Fedora 42 Update: cef-145.0.25^chromium145.0.7632.75-4.fc42
Fedora 42 Update: nextcloud-32.0.6-1.fc42
Fedora 42 Update: pgadmin4-9.12-2.fc42
Fedora 43 Update: python3.12-3.12.12-4.fc43
Fedora 43 Update: nextcloud-32.0.6-1.fc43
Fedora 43 Update: pgadmin4-9.12-2.fc43
Fedora 43 Update: cef-145.0.25^chromium145.0.7632.75-4.fc43
Fedora 42 Update: python-django4.2-4.2.28-1.fc42
[SECURITY] Fedora 42 Update: cef-145.0.25^chromium145.0.7632.75-4.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-a48b5f36ec
2026-03-02 00:56:30.545282+00:00
--------------------------------------------------------------------------------
Name : cef
Product : Fedora 42
Version : 145.0.25^chromium145.0.7632.75
Release : 4.fc42
URL : https://bitbucket.org/chromiumembedded/cef
Summary : Chromium Embedded Framework
Description :
CEF is an embeddable build of Chromium, powered by WebKit (Blink).
--------------------------------------------------------------------------------
Update Information:
Update to cef-145.0.25 + chromium 145.0.7632.75
CVE-2026-1861: Heap buffer overflow in libvpx
CVE-2026-1862: Type Confusion in V8
CVE-2026-2313: Use after free in CSS
CVE-2026-2314: Heap buffer overflow in Codecs
CVE-2026-2315: Inappropriate implementation in WebGPU
CVE-2026-2316: Insufficient policy enforcement in Frames
CVE-2026-2317: Inappropriate implementation in Animation
CVE-2026-2318: Inappropriate implementation in PictureInPicture
CVE-2026-2319: Race in DevTools
CVE-2026-2320: Inappropriate implementation in File input
CVE-2026-2321: Use after free in Ozone
CVE-2026-2322: Inappropriate implementation in File input
CVE-2026-2323: Inappropriate implementation in Downloads
CVE-2026-2441: Use after free in CSS
--------------------------------------------------------------------------------
ChangeLog:
* Fri Feb 20 2026 Than Ngo [than@redhat.com] - 145.0.25^chromium145.0.7632.75-1
- Update to 145.0.7632.75
- * CVE-2026-2441: Use after free in CSS
- Fix FTBFS on aarch64/ppc64le caused by missing include file (el9)
- Enable rustc_nightly_capability
* Fri Feb 20 2026 Than Ngo [than@redhat.com] - 145.0.25^chromium145.0.7632.45-1
- Update to 145.0.7632.45
- * CVE-2026-2313: Use after free in CSS
- * CVE-2026-2314: Heap buffer overflow in Codecs
- * CVE-2026-2315: Inappropriate implementation in WebGPU
- * CVE-2026-2316: Insufficient policy enforcement in Frames
- * CVE-2026-2317: Inappropriate implementation in Animation
- * CVE-2026-2318: Inappropriate implementation in PictureInPicture
- * CVE-2026-2319: Race in DevTools
- * CVE-2026-2320: Inappropriate implementation in File input
- * CVE-2026-2321: Use after free in Ozone
- * CVE-2026-2322: Inappropriate implementation in File input
- * CVE-2026-2323: Inappropriate implementation in Downloads
- Hoshino Lina: Update to cef-145.0.25+g265860d
* Fri Feb 20 2026 Than Ngo [than@redhat.com] - 144.0.11^chromium144.0.7559.132-1
- Update to 144.0.7559.132
- * CVE-2026-1861: Heap buffer overflow in libvpx
- * CVE-2026-1862: Type Confusion in V8
- Add BR on esbuild
- Disable devtool bundle
- Update scripts for downloading the source
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-a48b5f36ec' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 42 Update: nextcloud-32.0.6-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-889607c7a0
2026-03-02 00:56:30.545310+00:00
--------------------------------------------------------------------------------
Name : nextcloud
Product : Fedora 42
Version : 32.0.6
Release : 1.fc42
URL : http://nextcloud.com
Summary : Private file sync and share server
Description :
NextCloud gives you universal access to your files through a web interface or
WebDAV. It also provides a platform to easily view & sync your contacts,
calendars and bookmarks across all your devices and enables basic editing right
on the web. NextCloud is extendable via a simple but powerful API for
applications and plugins.
--------------------------------------------------------------------------------
Update Information:
32.0.6 release
--------------------------------------------------------------------------------
ChangeLog:
* Sat Feb 21 2026 Andrew Bauer [zonexpertconsulting@outlook.com] - 32.0.6-1
- 32.0.6 release RHBZ#2440650
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2432927 - CVE-2025-13465 nextcloud: prototype pollution in _.unset and _.omit functions [epel-10]
https://bugzilla.redhat.com/show_bug.cgi?id=2432927
[ 2 ] Bug #2432981 - CVE-2025-13465 nextcloud: prototype pollution in _.unset and _.omit functions [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2432981
[ 3 ] Bug #2433031 - CVE-2025-13465 nextcloud: prototype pollution in _.unset and _.omit functions [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2433031
[ 4 ] Bug #2439004 - CVE-2026-25639 nextcloud: Axios affected by Denial of Service via __proto__ Key in mergeConfig [epel-10]
https://bugzilla.redhat.com/show_bug.cgi?id=2439004
[ 5 ] Bug #2439019 - CVE-2026-25639 nextcloud: Axios affected by Denial of Service via __proto__ Key in mergeConfig [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2439019
[ 6 ] Bug #2439026 - CVE-2026-25639 nextcloud: Axios affected by Denial of Service via __proto__ Key in mergeConfig [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2439026
[ 7 ] Bug #2440650 - nextcloud-33.0.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2440650
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-889607c7a0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 42 Update: pgadmin4-9.12-2.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-9a4d6dd8eb
2026-03-02 00:56:30.545295+00:00
--------------------------------------------------------------------------------
Name : pgadmin4
Product : Fedora 42
Version : 9.12
Release : 2.fc42
URL : https://www.pgadmin.org/
Summary : Administration tool for PostgreSQL
Description :
pgAdmin is the most popular and feature rich Open Source administration and development
platform for PostgreSQL, the most advanced Open Source database in the world.
--------------------------------------------------------------------------------
Update Information:
Refresh vendored bundle; fixes multiple CVEs.
--------------------------------------------------------------------------------
ChangeLog:
* Sat Feb 21 2026 Sandro Mani [manisandro@gmail.com] - 9.12-2
- Refresh vendor bundle, fixes svelte CVEs
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2439021 - CVE-2026-25639 pgadmin4: Axios affected by Denial of Service via __proto__ Key in mergeConfig [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2439021
[ 2 ] Bug #2439027 - CVE-2026-25639 pgadmin4: Axios affected by Denial of Service via __proto__ Key in mergeConfig [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2439027
[ 3 ] Bug #2441546 - CVE-2026-27125 pgadmin4: Svelte SSR attribute spreading includes inherited properties from prototype chain [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2441546
[ 4 ] Bug #2441547 - CVE-2026-27122 pgadmin4: Svelte SSR does not validate dynamic element tag names in `` [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2441547
[ 5 ] Bug #2441548 - CVE-2026-27125 pgadmin4: Svelte SSR attribute spreading includes inherited properties from prototype chain [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2441548
[ 6 ] Bug #2441549 - CVE-2026-27121 pgadmin4: Svelte affected by cross-site scripting via spread attributes in Svelte SSR [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2441549
[ 7 ] Bug #2441550 - CVE-2026-27119 pgadmin4: Svelte affected by XSS in SSR `` element [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2441550
[ 8 ] Bug #2441551 - CVE-2026-27122 pgadmin4: Svelte SSR does not validate dynamic element tag names in `` [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2441551
[ 9 ] Bug #2441552 - CVE-2026-27121 pgadmin4: Svelte affected by cross-site scripting via spread attributes in Svelte SSR [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2441552
[ 10 ] Bug #2441553 - CVE-2026-27119 pgadmin4: Svelte affected by XSS in SSR `` element [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2441553
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-9a4d6dd8eb' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: python3.12-3.12.12-4.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-4e99b7fe5f
2026-03-02 00:40:42.980517+00:00
--------------------------------------------------------------------------------
Name : python3.12
Product : Fedora 43
Version : 3.12.12
Release : 4.fc43
URL : https://www.python.org/
Summary : Version 3.12 of the Python interpreter
Description :
Python 3.12 is an accessible, high-level, dynamically typed, interpreted
programming language, designed with an emphasis on code readability.
It includes an extensive standard library, and has a vast ecosystem of
third-party libraries.
The python3.12 package provides the "python3.12" executable: the reference
interpreter for the Python language, version 3.
The majority of its standard library is provided in the python3.12-libs package,
which should be installed automatically along with python3.12.
The remaining parts of the Python standard library are broken out into the
python3.12-tkinter and python3.12-test packages, which may need to be installed
separately.
Documentation for Python is provided in the python3.12-docs package.
Packages containing additional libraries for Python are generally named with
the "python3.12-" prefix.
--------------------------------------------------------------------------------
Update Information:
Security fixes for CVE-2026-1299, CVE-2026-0865, CVE-2025-15366 and
CVE-2025-15367
--------------------------------------------------------------------------------
ChangeLog:
* Fri Feb 6 2026 Tomáš Hrnčiar [thrnciar@redhat.com] - 3.12.12-4
- Security fixes for CVE-2026-0865, CVE-2025-15366 and CVE-2025-15367
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2431627 - CVE-2025-15366 python3.12: IMAP command injection in user-controlled commands [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2431627
[ 2 ] Bug #2431651 - CVE-2025-15367 python3.12: POP3 command injection in user-controlled commands [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2431651
[ 3 ] Bug #2431830 - CVE-2026-0865 python3.12: wsgiref.headers.Headers allows header newline injection in Python [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2431830
[ 4 ] Bug #2433827 - CVE-2026-1299 python3.12: email header injection due to unquoted newlines [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2433827
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-4e99b7fe5f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: nextcloud-32.0.6-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-ae48fa379e
2026-03-02 00:40:42.980512+00:00
--------------------------------------------------------------------------------
Name : nextcloud
Product : Fedora 43
Version : 32.0.6
Release : 1.fc43
URL : http://nextcloud.com
Summary : Private file sync and share server
Description :
NextCloud gives you universal access to your files through a web interface or
WebDAV. It also provides a platform to easily view & sync your contacts,
calendars and bookmarks across all your devices and enables basic editing right
on the web. NextCloud is extendable via a simple but powerful API for
applications and plugins.
--------------------------------------------------------------------------------
Update Information:
32.0.6 release
--------------------------------------------------------------------------------
ChangeLog:
* Sat Feb 21 2026 Andrew Bauer [zonexpertconsulting@outlook.com] - 32.0.6-1
- 32.0.6 release RHBZ#2440650
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2432927 - CVE-2025-13465 nextcloud: prototype pollution in _.unset and _.omit functions [epel-10]
https://bugzilla.redhat.com/show_bug.cgi?id=2432927
[ 2 ] Bug #2432981 - CVE-2025-13465 nextcloud: prototype pollution in _.unset and _.omit functions [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2432981
[ 3 ] Bug #2433031 - CVE-2025-13465 nextcloud: prototype pollution in _.unset and _.omit functions [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2433031
[ 4 ] Bug #2439004 - CVE-2026-25639 nextcloud: Axios affected by Denial of Service via __proto__ Key in mergeConfig [epel-10]
https://bugzilla.redhat.com/show_bug.cgi?id=2439004
[ 5 ] Bug #2439019 - CVE-2026-25639 nextcloud: Axios affected by Denial of Service via __proto__ Key in mergeConfig [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2439019
[ 6 ] Bug #2439026 - CVE-2026-25639 nextcloud: Axios affected by Denial of Service via __proto__ Key in mergeConfig [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2439026
[ 7 ] Bug #2440650 - nextcloud-33.0.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2440650
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-ae48fa379e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: pgadmin4-9.12-2.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-a0d40b97a8
2026-03-02 00:40:42.980496+00:00
--------------------------------------------------------------------------------
Name : pgadmin4
Product : Fedora 43
Version : 9.12
Release : 2.fc43
URL : https://www.pgadmin.org/
Summary : Administration tool for PostgreSQL
Description :
pgAdmin is the most popular and feature rich Open Source administration and development
platform for PostgreSQL, the most advanced Open Source database in the world.
--------------------------------------------------------------------------------
Update Information:
Refresh vendored bundle; fixes multiple CVEs.
--------------------------------------------------------------------------------
ChangeLog:
* Sat Feb 21 2026 Sandro Mani [manisandro@gmail.com] - 9.12-2
- Refresh vendor bundle, fixes svelte CVEs
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2439021 - CVE-2026-25639 pgadmin4: Axios affected by Denial of Service via __proto__ Key in mergeConfig [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2439021
[ 2 ] Bug #2439027 - CVE-2026-25639 pgadmin4: Axios affected by Denial of Service via __proto__ Key in mergeConfig [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2439027
[ 3 ] Bug #2441546 - CVE-2026-27125 pgadmin4: Svelte SSR attribute spreading includes inherited properties from prototype chain [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2441546
[ 4 ] Bug #2441547 - CVE-2026-27122 pgadmin4: Svelte SSR does not validate dynamic element tag names in `` [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2441547
[ 5 ] Bug #2441548 - CVE-2026-27125 pgadmin4: Svelte SSR attribute spreading includes inherited properties from prototype chain [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2441548
[ 6 ] Bug #2441549 - CVE-2026-27121 pgadmin4: Svelte affected by cross-site scripting via spread attributes in Svelte SSR [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2441549
[ 7 ] Bug #2441550 - CVE-2026-27119 pgadmin4: Svelte affected by XSS in SSR `` element [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2441550
[ 8 ] Bug #2441551 - CVE-2026-27122 pgadmin4: Svelte SSR does not validate dynamic element tag names in `` [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2441551
[ 9 ] Bug #2441552 - CVE-2026-27121 pgadmin4: Svelte affected by cross-site scripting via spread attributes in Svelte SSR [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2441552
[ 10 ] Bug #2441553 - CVE-2026-27119 pgadmin4: Svelte affected by XSS in SSR `` element [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2441553
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-a0d40b97a8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: cef-145.0.25^chromium145.0.7632.75-4.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-0bced5158d
2026-03-02 00:40:42.980478+00:00
--------------------------------------------------------------------------------
Name : cef
Product : Fedora 43
Version : 145.0.25^chromium145.0.7632.75
Release : 4.fc43
URL : https://bitbucket.org/chromiumembedded/cef
Summary : Chromium Embedded Framework
Description :
CEF is an embeddable build of Chromium, powered by WebKit (Blink).
--------------------------------------------------------------------------------
Update Information:
Update to cef-145.0.25 + chromium 145.0.7632.75
CVE-2026-1861: Heap buffer overflow in libvpx
CVE-2026-1862: Type Confusion in V8
CVE-2026-2313: Use after free in CSS
CVE-2026-2314: Heap buffer overflow in Codecs
CVE-2026-2315: Inappropriate implementation in WebGPU
CVE-2026-2316: Insufficient policy enforcement in Frames
CVE-2026-2317: Inappropriate implementation in Animation
CVE-2026-2318: Inappropriate implementation in PictureInPicture
CVE-2026-2319: Race in DevTools
CVE-2026-2320: Inappropriate implementation in File input
CVE-2026-2321: Use after free in Ozone
CVE-2026-2322: Inappropriate implementation in File input
CVE-2026-2323: Inappropriate implementation in Downloads
CVE-2026-2441: Use after free in CSS
--------------------------------------------------------------------------------
ChangeLog:
* Fri Feb 20 2026 Than Ngo [than@redhat.com] - 145.0.25^chromium145.0.7632.75-1
- Update to 145.0.7632.75
- * CVE-2026-2441: Use after free in CSS
- Fix FTBFS on aarch64/ppc64le caused by missing include file (el9)
- Enable rustc_nightly_capability
* Fri Feb 20 2026 Than Ngo [than@redhat.com] - 145.0.25^chromium145.0.7632.45-1
- Update to 145.0.7632.45
- * CVE-2026-2313: Use after free in CSS
- * CVE-2026-2314: Heap buffer overflow in Codecs
- * CVE-2026-2315: Inappropriate implementation in WebGPU
- * CVE-2026-2316: Insufficient policy enforcement in Frames
- * CVE-2026-2317: Inappropriate implementation in Animation
- * CVE-2026-2318: Inappropriate implementation in PictureInPicture
- * CVE-2026-2319: Race in DevTools
- * CVE-2026-2320: Inappropriate implementation in File input
- * CVE-2026-2321: Use after free in Ozone
- * CVE-2026-2322: Inappropriate implementation in File input
- * CVE-2026-2323: Inappropriate implementation in Downloads
- Hoshino Lina: Update to cef-145.0.25+g265860d
* Fri Feb 20 2026 Than Ngo [than@redhat.com] - 144.0.11^chromium144.0.7559.132-1
- Update to 144.0.7559.132
- * CVE-2026-1861: Heap buffer overflow in libvpx
- * CVE-2026-1862: Type Confusion in V8
- Add BR on esbuild
- Disable devtool bundle
- Update scripts for downloading the source
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-0bced5158d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 42 Update: python-django4.2-4.2.28-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-ca3d81129a
2026-03-01 16:57:37.779658+00:00
--------------------------------------------------------------------------------
Name : python-django4.2
Product : Fedora 42
Version : 4.2.28
Release : 1.fc42
URL : https://www.djangoproject.com/
Summary : A high-level Python Web framework
Description :
Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as
much as possible and adhering to the DRY (Don't Repeat Yourself)
principle.
--------------------------------------------------------------------------------
Update Information:
Fixes CVE-2025-13473: Username enumeration through timing difference in mod_wsgi
authentication handler
Fixes CVE-2025-14550: Potential denial-of-service vulnerability via repeated
headers when using ASGI
Fixes CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS
Fixes CVE-2026-1285: Potential denial-of-service vulnerability in
django.utils.text.Truncator HTML methods
Fixes CVE-2026-1287: Potential SQL injection in column aliases via control
characters
Fixes CVE-2026-1312: Potential SQL injection via QuerySet.order_by and
FilteredRelation
--------------------------------------------------------------------------------
ChangeLog:
* Thu Feb 19 2026 Michel Lind [salimma@fedoraproject.org] - 4.2.28-1
- Update to version 4.2.28
- Fixes CVE-2025-13473: Username enumeration through timing difference in
mod_wsgi authentication handler
- Fixes CVE-2025-14550: Potential denial-of-service vulnerability via
repeated headers when using ASGI
- Fixes CVE-2026-1207: Potential SQL injection via raster lookups on
PostGIS
- Fixes CVE-2026-1285: Potential denial-of-service vulnerability in
django.utils.text.Truncator HTML methods
- Fixes CVE-2026-1287: Potential SQL injection in column aliases via
control characters
- Fixes CVE-2026-1312: Potential SQL injection via QuerySet.order_by and
FilteredRelation
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2436703 - CVE-2026-1287 python-django4.2: Django: SQL Injection via crafted column aliases [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2436703
[ 2 ] Bug #2436705 - CVE-2026-1312 python-django4.2: Django: SQL injection via crafted column aliases in QuerySet.order_by() [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2436705
[ 3 ] Bug #2436711 - CVE-2026-1285 python-django4.2: Django: Denial of Service via crafted HTML inputs [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2436711
[ 4 ] Bug #2436720 - CVE-2025-14550 python-django4.2: Django: Denial of Service via crafted request with duplicate headers [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2436720
[ 5 ] Bug #2436722 - CVE-2026-1207 python-django4.2: Django: SQL Injection via RasterField band index parameter [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2436722
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-ca3d81129a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------