
Fedora has released a batch of security patches across versions 42, 43, and 44 to address critical vulnerabilities in widely used system packages. The updates cover essential packages such as the Linux kernel, MySQL, Firefox, the Django web framework, and cryptographic libraries, patching flaws that could enable remote code execution or privilege escalation.

Fedora 42 Update: kernel-6.19.14-107.fc42
Fedora 42 Update: mysql8.0-8.0.46-1.fc42
Fedora 42 Update: mysql8.4-8.4.9-1.fc42
Fedora 43 Update: kernel-7.0.9-104.fc43
Fedora 43 Update: evince-48.1-2.fc43
Fedora 43 Update: nss-3.123.1-1.fc43
Fedora 43 Update: firefox-151.0-2.fc43
Fedora 43 Update: python-django5-5.2.14-1.fc43
Fedora 43 Update: rsync-3.4.1-6.fc43
Fedora 43 Update: erlang-cowlib-2.16.1-1.fc43
Fedora 43 Update: mysql8.0-8.0.46-1.fc43
Fedora 43 Update: proftpd-1.3.9a-2.fc43
Fedora 43 Update: python-dotenv-1.2.2-1.fc43
Fedora 43 Update: mingw-expat-2.8.1-1.fc43
Fedora 43 Update: pgadmin4-9.15-1.fc43
Fedora 43 Update: expat-2.8.1-1.fc43
Fedora 43 Update: mysql8.4-8.4.9-1.fc43
Fedora 43 Update: rustup-1.29.0-4.fc43
Fedora 43 Update: opencryptoki-3.26.0-3.fc43
Fedora 43 Update: rust-nu-0.99.1-17.fc43
Fedora 44 Update: firefox-151.0-2.fc44
Fedora 44 Update: evince-48.1-5.fc44
Fedora 44 Update: kernel-7.0.9-204.fc44
Fedora 44 Update: python-django5-5.2.14-1.fc44
Fedora 44 Update: python-django6-6.0.5-1.fc44
Fedora 44 Update: strongswan-6.0.6-2.fc44
Fedora 44 Update: erlang-cowlib-2.16.1-1.fc44
Fedora 44 Update: mysql8.0-8.0.46-1.fc44
Fedora 44 Update: proftpd-1.3.9a-2.fc44
Fedora 44 Update: python-dotenv-1.2.2-1.fc44
Fedora 44 Update: mingw-expat-2.8.1-1.fc44
Fedora 44 Update: pgadmin4-9.15-1.fc44
Fedora 44 Update: mysql8.4-8.4.9-1.fc44
Fedora 44 Update: rust-nu-0.99.1-17.fc44
Fedora 44 Update: rustup-1.29.0-4.fc44
Fedora 44 Update: opencryptoki-3.26.0-3.fc44



[SECURITY] Fedora 42 Update: kernel-6.19.14-107.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-32ae3b7199
2026-05-21 03:17:14.913959+00:00
--------------------------------------------------------------------------------

Name : kernel
Product : Fedora 42
Version : 6.19.14
Release : 107.fc42
URL : https://www.kernel.org/
Summary : The Linux kernel
Description :
The kernel meta package

--------------------------------------------------------------------------------
Update Information:

The 6.19.14-107 update contains a fix for a SKBFL_SHARED_FRAG page-cache
corruption vulnerability.
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 19 2026 Justin M. Forbes [jforbes@fedoraproject.org] [6.19.14-107]
- Revert "redhat/kernel.spec.template: Fix indentation of uki-virt generation code" (Justin M. Forbes)
- Revert "redhat/kernel.spec.template: Simplify uki-virt signing" (Justin M. Forbes)
- Revert "redhat/kernel.spec.template: Add kernel-uki-dtbloader sub-package" (Justin M. Forbes)
- Revert "redhat/kernel.spec.template: Make -uki-dtbloader provide kernel-core-uname-r" (Justin M. Forbes)
* Tue May 19 2026 Justin M. Forbes [jforbes@fedoraproject.org] [6.19.14-7]
- net: gro: don't copy frags between mixed zcopy skbs (Sabrina Dubroca)
- Turn on auto bumping for remainder of F42 (Justin M. Forbes)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2479833 - kernel: Linux kernel: SKBFL_SHARED_FRAG page-cache corruption PoC [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2479833
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-32ae3b7199' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 42 Update: mysql8.0-8.0.46-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-b78d5204fe
2026-05-21 03:17:14.913955+00:00
--------------------------------------------------------------------------------

Name : mysql8.0
Product : Fedora 42
Version : 8.0.46
Release : 1.fc42
URL : http://www.mysql.com
Summary : MySQL client programs and shared libraries
Description :
MySQL is a multi-user, multi-threaded SQL database server. MySQL is a
client/server implementation consisting of a server daemon (mysqld)
and many different client programs and libraries. The base package
contains the standard MySQL client programs and generic MySQL files.

--------------------------------------------------------------------------------
Update Information:

MySQL 8.0.46
Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-46.html
Known issue: s390x-specific issue - zlib with DFLTCC compressed pages with low
KEY_BLOCK_SIZE values can cause ER_TOO_BIG_ROWSIZE errors in tables near the
column count and their size limits.
EOL notice: As of April 2026, with version 8.0.46, MySQL 8.0 reached End of Life
(EoL).
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 22 2026 Michal Schorm [mschorm@redhat.com] - 8.0.46-1
- Rebase to 8.0.46
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2461062 - CVE-2026-21998 CVE-2026-22001 CVE-2026-22002 CVE-2026-22004 CVE-2026-22005 CVE-2026-22009 CVE-2026-22015 CVE-2026-22017 CVE-2026-34267 CVE-2026-34270 CVE-2026-34271 CVE-2026-34276 CVE-2026-34278 CVE-2026-34293 ... mysql8.0: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2461062
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-b78d5204fe' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 42 Update: mysql8.4-8.4.9-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-a4e0e8211d
2026-05-21 03:17:14.913944+00:00
--------------------------------------------------------------------------------

Name : mysql8.4
Product : Fedora 42
Version : 8.4.9
Release : 1.fc42
URL : http://www.mysql.com
Summary : MySQL client programs and shared libraries
Description :
MySQL is a multi-user, multi-threaded SQL database server. MySQL is a
client/server implementation consisting of a server daemon (mysqld)
and many different client programs and libraries. The base package
contains the standard MySQL client programs and generic MySQL files.

--------------------------------------------------------------------------------
Update Information:

MySQL 8.4.9
Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.4/en/news-8-4-9.html
Known issue: s390x-specific issue - zlib with DFLTCC compressed pages with low
KEY_BLOCK_SIZE values can cause ER_TOO_BIG_ROWSIZE errors in tables near the
column count and their size limits.
--------------------------------------------------------------------------------
ChangeLog:

* Wed May 6 2026 Michal Schorm [mschorm@redhat.com] - 8.4.9-1
- Rebase to 8.4.9
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2461060 - CVE-2026-21998 CVE-2026-22001 CVE-2026-22002 CVE-2026-22004 CVE-2026-22005 CVE-2026-22009 CVE-2026-22015 CVE-2026-22017 CVE-2026-34270 CVE-2026-34271 CVE-2026-34276 CVE-2026-34303 CVE-2026-34304 CVE-2026-34308 ... mysql8.4: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2461060
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-a4e0e8211d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: kernel-7.0.9-104.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-3f85a4eba7
2026-05-21 01:26:51.960484+00:00
--------------------------------------------------------------------------------

Name : kernel
Product : Fedora 43
Version : 7.0.9
Release : 104.fc43
URL : https://www.kernel.org/
Summary : The Linux kernel
Description :
The kernel meta package

--------------------------------------------------------------------------------
Update Information:

The 7.0.9-104/204 kernels contain a fix for a SKBFL_SHARED_FRAG page-cache
corruption vulnerability as well as some mitigations for PinTheft
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 19 2026 Justin M. Forbes [jforbes@fedoraproject.org] [7.0.9-4]
- rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer (David Howells)
- rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg (David Howells)
- crypto/krb5, rxrpc: Fix lack of pre-decrypt/pre-verify length checks (David Howells)
* Tue May 19 2026 Justin M. Forbes [jforbes@fedoraproject.org] [7.0.9-3]
- net: gro: don't copy frags between mixed zcopy skbs (Sabrina Dubroca)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2479833 - kernel: Linux kernel: SKBFL_SHARED_FRAG page-cache corruption PoC [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2479833
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-3f85a4eba7' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: evince-48.1-2.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-d29bd1ad07
2026-05-21 01:26:51.960482+00:00
--------------------------------------------------------------------------------

Name : evince
Product : Fedora 43
Version : 48.1
Release : 2.fc43
URL : https://wiki.gnome.org/Apps/Evince
Summary : Document viewer
Description :
Evince is simple multi-page document viewer. It can display and print
Portable Document Format (PDF), PostScript (PS) and Encapsulated PostScript
(EPS) files. When supported by the document format, evince allows searching
for text, copying text to the clipboard, hypertext navigation,
table-of-contents bookmarks and editing of forms.

Support for other document formats such as DVI and DJVU can be added by
installing additional backends.

--------------------------------------------------------------------------------
Update Information:

Fix command injection CVE-2026-46529
--------------------------------------------------------------------------------
ChangeLog:

--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-d29bd1ad07' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: nss-3.123.1-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-cd20332935
2026-05-21 01:26:51.960465+00:00
--------------------------------------------------------------------------------

Name : nss
Product : Fedora 43
Version : 3.123.1
Release : 1.fc43
URL : http://www.mozilla.org/projects/security/pki/nss/
Summary : Network Security Services
Description :
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and
server applications. Applications built with NSS can support SSL v2
and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
v3 certificates, and other security standards.

--------------------------------------------------------------------------------
Update Information:

Update NSS to 3.123.1
Update to Firefox 151.0
--------------------------------------------------------------------------------
ChangeLog:

* Thu May 7 2026 Frantisek Krenzelok [fkrenzel@redhat.com] - 3.123.1-1
- Update NSS to 3.123.1
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-cd20332935' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: firefox-151.0-2.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-cd20332935
2026-05-21 01:26:51.960465+00:00
--------------------------------------------------------------------------------

Name : firefox
Product : Fedora 43
Version : 151.0
Release : 2.fc43
URL : https://www.mozilla.org/firefox/
Summary : Mozilla Firefox Web browser
Description :
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance and portability.

--------------------------------------------------------------------------------
Update Information:

Update NSS to 3.123.1
Update to Firefox 151.0
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 18 2026 Martin Stransky [stransky@redhat.com] - 151.0-2
- Update to latest upstream (151.0) build 2
* Thu May 14 2026 Martin Stransky [stransky@redhat.com] - 151.0-1
- Update to latest upstream (151.0)
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-cd20332935' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: python-django5-5.2.14-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-4d1404fc5d
2026-05-21 01:26:51.960459+00:00
--------------------------------------------------------------------------------

Name : python-django5
Product : Fedora 43
Version : 5.2.14
Release : 1.fc43
URL : https://www.djangoproject.com/
Summary : A high-level Python Web framework
Description :
Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as
much as possible and adhering to the DRY (Don't Repeat Yourself)
principle.

--------------------------------------------------------------------------------
Update Information:

Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests
via file upload limit bypass
Fixes CVE-2026-35192: Session fixation via public cached pages and
SESSION_SAVE_EVERY_REQUEST
Fixes CVE-2026-6907: Potential exposure of private data due to incorrect
handling of Vary: * in UpdateCacheMiddleware
Fixes CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
Fixes CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin
Fixes CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable
Fixes CVE-2026-33033: Potential denial-of-service vulnerability in
MultiPartParser via base64-encoded file upload
Fixes CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests
via memory upload limit bypass
Fixes CVE-2026-25674: Potential incorrect permissions on newly created file
system objects
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 12 2026 Michel Lind [salimma@fedoraproject.org] - 5.2.14-1
- Update to version 5.2.14; Resolves RHBZ#2444117
- Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI
requests via file upload limit bypass
- Fixes CVE-2026-35192: Session fixation via public cached pages and
SESSION_SAVE_EVERY_REQUEST
- Fixes CVE-2026-6907: Potential exposure of private data due to incorrect
handling of Vary: * in UpdateCacheMiddleware
- Fixes CVE-2026-3902: ASGI header spoofing via underscore/hyphen
conflation
- Fixes CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin
- Fixes CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable
- Fixes CVE-2026-33033: Potential denial-of-service vulnerability in
MultiPartParser via base64-encoded file upload
- Fixes CVE-2026-33034: Potential denial-of-service vulnerability in ASGI
requests via memory upload limit bypass
- Fixes CVE-2026-25674: Potential incorrect permissions on newly created
file system objects
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2444117 - python-django5-5.2.14 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2444117
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-4d1404fc5d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: rsync-3.4.1-6.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-d4d8ae2bdc
2026-05-21 01:26:51.960462+00:00
--------------------------------------------------------------------------------

Name : rsync
Product : Fedora 43
Version : 3.4.1
Release : 6.fc43
URL : https://rsync.samba.org/
Summary : A program for synchronizing files over a network
Description :
Rsync uses a reliable algorithm to bring remote and host files into
sync very quickly. Rsync is fast because it just sends the differences
in the files over the network instead of sending the complete
files. Rsync is often used as a very powerful mirroring process or
just as a more capable replacement for the rcp command. A technical
report which describes the rsync algorithm is included in this
package.

--------------------------------------------------------------------------------
Update Information:

Fixing various bugs from Upstream.
I did not do a rebase since the Upstream stopped supporting the rsync-patches
repo. I accepted this change in Rawhide but it changes the usage of one option
that is no longer available in rsync. This is why I avoided the rebase in older
stable branches.
--------------------------------------------------------------------------------
ChangeLog:

* Wed May 6 2026 Michal Ruprich [mruprich@redhat.com] - 3.4.1-6
- Fix for CVE-2026-41035
- Fixing bad time in rsync logs
- Fixing regression from CVE-2024-12086 fix
- Fixing improper clearing of DISPLAY env variable
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2339145 - failed verification -- update discarded - regression from CVE fixes
https://bugzilla.redhat.com/show_bug.cgi?id=2339145
[ 2 ] Bug #2417003 - Bad time in rsync daemon log
https://bugzilla.redhat.com/show_bug.cgi?id=2417003
[ 3 ] Bug #2459115 - CVE-2026-41035 rsync: Rsync: Use-after-free vulnerability in extended attribute handling [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2459115
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-d4d8ae2bdc' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: erlang-cowlib-2.16.1-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-ce0a56ca97
2026-05-21 01:26:51.960452+00:00
--------------------------------------------------------------------------------

Name : erlang-cowlib
Product : Fedora 43
Version : 2.16.1
Release : 1.fc43
URL : https://github.com/ninenines/cowlib
Summary : Support library for manipulating Web protocols
Description :
Support library for manipulating Web protocols.

--------------------------------------------------------------------------------
Update Information:

Cowlib 2.16.1
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 12 2026 Peter Lemenkov [lemenkov@gmail.com] - 2.16.1-1
- Cowlib ver. 2.16.1
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2476458 - erlang-cowlib-2.16.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2476458
[ 2 ] Bug #2479579 - CVE-2026-43968 erlang-cowlib: cowlib: CRLF Injection leads to client-side logic manipulation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2479579
[ 3 ] Bug #2479811 - CVE-2026-43970 erlang-cowlib: cowlib: Remote denial of service via data amplification in SPDY frame processing [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2479811
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-ce0a56ca97' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: mysql8.0-8.0.46-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-0c462e5676
2026-05-21 01:26:51.960447+00:00
--------------------------------------------------------------------------------

Name : mysql8.0
Product : Fedora 43
Version : 8.0.46
Release : 1.fc43
URL : http://www.mysql.com
Summary : MySQL client programs and shared libraries
Description :
MySQL is a multi-user, multi-threaded SQL database server. MySQL is a
client/server implementation consisting of a server daemon (mysqld)
and many different client programs and libraries. The base package
contains the standard MySQL client programs and generic MySQL files.

--------------------------------------------------------------------------------
Update Information:

MySQL 8.0.46
Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-46.html
Known issue: s390x-specific issue - zlib with DFLTCC compressed pages with low
KEY_BLOCK_SIZE values can cause ER_TOO_BIG_ROWSIZE errors in tables near the
column count and their size limits.
EOL notice: As of April 2026, with version 8.0.46, MySQL 8.0 reached End of Life
(EoL).
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 22 2026 Michal Schorm [mschorm@redhat.com] - 8.0.46-1
- Rebase to 8.0.46
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2461062 - CVE-2026-21998 CVE-2026-22001 CVE-2026-22002 CVE-2026-22004 CVE-2026-22005 CVE-2026-22009 CVE-2026-22015 CVE-2026-22017 CVE-2026-34267 CVE-2026-34270 CVE-2026-34271 CVE-2026-34276 CVE-2026-34278 CVE-2026-34293 ... mysql8.0: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2461062
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-0c462e5676' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: proftpd-1.3.9a-2.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-4ddb108952
2026-05-21 01:26:51.960444+00:00
--------------------------------------------------------------------------------

Name : proftpd
Product : Fedora 43
Version : 1.3.9a
Release : 2.fc43
URL : http://www.proftpd.org/
Summary : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory
visibility.

This package defaults to the standalone behavior of ProFTPD, but all the
needed scripts to have it run by systemd instead are included.

--------------------------------------------------------------------------------
Update Information:

This update contains an updated mod_wrap2_sql that addresses a potential SQL
injection issue when connected to from a client with a maliciously-constructed
reverse DNS record (CVE-2026-44331). Note that mod_wrap2_sql is not enabled by
default and the issue can only happen if UseReverseDNS is enabled, which is also
off by default.
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 11 2026 Paul Howarth - 1.3.9a-2
- Additional escaping for avoidance of SQL injection issues with %{note:...}
and %{env:...}; these are on top of the existing fix for CVE-2026-42167 in
1.3.9a
- Fix for SQL Injection in mod_wrap2_sql via reverse DNS hostname
(CVE-2026-44331, rhbz#2466899, https://github.com/proftpd/proftpd/issues/2057)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2466899 - CVE-2026-44331 proftpd: SQL injection via reverse DNS hostname [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2466899
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-4ddb108952' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: python-dotenv-1.2.2-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-20312e36a8
2026-05-21 01:26:51.960437+00:00
--------------------------------------------------------------------------------

Name : python-dotenv
Product : Fedora 43
Version : 1.2.2
Release : 1.fc43
URL : https://github.com/theskumar/python-dotenv
Summary : Read key-value pairs from a .env file and set them as environment variables
Description :
Reads the key/value pairs from a .env file and can add them to environment
variables.

--------------------------------------------------------------------------------
Update Information:

Update to 1.2.2, security fix for CVE-2026-28684.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 30 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 1.2.2-1
- Update to 1.2.2 (close RHBZ#2443673)
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 1.1.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Tue Oct 28 2025 Miro Hrončok [miro@hroncok.cz] - 1.1.0-6
- Remove unused build dependency on pytest-cov (redux)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2374518 - python-dotenv-1.2.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2374518
[ 2 ] Bug #2443673 - python-dotenv-1.2.2 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2443673
[ 3 ] Bug #2460552 - CVE-2026-28684 python-dotenv: python-dotenv: Arbitrary file overwrite via symbolic link following [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2460552
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-20312e36a8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: mingw-expat-2.8.1-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-9cf92027ec
2026-05-21 01:26:51.960426+00:00
--------------------------------------------------------------------------------

Name : mingw-expat
Product : Fedora 43
Version : 2.8.1
Release : 1.fc43
URL : http://www.libexpat.org/
Summary : MinGW Windows port of expat XML parser library
Description :
This is expat, the C library for parsing XML, written by James Clark. Expat
is a stream oriented XML parser. This means that you register handlers with
the parser prior to starting the parse. These handlers are called when the
parser discovers the associated structures in the document being parsed. A
start tag is an example of the kind of structures for which you may
register handlers.

--------------------------------------------------------------------------------
Update Information:

Update to expat-2.8.1.
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 12 2026 Sandro Mani [manisandro@gmail.com] - 2.8.1-1
- Update to 2.8.1
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2459021 - CVE-2026-41080 mingw-expat: libexpat: Denial of Service via hash flooding with crafted XML [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2459021
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-9cf92027ec' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: pgadmin4-9.15-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-1545df20ad
2026-05-21 01:26:51.960418+00:00
--------------------------------------------------------------------------------

Name : pgadmin4
Product : Fedora 43
Version : 9.15
Release : 1.fc43
URL : https://www.pgadmin.org/
Summary : Administration tool for PostgreSQL
Description :
pgAdmin is the most popular and feature rich Open Source administration and development
platform for PostgreSQL, the most advanced Open Source database in the world.

--------------------------------------------------------------------------------
Update Information:

Update to pgadmin4-9.15.
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 11 2026 Sandro Mani [manisandro@gmail.com] - 9.15-1
- Update to 9.15
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2476786 - CVE-2026-7819 pgadmin4: symbolic-link path traversal in File Manager allows arbitrary file write [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2476786
[ 2 ] Bug #2476787 - CVE-2026-7815 pgadmin4: SQL injection in maintenance tool option values leading to remote code execution [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2476787
[ 3 ] Bug #2476788 - CVE-2026-7817 pgadmin4: local file inclusion and server-side request forgery in LLM API configuration endpoints [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2476788
[ 4 ] Bug #2476789 - CVE-2026-7820 pgadmin4: account-lockout bypass via Flask-Security default /login view [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2476789
[ 5 ] Bug #2476790 - CVE-2026-7818 pgadmin4: unsafe deserialization in file-backed session manager leads to remote code execution [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2476790
[ 6 ] Bug #2476791 - CVE-2026-7816 pgadmin4: OS command injection in Import/Export query export via psql metacommand breakout [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2476791
[ 7 ] Bug #2476792 - CVE-2026-7813 pgadmin4: cross-user data access and shared-server privilege escalation in server mode [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2476792
[ 8 ] Bug #2476793 - CVE-2026-7814 pgadmin4: stored XSS via crafted PostgreSQL object names in Browser Tree and Explain Visualizer [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2476793
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-1545df20ad' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: expat-2.8.1-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-89f45c355d
2026-05-21 01:26:51.960413+00:00
--------------------------------------------------------------------------------

Name : expat
Product : Fedora 43
Version : 2.8.1
Release : 1.fc43
URL : https://libexpat.github.io/
Summary : An XML parser library
Description :
This is expat, the C library for parsing XML, written by James Clark. Expat
is a stream oriented XML parser. This means that you register handlers with
the parser prior to starting the parse. These handlers are called when the
parser discovers the associated structures in the document being parsed. A
start tag is an example of the kind of structures for which you may
register handlers.

--------------------------------------------------------------------------------
Update Information:

Rebase to version 2.8.1
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 12 2026 Tomas Korbar [tkorbar@redhat.com] - 2.8.1-1
- Rebase to version 2.8.1
* Mon Mar 23 2026 Tomas Korbar [tkorbar@redhat.com] - 2.7.5-1
- Rebase to 2.7.5
* Mon Feb 9 2026 Miro Hrončok [miro@hroncok.cz] - 2.7.4-1
- Update to 2.7.4
- Enable versioned symbols
- Fixes: rhbz#2435633
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 2.7.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2448482 - expat-2.8.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2448482
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-89f45c355d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: mysql8.4-8.4.9-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-a7adf2637c
2026-05-21 01:26:51.960408+00:00
--------------------------------------------------------------------------------

Name : mysql8.4
Product : Fedora 43
Version : 8.4.9
Release : 1.fc43
URL : http://www.mysql.com
Summary : MySQL client programs and shared libraries
Description :
MySQL is a multi-user, multi-threaded SQL database server. MySQL is a
client/server implementation consisting of a server daemon (mysqld)
and many different client programs and libraries. The base package
contains the standard MySQL client programs and generic MySQL files.

--------------------------------------------------------------------------------
Update Information:

MySQL 8.4.9
Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.4/en/news-8-4-9.html
Known issue: s390x-specific issue - zlib with DFLTCC compressed pages with low
KEY_BLOCK_SIZE values can cause ER_TOO_BIG_ROWSIZE errors in tables near the
column count and their size limits.
--------------------------------------------------------------------------------
ChangeLog:

* Wed May 6 2026 Michal Schorm [mschorm@redhat.com] - 8.4.9-1
- Rebase to 8.4.9
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2461060 - CVE-2026-21998 CVE-2026-22001 CVE-2026-22002 CVE-2026-22004 CVE-2026-22005 CVE-2026-22009 CVE-2026-22015 CVE-2026-22017 CVE-2026-34270 CVE-2026-34271 CVE-2026-34276 CVE-2026-34303 CVE-2026-34304 CVE-2026-34308 ... mysql8.4: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2461060
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-a7adf2637c' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: rustup-1.29.0-4.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f8e0fbaa84
2026-05-21 01:26:51.960391+00:00
--------------------------------------------------------------------------------

Name : rustup
Product : Fedora 43
Version : 1.29.0
Release : 4.fc43
URL : https://github.com/rust-lang/rustup
Summary : Manage multiple rust installations with ease
Description :
Manage multiple rust installations with ease.

--------------------------------------------------------------------------------
Update Information:

Rebuild with version 0.10.79 of the openssl crate which includes fixes for the
following security issues:
CVE-2026-41676 / GHSA-pqf5-4pqq-29f5
CVE-2026-41677 / GHSA-xmgf-hq76-4vx2
CVE-2026-41678 / GHSA-8c75-8mhr-p7r9
CVE-2026-41681 / GHSA-ghm9-cr32-g9qj
CVE-2026-41898 / GHSA-hppc-g8h3-xhp3
CVE-2026-42327 / GHSA-xp3w-r5p5-63rr
CVE-2026-44662 / GHSA-xv59-967r-8726
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 11 2026 Fabio Valentini [decathorpe@gmail.com] - 1.29.0-4
- Rebuild for rust-openssl
CVE-2026-{41676,41677,41678,41681,41898,42327,44662}
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f8e0fbaa84' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: opencryptoki-3.26.0-3.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-6c3b6ec624
2026-05-21 01:26:51.960371+00:00
--------------------------------------------------------------------------------

Name : opencryptoki
Product : Fedora 43
Version : 3.26.0
Release : 3.fc43
URL : https://github.com/opencryptoki/opencryptoki
Summary : Implementation of the PKCS#11 (Cryptoki) specification v3.0 and partially v3.1
Description :
Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
brings a software token implementation that can be used without any cryptographic
hardware.
This package contains the Slot Daemon (pkcsslotd) and general utilities.

--------------------------------------------------------------------------------
Update Information:

Fix CVE-2026-23893, Privilege Escalation or Data Exposure via Symlink Following
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 5 2026 Than Ngo [than@redhat.com] - 3.26.0-3
- Fix rhbz#2432016: CVE-2026-23893, Privilege Escalation or Data Exposure via Symlink Following
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 3.26.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Fri Nov 28 2025 Than Ngo [than@redhat.com] - 3.26.0-1
- Update to 3.26.0
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2432016 - CVE-2026-23893 opencryptoki: openCryptoki: Privilege Escalation or Data Exposure via Symlink Following [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2432016
[ 2 ] Bug #2432017 - CVE-2026-23893 opencryptoki: openCryptoki: Privilege Escalation or Data Exposure via Symlink Following [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2432017
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-6c3b6ec624' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: rust-nu-0.99.1-17.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-b00a9673c8
2026-05-21 01:26:51.960395+00:00
--------------------------------------------------------------------------------

Name : rust-nu
Product : Fedora 43
Version : 0.99.1
Release : 17.fc43
URL : https://crates.io/crates/nu
Summary : New type of shell
Description :
A new type of shell.

--------------------------------------------------------------------------------
Update Information:

Rebuild with version 0.10.79 of the openssl crate which includes fixes for the
following security issues:
CVE-2026-41676 / GHSA-pqf5-4pqq-29f5
CVE-2026-41677 / GHSA-xmgf-hq76-4vx2
CVE-2026-41678 / GHSA-8c75-8mhr-p7r9
CVE-2026-41681 / GHSA-ghm9-cr32-g9qj
CVE-2026-41898 / GHSA-hppc-g8h3-xhp3
CVE-2026-42327 / GHSA-xp3w-r5p5-63rr
CVE-2026-44662 / GHSA-xv59-967r-8726
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 11 2026 Fabio Valentini [decathorpe@gmail.com] - 0.99.1-17
- Rebuild for rust-openssl
CVE-2026-{41676,41677,41678,41681,41898,42327,44662}
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-b00a9673c8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: firefox-151.0-2.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f3409cf313
2026-05-21 00:54:04.884747+00:00
--------------------------------------------------------------------------------

Name : firefox
Product : Fedora 44
Version : 151.0
Release : 2.fc44
URL : https://www.mozilla.org/firefox/
Summary : Mozilla Firefox Web browser
Description :
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance and portability.

--------------------------------------------------------------------------------
Update Information:

Updated to latest upstream (151.0)
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 18 2026 Martin Stransky [stransky@redhat.com] - 151.0-2
- Update to latest upstream (151.0) build 2
* Thu May 14 2026 Martin Stransky [stransky@redhat.com] - 151.0-1
- Update to latest upstream (151.0)
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f3409cf313' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: evince-48.1-5.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-aea94fcc1c
2026-05-21 00:54:04.884742+00:00
--------------------------------------------------------------------------------

Name : evince
Product : Fedora 44
Version : 48.1
Release : 5.fc44
URL : https://wiki.gnome.org/Apps/Evince
Summary : Document viewer
Description :
Evince is a simple multi-page document viewer. It can display and print
Portable Document Format (PDF), PostScript (PS) and Encapsulated PostScript
(EPS) files. When supported by the document format, evince allows searching
for text, copying text to the clipboard, hypertext navigation,
table-of-contents bookmarks and editing of forms.

Support for other document formats such as DVI and DJVU can be added by
installing additional backends.

--------------------------------------------------------------------------------
Update Information:

Fix command injection CVE-2026-46529
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 19 2026 Michael Catanzaro [mcatanzaro@gnome.org] - 48.1-5
- Add patch for CVE-2026-46529
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-aea94fcc1c' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: kernel-7.0.9-204.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-57965ac9f7
2026-05-21 00:54:04.884744+00:00
--------------------------------------------------------------------------------

Name : kernel
Product : Fedora 44
Version : 7.0.9
Release : 204.fc44
URL : https://www.kernel.org/
Summary : The Linux kernel
Description :
The kernel meta package

--------------------------------------------------------------------------------
Update Information:

The 7.0.9-104/204 kernels contain a fix for a SKBFL_SHARED_FRAG page-cache
corruption vulnerability as well as some mitigations for PinTheft
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 19 2026 Justin M. Forbes [jforbes@fedoraproject.org] [7.0.9-4]
- rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer (David Howells)
- rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg (David Howells)
- crypto/krb5, rxrpc: Fix lack of pre-decrypt/pre-verify length checks (David Howells)
* Tue May 19 2026 Justin M. Forbes [jforbes@fedoraproject.org] [7.0.9-3]
- net: gro: don't copy frags between mixed zcopy skbs (Sabrina Dubroca)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2479833 - kernel: Linux kernel: SKBFL_SHARED_FRAG page-cache corruption PoC [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2479833
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-57965ac9f7' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: python-django5-5.2.14-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-9b7a6474a1
2026-05-21 00:54:04.884708+00:00
--------------------------------------------------------------------------------

Name : python-django5
Product : Fedora 44
Version : 5.2.14
Release : 1.fc44
URL : https://www.djangoproject.com/
Summary : A high-level Python Web framework
Description :
Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as
much as possible and adhering to the DRY (Don't Repeat Yourself)
principle.

--------------------------------------------------------------------------------
Update Information:

Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests
via file upload limit bypass
Fixes CVE-2026-35192: Session fixation via public cached pages and
SESSION_SAVE_EVERY_REQUEST
Fixes CVE-2026-6907: Potential exposure of private data due to incorrect
handling of Vary: * in UpdateCacheMiddleware
Fixes CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
Fixes CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin
Fixes CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable
Fixes CVE-2026-33033: Potential denial-of-service vulnerability in
MultiPartParser via base64-encoded file upload
Fixes CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests
via memory upload limit bypass
Fixes CVE-2026-25674: Potential incorrect permissions on newly created file
system objects
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 12 2026 Michel Lind [salimma@fedoraproject.org] - 5.2.14-1
- Update to version 5.2.14; Resolves RHBZ#2444117
- Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI
requests via file upload limit bypass
- Fixes CVE-2026-35192: Session fixation via public cached pages and
SESSION_SAVE_EVERY_REQUEST
- Fixes CVE-2026-6907: Potential exposure of private data due to incorrect
handling of Vary: * in UpdateCacheMiddleware
- Fixes CVE-2026-3902: ASGI header spoofing via underscore/hyphen
conflation
- Fixes CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin
- Fixes CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable
- Fixes CVE-2026-33033: Potential denial-of-service vulnerability in
MultiPartParser via base64-encoded file upload
- Fixes CVE-2026-33034: Potential denial-of-service vulnerability in ASGI
requests via memory upload limit bypass
- Fixes CVE-2026-25674: Potential incorrect permissions on newly created
file system objects
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2444117 - python-django5-5.2.14 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2444117
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-9b7a6474a1' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: python-django6-6.0.5-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-de6e24ae07
2026-05-21 00:54:04.884700+00:00
--------------------------------------------------------------------------------

Name : python-django6
Product : Fedora 44
Version : 6.0.5
Release : 1.fc44
URL : https://www.djangoproject.com/
Summary : A high-level Python Web framework
Description :
Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as
much as possible and adhering to the DRY (Don't Repeat Yourself)
principle.

--------------------------------------------------------------------------------
Update Information:

Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests
via file upload limit bypass
Fixes CVE-2026-35192: Session fixation via public cached pages and
SESSION_SAVE_EVERY_REQUEST
Fixes CVE-2026-6907: Potential exposure of private data due to incorrect
handling of Vary: * in UpdateCacheMiddleware
Fixes CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
Fixes CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin
Fixes CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable
Fixes CVE-2026-33033: Potential denial-of-service vulnerability in
MultiPartParser via base64-encoded file upload
Fixes CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests
via memory upload limit bypass
Fixes CVE-2026-25674: Potential incorrect permissions on newly created file
system objects
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 12 2026 Michel Lind [salimma@fedoraproject.org] - 6.0.5-1
- Update to version 6.0.5; Resolves RHBZ#2444118
- Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI
requests via file upload limit bypass
- Fixes CVE-2026-35192: Session fixation via public cached pages and
SESSION_SAVE_EVERY_REQUEST
- Fixes CVE-2026-6907: Potential exposure of private data due to incorrect
handling of Vary: * in UpdateCacheMiddleware
- Fixes CVE-2026-3902: ASGI header spoofing via underscore/hyphen
conflation
- Fixes CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin
- Fixes CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable
- Fixes CVE-2026-33033: Potential denial-of-service vulnerability in
MultiPartParser via base64-encoded file upload
- Fixes CVE-2026-33034: Potential denial-of-service vulnerability in ASGI
requests via memory upload limit bypass
- Fixes CVE-2026-25674: Potential incorrect permissions on newly created
file system objects
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2444118 - python-django6-6.0.5 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2444118
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-de6e24ae07' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 44 Update: strongswan-6.0.6-2.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-cc6fcd3a58
2026-05-21 00:54:04.884703+00:00
--------------------------------------------------------------------------------

Name : strongswan
Product : Fedora 44
Version : 6.0.6
Release : 2.fc44
URL : https://www.strongswan.org/
Summary : An OpenSource IPsec-based VPN and TNC solution
Description :
The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key
exchange protocols in conjunction with the native NETKEY IPsec stack of the
Linux kernel.

--------------------------------------------------------------------------------
Update Information:

Fixes CVE-2026-25075, CVE-2026-35328, CVE-2026-35329, CVE-2026-35330,
CVE-2026-35331, CVE-2026-35332, CVE-2026-35333, CVE-2026-35334
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 12 2026 Paul Wouters [paul.wouters@aiven.io] - 6.0.6-2
- updated sources
* Tue May 12 2026 Paul Wouters [paul.wouters@aiven.io] - 6.0.6-1
- Update to 6.0.6 for 8 CVEs
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2450414 - CVE-2026-25075 strongSwan: strongSwan: Denial of Service via integer underflow in EAP-TTLS AVP parser
https://bugzilla.redhat.com/show_bug.cgi?id=2450414
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-cc6fcd3a58' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: erlang-cowlib-2.16.1-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-84270bbc49
2026-05-21 00:54:04.884688+00:00
--------------------------------------------------------------------------------

Name : erlang-cowlib
Product : Fedora 44
Version : 2.16.1
Release : 1.fc44
URL : https://github.com/ninenines/cowlib
Summary : Support library for manipulating Web protocols
Description :
Support library for manipulating Web protocols.

--------------------------------------------------------------------------------
Update Information:

Cowlib 2.16.1
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 12 2026 Peter Lemenkov [lemenkov@gmail.com] - 2.16.1-1
- Cowlib ver. 2.16.1
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2476458 - erlang-cowlib-2.16.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2476458
[ 2 ] Bug #2479579 - CVE-2026-43968 erlang-cowlib: cowlib: CRLF Injection leads to client-side logic manipulation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2479579
[ 3 ] Bug #2479811 - CVE-2026-43970 erlang-cowlib: cowlib: Remote denial of service via data amplification in SPDY frame processing [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2479811
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-84270bbc49' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: mysql8.0-8.0.46-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-1704f705ab
2026-05-21 00:54:04.884681+00:00
--------------------------------------------------------------------------------

Name : mysql8.0
Product : Fedora 44
Version : 8.0.46
Release : 1.fc44
URL : http://www.mysql.com
Summary : MySQL client programs and shared libraries
Description :
MySQL is a multi-user, multi-threaded SQL database server. MySQL is a
client/server implementation consisting of a server daemon (mysqld)
and many different client programs and libraries. The base package
contains the standard MySQL client programs and generic MySQL files.

--------------------------------------------------------------------------------
Update Information:

MySQL 8.0.46
Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-46.html
Known issue: s390x-specific issue - zlib with DFLTCC compressed pages with low
KEY_BLOCK_SIZE values can cause ER_TOO_BIG_ROWSIZE errors in tables near the
column count and their size limits.
EOL notice: As of April 2026, with version 8.0.46, MySQL 8.0 reached End of Life
(EoL).
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 22 2026 Michal Schorm [mschorm@redhat.com] - 8.0.46-1
- Rebase to 8.0.46
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2461062 - CVE-2026-21998 CVE-2026-22001 CVE-2026-22002 CVE-2026-22004 CVE-2026-22005 CVE-2026-22009 CVE-2026-22015 CVE-2026-22017 CVE-2026-34267 CVE-2026-34270 CVE-2026-34271 CVE-2026-34276 CVE-2026-34278 CVE-2026-34293 ... mysql8.0: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2461062
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-1704f705ab' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: proftpd-1.3.9a-2.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-871243b391
2026-05-21 00:54:04.884676+00:00
--------------------------------------------------------------------------------

Name : proftpd
Product : Fedora 44
Version : 1.3.9a
Release : 2.fc44
URL : http://www.proftpd.org/
Summary : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory
visibility.

This package defaults to the standalone behavior of ProFTPD, but all the
needed scripts to have it run by systemd instead are included.

--------------------------------------------------------------------------------
Update Information:

This update contains an updated mod_wrap2_sql that addresses a potential SQL
injection issue when connected to from a client with a maliciously-constructed
reverse DNS record (CVE-2026-44331). Note that mod_wrap2_sql is not enabled by
default and the issue can only happen if UseReverseDNS is enabled, which is also
off by default.
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 11 2026 Paul Howarth - 1.3.9a-2
- Additional escaping for avoidance of SQL injection issues with %{note:...}
and %{env:...}; these are on top of the existing fix for CVE-2026-42167 in
1.3.9a
- Fix for SQL Injection in mod_wrap2_sql via reverse DNS hostname
(CVE-2026-44331, rhbz#2466899, https://github.com/proftpd/proftpd/issues/2057)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2466899 - CVE-2026-44331 proftpd: SQL injection via reverse DNS hostname [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2466899
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-871243b391' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: python-dotenv-1.2.2-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-79e64d2daa
2026-05-21 00:54:04.884665+00:00
--------------------------------------------------------------------------------

Name : python-dotenv
Product : Fedora 44
Version : 1.2.2
Release : 1.fc44
URL : https://github.com/theskumar/python-dotenv
Summary : Read key-value pairs from a .env file and set them as environment variables
Description :
Reads the key/value pairs from a .env file and can add them to environment
variables.

--------------------------------------------------------------------------------
Update Information:

Update to 1.2.2, security fix for CVE-2026-28684.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 30 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 1.2.2-1
- Update to 1.2.2 (close RHBZ#2443673)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2374518 - python-dotenv-1.2.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2374518
[ 2 ] Bug #2443673 - python-dotenv-1.2.2 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2443673
[ 3 ] Bug #2460549 - CVE-2026-28684 python-dotenv: python-dotenv: Arbitrary file overwrite via symbolic link following [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2460549
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-79e64d2daa' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: mingw-expat-2.8.1-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-163d1fe6c0
2026-05-21 00:54:04.884650+00:00
--------------------------------------------------------------------------------

Name : mingw-expat
Product : Fedora 44
Version : 2.8.1
Release : 1.fc44
URL : http://www.libexpat.org/
Summary : MinGW Windows port of expat XML parser library
Description :
This is expat, the C library for parsing XML, written by James Clark. Expat
is a stream oriented XML parser. This means that you register handlers with
the parser prior to starting the parse. These handlers are called when the
parser discovers the associated structures in the document being parsed. A
start tag is an example of the kind of structures for which you may
register handlers.

--------------------------------------------------------------------------------
Update Information:

Update to expat-2.8.1.
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 12 2026 Sandro Mani [manisandro@gmail.com] - 2.8.1-1
- Update to 2.8.1
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2459021 - CVE-2026-41080 mingw-expat: libexpat: Denial of Service via hash flooding with crafted XML [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2459021
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-163d1fe6c0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: pgadmin4-9.15-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-68f6155fea
2026-05-21 00:54:04.884645+00:00
--------------------------------------------------------------------------------

Name : pgadmin4
Product : Fedora 44
Version : 9.15
Release : 1.fc44
URL : https://www.pgadmin.org/
Summary : Administration tool for PostgreSQL
Description :
pgAdmin is the most popular and feature rich Open Source administration and development
platform for PostgreSQL, the most advanced Open Source database in the world.

--------------------------------------------------------------------------------
Update Information:

Update to pgadmin4-9.15.
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 11 2026 Sandro Mani [manisandro@gmail.com] - 9.15-1
- Update to 9.15
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2476786 - CVE-2026-7819 pgadmin4: symbolic-link path traversal in File Manager allows arbitrary file write [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2476786
[ 2 ] Bug #2476787 - CVE-2026-7815 pgadmin4: SQL injection in maintenance tool option values leading to remote code execution [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2476787
[ 3 ] Bug #2476788 - CVE-2026-7817 pgadmin4: local file inclusion and server-side request forgery in LLM API configuration endpoints [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2476788
[ 4 ] Bug #2476789 - CVE-2026-7820 pgadmin4: account-lockout bypass via Flask-Security default /login view [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2476789
[ 5 ] Bug #2476790 - CVE-2026-7818 pgadmin4: unsafe deserialization in file-backed session manager leads to remote code execution [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2476790
[ 6 ] Bug #2476791 - CVE-2026-7816 pgadmin4: OS command injection in Import/Export query export via psql metacommand breakout [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2476791
[ 7 ] Bug #2476792 - CVE-2026-7813 pgadmin4: cross-user data access and shared-server privilege escalation in server mode [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2476792
[ 8 ] Bug #2476793 - CVE-2026-7814 pgadmin4: stored XSS via crafted PostgreSQL object names in Browser Tree and Explain Visualizer [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2476793
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-68f6155fea' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: mysql8.4-8.4.9-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-92a75ddb71
2026-05-21 00:54:04.884633+00:00
--------------------------------------------------------------------------------

Name : mysql8.4
Product : Fedora 44
Version : 8.4.9
Release : 1.fc44
URL : http://www.mysql.com
Summary : MySQL client programs and shared libraries
Description :
MySQL is a multi-user, multi-threaded SQL database server. MySQL is a
client/server implementation consisting of a server daemon (mysqld)
and many different client programs and libraries. The base package
contains the standard MySQL client programs and generic MySQL files.

--------------------------------------------------------------------------------
Update Information:

MySQL 8.4.9
Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.4/en/news-8-4-9.html
Known issue: s390x-specific issue - zlib with DFLTCC compressed pages with low
KEY_BLOCK_SIZE values can cause ER_TOO_BIG_ROWSIZE errors in tables near the
column count and their size limits.
--------------------------------------------------------------------------------
ChangeLog:

* Wed May 6 2026 Michal Schorm [mschorm@redhat.com] - 8.4.9-1
- Rebase to 8.4.9
* Thu Feb 19 2026 Yaakov Selkowitz [yselkowi@redhat.com] - 8.4.8-3
- Never provide unversioned packages in RHEL
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2461060 - CVE-2026-21998 CVE-2026-22001 CVE-2026-22002 CVE-2026-22004 CVE-2026-22005 CVE-2026-22009 CVE-2026-22015 CVE-2026-22017 CVE-2026-34270 CVE-2026-34271 CVE-2026-34276 CVE-2026-34303 CVE-2026-34304 CVE-2026-34308 ... mysql8.4: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2461060
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-92a75ddb71' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: rust-nu-0.99.1-17.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-6de0476940
2026-05-21 00:54:04.884621+00:00
--------------------------------------------------------------------------------

Name : rust-nu
Product : Fedora 44
Version : 0.99.1
Release : 17.fc44
URL : https://crates.io/crates/nu
Summary : New type of shell
Description :
A new type of shell.

--------------------------------------------------------------------------------
Update Information:

Rebuild with version 0.10.79 of the openssl crate which includes fixes for the
following security issues:
CVE-2026-41676 / GHSA-pqf5-4pqq-29f5
CVE-2026-41677 / GHSA-xmgf-hq76-4vx2
CVE-2026-41678 / GHSA-8c75-8mhr-p7r9
CVE-2026-41681 / GHSA-ghm9-cr32-g9qj
CVE-2026-41898 / GHSA-hppc-g8h3-xhp3
CVE-2026-42327 / GHSA-xp3w-r5p5-63rr
CVE-2026-44662 / GHSA-xv59-967r-8726
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 11 2026 Fabio Valentini [decathorpe@gmail.com] - 0.99.1-17
- Rebuild for rust-openssl
CVE-2026-{41676,41677,41678,41681,41898,42327,44662}
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-6de0476940' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: rustup-1.29.0-4.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-fc7afe14b7
2026-05-21 00:54:04.884619+00:00
--------------------------------------------------------------------------------

Name : rustup
Product : Fedora 44
Version : 1.29.0
Release : 4.fc44
URL : https://github.com/rust-lang/rustup
Summary : Manage multiple rust installations with ease
Description :
Manage multiple rust installations with ease.

--------------------------------------------------------------------------------
Update Information:

Rebuild with version 0.10.79 of the openssl crate which includes fixes for the
following security issues:
CVE-2026-41676 / GHSA-pqf5-4pqq-29f5
CVE-2026-41677 / GHSA-xmgf-hq76-4vx2
CVE-2026-41678 / GHSA-8c75-8mhr-p7r9
CVE-2026-41681 / GHSA-ghm9-cr32-g9qj
CVE-2026-41898 / GHSA-hppc-g8h3-xhp3
CVE-2026-42327 / GHSA-xp3w-r5p5-63rr
CVE-2026-44662 / GHSA-xv59-967r-8726
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 11 2026 Fabio Valentini [decathorpe@gmail.com] - 1.29.0-4
- Rebuild for rust-openssl
CVE-2026-{41676,41677,41678,41681,41898,42327,44662}
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-fc7afe14b7' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: opencryptoki-3.26.0-3.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-1273c7855d
2026-05-21 00:54:04.884589+00:00
--------------------------------------------------------------------------------

Name : opencryptoki
Product : Fedora 44
Version : 3.26.0
Release : 3.fc44
URL : https://github.com/opencryptoki/opencryptoki
Summary : Implementation of the PKCS#11 (Cryptoki) specification v3.0 and partially v3.1
Description :
Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
brings a software token implementation that can be used without any cryptographic
hardware.
This package contains the Slot Daemon (pkcsslotd) and general utilities.

--------------------------------------------------------------------------------
Update Information:

Fix CVE-2026-23893, Privilege Escalation or Data Exposure via Symlink Following
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 5 2026 Than Ngo [than@redhat.com] - 3.26.0-3
- Fix rhbz#2432016: CVE-2026-23893, Privilege Escalation or Data Exposure via Symlink Following
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2432016 - CVE-2026-23893 opencryptoki: openCryptoki: Privilege Escalation or Data Exposure via Symlink Following [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2432016
[ 2 ] Bug #2432017 - CVE-2026-23893 opencryptoki: openCryptoki: Privilege Escalation or Data Exposure via Symlink Following [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2432017
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-1273c7855d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

