
Fedora 43 administrators must apply urgent security patches targeting Composer, WeasyPrint, and Xwayland before attackers exploit known weaknesses. The new Composer release tightens shell escaping and enforces stricter plugin verification to stop malicious code from running during dependency management. WeasyPrint finally addresses a critical PDF rendering flaw, while the Xwayland server update plugs several ZDI-reported vulnerabilities that could compromise display servers. Since these updates are signed with official GPG keys, rolling them out via standard dnf commands guarantees a safe and seamless installation process for every connected machine.

Fedora 43 Update: composer-2.10.1-1.fc43
Fedora 43 Update: weasyprint-69.0-1.fc43
Fedora 43 Update: xorg-x11-server-Xwayland-24.1.12-1.fc43




[SECURITY] Fedora 43 Update: composer-2.10.1-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-4308b5fc39
2026-06-14 05:02:05.956606+00:00
--------------------------------------------------------------------------------

Name : composer
Product : Fedora 43
Version : 2.10.1
Release : 1.fc43
URL : https://getcomposer.org/
Summary : Dependency Manager for PHP
Description :
Composer helps you declare, manage and install dependencies of PHP projects,
ensuring you have the right stack everywhere.

Documentation: https://getcomposer.org/doc/

--------------------------------------------------------------------------------
Update Information:

Version 2.10.1 - 2026-06-04
- Security: Fixed shell escaping when opening an editor (#12903)
- Security: Verify backup phar signature before restoring it when using
  self-update --rollback (#12918)
- Fixed source-fallback also disabling fallbacks to dist install when source is
  the preferred install method (#12888)
- Fixed source -> dist package updates wiping the .git dir without checking for
  local changes first (#12912)
- Fixed GitHub token prompt happening multiple times on parallel auth failures
  (#12913)
- Fixed warnings from Composer repositories being printed twice in some cases
  (#12907)

Version 2.10.0
Read the Composer 2.10 Release Announcement for more details on the release
highlights.
Full Changelog
- BC Break / Security: Disabled automatic fallback to source checkout if
  dist/zip install fails, we have introduced a new source-fallback config
  option as a temporary way to restore the old behavior, but if you need this
  talk to us as we plan to remove it entirely in 2.11 (#12885)
- BC Break: Minor break for audit consumers, the exit code is now always 0
  (success) or 1 if anything failed the audit (#12881)
- Security: Added dependency policies to block package versions where malware
  was detected on update/install or report it with audit (#12786)
- Security: Hardened output filtering of URLs to reduce chances of token leaks
  (#12882, #12886)
- Security: Fixed handling of uppercase schemes in URL validation that might
  have allowed https requirement bypass (#12884)
- Security: Fixed git credentials remaining in git mirror .git/config after
  clone or update failed (2bcbfc3)
- Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing
  (5e71d77)
- Security: Enforce allow-plugins even in non-interactive mode for very old
  pre-2.2 lock files (#12764)
- Added support for temporary --with constraints with wildcards in the package
  name for the update command (#12658)
- Added --strict-psr-autoloader flag to install and update commands (#12647)
- Added source-fallback config option to disable or enable source fallback on
  download failure (#12698)
- Added --require parameter to create-project to add new packages to the
  project as it gets installed (#12738)
- Optimized plugin autoloading by avoiding regenerating classmaps for every
  package per plugin (#12696)
- Optimized PoolOptimizer memory usage (#12783)
- Optimized classmap dumping performance
- Deprecated most of the audit config in favor of the new policy one (#12804,
  see #12786 for the RFC and upgrade docs)
- Fixed update --bump-after-update to only bump packages that actually were
  updated (#12733)
- Fixed GitHub API authentication errors not being visible to the user (#12737)
- Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
- Fixed warning being shown when lock file is disabled (#12760)
- Fixed inconsistent treatment of SingleCommandApplication script commands wrt
  autoloading (#12758)
- Fixed some platform package parsing failing when Composer runs in web SAPIs
  (#12735)
- Fixed audit command returning a success code when the vendor dir was not
  present (#12880)
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jun 4 2026 Remi Collet [remi@remirepo.net] - 2.10.1-1
- update to 2.10.1
* Thu May 28 2026 Remi Collet [remi@remirepo.net] - 2.10.0-1
- update to 2.10.0
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-4308b5fc39' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: weasyprint-69.0-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-2080c5c036
2026-06-14 05:02:05.956597+00:00
--------------------------------------------------------------------------------

Name : weasyprint
Product : Fedora 43
Version : 69.0
Release : 1.fc43
URL : https://weasyprint.org
Summary : Utility to render HTML and CSS to PDF
Description :
WeasyPrint can render HTML and CSS to PDF. It aims to support web standards
for printing.

--------------------------------------------------------------------------------
Update Information:

New upstream version which also includes a security update (CVE-2026-49452).
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jun 4 2026 Felix Schwarz [fschwarz@fedoraproject.org] - 69.0-1
- update to 69.0
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2483992 - weasyprint-69.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2483992
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-2080c5c036' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: xorg-x11-server-Xwayland-24.1.12-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-557e726e74
2026-06-14 05:02:05.956587+00:00
--------------------------------------------------------------------------------

Name : xorg-x11-server-Xwayland
Product : Fedora 43
Version : 24.1.12
Release : 1.fc43
URL : http://www.x.org
Summary : Xwayland
Description :
Xwayland is an X server for running X clients under Wayland.

--------------------------------------------------------------------------------
Update Information:

Update to xwayland 24.1.12, Security fixes for: ZDI-CAN-30136,
ZDI-CAN-30159, ZDI-CAN-30160, ZDI-CAN-30161, ZDI-CAN-30163,
ZDI-CAN-30164, ZDI-CAN-30165, ZDI-CAN-30168
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 2 2026 Peter Hutterer [peter.hutterer@redhat.com] - 24.1.12-1
- Update to xwayland 24.1.12
Security fixes for: ZDI-CAN-30136, ZDI-CAN-30159, ZDI-CAN-30160,
ZDI-CAN-30161, ZDI-CAN-30163, ZDI-CAN-30164,
ZDI-CAN-30165, ZDI-CAN-30168
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-557e726e74' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------


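To confirm that a host actually carries the fixed builds named in the three advisories above, a package inventory can be compared against them. The script below is an added example, not part of the Fedora notices; the function names ver_ge and audit_inventory are hypothetical, the sample inventory is constructed, and GNU "sort -V" is assumed as a stand-in for rpm's own version comparison.

```shell
#!/bin/sh
# Fixed builds and advisory IDs, copied from the three notices on this page.
FIXED='composer 2.10.1-1.fc43 FEDORA-2026-4308b5fc39
weasyprint 69.0-1.fc43 FEDORA-2026-2080c5c036
xorg-x11-server-Xwayland 24.1.12-1.fc43 FEDORA-2026-557e726e74'

# ver_ge A B: succeeds when A sorts at or after B.
# Assumption: GNU "sort -V" stands in for rpm's own comparison; that holds
# for plain dotted versions like these, but epochs are not handled.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# audit_inventory: reads "name version-release" lines on stdin and prints one
# line for every tracked package that is installed below its fixed build.
# Lines for other packages (or rpm's "not installed" text) are ignored.
audit_inventory() {
    while read -r name evr; do
        printf '%s\n' "$FIXED" | while read -r fname fevr advisory; do
            [ "$name" = "$fname" ] || continue
            ver_ge "$evr" "$fevr" ||
                printf '%s %s < %s (%s)\n' "$name" "$evr" "$fevr" "$advisory"
        done
    done
    return 0
}

# Constructed sample inventory, not taken from a real host.
SAMPLE='composer 2.9.5-1.fc43
weasyprint 69.0-1.fc43
xorg-x11-server-Xwayland 24.1.11-2.fc43
bash 5.3.0-2.fc43'

# On a real host, feed it from the rpm database instead:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' \
#       composer weasyprint xorg-x11-server-Xwayland | audit_inventory
printf '%s\n' "$SAMPLE" | audit_inventory
```

Each output line names a package still below its fixed build and the advisory that fixes it; no output means every tracked package that is installed is at or above the fixed version.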