Fedora 42 Update: ntpd-rs-1.7.1-1.fc42
Fedora 42 Update: perl-YAML-Syck-1.39-1.fc42
Fedora 42 Update: stgit-2.5.5-5.fc42
Fedora 42 Update: musescore-4.3.2-21.fc42
Fedora 42 Update: firefox-149.0-2.fc42
Fedora 42 Update: nss-3.121.0-1.fc42
Fedora 43 Update: ntpd-rs-1.7.1-1.fc43
Fedora 43 Update: rust-cargo-rpmstatus-0.2.4-3.fc43
Fedora 43 Update: stgit-2.5.5-5.fc43
Fedora 43 Update: perl-YAML-Syck-1.39-1.fc43
Fedora 43 Update: dotnet8.0-8.0.125-1.fc43
Fedora 43 Update: dotnet9.0-9.0.115-1.fc43
Fedora 43 Update: musescore-4.6.5-34.fc43
Fedora 44 Update: webkitgtk-2.52.1-1.fc44
Fedora 44 Update: polkit-127-2.fc44.2
Fedora 44 Update: rust-1.94.1-1.fc44
Fedora 44 Update: xen-4.21.1-1.fc44
Fedora 44 Update: python3.12-3.12.13-2.fc44
Fedora 44 Update: bind-dyndb-ldap-11.11-13.fc44
Fedora 44 Update: bind-9.18.47-1.fc44
Fedora 44 Update: freerdp-3.24.2-1.fc44
Fedora 44 Update: ntpd-rs-1.7.1-1.fc44
Fedora 44 Update: rust-cargo-vendor-filterer-0.5.18-4.fc44
Fedora 44 Update: rust-cargo-rpmstatus-0.2.4-3.fc44
Fedora 44 Update: stgit-2.5.5-5.fc44
Fedora 44 Update: perl-YAML-Syck-1.39-1.fc44
Fedora 44 Update: pyOpenSSL-26.0.0-1.fc44
Fedora 44 Update: nss-3.121.0-1.fc44
Fedora 42 Update: mingw-expat-2.7.5-1.fc42
Fedora 42 Update: php-phpseclib3-3.0.50-1.fc42
[SECURITY] Fedora 42 Update: ntpd-rs-1.7.1-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-2dc4882154
2026-03-31 01:08:27.845639+00:00
--------------------------------------------------------------------------------
Name : ntpd-rs
Product : Fedora 42
Version : 1.7.1
Release : 1.fc42
URL : https://github.com/pendulum-project/ntpd-rs
Summary : Full-featured implementation of NTP with NTS support
Description :
Full-featured implementation of NTP with NTS support.
--------------------------------------------------------------------------------
Update Information:
Update to version 1.7.1.
Includes the fix for CVE-2026-26076:
https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-c7j7-rmvr-fjmv
Release notes:
https://github.com/pendulum-project/ntpd-rs/releases/tag/v1.7.0
https://github.com/pendulum-project/ntpd-rs/releases/tag/v1.7.1
--------------------------------------------------------------------------------
ChangeLog:
* Sun Mar 22 2026 Fabio Valentini [decathorpe@gmail.com] - 1.7.1-1
- Update to version 1.7.1; Fixes RHBZ#2435477
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2439601 - CVE-2026-26076 ntpd-rs: ntpd-rs: Denial of Service via malformed NTS packets requesting excessive cookies [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2439601
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-2dc4882154' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 42 Update: perl-YAML-Syck-1.39-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-d226775800
2026-03-31 01:08:27.845612+00:00
--------------------------------------------------------------------------------
Name : perl-YAML-Syck
Product : Fedora 42
Version : 1.39
Release : 1.fc42
URL : https://metacpan.org/release/YAML-Syck
Summary : Fast, lightweight YAML loader and dumper
Description :
This module provides a Perl interface to the libsyck data serialization
library. It exports the Dump and Load functions for converting Perl data
structures to YAML strings, and the other way around.
--------------------------------------------------------------------------------
Update Information:
YAML::Syck versions up to and including 1.36 for Perl have several potential
security vulnerabilities including a high-severity heap buffer overflow in the
YAML emitter. The heap overflow occurs when class names exceed the initial
512-byte allocation. The base64 decoder could read past the buffer end on
trailing newlines. strtok mutated n->type_id in place, corrupting shared node
data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an
anchor. The incoming anchor string 'a' was leaked on early return.
--------------------------------------------------------------------------------
ChangeLog:
* Sun Mar 22 2026 Paul Howarth - 1.39-1
- Update to 1.39
Bug Fixes:
- Fix: escape solidus (/) as \/ in JSON::Syck::Dump for XSS safety
(GH#125, GH#130)
- Fix: anchor tracking for blessed scalar refs in Dump (GH#126, GH#131)
- Fix: prevent buffer underflow in base60 (sexagesimal) parsing (GH#133)
- Fix: guard against NULL type from strtok in tag parsing (GH#135)
- Fix: correct copy-paste bug in syck_seq_assign() ASSERT macros (GH#137)
- Fix t/yaml-implicit-typing.t failure with -Duselongdouble perls
(GH#138, GH#139)
Improvements:
- Resolve TODO tests for empty/invalid YAML to match actual behaviour
(GH#127, GH#129)
Maintenance:
- Remove dead Perl 5.6 TODOs and convert 5.8 TODO to SKIP (GH#129)
- Add comprehensive implicit type resolution test suite (GH#137)
- Update MANIFEST to include all unit tests
- Clean up test names to remove unnecessary numbering
* Thu Mar 19 2026 Paul Howarth - 1.37-1
- Update to 1.37
Features:
- Add LoadBytes, LoadUTF8, DumpBytes, DumpUTF8 functions (GH#51)
Fixes:
- Fix heap buffer overflow in the YAML emitter - CVE-2026-4177 (GH#67)
- Fix DumpFile with tied filehandles (IO::String, IO::Scalar) (GH#22)
- Fix _is_glob to recognize IO::Handle subclasses (GH#23)
- Fix memory leak when dumping filehandles (CPAN RT#41199, GH#42)
- Fix dumping of tied hashes (GH#31)
- Fix dumping strings starting with '...' as unquoted plain scalars (GH#34)
- Fix dumping strings with tabs and carriage returns as plain scalars (GH#59)
- Fix double-dash YAML parsing (RT#34073, GH#35)
- Fix extra newline after empty arrays/hashes in YAML output (GH#36)
- Remove trailing whitespace from YAML output lines (GH#37, GH#38, GH#39)
- Fix quoting of \r and \t in YAML output instead of emitting raw bytes
(GH#40)
- Fix growing !!perl/regexp objects in round-trips (GH#43)
- Fix quoted '=' being transformed into 'str' (GH#45)
- Fix backslash-space escape in double-quoted YAML strings (GH#61)
- Fix flow sequence comma separator not recognized without trailing space
(GH#60)
- Fix wide character warning in DumpFile (GH#28)
- Fix inline arrays without space after comma (GH#25)
- Fix: quote strings matching YAML implicit types to prevent round-trip
failures (GH#26)
- Fix JSON::Syck::Dump to use JSON-valid \uXXXX escapes in output (GH#21)
- Fix JSON::Syck::Load decoding of \/ and \uXXXX escape sequences (GH#30)
- Fix: apply JSON postprocessing to JSON::Syck::DumpFile output (GH#104)
- Fix: add tied-filehandle fallback to JSON::Syck::DumpFile (GH#98)
- Fix: handle JSON escape sequences in SingleQuote mode Load (GH#99)
- Fix: restore Perl 5.8 compatibility in test suite (GH#121)
- Fix: correct copy-paste error in Makefile.PL clean target (GH#101)
- Fix: correct $SortKeys POD default from false to true (GH#100)
- Fix: correct POD documentation errors (GH#103)
Maintenance:
- Add C23-compatible function prototypes for GCC 15 compatibility (GH#112)
- Silence macOS compiler warnings (GH#92)
- Guard stdint.h include for portability (HP-UX 11.11) (GH#33)
- Guard stdint.h include in syck_st.h for portability (GH#24)
- Update ppport.h to 3.68
- Add regression tests for magical variable dumping (GH#32)
- CI: modernize GitHub Actions workflow (GH#123, GH#124)
- CI: add disttest job to validate MANIFEST completeness
- Use %{make_build} and %{make_install}
- Drop workaround for C23 incompatibility
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 1.36-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2448281 - CVE-2026-4177 perl-YAML-Syck: YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2448281
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-d226775800' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
[SECURITY] Fedora 42 Update: stgit-2.5.5-5.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-9e26f48b50
2026-03-31 01:08:27.845620+00:00
--------------------------------------------------------------------------------
Name : stgit
Product : Fedora 42
Version : 2.5.5
Release : 5.fc42
URL : https://stacked-git.github.io/
Summary : Stack-based patch management for Git
Description :
Stacked Git, StGit for short, is an application for managing Git commits as a
stack of patches.
With a patch stack workflow, multiple patches can be developed concurrently and
efficiently, with each patch focused on a single concern, resulting in both a
clean Git commit history and improved productivity.
--------------------------------------------------------------------------------
Update Information:
Rebuilt with rust-tar 0.4.45 for CVE-2026-33056
--------------------------------------------------------------------------------
ChangeLog:
* Sun Mar 22 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 2.5.5-5
- Rebuilt with rust-tar 0.4.45 for CVE-2026-33056
- Fixes RHBZ#2449690
- Updated the License expression and wrote it one-term-per-line
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 2.5.5-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2449690 - CVE-2026-33056 stgit: tar-rs: Arbitrary directory permission modification via crafted tar archive [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449690
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-9e26f48b50' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
[SECURITY] Fedora 42 Update: musescore-4.3.2-21.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-2e5626418f
2026-03-31 01:08:27.845596+00:00
--------------------------------------------------------------------------------
Name : musescore
Product : Fedora 42
Version : 4.3.2
Release : 21.fc42
URL : https://musescore.org/
Summary : Music Composition & Notation Software
Description :
MuseScore is a free cross platform WYSIWYG music notation program. Some
highlights:
* WYSIWYG, notes are entered on a "virtual note sheet"
* Unlimited number of staves
* Up to four voices per staff
* Easy and fast note entry with mouse, keyboard or MIDI
* Integrated sequencer and FluidSynth software synthesizer
* Import and export of MusicXML and Standard MIDI Files (SMF)
* Translated in 26 languages
--------------------------------------------------------------------------------
Update Information:
Rebuilt with patched dr_wav to fix CVE-2026-29022.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Mar 4 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 4.6.5-21
- Rebuilt with updated dr_wav to fix CVE-2026-29022
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-2e5626418f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
[SECURITY] Fedora 42 Update: firefox-149.0-2.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-49237e1ced
2026-03-31 01:08:27.845551+00:00
--------------------------------------------------------------------------------
Name : firefox
Product : Fedora 42
Version : 149.0
Release : 2.fc42
URL : https://www.mozilla.org/firefox/
Summary : Mozilla Firefox Web browser
Description :
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance and portability.
--------------------------------------------------------------------------------
Update Information:
Update NSS to 3.121.0
Update to Firefox 149.0
--------------------------------------------------------------------------------
ChangeLog:
* Fri Mar 20 2026 Martin Stransky [stransky@redhat.com] - 149.0-2
- Added D&D freeze fix D288856
* Thu Mar 19 2026 Martin Stransky [stransky@redhat.com] - 149.0-1
- Update to latest upstream (149.0)
* Tue Mar 17 2026 Jan Grulich [jgrulich@redhat.com] - 148.0.2-2
- Add a potential fix for PipeWire camera crashes (mozbz#2023103)
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-49237e1ced' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
[SECURITY] Fedora 42 Update: nss-3.121.0-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-49237e1ced
2026-03-31 01:08:27.845551+00:00
--------------------------------------------------------------------------------
Name : nss
Product : Fedora 42
Version : 3.121.0
Release : 1.fc42
URL : http://www.mozilla.org/projects/security/pki/nss/
Summary : Network Security Services
Description :
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and
server applications. Applications built with NSS can support SSL v2
and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
v3 certificates, and other security standards.
--------------------------------------------------------------------------------
Update Information:
Update NSS to 3.121.0
Update to Firefox 149.0
--------------------------------------------------------------------------------
ChangeLog:
* Tue Mar 3 2026 Frantisek Krenzelok [fkrenzel@redhat.com] - 3.121.0-1
- Update NSS to 3.121.0
- Updated patch nss-3.118-ml-dsa-leancrypto.patch
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-49237e1ced' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: ntpd-rs-1.7.1-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-cbe2315bad
2026-03-31 00:53:02.706803+00:00
--------------------------------------------------------------------------------
Name : ntpd-rs
Product : Fedora 43
Version : 1.7.1
Release : 1.fc43
URL : https://github.com/pendulum-project/ntpd-rs
Summary : Full-featured implementation of NTP with NTS support
Description :
Full-featured implementation of NTP with NTS support.
--------------------------------------------------------------------------------
Update Information:
Update to version 1.7.1.
Includes the fix for CVE-2026-26076:
https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-c7j7-rmvr-fjmv
Release notes:
https://github.com/pendulum-project/ntpd-rs/releases/tag/v1.7.0
https://github.com/pendulum-project/ntpd-rs/releases/tag/v1.7.1
--------------------------------------------------------------------------------
ChangeLog:
* Sun Mar 22 2026 Fabio Valentini [decathorpe@gmail.com] - 1.7.1-1
- Update to version 1.7.1; Fixes RHBZ#2435477
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2439602 - CVE-2026-26076 ntpd-rs: ntpd-rs: Denial of Service via malformed NTS packets requesting excessive cookies [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2439602
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-cbe2315bad' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: rust-cargo-rpmstatus-0.2.4-3.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-e5b9665269
2026-03-31 00:53:02.706791+00:00
--------------------------------------------------------------------------------
Name : rust-cargo-rpmstatus
Product : Fedora 43
Version : 0.2.4
Release : 3.fc43
URL : https://crates.io/crates/cargo-rpmstatus
Summary : Cargo-tree for RPM packaging
Description :
Cargo-tree for RPM packaging.
--------------------------------------------------------------------------------
Update Information:
Rebuilt with rust-tar 0.4.45 for CVE-2026-33056
--------------------------------------------------------------------------------
ChangeLog:
* Sun Mar 22 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.2.4-3
- Rebuilt with rust-tar 0.4.45 for CVE-2026-33056
- Fixes RHBZ#2423511
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 0.2.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-e5b9665269' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: stgit-2.5.5-5.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-d6b7d7e177
2026-03-31 00:53:02.706787+00:00
--------------------------------------------------------------------------------
Name : stgit
Product : Fedora 43
Version : 2.5.5
Release : 5.fc43
URL : https://stacked-git.github.io/
Summary : Stack-based patch management for Git
Description :
Stacked Git, StGit for short, is an application for managing Git commits as a
stack of patches.
With a patch stack workflow, multiple patches can be developed concurrently and
efficiently, with each patch focused on a single concern, resulting in both a
clean Git commit history and improved productivity.
--------------------------------------------------------------------------------
Update Information:
Rebuilt with rust-tar 0.4.45 for CVE-2026-33056
--------------------------------------------------------------------------------
ChangeLog:
* Sun Mar 22 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 2.5.5-5
- Rebuilt with rust-tar 0.4.45 for CVE-2026-33056
- Fixes RHBZ#2449690
- Updated the License expression and wrote it one-term-per-line
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 2.5.5-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2449690 - CVE-2026-33056 stgit: tar-rs: Arbitrary directory permission modification via crafted tar archive [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449690
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-d6b7d7e177' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: perl-YAML-Syck-1.39-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-3572f7e01c
2026-03-31 00:53:02.706782+00:00
--------------------------------------------------------------------------------
Name : perl-YAML-Syck
Product : Fedora 43
Version : 1.39
Release : 1.fc43
URL : https://metacpan.org/release/YAML-Syck
Summary : Fast, lightweight YAML loader and dumper
Description :
This module provides a Perl interface to the libsyck data serialization
library. It exports the Dump and Load functions for converting Perl data
structures to YAML strings, and the other way around.
--------------------------------------------------------------------------------
Update Information:
YAML::Syck versions up to and including 1.36 for Perl have several potential
security vulnerabilities including a high-severity heap buffer overflow in the
YAML emitter. The heap overflow occurs when class names exceed the initial
512-byte allocation. The base64 decoder could read past the buffer end on
trailing newlines. strtok mutated n->type_id in place, corrupting shared node
data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an
anchor. The incoming anchor string 'a' was leaked on early return.
--------------------------------------------------------------------------------
ChangeLog:
* Sun Mar 22 2026 Paul Howarth - 1.39-1
- Update to 1.39
Bug Fixes:
- Fix: escape solidus (/) as \/ in JSON::Syck::Dump for XSS safety
(GH#125, GH#130)
- Fix: anchor tracking for blessed scalar refs in Dump (GH#126, GH#131)
- Fix: prevent buffer underflow in base60 (sexagesimal) parsing (GH#133)
- Fix: guard against NULL type from strtok in tag parsing (GH#135)
- Fix: correct copy-paste bug in syck_seq_assign() ASSERT macros (GH#137)
- Fix t/yaml-implicit-typing.t failure with -Duselongdouble perls
(GH#138, GH#139)
Improvements:
- Resolve TODO tests for empty/invalid YAML to match actual behaviour
(GH#127, GH#129)
Maintenance:
- Remove dead Perl 5.6 TODOs and convert 5.8 TODO to SKIP (GH#129)
- Add comprehensive implicit type resolution test suite (GH#137)
- Update MANIFEST to include all unit tests
- Clean up test names to remove unnecessary numbering
* Thu Mar 19 2026 Paul Howarth - 1.37-1
- Update to 1.37
Features:
- Add LoadBytes, LoadUTF8, DumpBytes, DumpUTF8 functions (GH#51)
Fixes:
- Fix heap buffer overflow in the YAML emitter - CVE-2026-4177 (GH#67)
- Fix DumpFile with tied filehandles (IO::String, IO::Scalar) (GH#22)
- Fix _is_glob to recognize IO::Handle subclasses (GH#23)
- Fix memory leak when dumping filehandles (CPAN RT#41199, GH#42)
- Fix dumping of tied hashes (GH#31)
- Fix dumping strings starting with '...' as unquoted plain scalars (GH#34)
- Fix dumping strings with tabs and carriage returns as plain scalars (GH#59)
- Fix double-dash YAML parsing (RT#34073, GH#35)
- Fix extra newline after empty arrays/hashes in YAML output (GH#36)
- Remove trailing whitespace from YAML output lines (GH#37, GH#38, GH#39)
- Fix quoting of \r and \t in YAML output instead of emitting raw bytes
(GH#40)
- Fix growing !!perl/regexp objects in round-trips (GH#43)
- Fix quoted '=' being transformed into 'str' (GH#45)
- Fix backslash-space escape in double-quoted YAML strings (GH#61)
- Fix flow sequence comma separator not recognized without trailing space
(GH#60)
- Fix wide character warning in DumpFile (GH#28)
- Fix inline arrays without space after comma (GH#25)
- Fix: quote strings matching YAML implicit types to prevent round-trip
failures (GH#26)
- Fix JSON::Syck::Dump to use JSON-valid \uXXXX escapes in output (GH#21)
- Fix JSON::Syck::Load decoding of \/ and \uXXXX escape sequences (GH#30)
- Fix: apply JSON postprocessing to JSON::Syck::DumpFile output (GH#104)
- Fix: add tied-filehandle fallback to JSON::Syck::DumpFile (GH#98)
- Fix: handle JSON escape sequences in SingleQuote mode Load (GH#99)
- Fix: restore Perl 5.8 compatibility in test suite (GH#121)
- Fix: correct copy-paste error in Makefile.PL clean target (GH#101)
- Fix: correct $SortKeys POD default from false to true (GH#100)
- Fix: correct POD documentation errors (GH#103)
Maintenance:
- Add C23-compatible function prototypes for GCC 15 compatibility (GH#112)
- Silence macOS compiler warnings (GH#92)
- Guard stdint.h include for portability (HP-UX 11.11) (GH#33)
- Guard stdint.h include in syck_st.h for portability (GH#24)
- Update ppport.h to 3.68
- Add regression tests for magical variable dumping (GH#32)
- CI: modernize GitHub Actions workflow (GH#123, GH#124)
- CI: add disttest job to validate MANIFEST completeness
- Use %{make_build} and %{make_install}
- Drop workaround for C23 incompatibility
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 1.36-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2448281 - CVE-2026-4177 perl-YAML-Syck: YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2448281
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-3572f7e01c' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: dotnet8.0-8.0.125-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f84afd42df
2026-03-31 00:53:02.706769+00:00
--------------------------------------------------------------------------------
Name : dotnet8.0
Product : Fedora 43
Version : 8.0.125
Release : 1.fc43
URL : https://github.com/dotnet/
Summary : .NET Runtime and SDK
Description :
.NET is a fast, lightweight and modular platform for creating
cross platform applications that work on Linux, macOS and Windows.
It particularly focuses on creating console applications, web
applications and micro-services.
.NET contains a runtime conforming to .NET Standards, a set of
framework libraries, an SDK containing compilers and a 'dotnet'
application to drive everything.
--------------------------------------------------------------------------------
Update Information:
This is the March 2026 release of .NET 8.
Release Notes:
SDK: https://github.com/dotnet/core/blob/main/release-notes/8.0/8.0.25/8.0.125.md
Runtime: https://github.com/dotnet/core/blob/main/release-notes/8.0/8.0.25/8.0.25.md
--------------------------------------------------------------------------------
ChangeLog:
* Wed Mar 11 2026 Omair Majid [omajid@redhat.com] - 8.0.125-1
- Update to .NET SDK 8.0.125 and Runtime 8.0.25
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2446427 - CVE-2026-26130 dotnet8.0: ASP.NET Core: Denial of Service via uncontrolled resource allocation [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2446427
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f84afd42df' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: dotnet9.0-9.0.115-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-22e517fe60
2026-03-31 00:53:02.706764+00:00
--------------------------------------------------------------------------------
Name : dotnet9.0
Product : Fedora 43
Version : 9.0.115
Release : 1.fc43
URL : https://github.com/dotnet/
Summary : .NET Runtime and SDK
Description :
.NET is a fast, lightweight and modular platform for creating
cross platform applications that work on Linux, macOS and Windows.
It particularly focuses on creating console applications, web
applications and micro-services.
.NET contains a runtime conforming to .NET Standards, a set of
framework libraries, an SDK containing compilers and a 'dotnet'
application to drive everything.
--------------------------------------------------------------------------------
Update Information:
This is the March 2026 release of .NET 9.
Release Notes:
SDK: https://github.com/dotnet/core/blob/main/release-notes/9.0/9.0.14/9.0.115.md
Runtime: https://github.com/dotnet/core/blob/main/release-notes/9.0/9.0.14/9.0.14.md
--------------------------------------------------------------------------------
ChangeLog:
* Wed Mar 11 2026 Omair Majid [omajid@redhat.com] - 9.0.115-1
- Update to .NET SDK 9.0.115 and Runtime 9.0.14
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2446428 - CVE-2026-26130 dotnet9.0: ASP.NET Core: Denial of Service via uncontrolled resource allocation [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2446428
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-22e517fe60' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: musescore-4.6.5-34.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-c571483404
2026-03-31 00:53:02.706748+00:00
--------------------------------------------------------------------------------
Name : musescore
Product : Fedora 43
Version : 4.6.5
Release : 34.fc43
URL : https://musescore.org/
Summary : Music Composition & Notation Software
Description :
MuseScore is a free cross platform WYSIWYG music notation program. Some
highlights:
* WYSIWYG, notes are entered on a "virtual note sheet"
* Unlimited number of staves
* Up to four voices per staff
* Easy and fast note entry with mouse, keyboard or MIDI
* Integrated sequencer and FluidSynth software synthesizer
* Import and export of MusicXML and Standard MIDI Files (SMF)
* Translated in 26 languages
--------------------------------------------------------------------------------
Update Information:
Rebuilt with updated dr_wav to fix CVE-2026-29022.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Mar 4 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 4.6.5-34
- Rebuilt with updated dr_wav to fix CVE-2026-29022
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-c571483404' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: webkitgtk-2.52.1-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f00460a7d9
2026-03-31 00:16:35.926192+00:00
--------------------------------------------------------------------------------
Name : webkitgtk
Product : Fedora 44
Version : 2.52.1
Release : 1.fc44
URL : https://www.webkitgtk.org/
Summary : GTK web content engine library
Description :
WebKitGTK is the port of the WebKit web rendering engine to the
GTK platform.
--------------------------------------------------------------------------------
Update Information:
Update to 2.52.1:
Reduce the amount of useless MPRIS notifications produced by MediaSession when
the information about media being played is incomplete.
Add Sysprof marks for mouse events.
Fix MediaSession icon for iheart.com not being displayed.
Fix several crashes and rendering issues.
Translation updates: Georgian.
Update to 2.52.0:
Make text look like in other browsers by blending in linear color space.
Improved rendering performance by using a different tile size depending on
whether GPU rendering is enabled or not.
Improved composition scheduling to avoid blocking waiting for tile painting.
Improved performance of accelerated 2D canvas by recording operations for
batched replay.
Improved async scrolling when main thread is busy by avoiding locks and
rendering the scrollbars from the scrolling thread.
Enabled dynamic MSAA for accelerated 2D canvas rendering.
Improved text rendering performance.
Videos with BT2100-PQ colorspace are now tone-mapped to SDR, ensuring colours do
not appear washed out.
Added support for the Audio Output Devices API.
Added API to handle WebXR permission requests.
Added API to query the immersive session status.
Added initial API for web extensions.
2.51.93:
Make text look like in other browsers by blending in linear color space.
Avoid composition for non visible layers with running animations.
Fix several crashes and rendering issues.
2.51.92:
Fix PDF rendering broken by the accelerated 2D canvas performance improvements.
Fix flickering while scrolling in some edge cases.
Support for rotation and mirroring in internal WebCodecs encoder.
System fallback font selection no longer takes style into account.
Fix several crashes and rendering issues.
--------------------------------------------------------------------------------
ChangeLog:
* Sat Mar 28 2026 Michael Catanzaro [mcatanzaro@gnome.org] - 2.52.1-1
- Update to 2.52.1
* Wed Mar 25 2026 Jan Grulich [jgrulich@redhat.com] - 2.52.0-4
- Add configuration for release-monitoring
* Tue Mar 24 2026 Michael Catanzaro [mcatanzaro@gnome.org] - 2.52.0-3
- Remove Unicode-TOU from license list
* Tue Mar 24 2026 Michael Catanzaro [mcatanzaro@gnome.org] - 2.52.0-2
- Correct license of m4sugar.m4
* Sat Mar 21 2026 Michael Catanzaro [mcatanzaro@gnome.org] - 2.52.0-1
- Update to 2.52.0
* Fri Mar 6 2026 Michael Catanzaro [mcatanzaro@gnome.org] - 2.51.93-1
- Update to 2.51.93
* Sun Mar 1 2026 Michael Catanzaro [mcatanzaro@gnome.org] - 2.51.92-1
- Update to 2.51.92
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2449069 - CVE-2025-43213 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449069
[ 2 ] Bug #2449073 - CVE-2025-43214 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449073
[ 3 ] Bug #2449086 - CVE-2025-43457 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449086
[ 4 ] Bug #2449089 - CVE-2025-43511 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449089
[ 5 ] Bug #2449092 - CVE-2025-46299 webkitgtk: Processing maliciously crafted web content may disclose internal states of the app [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449092
[ 6 ] Bug #2449095 - CVE-2026-20608 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449095
[ 7 ] Bug #2449098 - CVE-2026-20635 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449098
[ 8 ] Bug #2449102 - CVE-2026-20636 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449102
[ 9 ] Bug #2449105 - CVE-2026-20644 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449105
[ 10 ] Bug #2449108 - CVE-2026-20652 webkitgtk: A remote attacker may be able to cause a denial-of-service [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449108
[ 11 ] Bug #2449111 - CVE-2026-20676 webkitgtk: A website may be able to track users through Safari web extensions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449111
[ 12 ] Bug #2450634 - webkitgtk-2.50.5: WebKitWebProcess repeated SIGABRT crashes (heap corruption), upstream fixed in 2.50.6+
https://bugzilla.redhat.com/show_bug.cgi?id=2450634
[ 13 ] Bug #2453064 - CVE-2026-20643 webkitgtk: Processing maliciously crafted web content may bypass Same Origin Policy [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453064
[ 14 ] Bug #2453067 - CVE-2026-20664 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453067
[ 15 ] Bug #2453070 - CVE-2026-20665 webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453070
[ 16 ] Bug #2453073 - CVE-2026-20691 webkitgtk: A maliciously crafted webpage may be able to fingerprint the user [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453073
[ 17 ] Bug #2453076 - CVE-2026-28857 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453076
[ 18 ] Bug #2453079 - CVE-2026-28859 webkitgtk: A malicious website may be able to process restricted web content outside the sandbox [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453079
[ 19 ] Bug #2453082 - CVE-2026-28871 webkitgtk: Visiting a maliciously crafted website may lead to a cross-site scripting attack [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453082
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f00460a7d9' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: polkit-127-2.fc44.2
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-054c0e22d1
2026-03-31 00:16:35.926178+00:00
--------------------------------------------------------------------------------
Name : polkit
Product : Fedora 44
Version : 127
Release : 2.fc44.2
URL : https://github.com/polkit-org/polkit
Summary : An authorization framework
Description :
polkit is a toolkit for defining and handling authorizations. It is
used for allowing unprivileged processes to speak to privileged
processes.
--------------------------------------------------------------------------------
Update Information:
CVE-2026-4897 aisle.com fix of unsanitized getline
--------------------------------------------------------------------------------
ChangeLog:
* Fri Mar 27 2026 Jan Rybar [jrybar@redhat.com] - 127-2.2
- CVE-2026-4897 aisle.com fix of unsanitized getline
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-054c0e22d1' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: rust-1.94.1-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-30b1c7e18a
2026-03-31 00:16:35.926155+00:00
--------------------------------------------------------------------------------
Name : rust
Product : Fedora 44
Version : 1.94.1
Release : 1.fc44
URL : https://www.rust-lang.org
Summary : The Rust Programming Language
Description :
Rust is a systems programming language that runs blazingly fast, prevents
segfaults, and guarantees thread safety.
This package includes the Rust compiler and documentation generator.
--------------------------------------------------------------------------------
Update Information:
Update to 1.94.1
--------------------------------------------------------------------------------
ChangeLog:
* Thu Mar 26 2026 Paul Murphy [murp@redhat.com] - 1.94.1-1
- Update to Rust 1.94.1
* Tue Mar 17 2026 Jesus Checa Hidalgo [jchecahi@redhat.com] - 1.94.0-2
- Disable `package::publish_to_crates_io_warns` cargo test
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2449686 - CVE-2026-33056 rust: tar-rs: Arbitrary directory permission modification via crafted tar archive [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449686
[ 2 ] Bug #2451697 - rust-1.94.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2451697
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-30b1c7e18a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: xen-4.21.1-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f884fd0313
2026-03-31 00:16:35.926128+00:00
--------------------------------------------------------------------------------
Name : xen
Product : Fedora 44
Version : 4.21.1
Release : 1.fc44
URL : http://xen.org/
Summary : Xen is a virtual machine monitor
Description :
This package contains the XenD daemon and xm command line
tools, needed to manage virtual machines running under the
Xen hypervisor
--------------------------------------------------------------------------------
Update Information:
update to xen 4.21.1
Use after free of paging structures in EPT [XSA-480, CVE-2026-23554]
Xenstored DoS by unprivileged domain [XSA-481, CVE-2026-23555]
--------------------------------------------------------------------------------
ChangeLog:
* Thu Mar 26 2026 Michael Young [m.a.young@durham.ac.uk] - 4.21.1-1
- update to xen 4.21.0
remove patches now included or superseded upstream
* Tue Mar 17 2026 Michael Young [m.a.young@durham.ac.uk] - 4.21.0-5
- Use after free of paging structures in EPT [XSA-480, CVE-2026-23554]
- Xenstored DoS by unprivileged domain [XSA-481, CVE-2026-23555]
* Fri Feb 20 2026 Richard W.M. Jones [rjones@redhat.com] - 4.21.0-4
- OCaml 5.4.1 rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2415748 - xen-4.21.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2415748
[ 2 ] Bug #2450273 - CVE-2026-23554 xen: Xen: Information disclosure and potential privilege escalation via use-after-free in EPT paging [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2450273
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f884fd0313' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: python3.12-3.12.13-2.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-9c8d7e5c9a
2026-03-31 00:16:35.926121+00:00
--------------------------------------------------------------------------------
Name : python3.12
Product : Fedora 44
Version : 3.12.13
Release : 2.fc44
URL : https://www.python.org/
Summary : Version 3.12 of the Python interpreter
Description :
Python 3.12 is an accessible, high-level, dynamically typed, interpreted
programming language, designed with an emphasis on code readability.
It includes an extensive standard library, and has a vast ecosystem of
third-party libraries.
The python3.12 package provides the "python3.12" executable: the reference
interpreter for the Python language, version 3.
The majority of its standard library is provided in the python3.12-libs package,
which should be installed automatically along with python3.12.
The remaining parts of the Python standard library are broken out into the
python3.12-tkinter and python3.12-test packages, which may need to be installed
separately.
Documentation for Python is provided in the python3.12-docs package.
Packages containing additional libraries for Python are generally named with
the "python3.12-" prefix.
--------------------------------------------------------------------------------
Update Information:
Security fix for CVE-2026-4519.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Mar 26 2026 Lumír Balhar [lbalhar@redhat.com] - 3.12.13-2
- Security fix for CVE-2026-4519 (rhbz#2449728)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2449728 - CVE-2026-4519 python3.12: Python: Command-line option injection in webbrowser.open() via crafted URLs [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449728
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-9c8d7e5c9a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: bind-dyndb-ldap-11.11-13.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-19d899e92d
2026-03-31 00:16:35.926114+00:00
--------------------------------------------------------------------------------
Name : bind-dyndb-ldap
Product : Fedora 44
Version : 11.11
Release : 13.fc44
URL : https://releases.pagure.org/bind-dyndb-ldap
Summary : LDAP back-end plug-in for BIND
Description :
This package provides an LDAP back-end plug-in for BIND. It features
support for dynamic updates and internal caching, to lift the load
off of your LDAP server.
--------------------------------------------------------------------------------
Update Information:
Update to 9.18.47 (rhbz#2440561)
Security Fixes:
Fix unbounded NSEC3 iterations when validating referrals to unsigned
delegations. (CVE-2026-1519)
Source:
https://downloads.isc.org/isc/bind9/9.18.47/doc/arm/html/notes.html#notes-for-bind-9-18-47
--------------------------------------------------------------------------------
ChangeLog:
* Wed Mar 25 2026 Petr Menšík [pemensik@redhat.com] - 11.11-13
- Rebuild for BIND 9.18.47 (rhbz#2440561)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2440561 - bind-9.18.47 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2440561
[ 2 ] Bug #2451360 - CVE-2026-1519 bind: BIND: Denial of Service via maliciously crafted DNSSEC-validated zone [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2451360
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-19d899e92d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: bind-9.18.47-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-19d899e92d
2026-03-31 00:16:35.926114+00:00
--------------------------------------------------------------------------------
Name : bind
Product : Fedora 44
Version : 9.18.47
Release : 1.fc44
URL : https://www.isc.org/downloads/bind/
Summary : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
Description :
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
(Domain Name System) protocols. BIND includes a DNS server (named),
which resolves host names to IP addresses; a resolver library
(routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating properly.
--------------------------------------------------------------------------------
Update Information:
Update to 9.18.47 (rhbz#2440561)
Security Fixes:
Fix unbounded NSEC3 iterations when validating referrals to unsigned
delegations. (CVE-2026-1519)
Source:
https://downloads.isc.org/isc/bind9/9.18.47/doc/arm/html/notes.html#notes-for-bind-9-18-47
--------------------------------------------------------------------------------
ChangeLog:
* Wed Mar 25 2026 Petr Menšík [pemensik@redhat.com] - 32:9.18.47-1
- Update to 9.18.47 (rhbz#2440561)
* Tue Mar 3 2026 Petr Menšík [pemensik@redhat.com] - 32:9.18.46-1
- Update to 9.18.46 (rhbz#2440561)
* Wed Jan 28 2026 Petr Menšík [pemensik@redhat.com] - 32:9.18.44-2
- Create /var/named directories for bind-chroot (RHEL-132053)
- Add forgotten _libdir/named into bind-chroot tmpfiles
* Thu Jan 22 2026 Petr Menšík [pemensik@redhat.com] - 32:9.18.44-1
- Update to 9.18.44 (rhbz#2431609)
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 32:9.18.43-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 32:9.18.43-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Wed Dec 17 2025 Petr Menšík [pemensik@redhat.com] - 32:9.18.43-1
- Update to 9.18.43 (rhbz#2415842)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2440561 - bind-9.18.47 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2440561
[ 2 ] Bug #2451360 - CVE-2026-1519 bind: BIND: Denial of Service via maliciously crafted DNSSEC-validated zone [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2451360
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-19d899e92d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: freerdp-3.24.2-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-36ea367760
2026-03-31 00:16:35.926111+00:00
--------------------------------------------------------------------------------
Name : freerdp
Product : Fedora 44
Version : 3.24.2
Release : 1.fc44
URL : http://www.freerdp.com/
Summary : Free implementation of the Remote Desktop Protocol (RDP)
Description :
The xfreerdp & wlfreerdp Remote Desktop Protocol (RDP) clients from the FreeRDP
project.
xfreerdp & wlfreerdp can connect to RDP servers such as Microsoft Windows
machines, xrdp and VirtualBox.
--------------------------------------------------------------------------------
Update Information:
Update to 3.24.2
It fixes CVE-2026-33952, CVE-2026-33977, CVE-2026-33982, CVE-2026-33983,
CVE-2026-33984, CVE-2026-33985, CVE-2026-33986, CVE-2026-33987 and
CVE-2026-33995.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Mar 26 2026 Ondrej Holy [oholy@redhat.com] - 2:3.24.2-1
- Update to 3.24.2 (CVE-2026-33952, CVE-2026-33977, CVE-2026-33982,
CVE-2026-33983, CVE-2026-33984, CVE-2026-33985, CVE-2026-33986,
CVE-2026-33987, CVE-2026-33995)
Resolves: rhbz#2448592
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-36ea367760' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: ntpd-rs-1.7.1-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-eb0777262e
2026-03-31 00:16:35.926071+00:00
--------------------------------------------------------------------------------
Name : ntpd-rs
Product : Fedora 44
Version : 1.7.1
Release : 1.fc44
URL : https://github.com/pendulum-project/ntpd-rs
Summary : Full-featured implementation of NTP with NTS support
Description :
Full-featured implementation of NTP with NTS support.
--------------------------------------------------------------------------------
Update Information:
Update to version 1.7.1.
Includes the fix for CVE-2026-26076: https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-c7j7-rmvr-fjmv
Release notes:
https://github.com/pendulum-project/ntpd-rs/releases/tag/v1.7.0
https://github.com/pendulum-project/ntpd-rs/releases/tag/v1.7.1
--------------------------------------------------------------------------------
ChangeLog:
* Sun Mar 22 2026 Fabio Valentini [decathorpe@gmail.com] - 1.7.1-1
- Update to version 1.7.1; Fixes RHBZ#2435477
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-eb0777262e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: rust-cargo-vendor-filterer-0.5.18-4.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-8deecdc6c6
2026-03-31 00:16:35.926049+00:00
--------------------------------------------------------------------------------
Name : rust-cargo-vendor-filterer
Product : Fedora 44
Version : 0.5.18
Release : 4.fc44
URL : https://crates.io/crates/cargo-vendor-filterer
Summary : Cargo vendor, but with filtering for platforms and more
Description :
`cargo vendor`, but with filtering for platforms and more.
--------------------------------------------------------------------------------
Update Information:
Rebuilt with rust-tar 0.4.45 for CVE-2026-33056
--------------------------------------------------------------------------------
ChangeLog:
* Sun Mar 22 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.5.18-4
- Rebuilt with rust-tar 0.4.45 for CVE-2026-33056
- Updated the License expression based on a current Rawhide build
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-8deecdc6c6' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: rust-cargo-rpmstatus-0.2.4-3.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-d7cc8fd693
2026-03-31 00:16:35.926038+00:00
--------------------------------------------------------------------------------
Name : rust-cargo-rpmstatus
Product : Fedora 44
Version : 0.2.4
Release : 3.fc44
URL : https://crates.io/crates/cargo-rpmstatus
Summary : Cargo-tree for RPM packaging
Description :
Cargo-tree for RPM packaging.
--------------------------------------------------------------------------------
Update Information:
Rebuilt with rust-tar 0.4.45 for CVE-2026-33056
--------------------------------------------------------------------------------
ChangeLog:
* Sun Mar 22 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.2.4-3
- Rebuilt with rust-tar 0.4.45 for CVE-2026-33056
- Fixes RHBZ#2423511
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-d7cc8fd693' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: stgit-2.5.5-5.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-25285d56e4
2026-03-31 00:16:35.926034+00:00
--------------------------------------------------------------------------------
Name : stgit
Product : Fedora 44
Version : 2.5.5
Release : 5.fc44
URL : https://stacked-git.github.io/
Summary : Stack-based patch management for Git
Description :
Stacked Git, StGit for short, is an application for managing Git commits as a
stack of patches.
With a patch stack workflow, multiple patches can be developed concurrently and
efficiently, with each patch focused on a single concern, resulting in both a
clean Git commit history and improved productivity.
--------------------------------------------------------------------------------
Update Information:
Rebuilt with rust-tar 0.4.45 for CVE-2026-33056
--------------------------------------------------------------------------------
ChangeLog:
* Sun Mar 22 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 2.5.5-5
- Rebuilt with rust-tar 0.4.45 for CVE-2026-33056
- Fixes RHBZ#2449690
- Updated the License expression and wrote it one-term-per-line
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2449690 - CVE-2026-33056 stgit: tar-rs: Arbitrary directory permission modification via crafted tar archive [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449690
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-25285d56e4' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: perl-YAML-Syck-1.39-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-a8d89d8ae2
2026-03-31 00:16:35.926016+00:00
--------------------------------------------------------------------------------
Name : perl-YAML-Syck
Product : Fedora 44
Version : 1.39
Release : 1.fc44
URL : https://metacpan.org/release/YAML-Syck
Summary : Fast, lightweight YAML loader and dumper
Description :
This module provides a Perl interface to the libsyck data serialization
library. It exports the Dump and Load functions for converting Perl data
structures to YAML strings, and the other way around.
--------------------------------------------------------------------------------
Update Information:
YAML::Syck versions up to and including 1.36 for Perl have several potential
security vulnerabilities, including a high-severity heap buffer overflow in the
YAML emitter. The heap overflow occurs when class names exceed the initial
512-byte allocation. The base64 decoder could read past the buffer end on
trailing newlines. strtok mutated n->type_id in place, corrupting shared node
data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an
anchor. The incoming anchor string 'a' was leaked on early return.
--------------------------------------------------------------------------------
ChangeLog:
* Sun Mar 22 2026 Paul Howarth - 1.39-1
- Update to 1.39
Bug Fixes:
- Fix: escape solidus (/) as \/ in JSON::Syck::Dump for XSS safety
(GH#125, GH#130)
- Fix: anchor tracking for blessed scalar refs in Dump (GH#126, GH#131)
- Fix: prevent buffer underflow in base60 (sexagesimal) parsing (GH#133)
- Fix: guard against NULL type from strtok in tag parsing (GH#135)
- Fix: correct copy-paste bug in syck_seq_assign() ASSERT macros (GH#137)
- Fix t/yaml-implicit-typing.t failure with -Duselongdouble perls
(GH#138, GH#139)
Improvements:
- Resolve TODO tests for empty/invalid YAML to match actual behaviour
(GH#127, GH#129)
Maintenance:
- Remove dead Perl 5.6 TODOs and convert 5.8 TODO to SKIP (GH#129)
- Add comprehensive implicit type resolution test suite (GH#137)
- Update MANIFEST to include all unit tests
- Clean up test names to remove unnecessary numbering
* Thu Mar 19 2026 Paul Howarth - 1.37-1
- Update to 1.37
Features:
- Add LoadBytes, LoadUTF8, DumpBytes, DumpUTF8 functions (GH#51)
Fixes:
- Fix heap buffer overflow in the YAML emitter - CVE-2026-4177 (GH#67)
- Fix DumpFile with tied filehandles (IO::String, IO::Scalar) (GH#22)
- Fix _is_glob to recognize IO::Handle subclasses (GH#23)
- Fix memory leak when dumping filehandles (CPAN RT#41199, GH#42)
- Fix dumping of tied hashes (GH#31)
- Fix dumping strings starting with '...' as unquoted plain scalars (GH#34)
- Fix dumping strings with tabs and carriage returns as plain scalars (GH#59)
- Fix double-dash YAML parsing (RT#34073, GH#35)
- Fix extra newline after empty arrays/hashes in YAML output (GH#36)
- Remove trailing whitespace from YAML output lines (GH#37, GH#38, GH#39)
- Fix quoting of \r and \t in YAML output instead of emitting raw bytes
(GH#40)
- Fix growing !!perl/regexp objects in round-trips (GH#43)
- Fix quoted '=' being transformed into 'str' (GH#45)
- Fix backslash-space escape in double-quoted YAML strings (GH#61)
- Fix flow sequence comma separator not recognized without trailing space
(GH#60)
- Fix wide character warning in DumpFile (GH#28)
- Fix inline arrays without space after comma (GH#25)
- Fix: quote strings matching YAML implicit types to prevent round-trip
failures (GH#26)
- Fix JSON::Syck::Dump to use JSON-valid \uXXXX escapes in output (GH#21)
- Fix JSON::Syck::Load decoding of \/ and \uXXXX escape sequences (GH#30)
- Fix: apply JSON postprocessing to JSON::Syck::DumpFile output (GH#104)
- Fix: add tied-filehandle fallback to JSON::Syck::DumpFile (GH#98)
- Fix: handle JSON escape sequences in SingleQuote mode Load (GH#99)
- Fix: restore Perl 5.8 compatibility in test suite (GH#121)
- Fix: correct copy-paste error in Makefile.PL clean target (GH#101)
- Fix: correct $SortKeys POD default from false to true (GH#100)
- Fix: correct POD documentation errors (GH#103)
Maintenance:
- Add C23-compatible function prototypes for GCC 15 compatibility (GH#112)
- Silence macOS compiler warnings (GH#92)
- Guard stdint.h include for portability (HP-UX 11.11) (GH#33)
- Guard stdint.h include in syck_st.h for portability (GH#24)
- Update ppport.h to 3.68
- Add regression tests for magical variable dumping (GH#32)
- CI: modernize GitHub Actions workflow (GH#123, GH#124)
- CI: add disttest job to validate MANIFEST completeness
- Use %{make_build} and %{make_install}
- Drop workaround for C23 incompatibility
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2448281 - CVE-2026-4177 perl-YAML-Syck: YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2448281
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-a8d89d8ae2' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: pyOpenSSL-26.0.0-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-5697f4e025
2026-03-31 00:16:35.926004+00:00
--------------------------------------------------------------------------------
Name : pyOpenSSL
Product : Fedora 44
Version : 26.0.0
Release : 1.fc44
URL : https://pyopenssl.readthedocs.org/
Summary : Python wrapper module around the OpenSSL library
Description :
High-level wrapper around a subset of the OpenSSL library, includes among others
* SSL.Connection objects, wrapping the methods of Python's portable
sockets
* Callbacks written in Python
* Extensive error-handling mechanism, mirroring OpenSSL's error codes
--------------------------------------------------------------------------------
Update Information:
Update to version 26.0.0
- Added support for using aws-lc instead of OpenSSL.
- Properly raise an error if a DTLS cookie callback returned a cookie
longer than DTLS1_COOKIE_LENGTH bytes. Previously this would result in
a buffer-overflow. Credit to dark_haxor for reporting the issue.
CVE-2026-27459
- Added OpenSSL.SSL.Connection.get_group_name to determine which group
name was negotiated.
- Context.set_tlsext_servername_callback now handles exceptions raised
in the callback by calling sys.excepthook and returning a fatal TLS
alert. Previously, exceptions were silently swallowed and the
handshake would proceed as if the callback had succeeded. Credit to
Leury Castillo for reporting this issue. CVE-2026-27448
--------------------------------------------------------------------------------
ChangeLog:
* Wed Mar 18 2026 Jeremy Cline [jeremycline@microsoft.com] - 26.0.0-1
- Update to v26.0.0
- Added support for using aws-lc instead of OpenSSL.
- Properly raise an error if a DTLS cookie callback returned a cookie
longer than DTLS1_COOKIE_LENGTH bytes. Previously this would result in a
buffer-overflow. Credit to dark_haxor for reporting the issue.
CVE-2026-27459
- Added OpenSSL.SSL.Connection.get_group_name to determine which group name
was negotiated.
- Context.set_tlsext_servername_callback now handles exceptions raised in
the callback by calling sys.excepthook and returning a fatal TLS alert.
Previously, exceptions were silently swallowed and the handshake would
proceed as if the callback had succeeded. Credit to Leury Castillo for
reporting this issue. CVE-2026-27448
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2448652 - CVE-2026-27459 pyOpenSSL: DTLS cookie callback buffer overflow [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2448652
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-5697f4e025' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: nss-3.121.0-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-367d9a0b61
2026-03-31 00:16:35.925970+00:00
--------------------------------------------------------------------------------
Name : nss
Product : Fedora 44
Version : 3.121.0
Release : 1.fc44
URL : http://www.mozilla.org/projects/security/pki/nss/
Summary : Network Security Services
Description :
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and
server applications. Applications built with NSS can support SSL v2
and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
v3 certificates, and other security standards.
--------------------------------------------------------------------------------
Update Information:
Update NSS to 3.121.0
--------------------------------------------------------------------------------
ChangeLog:
* Tue Mar 3 2026 Frantisek Krenzelok [fkrenzel@redhat.com] - 3.121.0-1
- Update NSS to 3.121.0
- Updated patch nss-3.118-ml-dsa-leancrypto.patch
* Tue Feb 24 2026 Frantisek Krenzelok [fkrenzel@redhat.com] - 3.121.0-1
- Update NSS to 3.121.0
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-367d9a0b61' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 42 Update: mingw-expat-2.7.5-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-1cbd107c34
2026-03-30 18:41:12.319042+00:00
--------------------------------------------------------------------------------
Name : mingw-expat
Product : Fedora 42
Version : 2.7.5
Release : 1.fc42
URL : http://www.libexpat.org/
Summary : MinGW Windows port of expat XML parser library
Description :
This is expat, the C library for parsing XML, written by James Clark. Expat
is a stream oriented XML parser. This means that you register handlers with
the parser prior to starting the parse. These handlers are called when the
parser discovers the associated structures in the document being parsed. A
start tag is an example of the kind of structures for which you may
register handlers.
--------------------------------------------------------------------------------
Update Information:
Update to 2.7.5.
--------------------------------------------------------------------------------
ChangeLog:
* Sat Mar 21 2026 Sandro Mani [manisandro@gmail.com] - 2.7.5-1
- Update to 2.7.5
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2447973 - CVE-2026-32777 mingw-expat: libexpat: Denial of Service via infinite loop in DTD content parsing [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2447973
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-1cbd107c34' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 42 Update: php-phpseclib3-3.0.50-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-65fdd15133
2026-03-30 18:41:12.319036+00:00
--------------------------------------------------------------------------------
Name : php-phpseclib3
Product : Fedora 42
Version : 3.0.50
Release : 1.fc42
URL : https://github.com/phpseclib/phpseclib
Summary : PHP Secure Communications Library
Description :
MIT-licensed pure-PHP implementations of an arbitrary-precision integer
arithmetic library, fully PKCS#1 (v2.1) compliant RSA, DES, 3DES, RC4,
Rijndael, AES, Blowfish, Twofish, SSH-1, SSH-2, SFTP, and X.509
--------------------------------------------------------------------------------
Update Information:
Update to v3.0.50; contains fix for CVE-2026-32935
--------------------------------------------------------------------------------
ChangeLog:
* Sat Mar 21 2026 Artur Frenszek-Iwicki [fedora@svgames.pl] - 3.0.50-1
- Update to v3.0.50
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2448961 - php-phpseclib3-3.0.50 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2448961
[ 2 ] Bug #2449634 - CVE-2026-32935 php-phpseclib3: phpseclib: Information disclosure via padding oracle timing attack when using AES in CBC mode [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2449634
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-65fdd15133' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------