Fedora 42 Update: composer-2.9.3-1.fc42
Fedora 43 Update: firefox-147.0-1.fc43
Fedora 43 Update: chezmoi-2.69.0-1.fc43
Fedora 43 Update: composer-2.9.3-1.fc43
Fedora 43 Update: complyctl-0.1.2-1.fc43
[SECURITY] Fedora 42 Update: composer-2.9.3-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-13b4dbe546
2026-01-14 01:09:41.794572+00:00
--------------------------------------------------------------------------------
Name : composer
Product : Fedora 42
Version : 2.9.3
Release : 1.fc42
URL : https://getcomposer.org/
Summary : Dependency Manager for PHP
Description :
Composer helps you declare, manage and install dependencies of PHP projects,
ensuring you have the right stack everywhere.
Documentation: https://getcomposer.org/doc/
--------------------------------------------------------------------------------
Update Information:
Version 2.9.3 - 2025-12-30
- Security: Fixed ANSI sequence injection (GHSA-59pp-r3rg-353g / CVE-2025-67746)
- Fixed COMPOSER_NO_SECURITY_BLOCKING env var not being respected for updates done
  via the install command, and added --no-security-blocking flag to install as
  well (#12677)
- Fixed update --lock / update mirrors not working when locked packages contain
  vulnerabilities (#12645)
- Fixed client-certificate authentication implementation (#12667)
- Fixed php-ext schema not being validated in ValidatingArrayLoader (#12694)
- Fixed crash when --bump-after-update is used and the lock file is disabled
  (#12660)
- Fixed support for SecureTransport + LibreSSL on macOS (#12615)
- Fixed display of reasons for why advisories are ignored (#12668)
- Fixed compatibility issues when git has log.showSignature enabled (#12666)
- Fixed curl downloader not retrying when a timeout (err 28) failure occurs
  (#12662)
- Fixed EventDispatcher requiring a full Composer instance to function (#12629)
--------------------------------------------------------------------------------
ChangeLog:
* Wed Dec 31 2025 Remi Collet [remi@remirepo.net] - 2.9.3-1
- update to 2.9.3
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2428107 - CVE-2025-67746 composer: Composer: Terminal output manipulation leading to Denial of Service [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2428107
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-13b4dbe546' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--
[SECURITY] Fedora 43 Update: firefox-147.0-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-de370822e0
2026-01-14 00:50:55.476257+00:00
--------------------------------------------------------------------------------
Name : firefox
Product : Fedora 43
Version : 147.0
Release : 1.fc43
URL : https://www.mozilla.org/firefox/
Summary : Mozilla Firefox Web browser
Description :
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance and portability.
--------------------------------------------------------------------------------
Update Information:
New upstream release (147.0)
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jan 6 2026 Martin Stransky [stransky@redhat.com] - 147.0-1
- Updated to 147.0
* Fri Dec 19 2025 Martin Stransky [stransky@redhat.com] - 146.0.1-1
- Updated to 146.0.1
* Wed Dec 17 2025 Martin Stransky [stransky@redhat.com] - 146.0-6
- Added upstream patch IWYU (libwebrtc IWYU fixes for PipeWire)
- Claude AI assisted editing (failed to do whole work, but it was close!)
* Wed Dec 17 2025 Martin Stransky [stransky@redhat.com] - 146.0-5
- Removed firefox-bin from man pages
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-de370822e0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
--
[SECURITY] Fedora 43 Update: chezmoi-2.69.0-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-004192d79d
2026-01-14 00:50:55.476182+00:00
--------------------------------------------------------------------------------
Name : chezmoi
Product : Fedora 43
Version : 2.69.0
Release : 1.fc43
URL : https://github.com/twpayne/chezmoi
Summary : Manage your dotfiles across multiple diverse machines
Description :
Manage your dotfiles across multiple diverse machines, securely.
--------------------------------------------------------------------------------
Update Information:
Update to 2.69.0
--------------------------------------------------------------------------------
ChangeLog:
* Mon Jan 5 2026 Packit [hello@packit.dev] - 2.69.0-1
- Update to 2.69.0 upstream release
- Resolves: rhbz#2427071
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2409601 - CVE-2025-61723 chezmoi: Quadratic complexity when parsing some invalid inputs in encoding/pem [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2409601
[ 2 ] Bug #2410552 - CVE-2025-58185 chezmoi: Parsing DER payload can cause memory exhaustion in encoding/asn1 [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2410552
[ 3 ] Bug #2411450 - CVE-2025-58188 chezmoi: Panic when validating certificates with DSA public keys in crypto/x509 [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2411450
[ 4 ] Bug #2412669 - CVE-2025-58183 chezmoi: Unbounded allocation when parsing GNU sparse map [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2412669
[ 5 ] Bug #2420608 - CVE-2025-47913 chezmoi: golang.org/x/crypto/ssh/agent: SSH client panic due to unexpected SSH_AGENT_SUCCESS [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2420608
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-004192d79d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
--
[SECURITY] Fedora 43 Update: composer-2.9.3-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-0b03072979
2026-01-14 00:50:55.476166+00:00
--------------------------------------------------------------------------------
Name : composer
Product : Fedora 43
Version : 2.9.3
Release : 1.fc43
URL : https://getcomposer.org/
Summary : Dependency Manager for PHP
Description :
Composer helps you declare, manage and install dependencies of PHP projects,
ensuring you have the right stack everywhere.
Documentation: https://getcomposer.org/doc/
--------------------------------------------------------------------------------
Update Information:
Version 2.9.3 - 2025-12-30
- Security: Fixed ANSI sequence injection (GHSA-59pp-r3rg-353g / CVE-2025-67746)
- Fixed COMPOSER_NO_SECURITY_BLOCKING env var not being respected for updates done
  via the install command, and added --no-security-blocking flag to install as
  well (#12677)
- Fixed update --lock / update mirrors not working when locked packages contain
  vulnerabilities (#12645)
- Fixed client-certificate authentication implementation (#12667)
- Fixed php-ext schema not being validated in ValidatingArrayLoader (#12694)
- Fixed crash when --bump-after-update is used and the lock file is disabled
  (#12660)
- Fixed support for SecureTransport + LibreSSL on macOS (#12615)
- Fixed display of reasons for why advisories are ignored (#12668)
- Fixed compatibility issues when git has log.showSignature enabled (#12666)
- Fixed curl downloader not retrying when a timeout (err 28) failure occurs
  (#12662)
- Fixed EventDispatcher requiring a full Composer instance to function (#12629)
--------------------------------------------------------------------------------
ChangeLog:
* Wed Dec 31 2025 Remi Collet [remi@remirepo.net] - 2.9.3-1
- update to 2.9.3
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2428108 - CVE-2025-67746 composer: Composer: Terminal output manipulation leading to Denial of Service [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2428108
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-0b03072979' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
--
[SECURITY] Fedora 43 Update: complyctl-0.1.2-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-aa8453cfd0
2026-01-14 00:50:55.476163+00:00
--------------------------------------------------------------------------------
Name : complyctl
Product : Fedora 43
Version : 0.1.2
Release : 1.fc43
URL : https://github.com/complytime/complyctl
Summary : Tool to perform compliance assessment activities, scaled by plugins
Description :
complyctl leverages OSCAL to perform compliance assessment activities, using
plugins for each stage of the life-cycle.
--------------------------------------------------------------------------------
Update Information:
Update to Upstream version 0.1.2
- https://github.com/complytime/complyctl/releases/tag/v0.1.2
--------------------------------------------------------------------------------
ChangeLog:
* Fri Dec 19 2025 Packit [hello@packit.dev] - 0.1.2-1
- Update to version 0.1.2
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2411187 - CVE-2025-58188 complyctl: Panic when validating certificates with DSA public keys in crypto/x509 [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2411187
[ 2 ] Bug #2411452 - CVE-2025-58188 complyctl: Panic when validating certificates with DSA public keys in crypto/x509 [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2411452
[ 3 ] Bug #2420579 - CVE-2025-47913 complyctl: golang.org/x/crypto/ssh/agent: SSH client panic due to unexpected SSH_AGENT_SUCCESS [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2420579
[ 4 ] Bug #2420609 - CVE-2025-47913 complyctl: golang.org/x/crypto/ssh/agent: SSH client panic due to unexpected SSH_AGENT_SUCCESS [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2420609
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-aa8453cfd0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
--