Fedora Linux 9409 Published by

Fedora 43 and 44 shipped a wide range of security updates that patch critical vulnerabilities across the Linux kernel, Rust libraries, and system utilities. The Linux kernel received a 7.1.3 rebase to address CVE-2026-53359, while rust-quick-xml updated to version 0.41.0 to resolve two separate RustSec advisories. Container management tools like podman-tui and prometheus-podman-exporter received fixes for multiple SSH and cryptographic flaws, alongside security patches for ClamAV, HPLIP, and the MinGW expat XML parser.

Fedora 43 Update: sandogasa-0.15.3-2.fc43
Fedora 43 Update: rust-reqsign-aws-v4-3.0.1-2.fc43
Fedora 43 Update: rust-quick-xml-0.41.0-1.fc43
Fedora 43 Update: rust-inferno-0.12.6-3.fc43
Fedora 43 Update: rust-busd-0.5.0-3.fc43
Fedora 43 Update: rust-wayland-scanner-0.31.10-3.fc43
Fedora 43 Update: mingw-expat-2.8.2-1.fc43
Fedora 44 Update: sandogasa-0.15.3-2.fc44
Fedora 44 Update: rust-reqsign-aws-v4-3.0.1-2.fc44
Fedora 44 Update: rust-inferno-0.12.6-3.fc44
Fedora 44 Update: rust-gtk4-macros-0.11.4-2.fc44
Fedora 44 Update: rust-wayland-scanner-0.31.10-3.fc44
Fedora 44 Update: rust-busd-0.5.0-3.fc44
Fedora 44 Update: rust-quick-xml-0.41.0-1.fc44
Fedora 44 Update: rust-ashpd-0.13.12-2.fc44
Fedora 44 Update: mir-2.26.0-2.fc44
Fedora 44 Update: hplip-3.26.4-7.fc44
Fedora 44 Update: python-rpds-py-0.29.0-4.fc44
Fedora 44 Update: mingw-expat-2.8.2-1.fc44
Fedora 43 Update: kernel-headers-7.1.3-100.fc43
Fedora 43 Update: kernel-7.1.3-100.fc43
Fedora 43 Update: perl-Imager-1.032-1.fc43
Fedora 43 Update: clamav-1.4.5-1.fc43
Fedora 43 Update: hplip-3.26.4-7.fc43
Fedora 43 Update: librabbitmq-0.17.0-1.fc43
Fedora 43 Update: podman-tui-1.11.3-1.fc43
Fedora 43 Update: prometheus-podman-exporter-1.21.2-1.fc43
Fedora 44 Update: kernel-headers-7.1.3-200.fc44
Fedora 44 Update: kernel-7.1.3-200.fc44
Fedora 44 Update: perl-Imager-1.032-1.fc44
Fedora 44 Update: podman-tui-1.11.3-1.fc44
Fedora 44 Update: prometheus-podman-exporter-1.21.2-1.fc44




[SECURITY] Fedora 43 Update: sandogasa-0.15.3-2.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-ffaebbf2f0
2026-07-06 15:09:07.087500+00:00
--------------------------------------------------------------------------------

Name : sandogasa
Product : Fedora 43
Version : 0.15.3
Release : 2.fc43
URL : https://github.com/slopfest/sandogasa
Summary : A collection of Fedora and CentOS packaging tools
Description :
A collection of tools and libraries for Fedora package maintenance
and contributor activity tracking, built around shared API clients
for Bugzilla, Bodhi, NVD, dist-git, Discourse, FASJSON, and HyperKitty.

The name **sandogasa** (??????) refers to a Japanese straw hat often
associated with "slum" or post-apocalyptic robots in popular culture.

--------------------------------------------------------------------------------
Update Information:

Update quick-xml for two security advisories, rebuild dependents, and update
sandogasa to the latest
https://rustsec.org/advisories/RUSTSEC-2026-0194.html
https://rustsec.org/advisories/RUSTSEC-2026-0195.html
sandogasa
v0.15.3
ebranch base-distro guard ??? resolve/file-requests now know EPEL must
not replace RHEL/CentOS Stream packages: deps present in the base at a
too-old version are blocked with clear options (alternate package via
--override, or lower the requirement) instead of becoming CANTFIX
branch requests; file-requests re-checks the base before filing
New sandogasa-sourcehut crate ??? sr.ht GraphQL client; sandogasa-report
gains a Sourcehut section (patches, tickets, commits split yours vs
third-party, git_emails attribution)
ebranch check-crate ??? human report on stderr alongside --koji/--copr
machine output, so build scripts stay pipeable
dbranch rebuild ??? creates debian/gbp.conf when the Debian branch has
none and handles the modern single-line salsa-ci.yml
Robustness: 120s HTTP timeout on every client; --version on every
tool; quick-xml bumped to 0.41 for RUSTSEC-2026-0194/-0195
sandogasa-report: consistent commit detail levels across forges
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.3/CHANGELOG.md#v0153
v0.15.2
New sandogasa-review crate ??? shared keep/explain/remove resolution for
reviewer-curated findings; adopted by fedora-review-digest, ebranch
check-update, and fedora-cve-triage
New sandogasa-forgejo crate ??? Forgejo/Gitea REST API client (PR activity
issue filing); powers sandogasa-report's Forgejo accounting
ebranch check-update overhaul ??? condensed output (counts + version
grouping), reviewer curation of blocking findings before karma, branch
inference for Fedora side tags (EPEL still needs -b al9 -r @epel), plus
fixes for stale-side-tag and rich-dep installability false positives and
large-update performance
fedora-cve-triage ??? per-bug keep/explain/remove review before closing
detected false positives
sandogasa-report ??? Forgejo PR-merge and issue accounting
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.2/CHANGELOG.md#v0152
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 3 2026 Michel Lind [salimma@fedoraproject.org] - 0.15.3-2
- Rebuild for rust-quick-xml 0.41.0
* Fri Jul 3 2026 Michel Lind [salimma@fedoraproject.org] - 0.15.3-1
- Update to version 0.15.3
* Mon Jun 29 2026 Michel Lind [salimma@fedoraproject.org] - 0.15.2-1
- Update to version 0.15.2
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2494601 - rust-quick-xml-0.41.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2494601
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-ffaebbf2f0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: rust-reqsign-aws-v4-3.0.1-2.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-ffaebbf2f0
2026-07-06 15:09:07.087500+00:00
--------------------------------------------------------------------------------

Name : rust-reqsign-aws-v4
Product : Fedora 43
Version : 3.0.1
Release : 2.fc43
URL : https://crates.io/crates/reqsign-aws-v4
Summary : AWS SigV4 signing implementation for reqsign
Description :
AWS SigV4 signing implementation for reqsign.

--------------------------------------------------------------------------------
Update Information:

Update quick-xml for two security advisories, rebuild dependents, and update
sandogasa to the latest
https://rustsec.org/advisories/RUSTSEC-2026-0194.html
https://rustsec.org/advisories/RUSTSEC-2026-0195.html
sandogasa
v0.15.3
ebranch base-distro guard ??? resolve/file-requests now know EPEL must
not replace RHEL/CentOS Stream packages: deps present in the base at a
too-old version are blocked with clear options (alternate package via
--override, or lower the requirement) instead of becoming CANTFIX
branch requests; file-requests re-checks the base before filing
New sandogasa-sourcehut crate ??? sr.ht GraphQL client; sandogasa-report
gains a Sourcehut section (patches, tickets, commits split yours vs
third-party, git_emails attribution)
ebranch check-crate ??? human report on stderr alongside --koji/--copr
machine output, so build scripts stay pipeable
dbranch rebuild ??? creates debian/gbp.conf when the Debian branch has
none and handles the modern single-line salsa-ci.yml
Robustness: 120s HTTP timeout on every client; --version on every
tool; quick-xml bumped to 0.41 for RUSTSEC-2026-0194/-0195
sandogasa-report: consistent commit detail levels across forges
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.3/CHANGELOG.md#v0153
v0.15.2
New sandogasa-review crate ??? shared keep/explain/remove resolution for
reviewer-curated findings; adopted by fedora-review-digest, ebranch
check-update, and fedora-cve-triage
New sandogasa-forgejo crate ??? Forgejo/Gitea REST API client (PR activity
issue filing); powers sandogasa-report's Forgejo accounting
ebranch check-update overhaul ??? condensed output (counts + version
grouping), reviewer curation of blocking findings before karma, branch
inference for Fedora side tags (EPEL still needs -b al9 -r @epel), plus
fixes for stale-side-tag and rich-dep installability false positives and
large-update performance
fedora-cve-triage ??? per-bug keep/explain/remove review before closing
detected false positives
sandogasa-report ??? Forgejo PR-merge and issue accounting
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.2/CHANGELOG.md#v0152
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 3 2026 Michel Lind [salimma@fedoraproject.org] - 3.0.1-2
- Allow building against quick-xml 0.41
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2494601 - rust-quick-xml-0.41.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2494601
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-ffaebbf2f0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: rust-quick-xml-0.41.0-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-ffaebbf2f0
2026-07-06 15:09:07.087500+00:00
--------------------------------------------------------------------------------

Name : rust-quick-xml
Product : Fedora 43
Version : 0.41.0
Release : 1.fc43
URL : https://crates.io/crates/quick-xml
Summary : High performance xml reader and writer
Description :
High performance xml reader and writer.

--------------------------------------------------------------------------------
Update Information:

Update quick-xml for two security advisories, rebuild dependents, and update
sandogasa to the latest
https://rustsec.org/advisories/RUSTSEC-2026-0194.html
https://rustsec.org/advisories/RUSTSEC-2026-0195.html
sandogasa
v0.15.3
ebranch base-distro guard ??? resolve/file-requests now know EPEL must
not replace RHEL/CentOS Stream packages: deps present in the base at a
too-old version are blocked with clear options (alternate package via
--override, or lower the requirement) instead of becoming CANTFIX
branch requests; file-requests re-checks the base before filing
New sandogasa-sourcehut crate ??? sr.ht GraphQL client; sandogasa-report
gains a Sourcehut section (patches, tickets, commits split yours vs
third-party, git_emails attribution)
ebranch check-crate ??? human report on stderr alongside --koji/--copr
machine output, so build scripts stay pipeable
dbranch rebuild ??? creates debian/gbp.conf when the Debian branch has
none and handles the modern single-line salsa-ci.yml
Robustness: 120s HTTP timeout on every client; --version on every
tool; quick-xml bumped to 0.41 for RUSTSEC-2026-0194/-0195
sandogasa-report: consistent commit detail levels across forges
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.3/CHANGELOG.md#v0153
v0.15.2
New sandogasa-review crate ??? shared keep/explain/remove resolution for
reviewer-curated findings; adopted by fedora-review-digest, ebranch
check-update, and fedora-cve-triage
New sandogasa-forgejo crate ??? Forgejo/Gitea REST API client (PR activity
issue filing); powers sandogasa-report's Forgejo accounting
ebranch check-update overhaul ??? condensed output (counts + version
grouping), reviewer curation of blocking findings before karma, branch
inference for Fedora side tags (EPEL still needs -b al9 -r @epel), plus
fixes for stale-side-tag and rich-dep installability false positives and
large-update performance
fedora-cve-triage ??? per-bug keep/explain/remove review before closing
detected false positives
sandogasa-report ??? Forgejo PR-merge and issue accounting
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.2/CHANGELOG.md#v0152
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 3 2026 Michel Lind [salimma@fedoraproject.org] - 0.41.0-1
- Update to version 0.41.0; Resolves RHBZ#2494601
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2494601 - rust-quick-xml-0.41.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2494601
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-ffaebbf2f0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: rust-inferno-0.12.6-3.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-ffaebbf2f0
2026-07-06 15:09:07.087500+00:00
--------------------------------------------------------------------------------

Name : rust-inferno
Product : Fedora 43
Version : 0.12.6
Release : 3.fc43
URL : https://crates.io/crates/inferno
Summary : Rust port of the FlameGraph performance profiling tool suite
Description :
Rust port of the FlameGraph performance profiling tool suite.

--------------------------------------------------------------------------------
Update Information:

Update quick-xml for two security advisories, rebuild dependents, and update
sandogasa to the latest
https://rustsec.org/advisories/RUSTSEC-2026-0194.html
https://rustsec.org/advisories/RUSTSEC-2026-0195.html
sandogasa
v0.15.3
ebranch base-distro guard ??? resolve/file-requests now know EPEL must
not replace RHEL/CentOS Stream packages: deps present in the base at a
too-old version are blocked with clear options (alternate package via
--override, or lower the requirement) instead of becoming CANTFIX
branch requests; file-requests re-checks the base before filing
New sandogasa-sourcehut crate ??? sr.ht GraphQL client; sandogasa-report
gains a Sourcehut section (patches, tickets, commits split yours vs
third-party, git_emails attribution)
ebranch check-crate ??? human report on stderr alongside --koji/--copr
machine output, so build scripts stay pipeable
dbranch rebuild ??? creates debian/gbp.conf when the Debian branch has
none and handles the modern single-line salsa-ci.yml
Robustness: 120s HTTP timeout on every client; --version on every
tool; quick-xml bumped to 0.41 for RUSTSEC-2026-0194/-0195
sandogasa-report: consistent commit detail levels across forges
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.3/CHANGELOG.md#v0153
v0.15.2
New sandogasa-review crate ??? shared keep/explain/remove resolution for
reviewer-curated findings; adopted by fedora-review-digest, ebranch
check-update, and fedora-cve-triage
New sandogasa-forgejo crate ??? Forgejo/Gitea REST API client (PR activity
issue filing); powers sandogasa-report's Forgejo accounting
ebranch check-update overhaul ??? condensed output (counts + version
grouping), reviewer curation of blocking findings before karma, branch
inference for Fedora side tags (EPEL still needs -b al9 -r @epel), plus
fixes for stale-side-tag and rich-dep installability false positives and
large-update performance
fedora-cve-triage ??? per-bug keep/explain/remove review before closing
detected false positives
sandogasa-report ??? Forgejo PR-merge and issue accounting
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.2/CHANGELOG.md#v0152
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 3 2026 Michel Lind [salimma@fedoraproject.org] - 0.12.6-3
- Allow building against quick-xml 0.41
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2494601 - rust-quick-xml-0.41.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2494601
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-ffaebbf2f0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: rust-busd-0.5.0-3.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-ffaebbf2f0
2026-07-06 15:09:07.087500+00:00
--------------------------------------------------------------------------------

Name : rust-busd
Product : Fedora 43
Version : 0.5.0
Release : 3.fc43
URL : https://crates.io/crates/busd
Summary : D-Bus bus (broker) implementation
Description :
A D-Bus bus (broker) implementation.

--------------------------------------------------------------------------------
Update Information:

Update quick-xml for two security advisories, rebuild dependents, and update
sandogasa to the latest
https://rustsec.org/advisories/RUSTSEC-2026-0194.html
https://rustsec.org/advisories/RUSTSEC-2026-0195.html
sandogasa
v0.15.3
ebranch base-distro guard ??? resolve/file-requests now know EPEL must
not replace RHEL/CentOS Stream packages: deps present in the base at a
too-old version are blocked with clear options (alternate package via
--override, or lower the requirement) instead of becoming CANTFIX
branch requests; file-requests re-checks the base before filing
New sandogasa-sourcehut crate ??? sr.ht GraphQL client; sandogasa-report
gains a Sourcehut section (patches, tickets, commits split yours vs
third-party, git_emails attribution)
ebranch check-crate ??? human report on stderr alongside --koji/--copr
machine output, so build scripts stay pipeable
dbranch rebuild ??? creates debian/gbp.conf when the Debian branch has
none and handles the modern single-line salsa-ci.yml
Robustness: 120s HTTP timeout on every client; --version on every
tool; quick-xml bumped to 0.41 for RUSTSEC-2026-0194/-0195
sandogasa-report: consistent commit detail levels across forges
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.3/CHANGELOG.md#v0153
v0.15.2
New sandogasa-review crate ??? shared keep/explain/remove resolution for
reviewer-curated findings; adopted by fedora-review-digest, ebranch
check-update, and fedora-cve-triage
New sandogasa-forgejo crate ??? Forgejo/Gitea REST API client (PR activity
issue filing); powers sandogasa-report's Forgejo accounting
ebranch check-update overhaul ??? condensed output (counts + version
grouping), reviewer curation of blocking findings before karma, branch
inference for Fedora side tags (EPEL still needs -b al9 -r @epel), plus
fixes for stale-side-tag and rich-dep installability false positives and
large-update performance
fedora-cve-triage ??? per-bug keep/explain/remove review before closing
detected false positives
sandogasa-report ??? Forgejo PR-merge and issue accounting
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.2/CHANGELOG.md#v0152
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 3 2026 Michel Lind [salimma@fedoraproject.org] - 0.5.0-3
- Allow building against quick-xml 0.41
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2494601 - rust-quick-xml-0.41.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2494601
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-ffaebbf2f0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: rust-wayland-scanner-0.31.10-3.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-ffaebbf2f0
2026-07-06 15:09:07.087500+00:00
--------------------------------------------------------------------------------

Name : rust-wayland-scanner
Product : Fedora 43
Version : 0.31.10
Release : 3.fc43
URL : https://crates.io/crates/wayland-scanner
Summary : Wayland Scanner for generating rust APIs from XML wayland protocol files
Description :
Wayland Scanner for generating rust APIs from XML wayland protocol
files.

--------------------------------------------------------------------------------
Update Information:

Update quick-xml for two security advisories, rebuild dependents, and update
sandogasa to the latest
https://rustsec.org/advisories/RUSTSEC-2026-0194.html
https://rustsec.org/advisories/RUSTSEC-2026-0195.html
sandogasa
v0.15.3
ebranch base-distro guard ??? resolve/file-requests now know EPEL must
not replace RHEL/CentOS Stream packages: deps present in the base at a
too-old version are blocked with clear options (alternate package via
--override, or lower the requirement) instead of becoming CANTFIX
branch requests; file-requests re-checks the base before filing
New sandogasa-sourcehut crate ??? sr.ht GraphQL client; sandogasa-report
gains a Sourcehut section (patches, tickets, commits split yours vs
third-party, git_emails attribution)
ebranch check-crate ??? human report on stderr alongside --koji/--copr
machine output, so build scripts stay pipeable
dbranch rebuild ??? creates debian/gbp.conf when the Debian branch has
none and handles the modern single-line salsa-ci.yml
Robustness: 120s HTTP timeout on every client; --version on every
tool; quick-xml bumped to 0.41 for RUSTSEC-2026-0194/-0195
sandogasa-report: consistent commit detail levels across forges
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.3/CHANGELOG.md#v0153
v0.15.2
New sandogasa-review crate ??? shared keep/explain/remove resolution for
reviewer-curated findings; adopted by fedora-review-digest, ebranch
check-update, and fedora-cve-triage
New sandogasa-forgejo crate ??? Forgejo/Gitea REST API client (PR activity
issue filing); powers sandogasa-report's Forgejo accounting
ebranch check-update overhaul ??? condensed output (counts + version
grouping), reviewer curation of blocking findings before karma, branch
inference for Fedora side tags (EPEL still needs -b al9 -r @epel), plus
fixes for stale-side-tag and rich-dep installability false positives and
large-update performance
fedora-cve-triage ??? per-bug keep/explain/remove review before closing
detected false positives
sandogasa-report ??? Forgejo PR-merge and issue accounting
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.2/CHANGELOG.md#v0152
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 3 2026 Michel Lind [salimma@fedoraproject.org] - 0.31.10-3
- Allow building against quick-xml 0.41
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2494601 - rust-quick-xml-0.41.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2494601
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-ffaebbf2f0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: mingw-expat-2.8.2-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-6666907a26
2026-07-06 15:09:07.087456+00:00
--------------------------------------------------------------------------------

Name : mingw-expat
Product : Fedora 43
Version : 2.8.2
Release : 1.fc43
URL : http://www.libexpat.org/
Summary : MinGW Windows port of expat XML parser library
Description :
This is expat, the C library for parsing XML, written by James Clark. Expat
is a stream oriented XML parser. This means that you register handlers with
the parser prior to starting the parse. These handlers are called when the
parser discovers the associated structures in the document being parsed. A
start tag is an example of the kind of structures for which you may
register handlers.

--------------------------------------------------------------------------------
Update Information:

Update to expat-2.8.2.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jun 26 2026 Sandro Mani [manisandro@gmail.com] - 2.8.2-1
- Update to 2.8.2
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2486180 - CVE-2026-50219 mingw-expat: libexpat: Use-after-free vulnerability due to improper handler call depth tracking [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2486180
[ 2 ] Bug #2493317 - CVE-2026-56412 mingw-expat: libexpat: Use-after-free vulnerability due to improper handling of XML CDATA sections [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2493317
[ 3 ] Bug #2493319 - CVE-2026-56412 mingw-expat: libexpat: Use-after-free vulnerability due to improper handling of XML CDATA sections [fedora-44]
https://bugzilla.redhat.com/show_bug.cgi?id=2493319
[ 4 ] Bug #2493638 - CVE-2026-56132 mingw-expat: libexpat: Arbitrary Code Execution via Heap-based Buffer Overflow [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2493638
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-6666907a26' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: sandogasa-0.15.3-2.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-b25dca4806
2026-07-06 14:53:30.168848+00:00
--------------------------------------------------------------------------------

Name : sandogasa
Product : Fedora 44
Version : 0.15.3
Release : 2.fc44
URL : https://github.com/slopfest/sandogasa
Summary : A collection of Fedora and CentOS packaging tools
Description :
A collection of tools and libraries for Fedora package maintenance
and contributor activity tracking, built around shared API clients
for Bugzilla, Bodhi, NVD, dist-git, Discourse, FASJSON, and HyperKitty.

The name **sandogasa** (??????) refers to a Japanese straw hat often
associated with "slum" or post-apocalyptic robots in popular culture.

--------------------------------------------------------------------------------
Update Information:

Update quick-xml for two security advisories, rebuild dependents, and update
sandogasa to the latest
https://rustsec.org/advisories/RUSTSEC-2026-0194.html
https://rustsec.org/advisories/RUSTSEC-2026-0195.html
sandogasa
v0.15.3
ebranch base-distro guard ??? resolve/file-requests now know EPEL must
not replace RHEL/CentOS Stream packages: deps present in the base at a
too-old version are blocked with clear options (alternate package via
--override, or lower the requirement) instead of becoming CANTFIX
branch requests; file-requests re-checks the base before filing
New sandogasa-sourcehut crate ??? sr.ht GraphQL client; sandogasa-report
gains a Sourcehut section (patches, tickets, commits split yours vs
third-party, git_emails attribution)
ebranch check-crate ??? human report on stderr alongside --koji/--copr
machine output, so build scripts stay pipeable
dbranch rebuild ??? creates debian/gbp.conf when the Debian branch has
none and handles the modern single-line salsa-ci.yml
Robustness: 120s HTTP timeout on every client; --version on every
tool; quick-xml bumped to 0.41 for RUSTSEC-2026-0194/-0195
sandogasa-report: consistent commit detail levels across forges
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.3/CHANGELOG.md#v0153
v0.15.2
New sandogasa-review crate ??? shared keep/explain/remove resolution for
reviewer-curated findings; adopted by fedora-review-digest, ebranch
check-update, and fedora-cve-triage
New sandogasa-forgejo crate ??? Forgejo/Gitea REST API client (PR activity
issue filing); powers sandogasa-report's Forgejo accounting
ebranch check-update overhaul ??? condensed output (counts + version
grouping), reviewer curation of blocking findings before karma, branch
inference for Fedora side tags (EPEL still needs -b al9 -r @epel), plus
fixes for stale-side-tag and rich-dep installability false positives and
large-update performance
fedora-cve-triage ??? per-bug keep/explain/remove review before closing
detected false positives
sandogasa-report ??? Forgejo PR-merge and issue accounting
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.2/CHANGELOG.md#v0152
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 3 2026 Michel Lind [salimma@fedoraproject.org] - 0.15.3-2
- Rebuild for rust-quick-xml 0.41.0
* Fri Jul 3 2026 Michel Lind [salimma@fedoraproject.org] - 0.15.3-1
- Update to version 0.15.3
* Mon Jun 29 2026 Michel Lind [salimma@fedoraproject.org] - 0.15.2-1
- Update to version 0.15.2
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2494601 - rust-quick-xml-0.41.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2494601
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-b25dca4806' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: rust-reqsign-aws-v4-3.0.1-2.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-b25dca4806
2026-07-06 14:53:30.168848+00:00
--------------------------------------------------------------------------------

Name : rust-reqsign-aws-v4
Product : Fedora 44
Version : 3.0.1
Release : 2.fc44
URL : https://crates.io/crates/reqsign-aws-v4
Summary : AWS SigV4 signing implementation for reqsign
Description :
AWS SigV4 signing implementation for reqsign.

--------------------------------------------------------------------------------
Update Information:

Update quick-xml for two security advisories, rebuild dependents, and update
sandogasa to the latest
https://rustsec.org/advisories/RUSTSEC-2026-0194.html
https://rustsec.org/advisories/RUSTSEC-2026-0195.html
sandogasa
v0.15.3
ebranch base-distro guard ??? resolve/file-requests now know EPEL must
not replace RHEL/CentOS Stream packages: deps present in the base at a
too-old version are blocked with clear options (alternate package via
--override, or lower the requirement) instead of becoming CANTFIX
branch requests; file-requests re-checks the base before filing
New sandogasa-sourcehut crate ??? sr.ht GraphQL client; sandogasa-report
gains a Sourcehut section (patches, tickets, commits split yours vs
third-party, git_emails attribution)
ebranch check-crate ??? human report on stderr alongside --koji/--copr
machine output, so build scripts stay pipeable
dbranch rebuild ??? creates debian/gbp.conf when the Debian branch has
none and handles the modern single-line salsa-ci.yml
Robustness: 120s HTTP timeout on every client; --version on every
tool; quick-xml bumped to 0.41 for RUSTSEC-2026-0194/-0195
sandogasa-report: consistent commit detail levels across forges
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.3/CHANGELOG.md#v0153
v0.15.2
New sandogasa-review crate ??? shared keep/explain/remove resolution for
reviewer-curated findings; adopted by fedora-review-digest, ebranch
check-update, and fedora-cve-triage
New sandogasa-forgejo crate ??? Forgejo/Gitea REST API client (PR activity
issue filing); powers sandogasa-report's Forgejo accounting
ebranch check-update overhaul ??? condensed output (counts + version
grouping), reviewer curation of blocking findings before karma, branch
inference for Fedora side tags (EPEL still needs -b al9 -r @epel), plus
fixes for stale-side-tag and rich-dep installability false positives and
large-update performance
fedora-cve-triage ??? per-bug keep/explain/remove review before closing
detected false positives
sandogasa-report ??? Forgejo PR-merge and issue accounting
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.2/CHANGELOG.md#v0152
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 3 2026 Michel Lind [salimma@fedoraproject.org] - 3.0.1-2
- Allow building against quick-xml 0.41
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2494601 - rust-quick-xml-0.41.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2494601
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-b25dca4806' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: rust-inferno-0.12.6-3.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-b25dca4806
2026-07-06 14:53:30.168848+00:00
--------------------------------------------------------------------------------

Name : rust-inferno
Product : Fedora 44
Version : 0.12.6
Release : 3.fc44
URL : https://crates.io/crates/inferno
Summary : Rust port of the FlameGraph performance profiling tool suite
Description :
Rust port of the FlameGraph performance profiling tool suite.

--------------------------------------------------------------------------------
Update Information:

Update quick-xml for two security advisories, rebuild dependents, and update
sandogasa to the latest
https://rustsec.org/advisories/RUSTSEC-2026-0194.html
https://rustsec.org/advisories/RUSTSEC-2026-0195.html
sandogasa
v0.15.3
ebranch base-distro guard ??? resolve/file-requests now know EPEL must
not replace RHEL/CentOS Stream packages: deps present in the base at a
too-old version are blocked with clear options (alternate package via
--override, or lower the requirement) instead of becoming CANTFIX
branch requests; file-requests re-checks the base before filing
New sandogasa-sourcehut crate ??? sr.ht GraphQL client; sandogasa-report
gains a Sourcehut section (patches, tickets, commits split yours vs
third-party, git_emails attribution)
ebranch check-crate ??? human report on stderr alongside --koji/--copr
machine output, so build scripts stay pipeable
dbranch rebuild ??? creates debian/gbp.conf when the Debian branch has
none and handles the modern single-line salsa-ci.yml
Robustness: 120s HTTP timeout on every client; --version on every
tool; quick-xml bumped to 0.41 for RUSTSEC-2026-0194/-0195
sandogasa-report: consistent commit detail levels across forges
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.3/CHANGELOG.md#v0153
v0.15.2
New sandogasa-review crate ??? shared keep/explain/remove resolution for
reviewer-curated findings; adopted by fedora-review-digest, ebranch
check-update, and fedora-cve-triage
New sandogasa-forgejo crate ??? Forgejo/Gitea REST API client (PR activity
issue filing); powers sandogasa-report's Forgejo accounting
ebranch check-update overhaul ??? condensed output (counts + version
grouping), reviewer curation of blocking findings before karma, branch
inference for Fedora side tags (EPEL still needs -b al9 -r @epel), plus
fixes for stale-side-tag and rich-dep installability false positives and
large-update performance
fedora-cve-triage ??? per-bug keep/explain/remove review before closing
detected false positives
sandogasa-report ??? Forgejo PR-merge and issue accounting
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.2/CHANGELOG.md#v0152
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 3 2026 Michel Lind [salimma@fedoraproject.org] - 0.12.6-3
- Allow building against quick-xml 0.41
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2494601 - rust-quick-xml-0.41.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2494601
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-b25dca4806' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: rust-gtk4-macros-0.11.4-2.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-b25dca4806
2026-07-06 14:53:30.168848+00:00
--------------------------------------------------------------------------------

Name : rust-gtk4-macros
Product : Fedora 44
Version : 0.11.4
Release : 2.fc44
URL : https://crates.io/crates/gtk4-macros
Summary : Macros helpers for GTK 4 bindings
Description :
Macros helpers for GTK 4 bindings.

--------------------------------------------------------------------------------
Update Information:

Update quick-xml for two security advisories, rebuild dependents, and update
sandogasa to the latest
https://rustsec.org/advisories/RUSTSEC-2026-0194.html
https://rustsec.org/advisories/RUSTSEC-2026-0195.html
sandogasa
v0.15.3
ebranch base-distro guard ??? resolve/file-requests now know EPEL must
not replace RHEL/CentOS Stream packages: deps present in the base at a
too-old version are blocked with clear options (alternate package via
--override, or lower the requirement) instead of becoming CANTFIX
branch requests; file-requests re-checks the base before filing
New sandogasa-sourcehut crate ??? sr.ht GraphQL client; sandogasa-report
gains a Sourcehut section (patches, tickets, commits split yours vs
third-party, git_emails attribution)
ebranch check-crate ??? human report on stderr alongside --koji/--copr
machine output, so build scripts stay pipeable
dbranch rebuild ??? creates debian/gbp.conf when the Debian branch has
none and handles the modern single-line salsa-ci.yml
Robustness: 120s HTTP timeout on every client; --version on every
tool; quick-xml bumped to 0.41 for RUSTSEC-2026-0194/-0195
sandogasa-report: consistent commit detail levels across forges
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.3/CHANGELOG.md#v0153
v0.15.2
New sandogasa-review crate ??? shared keep/explain/remove resolution for
reviewer-curated findings; adopted by fedora-review-digest, ebranch
check-update, and fedora-cve-triage
New sandogasa-forgejo crate ??? Forgejo/Gitea REST API client (PR activity
issue filing); powers sandogasa-report's Forgejo accounting
ebranch check-update overhaul ??? condensed output (counts + version
grouping), reviewer curation of blocking findings before karma, branch
inference for Fedora side tags (EPEL still needs -b al9 -r @epel), plus
fixes for stale-side-tag and rich-dep installability false positives and
large-update performance
fedora-cve-triage ??? per-bug keep/explain/remove review before closing
detected false positives
sandogasa-report ??? Forgejo PR-merge and issue accounting
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.2/CHANGELOG.md#v0152
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 3 2026 Michel Lind [salimma@fedoraproject.org] - 0.11.4-2
- Allow building against quick-xml 0.41
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2494601 - rust-quick-xml-0.41.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2494601
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-b25dca4806' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: rust-wayland-scanner-0.31.10-3.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-b25dca4806
2026-07-06 14:53:30.168848+00:00
--------------------------------------------------------------------------------

Name : rust-wayland-scanner
Product : Fedora 44
Version : 0.31.10
Release : 3.fc44
URL : https://crates.io/crates/wayland-scanner
Summary : Wayland Scanner for generating rust APIs from XML wayland protocol files
Description :
Wayland Scanner for generating rust APIs from XML wayland protocol
files.

--------------------------------------------------------------------------------
Update Information:

Update quick-xml for two security advisories, rebuild dependents, and update
sandogasa to the latest
https://rustsec.org/advisories/RUSTSEC-2026-0194.html
https://rustsec.org/advisories/RUSTSEC-2026-0195.html
sandogasa
v0.15.3
ebranch base-distro guard ??? resolve/file-requests now know EPEL must
not replace RHEL/CentOS Stream packages: deps present in the base at a
too-old version are blocked with clear options (alternate package via
--override, or lower the requirement) instead of becoming CANTFIX
branch requests; file-requests re-checks the base before filing
New sandogasa-sourcehut crate ??? sr.ht GraphQL client; sandogasa-report
gains a Sourcehut section (patches, tickets, commits split yours vs
third-party, git_emails attribution)
ebranch check-crate ??? human report on stderr alongside --koji/--copr
machine output, so build scripts stay pipeable
dbranch rebuild ??? creates debian/gbp.conf when the Debian branch has
none and handles the modern single-line salsa-ci.yml
Robustness: 120s HTTP timeout on every client; --version on every
tool; quick-xml bumped to 0.41 for RUSTSEC-2026-0194/-0195
sandogasa-report: consistent commit detail levels across forges
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.3/CHANGELOG.md#v0153
v0.15.2
New sandogasa-review crate ??? shared keep/explain/remove resolution for
reviewer-curated findings; adopted by fedora-review-digest, ebranch
check-update, and fedora-cve-triage
New sandogasa-forgejo crate ??? Forgejo/Gitea REST API client (PR activity
issue filing); powers sandogasa-report's Forgejo accounting
ebranch check-update overhaul ??? condensed output (counts + version
grouping), reviewer curation of blocking findings before karma, branch
inference for Fedora side tags (EPEL still needs -b al9 -r @epel), plus
fixes for stale-side-tag and rich-dep installability false positives and
large-update performance
fedora-cve-triage ??? per-bug keep/explain/remove review before closing
detected false positives
sandogasa-report ??? Forgejo PR-merge and issue accounting
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.2/CHANGELOG.md#v0152
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 3 2026 Michel Lind [salimma@fedoraproject.org] - 0.31.10-3
- Allow building against quick-xml 0.41
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2494601 - rust-quick-xml-0.41.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2494601
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-b25dca4806' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: rust-busd-0.5.0-3.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-b25dca4806
2026-07-06 14:53:30.168848+00:00
--------------------------------------------------------------------------------

Name : rust-busd
Product : Fedora 44
Version : 0.5.0
Release : 3.fc44
URL : https://crates.io/crates/busd
Summary : D-Bus bus (broker) implementation
Description :
A D-Bus bus (broker) implementation.

--------------------------------------------------------------------------------
Update Information:

Update quick-xml for two security advisories, rebuild dependents, and update
sandogasa to the latest
https://rustsec.org/advisories/RUSTSEC-2026-0194.html
https://rustsec.org/advisories/RUSTSEC-2026-0195.html
sandogasa
v0.15.3
ebranch base-distro guard ??? resolve/file-requests now know EPEL must
not replace RHEL/CentOS Stream packages: deps present in the base at a
too-old version are blocked with clear options (alternate package via
--override, or lower the requirement) instead of becoming CANTFIX
branch requests; file-requests re-checks the base before filing
New sandogasa-sourcehut crate ??? sr.ht GraphQL client; sandogasa-report
gains a Sourcehut section (patches, tickets, commits split yours vs
third-party, git_emails attribution)
ebranch check-crate ??? human report on stderr alongside --koji/--copr
machine output, so build scripts stay pipeable
dbranch rebuild ??? creates debian/gbp.conf when the Debian branch has
none and handles the modern single-line salsa-ci.yml
Robustness: 120s HTTP timeout on every client; --version on every
tool; quick-xml bumped to 0.41 for RUSTSEC-2026-0194/-0195
sandogasa-report: consistent commit detail levels across forges
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.3/CHANGELOG.md#v0153
v0.15.2
New sandogasa-review crate ??? shared keep/explain/remove resolution for
reviewer-curated findings; adopted by fedora-review-digest, ebranch
check-update, and fedora-cve-triage
New sandogasa-forgejo crate ??? Forgejo/Gitea REST API client (PR activity
issue filing); powers sandogasa-report's Forgejo accounting
ebranch check-update overhaul ??? condensed output (counts + version
grouping), reviewer curation of blocking findings before karma, branch
inference for Fedora side tags (EPEL still needs -b al9 -r @epel), plus
fixes for stale-side-tag and rich-dep installability false positives and
large-update performance
fedora-cve-triage ??? per-bug keep/explain/remove review before closing
detected false positives
sandogasa-report ??? Forgejo PR-merge and issue accounting
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.2/CHANGELOG.md#v0152
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 3 2026 Michel Lind [salimma@fedoraproject.org] - 0.5.0-3
- Allow building against quick-xml 0.41
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2494601 - rust-quick-xml-0.41.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2494601
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-b25dca4806' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: rust-quick-xml-0.41.0-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-b25dca4806
2026-07-06 14:53:30.168848+00:00
--------------------------------------------------------------------------------

Name : rust-quick-xml
Product : Fedora 44
Version : 0.41.0
Release : 1.fc44
URL : https://crates.io/crates/quick-xml
Summary : High performance xml reader and writer
Description :
High performance xml reader and writer.

--------------------------------------------------------------------------------
Update Information:

Update quick-xml for two security advisories, rebuild dependents, and update
sandogasa to the latest
https://rustsec.org/advisories/RUSTSEC-2026-0194.html
https://rustsec.org/advisories/RUSTSEC-2026-0195.html
sandogasa
v0.15.3
ebranch base-distro guard ??? resolve/file-requests now know EPEL must
not replace RHEL/CentOS Stream packages: deps present in the base at a
too-old version are blocked with clear options (alternate package via
--override, or lower the requirement) instead of becoming CANTFIX
branch requests; file-requests re-checks the base before filing
New sandogasa-sourcehut crate ??? sr.ht GraphQL client; sandogasa-report
gains a Sourcehut section (patches, tickets, commits split yours vs
third-party, git_emails attribution)
ebranch check-crate ??? human report on stderr alongside --koji/--copr
machine output, so build scripts stay pipeable
dbranch rebuild ??? creates debian/gbp.conf when the Debian branch has
none and handles the modern single-line salsa-ci.yml
Robustness: 120s HTTP timeout on every client; --version on every
tool; quick-xml bumped to 0.41 for RUSTSEC-2026-0194/-0195
sandogasa-report: consistent commit detail levels across forges
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.3/CHANGELOG.md#v0153
v0.15.2
New sandogasa-review crate ??? shared keep/explain/remove resolution for
reviewer-curated findings; adopted by fedora-review-digest, ebranch
check-update, and fedora-cve-triage
New sandogasa-forgejo crate ??? Forgejo/Gitea REST API client (PR activity
issue filing); powers sandogasa-report's Forgejo accounting
ebranch check-update overhaul ??? condensed output (counts + version
grouping), reviewer curation of blocking findings before karma, branch
inference for Fedora side tags (EPEL still needs -b al9 -r @epel), plus
fixes for stale-side-tag and rich-dep installability false positives and
large-update performance
fedora-cve-triage ??? per-bug keep/explain/remove review before closing
detected false positives
sandogasa-report ??? Forgejo PR-merge and issue accounting
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.2/CHANGELOG.md#v0152
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 3 2026 Michel Lind [salimma@fedoraproject.org] - 0.41.0-1
- Update to version 0.41.0; Resolves RHBZ#2494601
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2494601 - rust-quick-xml-0.41.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2494601
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-b25dca4806' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: rust-ashpd-0.13.12-2.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-b25dca4806
2026-07-06 14:53:30.168848+00:00
--------------------------------------------------------------------------------

Name : rust-ashpd
Product : Fedora 44
Version : 0.13.12
Release : 2.fc44
URL : https://crates.io/crates/ashpd
Summary : XDG portals wrapper in Rust using zbus
Description :
XDG portals wrapper in Rust using zbus.

--------------------------------------------------------------------------------
Update Information:

Update quick-xml for two security advisories, rebuild dependents, and update
sandogasa to the latest
https://rustsec.org/advisories/RUSTSEC-2026-0194.html
https://rustsec.org/advisories/RUSTSEC-2026-0195.html
sandogasa
v0.15.3
ebranch base-distro guard ??? resolve/file-requests now know EPEL must
not replace RHEL/CentOS Stream packages: deps present in the base at a
too-old version are blocked with clear options (alternate package via
--override, or lower the requirement) instead of becoming CANTFIX
branch requests; file-requests re-checks the base before filing
New sandogasa-sourcehut crate ??? sr.ht GraphQL client; sandogasa-report
gains a Sourcehut section (patches, tickets, commits split yours vs
third-party, git_emails attribution)
ebranch check-crate ??? human report on stderr alongside --koji/--copr
machine output, so build scripts stay pipeable
dbranch rebuild ??? creates debian/gbp.conf when the Debian branch has
none and handles the modern single-line salsa-ci.yml
Robustness: 120s HTTP timeout on every client; --version on every
tool; quick-xml bumped to 0.41 for RUSTSEC-2026-0194/-0195
sandogasa-report: consistent commit detail levels across forges
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.3/CHANGELOG.md#v0153
v0.15.2
New sandogasa-review crate ??? shared keep/explain/remove resolution for
reviewer-curated findings; adopted by fedora-review-digest, ebranch
check-update, and fedora-cve-triage
New sandogasa-forgejo crate ??? Forgejo/Gitea REST API client (PR activity
issue filing); powers sandogasa-report's Forgejo accounting
ebranch check-update overhaul ??? condensed output (counts + version
grouping), reviewer curation of blocking findings before karma, branch
inference for Fedora side tags (EPEL still needs -b al9 -r @epel), plus
fixes for stale-side-tag and rich-dep installability false positives and
large-update performance
fedora-cve-triage ??? per-bug keep/explain/remove review before closing
detected false positives
sandogasa-report ??? Forgejo PR-merge and issue accounting
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.2/CHANGELOG.md#v0152
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 3 2026 Michel Lind [salimma@fedoraproject.org] - 0.13.12-2
- Allow building against quick-xml 0.41
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2494601 - rust-quick-xml-0.41.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2494601
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-b25dca4806' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: mir-2.26.0-2.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-b25dca4806
2026-07-06 14:53:30.168848+00:00
--------------------------------------------------------------------------------

Name : mir
Product : Fedora 44
Version : 2.26.0
Release : 2.fc44
URL : https://canonical.com/mir
Summary : Next generation Wayland display server toolkit
Description :
Mir is a Wayland display server toolkit for Linux systems,
with a focus on efficiency, robust operation,
and a well-defined driver model.

--------------------------------------------------------------------------------
Update Information:

Update quick-xml for two security advisories, rebuild dependents, and update
sandogasa to the latest
https://rustsec.org/advisories/RUSTSEC-2026-0194.html
https://rustsec.org/advisories/RUSTSEC-2026-0195.html
sandogasa
v0.15.3
ebranch base-distro guard ??? resolve/file-requests now know EPEL must
not replace RHEL/CentOS Stream packages: deps present in the base at a
too-old version are blocked with clear options (alternate package via
--override, or lower the requirement) instead of becoming CANTFIX
branch requests; file-requests re-checks the base before filing
New sandogasa-sourcehut crate ??? sr.ht GraphQL client; sandogasa-report
gains a Sourcehut section (patches, tickets, commits split yours vs
third-party, git_emails attribution)
ebranch check-crate ??? human report on stderr alongside --koji/--copr
machine output, so build scripts stay pipeable
dbranch rebuild ??? creates debian/gbp.conf when the Debian branch has
none and handles the modern single-line salsa-ci.yml
Robustness: 120s HTTP timeout on every client; --version on every
tool; quick-xml bumped to 0.41 for RUSTSEC-2026-0194/-0195
sandogasa-report: consistent commit detail levels across forges
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.3/CHANGELOG.md#v0153
v0.15.2
New sandogasa-review crate ??? shared keep/explain/remove resolution for
reviewer-curated findings; adopted by fedora-review-digest, ebranch
check-update, and fedora-cve-triage
New sandogasa-forgejo crate ??? Forgejo/Gitea REST API client (PR activity
issue filing); powers sandogasa-report's Forgejo accounting
ebranch check-update overhaul ??? condensed output (counts + version
grouping), reviewer curation of blocking findings before karma, branch
inference for Fedora side tags (EPEL still needs -b al9 -r @epel), plus
fixes for stale-side-tag and rich-dep installability false positives and
large-update performance
fedora-cve-triage ??? per-bug keep/explain/remove review before closing
detected false positives
sandogasa-report ??? Forgejo PR-merge and issue accounting
Full details:
https://github.com/slopfest/sandogasa/blob/v0.15.2/CHANGELOG.md#v0152
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 3 2026 Michel Lind [salimma@fedoraproject.org] - 2.26.0-2
- Rebuild for rust-quick-xml 0.41.0
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2494601 - rust-quick-xml-0.41.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2494601
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-b25dca4806' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: hplip-3.26.4-7.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-d9b508b972
2026-07-06 14:53:30.168841+00:00
--------------------------------------------------------------------------------

Name : hplip
Product : Fedora 44
Version : 3.26.4
Release : 7.fc44
URL : https://developers.hp.com/hp-linux-imaging-and-printing
Summary : HP Linux Imaging and Printing Project
Description :
The Hewlett-Packard Linux Imaging and Printing Project provides
drivers for HP printers and multi-function peripherals.

--------------------------------------------------------------------------------
Update Information:

fix CVE-2026-14544 - incomplete fix after CVE-2026-8631 (fedora#2496773,
fedora#2496772)
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 3 2026 Zdenek Dohnal [zdohnal@redhat.com] - 3.26.4-7
- fix CVE-2026-14544 - incomplete fix after CVE-2026-8631 (fedora#2496773,
fedora#2496772)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2496772 - CVE-2026-14544 HPLIP: Incomplete Fix for CVE-2026-8631
https://bugzilla.redhat.com/show_bug.cgi?id=2496772
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-d9b508b972' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: python-rpds-py-0.29.0-4.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-93da8dcc2c
2026-07-06 14:53:30.168830+00:00
--------------------------------------------------------------------------------

Name : python-rpds-py
Product : Fedora 44
Version : 0.29.0
Release : 4.fc44
URL : https://github.com/crate-py/rpds
Summary : Python bindings to the Rust rpds crate
Description :
Python bindings to the Rust rpds crate.

--------------------------------------------------------------------------------
Update Information:

Update to PyO3 0.29, with fixes for RUSTSEC-2026-0176 and RUSTSEC-2026-0177.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 30 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.29.0-4
- Update License expression based on a current F44 build
* Tue Jun 30 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.29.0-3
- Update to PyO3 0.29
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-93da8dcc2c' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: mingw-expat-2.8.2-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-3cb1034453
2026-07-06 14:53:30.168787+00:00
--------------------------------------------------------------------------------

Name : mingw-expat
Product : Fedora 44
Version : 2.8.2
Release : 1.fc44
URL : http://www.libexpat.org/
Summary : MinGW Windows port of expat XML parser library
Description :
This is expat, the C library for parsing XML, written by James Clark. Expat
is a stream oriented XML parser. This means that you register handlers with
the parser prior to starting the parse. These handlers are called when the
parser discovers the associated structures in the document being parsed. A
start tag is an example of the kind of structures for which you may
register handlers.

--------------------------------------------------------------------------------
Update Information:

Update to expat-2.8.2.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jun 26 2026 Sandro Mani [manisandro@gmail.com] - 2.8.2-1
- Update to 2.8.2
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2486180 - CVE-2026-50219 mingw-expat: libexpat: Use-after-free vulnerability due to improper handler call depth tracking [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2486180
[ 2 ] Bug #2493317 - CVE-2026-56412 mingw-expat: libexpat: Use-after-free vulnerability due to improper handling of XML CDATA sections [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2493317
[ 3 ] Bug #2493319 - CVE-2026-56412 mingw-expat: libexpat: Use-after-free vulnerability due to improper handling of XML CDATA sections [fedora-44]
https://bugzilla.redhat.com/show_bug.cgi?id=2493319
[ 4 ] Bug #2493638 - CVE-2026-56132 mingw-expat: libexpat: Arbitrary Code Execution via Heap-based Buffer Overflow [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2493638
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-3cb1034453' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: kernel-headers-7.1.3-100.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-c3e2e91b4d
2026-07-07 01:08:27.509786+00:00
--------------------------------------------------------------------------------

Name : kernel-headers
Product : Fedora 43
Version : 7.1.3
Release : 100.fc43
URL : http://www.kernel.org/
Summary : Header files for the Linux kernel for use by glibc
Description :
Kernel-headers includes the C header files that specify the interface
between the Linux kernel and userspace libraries and programs. The
header files define structures and constants that are needed for
building most standard programs and are also needed for rebuilding the
glibc package.

--------------------------------------------------------------------------------
Update Information:

The 7.1.3 stable kernel rebase contains new features, improved hardware support,
and a number of important fixes across the tree.
This also has a fix for CVE-2026-53359
--------------------------------------------------------------------------------
ChangeLog:

* Sun Jul 5 2026 Justin M. Forbes [jforbes@fedoraproject.org] - 7.1.3-1
- Linux v7.1.3
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-c3e2e91b4d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: kernel-7.1.3-100.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-c3e2e91b4d
2026-07-07 01:08:27.509786+00:00
--------------------------------------------------------------------------------

Name : kernel
Product : Fedora 43
Version : 7.1.3
Release : 100.fc43
URL : https://www.kernel.org/
Summary : The Linux kernel
Description :
The kernel meta package

--------------------------------------------------------------------------------
Update Information:

The 7.1.3 stable kernel rebase contains new features, improved hardware support,
and a number of important fixes across the tree.
This also has a fix for CVE-2026-53359
--------------------------------------------------------------------------------
ChangeLog:

* Sat Jul 4 2026 Justin M. Forbes [jforbes@fedoraproject.org] [7.1.3-1]
- Linux v7.1.3
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-c3e2e91b4d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: perl-Imager-1.032-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-ab8bc1220a
2026-07-07 01:08:27.509774+00:00
--------------------------------------------------------------------------------

Name : perl-Imager
Product : Fedora 43
Version : 1.032
Release : 1.fc43
URL : https://metacpan.org/release/Imager
Summary : Perl extension for Generating 24 bit Images
Description :
Imager is a module for creating and altering images. It can read and
write various image formats, draw primitive shapes like lines,and
polygons, blend multiple images together in various ways, scale, crop,
render text and more.

--------------------------------------------------------------------------------
Update Information:

1.032 bump- Fix CVE-2026-13708 and CVE-2026-13705
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 3 2026 Jitka Plesnikova [jplesnik@redhat.com] - 1.032-1
- 1.032 bump (rhbz#2495894) - Fix CVE-2026-13708 and CVE-2026-13705
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2495894 - perl-Imager-1.032 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2495894
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-ab8bc1220a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: clamav-1.4.5-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-144f87ee92
2026-07-07 01:08:27.509767+00:00
--------------------------------------------------------------------------------

Name : clamav
Product : Fedora 43
Version : 1.4.5
Release : 1.fc43
URL : https://www.clamav.net/
Summary : End-user tools for the Clam Antivirus scanner
Description :
Clam AntiVirus is an anti-virus toolkit for UNIX. The main purpose of this
software is the integration with mail servers (attachment scanning). The
package provides a flexible and scalable multi-threaded daemon, a command
line scanner, and a tool for automatic updating via Internet. The programs
are based on a shared library distributed with the Clam AntiVirus package,
which you can use with your own software. The virus database is based on
the virus database from OpenAntiVirus, but contains additional signatures
(including signatures for popular polymorphic viruses, too) and is KEPT UP
TO DATE.

--------------------------------------------------------------------------------
Update Information:

Fixes for multiple CVEs https://github.com/Cisco-
Talos/clamav/releases/tag/clamav-1.4.5
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jul 2 2026 Gwyn Ciesla [gwync@protonmail.com] - 1.4.5-1
- Update to 1.4.5
* Fri Jun 12 2026 Yaakov Selkowitz [yselkowi@redhat.com] - 1.4.4-2
- Rebuilt for openssl 4.0
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-144f87ee92' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: hplip-3.26.4-7.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7d23917d90
2026-07-07 01:08:27.509772+00:00
--------------------------------------------------------------------------------

Name : hplip
Product : Fedora 43
Version : 3.26.4
Release : 7.fc43
URL : https://developers.hp.com/hp-linux-imaging-and-printing
Summary : HP Linux Imaging and Printing Project
Description :
The Hewlett-Packard Linux Imaging and Printing Project provides
drivers for HP printers and multi-function peripherals.

--------------------------------------------------------------------------------
Update Information:

fix CVE-2026-14544 - incomplete fix after CVE-2026-8631 (fedora#2496773,
fedora#2496772)
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 3 2026 Zdenek Dohnal [zdohnal@redhat.com] - 3.26.4-7
- fix CVE-2026-14544 - incomplete fix after CVE-2026-8631 (fedora#2496773,
fedora#2496772)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2496772 - CVE-2026-14544 HPLIP: Incomplete Fix for CVE-2026-8631
https://bugzilla.redhat.com/show_bug.cgi?id=2496772
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-7d23917d90' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: librabbitmq-0.17.0-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-436ef78874
2026-07-07 01:08:27.509763+00:00
--------------------------------------------------------------------------------

Name : librabbitmq
Product : Fedora 43
Version : 0.17.0
Release : 1.fc43
URL : https://github.com/alanxz/rabbitmq-c
Summary : Client library for AMQP
Description :
This is a C-language AMQP client library for use with AMQP servers
speaking protocol versions 0-9-1.

--------------------------------------------------------------------------------
Update Information:

Version 0.17.0 - 2026-07-01
Security
Fix size_t overflow in amqp_decode_bytes bounds check leading to out-of-bounds
read (GHSA-jgjf-7fwf-f3c7, #888)
Fix heap buffer overflow in amqp_frame_to_bytes for oversized body frames (GHSA-
hfjv-vcp3-39wh, #892)
Added
librabbitmq-tools fall back to the AMQP_URL environment variable when no
connection options are given on the command line (#887)
Fixed
Fix undefined behavior in amqp_decode_properties when decoding content-header
property flags (#883, #885)
Fix ioctlsocket type mismatch on Windows (#890)
Document buffer lifetime requirement of amqp_decode_table's encoded buffer to
prevent use-after-free misuse (#895)
Changed
librabbitmq-tools now enable default SSL certificate verification paths unless
--no-default-cert-paths is passed (fixes #868, #893)
Building the tools now requires POPT v1.14 or newer (#889)
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jul 2 2026 Remi Collet [remi@remirepo.net] - 0.17.0-1
- update to 0.17.0
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-436ef78874' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: podman-tui-1.11.3-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-1842aaea5d
2026-07-07 01:08:27.509723+00:00
--------------------------------------------------------------------------------

Name : podman-tui
Product : Fedora 43
Version : 1.11.3
Release : 1.fc43
URL : https://github.com/containers/podman-tui
Summary : Podman Terminal User Interface
Description :

podman-tui is a terminal user interface for Podman.
podman-tui is using podman.socket service to communicate with podman environment
and SSH to connect to remote podman machines.

--------------------------------------------------------------------------------
Update Information:

release 1.11.3
--------------------------------------------------------------------------------
ChangeLog:

* Sun Jun 28 2026 Packit [hello@packit.dev] - 1.11.3-1
- Update to 1.11.3 upstream release
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2421877 - CVE-2025-66506 podman-tui: Fulcio: Denial of Service via crafted OpenID Connect (OIDC) token [epel-10]
https://bugzilla.redhat.com/show_bug.cgi?id=2421877
[ 2 ] Bug #2421882 - CVE-2025-66506 podman-tui: Fulcio: Denial of Service via crafted OpenID Connect (OIDC) token [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2421882
[ 3 ] Bug #2455640 - CVE-2026-34986 podman-tui: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455640
[ 4 ] Bug #2455670 - CVE-2026-34986 podman-tui: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455670
[ 5 ] Bug #2486211 - CVE-2026-45287 podman-tui: OpenTelemetry-Go: Denial of Service due to file descriptor leak [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2486211
[ 6 ] Bug #2486257 - CVE-2026-45287 podman-tui: OpenTelemetry-Go: Denial of Service due to file descriptor leak [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2486257
[ 7 ] Bug #2489878 - CVE-2026-39828 podman-tui: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2489878
[ 8 ] Bug #2489916 - CVE-2026-39828 podman-tui: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2489916
[ 9 ] Bug #2490044 - CVE-2026-39829 podman-tui: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490044
[ 10 ] Bug #2490103 - CVE-2026-39829 podman-tui: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490103
[ 11 ] Bug #2490437 - CVE-2026-39830 podman-tui: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490437
[ 12 ] Bug #2490489 - CVE-2026-39830 podman-tui: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490489
[ 13 ] Bug #2493062 - CVE-2026-39832 podman-tui: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2493062
[ 14 ] Bug #2493084 - CVE-2026-39832 podman-tui: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2493084
[ 15 ] Bug #2493481 - CVE-2026-39835 podman-tui: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2493481
[ 16 ] Bug #2493539 - CVE-2026-39835 podman-tui: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2493539
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-1842aaea5d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: prometheus-podman-exporter-1.21.2-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-a96d4ee174
2026-07-07 01:08:27.509721+00:00
--------------------------------------------------------------------------------

Name : prometheus-podman-exporter
Product : Fedora 43
Version : 1.21.2
Release : 1.fc43
URL : https://github.com/containers/prometheus-podman-exporter
Summary : Prometheus exporter for podman environment
Description :
Prometheus exporter for podman environments exposing containers, pods, images,
volumes and networks information.

--------------------------------------------------------------------------------
Update Information:

release 1.21.2
--------------------------------------------------------------------------------
ChangeLog:

* Sun Jun 28 2026 Packit [hello@packit.dev] - 1.21.2-1
- Update to 1.21.2 upstream release
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2421878 - CVE-2025-66506 prometheus-podman-exporter: Fulcio: Denial of Service via crafted OpenID Connect (OIDC) token [epel-10]
https://bugzilla.redhat.com/show_bug.cgi?id=2421878
[ 2 ] Bug #2421883 - CVE-2025-66506 prometheus-podman-exporter: Fulcio: Denial of Service via crafted OpenID Connect (OIDC) token [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2421883
[ 3 ] Bug #2455641 - CVE-2026-34986 prometheus-podman-exporter: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455641
[ 4 ] Bug #2455671 - CVE-2026-34986 prometheus-podman-exporter: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455671
[ 5 ] Bug #2486201 - CVE-2026-45287 prometheus-podman-exporter: OpenTelemetry-Go: Denial of Service due to file descriptor leak [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2486201
[ 6 ] Bug #2486270 - CVE-2026-45287 prometheus-podman-exporter: OpenTelemetry-Go: Denial of Service due to file descriptor leak [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2486270
[ 7 ] Bug #2489881 - CVE-2026-39828 prometheus-podman-exporter: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2489881
[ 8 ] Bug #2489960 - CVE-2026-39828 prometheus-podman-exporter: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2489960
[ 9 ] Bug #2490029 - CVE-2026-39829 prometheus-podman-exporter: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490029
[ 10 ] Bug #2490048 - CVE-2026-39829 prometheus-podman-exporter: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490048
[ 11 ] Bug #2490420 - CVE-2026-39830 prometheus-podman-exporter: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490420
[ 12 ] Bug #2490449 - CVE-2026-39830 prometheus-podman-exporter: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490449
[ 13 ] Bug #2493075 - CVE-2026-39832 prometheus-podman-exporter: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2493075
[ 14 ] Bug #2493092 - CVE-2026-39832 prometheus-podman-exporter: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2493092
[ 15 ] Bug #2493482 - CVE-2026-39835 prometheus-podman-exporter: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2493482
[ 16 ] Bug #2493526 - CVE-2026-39835 prometheus-podman-exporter: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2493526
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-a96d4ee174' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: kernel-headers-7.1.3-200.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-75653cf1c2
2026-07-07 00:48:39.633226+00:00
--------------------------------------------------------------------------------

Name : kernel-headers
Product : Fedora 44
Version : 7.1.3
Release : 200.fc44
URL : http://www.kernel.org/
Summary : Header files for the Linux kernel for use by glibc
Description :
Kernel-headers includes the C header files that specify the interface
between the Linux kernel and userspace libraries and programs. The
header files define structures and constants that are needed for
building most standard programs and are also needed for rebuilding the
glibc package.

--------------------------------------------------------------------------------
Update Information:

The 7.1.3 stable kernel rebase contains new features, improved hardware support,
and a number of important fixes across the tree. This also has a fix for
CVE-2026-53359
--------------------------------------------------------------------------------
ChangeLog:

* Sun Jul 5 2026 Justin M. Forbes [jforbes@fedoraproject.org] - 7.1.3-1
- Linux v7.1.3
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-75653cf1c2' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: kernel-7.1.3-200.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-75653cf1c2
2026-07-07 00:48:39.633226+00:00
--------------------------------------------------------------------------------

Name : kernel
Product : Fedora 44
Version : 7.1.3
Release : 200.fc44
URL : https://www.kernel.org/
Summary : The Linux kernel
Description :
The kernel meta package

--------------------------------------------------------------------------------
Update Information:

The 7.1.3 stable kernel rebase contains new features, improved hardware support,
and a number of important fixes across the tree. This also has a fix for
CVE-2026-53359
--------------------------------------------------------------------------------
ChangeLog:

* Sat Jul 4 2026 Justin M. Forbes [jforbes@fedoraproject.org] [7.1.3-1]
- Linux v7.1.3
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-75653cf1c2' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: perl-Imager-1.032-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-adbe03cd7a
2026-07-07 00:48:39.633212+00:00
--------------------------------------------------------------------------------

Name : perl-Imager
Product : Fedora 44
Version : 1.032
Release : 1.fc44
URL : https://metacpan.org/release/Imager
Summary : Perl extension for Generating 24 bit Images
Description :
Imager is a module for creating and altering images. It can read and
write various image formats, draw primitive shapes like lines,and
polygons, blend multiple images together in various ways, scale, crop,
render text and more.

--------------------------------------------------------------------------------
Update Information:

1.032 bump- Fix CVE-2026-13708 and CVE-2026-13705
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 3 2026 Jitka Plesnikova [jplesnik@redhat.com] - 1.032-1
- 1.032 bump (rhbz#2495894) - Fix CVE-2026-13708 and CVE-2026-13705
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2495894 - perl-Imager-1.032 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2495894
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-adbe03cd7a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: podman-tui-1.11.3-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-d5c6299162
2026-07-07 00:48:39.633185+00:00
--------------------------------------------------------------------------------

Name : podman-tui
Product : Fedora 44
Version : 1.11.3
Release : 1.fc44
URL : https://github.com/containers/podman-tui
Summary : Podman Terminal User Interface
Description :

podman-tui is a terminal user interface for Podman.
podman-tui is using podman.socket service to communicate with podman environment
and SSH to connect to remote podman machines.

--------------------------------------------------------------------------------
Update Information:

release 1.11.3
--------------------------------------------------------------------------------
ChangeLog:

* Sun Jun 28 2026 Packit [hello@packit.dev] - 1.11.3-1
- Update to 1.11.3 upstream release
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2421877 - CVE-2025-66506 podman-tui: Fulcio: Denial of Service via crafted OpenID Connect (OIDC) token [epel-10]
https://bugzilla.redhat.com/show_bug.cgi?id=2421877
[ 2 ] Bug #2421882 - CVE-2025-66506 podman-tui: Fulcio: Denial of Service via crafted OpenID Connect (OIDC) token [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2421882
[ 3 ] Bug #2455640 - CVE-2026-34986 podman-tui: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455640
[ 4 ] Bug #2455670 - CVE-2026-34986 podman-tui: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455670
[ 5 ] Bug #2486211 - CVE-2026-45287 podman-tui: OpenTelemetry-Go: Denial of Service due to file descriptor leak [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2486211
[ 6 ] Bug #2486257 - CVE-2026-45287 podman-tui: OpenTelemetry-Go: Denial of Service due to file descriptor leak [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2486257
[ 7 ] Bug #2489878 - CVE-2026-39828 podman-tui: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2489878
[ 8 ] Bug #2489916 - CVE-2026-39828 podman-tui: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2489916
[ 9 ] Bug #2490044 - CVE-2026-39829 podman-tui: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490044
[ 10 ] Bug #2490103 - CVE-2026-39829 podman-tui: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490103
[ 11 ] Bug #2490437 - CVE-2026-39830 podman-tui: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490437
[ 12 ] Bug #2490489 - CVE-2026-39830 podman-tui: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490489
[ 13 ] Bug #2493062 - CVE-2026-39832 podman-tui: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2493062
[ 14 ] Bug #2493084 - CVE-2026-39832 podman-tui: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2493084
[ 15 ] Bug #2493481 - CVE-2026-39835 podman-tui: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2493481
[ 16 ] Bug #2493539 - CVE-2026-39835 podman-tui: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2493539
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-d5c6299162' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: prometheus-podman-exporter-1.21.2-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f366154bec
2026-07-07 00:48:39.633183+00:00
--------------------------------------------------------------------------------

Name : prometheus-podman-exporter
Product : Fedora 44
Version : 1.21.2
Release : 1.fc44
URL : https://github.com/containers/prometheus-podman-exporter
Summary : Prometheus exporter for podman environment
Description :
Prometheus exporter for podman environments exposing containers, pods, images,
volumes and networks information.

--------------------------------------------------------------------------------
Update Information:

release 1.21.2
--------------------------------------------------------------------------------
ChangeLog:

* Sun Jun 28 2026 Packit [hello@packit.dev] - 1.21.2-1
- Update to 1.21.2 upstream release
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2421878 - CVE-2025-66506 prometheus-podman-exporter: Fulcio: Denial of Service via crafted OpenID Connect (OIDC) token [epel-10]
https://bugzilla.redhat.com/show_bug.cgi?id=2421878
[ 2 ] Bug #2421883 - CVE-2025-66506 prometheus-podman-exporter: Fulcio: Denial of Service via crafted OpenID Connect (OIDC) token [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2421883
[ 3 ] Bug #2455641 - CVE-2026-34986 prometheus-podman-exporter: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455641
[ 4 ] Bug #2455671 - CVE-2026-34986 prometheus-podman-exporter: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455671
[ 5 ] Bug #2486201 - CVE-2026-45287 prometheus-podman-exporter: OpenTelemetry-Go: Denial of Service due to file descriptor leak [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2486201
[ 6 ] Bug #2486270 - CVE-2026-45287 prometheus-podman-exporter: OpenTelemetry-Go: Denial of Service due to file descriptor leak [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2486270
[ 7 ] Bug #2489881 - CVE-2026-39828 prometheus-podman-exporter: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2489881
[ 8 ] Bug #2489960 - CVE-2026-39828 prometheus-podman-exporter: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2489960
[ 9 ] Bug #2490029 - CVE-2026-39829 prometheus-podman-exporter: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490029
[ 10 ] Bug #2490048 - CVE-2026-39829 prometheus-podman-exporter: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490048
[ 11 ] Bug #2490420 - CVE-2026-39830 prometheus-podman-exporter: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490420
[ 12 ] Bug #2490449 - CVE-2026-39830 prometheus-podman-exporter: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490449
[ 13 ] Bug #2493075 - CVE-2026-39832 prometheus-podman-exporter: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2493075
[ 14 ] Bug #2493092 - CVE-2026-39832 prometheus-podman-exporter: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2493092
[ 15 ] Bug #2493482 - CVE-2026-39835 prometheus-podman-exporter: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2493482
[ 16 ] Bug #2493526 - CVE-2026-39835 prometheus-podman-exporter: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2493526
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f366154bec' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new