[SECURITY] Fedora 42 Update: curl-8.11.1-8.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-907bbf2a13
2026-04-19 01:24:43.910421+00:00
--------------------------------------------------------------------------------
Name : curl
Product : Fedora 42
Version : 8.11.1
Release : 8.fc42
URL : https://curl.se/
Summary : A utility for getting files from remote servers (FTP, HTTP, and others)
Description :
curl is a command line tool for transferring data with URL syntax, supporting
FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,
SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP
uploading, HTTP form based upload, proxies, cookies, user+password
authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer
resume, proxy tunneling and a busload of other useful tricks.
--------------------------------------------------------------------------------
Update Information:
fix bad reuse of HTTP Negotiate connection (CVE-2026-1965)
fix token leak with redirect and netrc (CVE-2026-3783)
fix wrong proxy connection reuse with credentials (CVE-2026-3784)
fix use after free in SMB connection reuse (CVE-2026-3805)
--------------------------------------------------------------------------------
ChangeLog:
* Tue Apr 14 2026 Jan Macku [jamacku@redhat.com] - 8.11.1-8
- fix bad reuse of HTTP Negotiate connection (CVE-2026-1965)
- fix token leak with redirect and netrc (CVE-2026-3783)
- fix wrong proxy connection reuse with credentials (CVE-2026-3784)
- fix use after free in SMB connection reuse (CVE-2026-3805)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2446457 - CVE-2026-3805 curl: curl: Arbitrary code execution or Denial of Service via use-after-free in SMB request handling [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2446457
[ 2 ] Bug #2446472 - CVE-2026-3783 curl: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2446472
[ 3 ] Bug #2446488 - CVE-2026-3784 curl: curl: Unauthorized access due to improper HTTP proxy connection reuse [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2446488
[ 4 ] Bug #2446504 - CVE-2026-1965 curl: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2446504
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-907bbf2a13' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 43 Update: python3.12-3.12.13-3.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f684007460
2026-04-19 01:12:06.516459+00:00
--------------------------------------------------------------------------------
Name : python3.12
Product : Fedora 43
Version : 3.12.13
Release : 3.fc43
URL : https://www.python.org/
Summary : Version 3.12 of the Python interpreter
Description :
Python 3.12 is an accessible, high-level, dynamically typed, interpreted
programming language, designed with an emphasis on code readability.
It includes an extensive standard library, and has a vast ecosystem of
third-party libraries.
The python3.12 package provides the "python3.12" executable: the reference
interpreter for the Python language, version 3.
The majority of its standard library is provided in the python3.12-libs package,
which should be installed automatically along with python3.12.
The remaining parts of the Python standard library are broken out into the
python3.12-tkinter and python3.12-test packages, which may need to be installed
separately.
Documentation for Python is provided in the python3.12-docs package.
Packages containing additional libraries for Python are generally named with
the "python3.12-" prefix.
--------------------------------------------------------------------------------
Update Information:
Security fixes for CVE-2026-1502, CVE-2026-4786, CVE-2026-6100, CVE-2026-2297,
CVE-2026-3644, CVE-2026-4224
--------------------------------------------------------------------------------
ChangeLog:
* Thu Apr 16 2026 Charalampos Stratakis [cstratak@redhat.com] - 3.12.13-3
- Security fixes for CVE-2026-1502, CVE-2026-4786, CVE-2026-6100, CVE-2026-2297, CVE-2026-3644, CVE-2026-4224
Resolves: rhbz#2444705, rhbz#2448189, rhbz#2448205, rhbz#2457942, rhbz#2458014, rhbz#2458222
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2444705 - CVE-2026-2297 python3.12: CPython: Logging Bypass in Legacy .pyc File Handling [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2444705
[ 2 ] Bug #2448189 - CVE-2026-3644 python3.12: Incomplete control character validation in http.cookies [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2448189
[ 3 ] Bug #2448205 - CVE-2026-4224 python3.12: Stack overflow parsing XML with deeply nested DTD content models [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2448205
[ 4 ] Bug #2457942 - CVE-2026-1502 python3.12: Python: HTTP header injection via CR/LF in proxy tunnel headers [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457942
[ 5 ] Bug #2458014 - CVE-2026-6100 python3.12: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2458014
[ 6 ] Bug #2458222 - CVE-2026-4786 python3.12: Python: Arbitrary code execution via command injection in webbrowser.open() API [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2458222
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f684007460' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------