Fedora Security Advisories

• mupdf-1.27.1-4.fc43
• python-PyMuPDF-1.27.1-2.fc43
• qpdfview-0.5.0-25.fc43
• zathura-pdf-mupdf-0.4.4-9.fc43

mupdf 1.27.1 and dependencies

• libpng-1.6.55-1.fc42

Version 1.6.54 [January 12, 2026] Fixed CVE-2026-22695 (medium severity): Heap buffer over-read in png_image_read_direct_scaled. Fixed CVE-2026-22801 (medium severity): Integer truncation causing heap buffer over-read in png_image_write_*.

Version 1.6.55 [February 9, 2026] Fixed CVE-2026-25646 (high severity): Heap buffer overflow in png_set_quantize.

• libpng-1.6.55-1.fc43

Version 1.6.54 [January 12, 2026] Fixed CVE-2026-22695 (medium severity): Heap buffer over-read in png_image_read_direct_scaled. Fixed CVE-2026-22801 (medium severity): Integer truncation causing heap buffer over-read in png_image_write_*.

Version 1.6.55 [February 9, 2026] Fixed CVE-2026-25646 (high severity): Heap buffer overflow in png_set_quantize.

• mupdf-1.26.3-5.fc42

fix CVE-2026-25556 (rhbz#2437973)

• rsync-3.4.1-4.fc42

Fix for CVE-2025-10158

• rsync-3.4.1-5.fc43

Fix for CVE-2025-10158

• python-uv-build-0.10.2-1.fc42
• rust-ambient-id-0.0.10-1.fc42
• uv-0.10.2-1.fc42

Update uv and python-uv-build to 0.10.2. There are some minor breaking changes in uv; most users should not have to change anything. See https://github.com/astral-sh/uv/blob/0.10.2/CHANGELOG.md for details. There are no breaking changes to python-uv-build.

• vim-9.1.2146-1.fc42

patchlevel 2146

Security fix for CVE-2026-25749

• vim-9.1.2146-1.fc43

patchlevel 2146

Security fix for CVE-2026-25749

• python3.13-3.13.12-1.fc43

Update to 3.13.12

• python3.13-3.13.12-1.el10_1

Update to 3.13.12

• python3.13-3.13.12-1.fc42
• python3-docs-3.13.12-1.fc42

Update to 3.13.12

• python3.13-3.13.12-1.el10_2

Update to 3.13.12

• python3.13-3.13.12-1.el9

Update to 3.13.12

• mingw-libpng-1.6.55-1.fc42

Update to libpng-1.6.55.

• mingw-libpng-1.6.55-1.fc43

Update to libpng-1.6.55.

• python3.14-3.14.3-1.fc42

New version of the Python interpreter also bringing security fixes.

• 389-ds-base-3.1.4-7.fc43
• python3.14-3.14.3-1.fc43
• python3-docs-3.14.3-1.fc43

• New minor version of the Python interpreter, bringing also security fixes.
• 389-ds-base: Fix system index configuration issues
• 389-ds-base: Fix AttributeError: 'CustomHelpFormatter' object has no attribute '_format_actions_usage'

• roundcubemail-1.6.13-1.el10_2

• Managesieve: Fix handling of string-list format values for date tests in Out of Office (#10075)
• Fix remote image blocking bypass via SVG content reported by nullcathedral
• Fix CSS injection vulnerability reported by CERT Polska

• roundcubemail-1.6.13-1.fc43

• Managesieve: Fix handling of string-list format values for date tests in Out of Office (#10075)
• Fix remote image blocking bypass via SVG content reported by nullcathedral
• Fix CSS injection vulnerability reported by CERT Polska