Fedora Linux 9422 Published by

Fedora 43 received a batch of security patches on July 19, 2026, targeting seven development tools including Erlang, ANTLR4, OPAM, UV, Orjson, and Async-Zip. The Erlang update backports six distinct vulnerabilities spanning server-side request forgery, denial of service attacks, and TLS authentication bypasses from the newer OTP 27 release to the current 26.x branch. Developers using UV and its Rust dependencies should note the new release hardens zip parsing routines against differential attacks, while the Orjson update refreshes its PyO3 dependency to patch two separate Rust security advisories.

Fedora 43 Update: erlang-26.2.5.21-4.fc43
Fedora 43 Update: antlr4-project-4.13.2-14.fc43
Fedora 43 Update: opam-2.5.2-1.fc43
Fedora 43 Update: python-uv-build-0.11.28-1.fc43
Fedora 43 Update: uv-0.11.28-1.fc43
Fedora 43 Update: python-orjson-3.11.9-3.fc43
Fedora 43 Update: rust-astral_async_zip-0.0.20-1.fc43




[SECURITY] Fedora 43 Update: erlang-26.2.5.21-4.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-965be97ac0
2026-07-19 03:55:06.729073+00:00
--------------------------------------------------------------------------------

Name : erlang
Product : Fedora 43
Version : 26.2.5.21
Release : 4.fc43
URL : https://www.erlang.org
Summary : General-purpose programming language and runtime environment
Description :
Erlang is a general-purpose programming language and runtime
environment. Erlang has built-in support for concurrency, distribution
and fault tolerance. Erlang is used in several large telecommunication
systems from Ericsson.

--------------------------------------------------------------------------------
Update Information:

Backport fixes for CVE-2026-48858 (ftp SSRF), CVE-2026-49759 (SCTP DoS),
CVE-2026-48860 (dist-over-TLS auth bypass), CVE-2026-54886 (ssh SFTP DoS),
CVE-2026-54891 (TLS handshake data injection), and CVE-2026-55952 (TLS 1.3
session ticket DoS). These are fixed upstream in OTP 27.x (rawhide/f45);
backported here to the OTP 26.x line.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 10 2026 Peter Lemenkov [lemenkov@gmail.com] - 26.2.5.21-4
- Backport fix for CVE-2026-48858, CVE-2026-48860, CVE-2026-49759,
CVE-2026-54886, CVE-2026-54891, CVE-2026-55952
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2489554 - CVE-2026-48858 erlang: Erlang/OTP ftp: Server-Side Request Forgery (SSRF) via unvalidated PASV response IP address [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2489554
[ 2 ] Bug #2490026 - CVE-2026-49759 erlang: Erlang OTP: Denial of Service via crafted SCTP ERROR chunk [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490026
[ 3 ] Bug #2490272 - CVE-2026-48860 erlang: Erlang/OTP: Authentication bypass allows arbitrary code execution via improper IP address validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490272
[ 4 ] Bug #2496748 - CVE-2026-54891 erlang: Erlang SSL: Unauthenticated data injection during TLS handshake [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2496748
[ 5 ] Bug #2496790 - CVE-2026-54886 erlang: Erlang OTP ssh: Denial of Service via infinite loop in SFTP channel [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2496790
[ 6 ] Bug #2496798 - CVE-2026-55952 erlang: Erlang/OTP: Denial of Service in TLS 1.3 session ticket handling [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2496798
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-965be97ac0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: antlr4-project-4.13.2-14.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-d9ca28a7b8
2026-07-19 03:55:06.729085+00:00
--------------------------------------------------------------------------------

Name : antlr4-project
Product : Fedora 43
Version : 4.13.2
Release : 14.fc43
URL : https://www.antlr.org/
Summary : Parser generator (ANother Tool for Language Recognition)
Description :
ANTLR (ANother Tool for Language Recognition) is a powerful parser generator
for reading, processing, executing, or translating structured text or binary
files. It is widely used to build languages, tools, and frameworks. From a
grammar, ANTLR generates a parser that can build and walk parse trees.

--------------------------------------------------------------------------------
Update Information:

This update contains a fix for CVE-2026-13503.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 10 2026 Jerry James [loganjerry@gmail.com] - 4.13.2-14
- Add patch to fix CVE-2026-13503
* Fri Jul 10 2026 Jerry James [loganjerry@gmail.com] - 4.13.2-13
- Drop unused BuildRequires
* Fri Jul 10 2026 Jerry James [loganjerry@gmail.com] - 4.13.2-12
- Add Unicode-3.0 to the antlr4 License field
* Fri Jul 10 2026 Jerry James [loganjerry@gmail.com] - 4.13.2-11
- Reflow the description text
- Remove ancient obsoletes
* Wed Nov 12 2025 Vít Ondruch [vondruch@redhat.com] - 4.13.2-10
- Rebuild for nodejs-packaging
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2494757 - CVE-2026-13503 ANTLR4: Path traversal via manipulation of getImportedVocabFile function [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id$94757
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-d9ca28a7b8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: opam-2.5.2-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-fb48505840
2026-07-19 03:55:06.729078+00:00
--------------------------------------------------------------------------------

Name : opam
Product : Fedora 43
Version : 2.5.2
Release : 1.fc43
URL : https://opam.ocaml.org/
Summary : Source-based package manager for OCaml
Description :
Opam is a source-based package manager for OCaml. It supports multiple
simultaneous compiler installations, flexible package constraints, and a
Git-friendly development workflow.

--------------------------------------------------------------------------------
Update Information:

Version 2.5.2 of opam fixes CVE-2026-57825. See
https://github.com/ocaml/opam/releases/tag/2.5.2 for more information.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 10 2026 Jerry James [loganjerry@gmail.com] - 2.5.2-1
- Version 2.5.2
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-fb48505840' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: python-uv-build-0.11.28-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-8893ec1aeb
2026-07-19 03:55:06.729034+00:00
--------------------------------------------------------------------------------

Name : python-uv-build
Product : Fedora 43
Version : 0.11.28
Release : 1.fc43
URL : https://pypi.org/project/uv-build
Summary : The uv build backend
Description :

This package is a slimmed down version of uv containing only the build
backend.

--------------------------------------------------------------------------------
Update Information:

Update uv / python-uv-build to 0.11.28, with significant hardening of zip file
handling against parser differentials.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jul 8 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.28-1
- Update to 0.11.28 (close RHBZ#2497949)
* Tue Jul 7 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.27-1
- Update to 0.11.27 (close RHBZ#2497574)
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-8893ec1aeb' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: uv-0.11.28-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-8893ec1aeb
2026-07-19 03:55:06.729034+00:00
--------------------------------------------------------------------------------

Name : uv
Product : Fedora 43
Version : 0.11.28
Release : 1.fc43
URL : https://github.com/astral-sh/uv
Summary : An extremely fast Python package installer and resolver, written in Rust
Description :
An extremely fast Python package and project manager, written in Rust.

Highlights:

• A single tool to replace pip, pip-tools, pipx, poetry, pyenv, twine,
virtualenv, and more.
• 10-100x faster than pip.
• Provides comprehensive project management, with a universal lockfile.
• Runs scripts, with support for inline dependency metadata.
• Installs and manages Python versions.
• Runs and installs tools published as Python packages.
• Includes a pip-compatible interface for a performance boost with a familiar
CLI.
• Supports Cargo-style workspaces for scalable projects.
• Disk-space efficient, with a global cache for dependency deduplication.

--------------------------------------------------------------------------------
Update Information:

Update uv / python-uv-build to 0.11.28, with significant hardening of zip file
handling against parser differentials.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jul 8 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.28-1
- Update to 0.11.28 (close RHBZ#2497922)
* Tue Jul 7 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.11.27-1
- Update to 0.11.27 (close RHBZ#2497560)
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-8893ec1aeb' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: python-orjson-3.11.9-3.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-c8f1a4ee05
2026-07-19 03:55:06.729037+00:00
--------------------------------------------------------------------------------

Name : python-orjson
Product : Fedora 43
Version : 3.11.9
Release : 3.fc43
URL : https://github.com/ijl/orjson
Summary : Fast, correct Python JSON library
Description :
orjson is a fast, correct Python JSON library supporting dataclasses,
datetimes, and numpy

--------------------------------------------------------------------------------
Update Information:

Update PyO3 to 0.29, fixing RUSTSEC-2026-0194 and RUSTSEC-2026-0195.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 10 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 3.11.9-3
- Update PyO3 to 0.29
* Thu Jun 4 2026 Python Maint - 3.11.9-2
- Rebuilt for Python 3.15
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-c8f1a4ee05' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: rust-astral_async_zip-0.0.20-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-8893ec1aeb
2026-07-19 03:55:06.729034+00:00
--------------------------------------------------------------------------------

Name : rust-astral_async_zip
Product : Fedora 43
Version : 0.0.20
Release : 1.fc43
URL : https://crates.io/crates/astral_async_zip
Summary : Asynchronous ZIP archive reading/writing crate
Description :
An asynchronous ZIP archive reading/writing crate.

--------------------------------------------------------------------------------
Update Information:

Update uv / python-uv-build to 0.11.28, with significant hardening of zip file
handling against parser differentials.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jul 7 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.0.20-1
- Update to version 0.0.20; Fixes RHBZ#2497383
* Thu Jun 18 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.0.18-3
- Exclude examples, tests, and test data from -devel packages
* Thu Jun 18 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.0.18-2
- Exclude rustfmt.toml from the crate
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-8893ec1aeb' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new