Fedora 42 Update: kernel-6.19.14-102.fc42
Fedora 42 Update: python-django5-5.2.14-1.fc42
Fedora 42 Update: php-8.4.21-1.fc42
Fedora 42 Update: nix-2.31.5-1.fc42
Fedora 42 Update: GitPython-3.1.50-1.fc42
Fedora 42 Update: krb5-1.21.3-7.fc42
Fedora 42 Update: xen-4.19.5-2.fc42
Fedora 43 Update: kernel-headers-7.0.6-100.fc43
Fedora 43 Update: kernel-7.0.6-100.fc43
Fedora 43 Update: python-click-8.1.7-12.fc43
Fedora 43 Update: nix-2.31.5-1.fc43
Fedora 44 Update: kernel-7.0.6-200.fc44
Fedora 44 Update: kernel-headers-7.0.6-200.fc44
Fedora 44 Update: firefox-150.0.3-1.fc44
Fedora 44 Update: freerdp-3.26.0-4.fc44
Fedora 44 Update: nix-2.34.7-2.fc44
Fedora 42 Update: nodejs20-20.20.2-4.fc42
Fedora 42 Update: nano-8.3-4.fc42
Fedora 44 Update: chromium-148.0.7778.96-1.fc44
Fedora 44 Update: SDL2_image-2.8.12-1.fc44
[SECURITY] Fedora 42 Update: kernel-6.19.14-102.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-ec1c523fdb
2026-05-14 04:02:29.141275+00:00
--------------------------------------------------------------------------------
Name : kernel
Product : Fedora 42
Version : 6.19.14
Release : 102.fc42
URL : https://www.kernel.org/
Summary : The Linux kernel
Description :
The kernel meta package
--------------------------------------------------------------------------------
Update Information:
The 6.19.14-102 stable kernel update contains a fix for Fragnesia
(CVE-2026-46300).
--------------------------------------------------------------------------------
ChangeLog:
* Wed May 13 2026 Justin M. Forbes [jforbes@fedoraproject.org] [6.19.14-102]
- Revert "redhat/kernel.spec.template: Fix indentation of uki-virt generation code" (Justin M. Forbes)
- Revert "redhat/kernel.spec.template: Simplify uki-virt signing" (Justin M. Forbes)
- Revert "redhat/kernel.spec.template: Add kernel-uki-dtbloader sub-package" (Justin M. Forbes)
- Revert "redhat/kernel.spec.template: Make -uki-dtbloader provide kernel-core-uname-r" (Justin M. Forbes)
* Wed May 13 2026 Justin M. Forbes [jforbes@fedoraproject.org] [6.19.14-0]
- net: skbuff: preserve shared-frag marker during coalescing (William Bowling)
- net: skbuff: propagate shared-frag marker through pskb_copy() (Hyunwoo Kim)
- Turn off F43 and F44 release targets (Justin M. Forbes)
- rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present (Hyunwoo Kim)
- rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets (David Howells)
- rxrpc: Fix re-decryption of RESPONSE packets (David Howells)
- rxrpc: Fix error handling in rxgk_extract_token() (David Howells)
- rxrpc: Fix rxkad crypto unalignment handling (David Howells)
- rxrpc: Fix conn-level packet handling to unshare RESPONSE packets (David Howells)
- rxrpc: Fix memory leaks in rxkad_verify_response() (David Howells)
- rxrpc: Fix potential UAF after skb_unshare() failure (David Howells)
- xfrm: esp: avoid in-place decrypt on shared skb frags (Kuan-Ting Chen)
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-ec1c523fdb' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 42 Update: python-django5-5.2.14-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-b9548393aa
2026-05-14 04:02:29.141273+00:00
--------------------------------------------------------------------------------
Name : python-django5
Product : Fedora 42
Version : 5.2.14
Release : 1.fc42
URL : https://www.djangoproject.com/
Summary : A high-level Python Web framework
Description :
Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as
much as possible and adhering to the DRY (Don't Repeat Yourself)
principle.
--------------------------------------------------------------------------------
Update Information:
- Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests
  via file upload limit bypass
- Fixes CVE-2026-35192: Session fixation via public cached pages and
  SESSION_SAVE_EVERY_REQUEST
- Fixes CVE-2026-6907: Potential exposure of private data due to incorrect
  handling of Vary: * in UpdateCacheMiddleware
- Fixes CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
- Fixes CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin
- Fixes CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable
- Fixes CVE-2026-33033: Potential denial-of-service vulnerability in
  MultiPartParser via base64-encoded file upload
- Fixes CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests
  via memory upload limit bypass
- Fixes CVE-2026-25674: Potential incorrect permissions on newly created file
  system objects
--------------------------------------------------------------------------------
ChangeLog:
* Tue May 12 2026 Michel Lind [salimma@fedoraproject.org] - 5.2.14-1
- Update to version 5.2.14; Resolves RHBZ#2444117
- Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI
requests via file upload limit bypass
- Fixes CVE-2026-35192: Session fixation via public cached pages and
SESSION_SAVE_EVERY_REQUEST
- Fixes CVE-2026-6907: Potential exposure of private data due to incorrect
handling of Vary: * in UpdateCacheMiddleware
- Fixes CVE-2026-3902: ASGI header spoofing via underscore/hyphen
conflation
- Fixes CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin
- Fixes CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable
- Fixes CVE-2026-33033: Potential denial-of-service vulnerability in
MultiPartParser via base64-encoded file upload
- Fixes CVE-2026-33034: Potential denial-of-service vulnerability in ASGI
requests via memory upload limit bypass
- Fixes CVE-2026-25674: Potential incorrect permissions on newly created
file system objects
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2444117 - python-django5-5.2.14 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2444117
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-b9548393aa' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 42 Update: php-8.4.21-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-3a58db70ca
2026-05-14 04:02:29.141261+00:00
--------------------------------------------------------------------------------
Name : php
Product : Fedora 42
Version : 8.4.21
Release : 1.fc42
URL : http://www.php.net/
Summary : PHP scripting language for creating dynamic web sites
Description :
PHP is an HTML-embedded scripting language. PHP attempts to make it
easy for developers to write dynamically generated web pages. PHP also
offers built-in database integration for several commercial and
non-commercial database management systems, so writing a
database-enabled webpage with PHP is fairly simple. The most common
use of PHP coding is probably as a replacement for CGI scripts.
--------------------------------------------------------------------------------
Update Information:
PHP version 8.4.21 (07 May 2026)
Core:
- Fixed bug GH-19983 (GC assertion failure with fibers, generators and
  destructors). (iliaal)
- Fixed bug GH-21478 (Forward property operations to real instance for initialized
  lazy proxies). (iliaal)
- Fixed bug GH-21605 (Missing addref for Countable::count()). (ilutov)
- Fixed bug GH-21699 (Assertion failure in shutdown_executor when resolving
  self::/parent::/static:: callables if the error handler throws). (macoaure)
- Fixed bug GH-21603 (Missing addref for __unset). (ilutov)
- Fixed bug GH-21760 (Trait with class constant name conflict against enum case
  causes SEGV). (Pratik Bhujel)
CLI:
- Fixed bug GH-21754 (--rf command line option with a method triggers
  ext/reflection deprecation warnings). (DanielEScherzer)
Curl:
- Add support for brotli and zstd on Windows. (Shivam Mathur)
DOM:
- Fixed GHSA-4jhr-8w89-j733 and GH-21566 (Dom\XMLDocument::C14N() emits duplicate
  xmlns declarations after setAttributeNS()). (CVE-2026-7263) (David Carlier)
- Fixed bug GH-21688 (segmentation fault on empty HTMLDocument). (David Carlier)
- Upgrade to lexbor v2.7.0. (CVE-2026-29078, CVE-2026-29079) (ndossche, ilutov)
FPM:
- Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735) (Jakub
  Zelenka)
Iconv:
- Fixed bug GH-17399 (iconv memory leak on bailout). (iliaal)
MBString:
- Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in php_mb_check_encoding()
  via mb_ereg_search_init()). (CVE-2026-7259) (vi3tL0u1s)
- Fixed GHSA-74r9-qxhc-fx53 (Out-of-bounds access in mbfl_name2encoding_ex()).
  (CVE-2026-6104) (ilutov)
Opcache:
- Fixed bug GH-21158 (JIT: Assertion jit->ra[var].flags & (1