string buffer). (Arnaud)

PDO:

• Fixed GHSA-8xr5-qppj-gvwj (PDO quoting result null deref). (CVE-2025-14180) (Jakub Zelenka)

Phar:

• Fixed bug GH-20442 (Phar does not respect case-insensitiveness of __halt_compiler() when reading stub). (ndossche, TimWolla)
• Fix broken return value of fflush() for phar file entries. (ndossche)
• Fix assertion failure when fseeking a phar file out of bounds. (ndossche)

PHPDBG:

• Fixed ZPP type violation in phpdbg_get_executable() and phpdbg_end_oplog(). (Girgias)

SPL:

• Fixed bug GH-20614 (SplFixedArray incorrectly handles references in deserialization). (ndossche)

Standard:

• Fix memory leak in array_diff() with custom type checks. (ndossche)
• Fixed bug GH-20583 (Stack overflow in http_build_query via deep structures). (ndossche)
• Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()). (ndossche)
• Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). (CVE-2025-14178) (ndossche)
• Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). (CVE-2025-14177) (ndossche)

Tidy:

• Fixed bug GH-20374 (PHP with tidy and custom-tags). (ndossche)

XML:

• Fixed bug GH-20439 (xml_set_default_handler() does not properly handle special characters in attributes when passing data to callback). (ndossche)

Zlib:

• Fix assertion failures resulting in crashes with stream filter object parameters. (ndossche)

• webkitgtk-2.50.4-1.fc43

• Correctly handle the program name passed to the sleep disabler.
• Ensure GStreamer is initialized before using the Quirks.
• Fix several crashes and rendering issues.
• Fix CVE-2025-14174, CVE-2025-43501, CVE-2025-43529, CVE-2025-43531, CVE-2025-43535, CVE-2025-43536, CVE-2025-43541

• webkitgtk-2.50.4-1.fc42

• Correctly handle the program name passed to the sleep disabler.
• Ensure GStreamer is initialized before using the Quirks.
• Fix several crashes and rendering issues.
• Fix CVE-2025-14174, CVE-2025-43501, CVE-2025-43529, CVE-2025-43531, CVE-2025-43535, CVE-2025-43536, CVE-2025-43541

• golang-github-facebook-time-0^20251216git61f7510-2.el9

Update logrus for https://access.redhat.com/security/cve/cve-2025-65637

• golang-github-facebook-time-0^20251216git61f7510-2.fc43

Update logrus for https://access.redhat.com/security/cve/cve-2025-65637

• golang-github-facebook-time-0^20251216git61f7510-2.el10_1

Update logrus for https://access.redhat.com/security/cve/cve-2025-65637

• golang-github-facebook-time-0^20251216git61f7510-2.el10_2

Update logrus for https://access.redhat.com/security/cve/cve-2025-65637

• golang-github-facebook-time-0^20251216git61f7510-2.fc42

Update logrus for https://access.redhat.com/security/cve/cve-2025-65637

• NetworkManager-1.54.3-2.fc43

Update to 1.54.3 Partially fixes CVE-2025-9615. To protect totally from it, see: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2325.

Update to 1.54.3 Partially fixes CVE-2025-9615. To protect totally from it, see: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2325.

• roundcubemail-1.5.12-1.el9

• Fix Cross-Site-Scripting vulnerability via SVG's animate tag
• Fix Information Disclosure vulnerability in the HTML style sanitizer

• roundcubemail-1.6.12-1.fc42

• Support IPv6 in database DSN (#9937)
• Don't force specific error_reporting setting
• Fix compatibility with PHP 8.5 regarding array_first()
• Remove X-XSS-Protection example from .htaccess file (#9875)
• Fix "Assign to group" action state after creation of a first group (#9889)
• Fix bug where contacts search would fail if contactlist_fields contained vcard fields (#9850)
• Fix bug where an mbox export file could include inconsistent message delimiters (#9879)
• Fix parsing of inline styles that aren't well-formatted (#9948)
• Fix Cross-Site-Scripting vulnerability via SVG's animate tag
• Fix Information Disclosure vulnerability in the HTML style sanitizer

• roundcubemail-1.6.12-1.fc43

• Support IPv6 in database DSN (#9937)
• Don't force specific error_reporting setting
• Fix compatibility with PHP 8.5 regarding array_first()
• Remove X-XSS-Protection example from .htaccess file (#9875)
• Fix "Assign to group" action state after creation of a first group (#9889)
• Fix bug where contacts search would fail if contactlist_fields contained vcard fields (#9850)
• Fix bug where an mbox export file could include inconsistent message delimiters (#9879)
• Fix parsing of inline styles that aren't well-formatted (#9948)
• Fix Cross-Site-Scripting vulnerability via SVG's animate tag
• Fix Information Disclosure vulnerability in the HTML style sanitizer

• roundcubemail-1.6.12-1.el10_2

• Support IPv6 in database DSN (#9937)
• Don't force specific error_reporting setting
• Fix compatibility with PHP 8.5 regarding array_first()
• Remove X-XSS-Protection example from .htaccess file (#9875)
• Fix "Assign to group" action state after creation of a first group (#9889)
• Fix bug where contacts search would fail if contactlist_fields contained vcard fields (#9850)
• Fix bug where an mbox export file could include inconsistent message delimiters (#9879)
• Fix parsing of inline styles that aren't well-formatted (#9948)
• Fix Cross-Site-Scripting vulnerability via SVG's animate tag
• Fix Information Disclosure vulnerability in the HTML style sanitizer

• roundcubemail-1.6.12-1.el10_1

• Support IPv6 in database DSN (#9937)
• Don't force specific error_reporting setting
• Fix compatibility with PHP 8.5 regarding array_first()
• Remove X-XSS-Protection example from .htaccess file (#9875)
• Fix "Assign to group" action state after creation of a first group (#9889)
• Fix bug where contacts search would fail if contactlist_fields contained vcard fields (#9850)
• Fix bug where an mbox export file could include inconsistent message delimiters (#9879)
• Fix parsing of inline styles that aren't well-formatted (#9948)
• Fix Cross-Site-Scripting vulnerability via SVG's animate tag
• Fix Information Disclosure vulnerability in the HTML style sanitizer

• util-linux-2.40.4-8.fc42

• fix setpwnam() buffer use [CVE-2025-14104]
• libblkid: use snprintf() instead of sprintf()

• util-linux-2.41.3-7.fc43

upstream stable upgrade from 2.41.1 to 2.41.3 (CVE-2025-14104 and other issues)

• NetworkManager-1.54.3-1.fc43

Update to 1.54.3 Partially fixes CVE-2025-9615. To protect totally from it, see: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2325.