Several security updates have been released for Fedora 42 and 43, addressing issues in packages such as mupdf, rust-ambient-id, uv, python-uv-build, python-pyasn1, and python3.13. The updates include patches for bugs like CVE-2026-25556, CVE-2026-25727, and CVE-2026-23490, which could lead to denial-of-service attacks or memory exhaustion.

Fedora 42 Update: mupdf-1.26.3-5.fc42
Fedora 42 Update: rust-ambient-id-0.0.10-1.fc42
Fedora 42 Update: uv-0.10.2-1.fc42
Fedora 42 Update: python-uv-build-0.10.2-1.fc42
Fedora 42 Update: python-pyasn1-0.6.2-1.fc42
Fedora 43 Update: python3.13-3.13.12-1.fc43
Fedora 43 Update: python-pyasn1-0.6.2-1.fc43

[SECURITY] Fedora 42 Update: mupdf-1.26.3-5.fc42

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-4366b8d2d8
2026-02-22 00:57:35.024161+00:00
--------------------------------------------------------------------------------

Name : mupdf
Product : Fedora 42
Version : 1.26.3
Release : 5.fc42
URL : http://mupdf.com/
Summary : A lightweight PDF viewer and toolkit
Description :
MuPDF is a lightweight PDF viewer and toolkit written in portable C.
The renderer in MuPDF is tailored for high quality anti-aliased
graphics. MuPDF renders text with metrics and spacing accurate to
within fractions of a pixel for the highest fidelity in reproducing
the look of a printed page on screen.
MuPDF has a small footprint. A binary that includes the standard
Roman fonts is only one megabyte. A build with full CJK support
(including an Asian font) is approximately seven megabytes.
MuPDF has support for all non-interactive PDF 1.7 features, and the
toolkit provides a simple API for accessing the internal structures of
the PDF document. Example code for navigating interactive links and
bookmarks, encrypting PDF files, extracting fonts, images, and
searchable text, and rendering pages to image files is provided.

--------------------------------------------------------------------------------
Update Information:

fix CVE-2026-25556 (rhbz#2437973)
--------------------------------------------------------------------------------
ChangeLog:

* Fri Feb 13 2026 Michael J Gruber [mjg@fedoraproject.org] - 1.26.3-5
- fix CVE-2026-25556 (rhbz#2437973)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2437973 - CVE-2026-25556 mupdf: MuPDF: Denial of Service via crafted input during barcode decoding [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2437973
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-4366b8d2d8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

[SECURITY] Fedora 42 Update: rust-ambient-id-0.0.10-1.fc42

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-086a367966
2026-02-22 00:57:35.024139+00:00
--------------------------------------------------------------------------------

Name : rust-ambient-id
Product : Fedora 42
Version : 0.0.10
Release : 1.fc42
URL : https://crates.io/crates/ambient-id
Summary : Detects ambient OIDC credentials in a variety of environments
Description :
Detects ambient OIDC credentials in a variety of environments.

--------------------------------------------------------------------------------
Update Information:

Update uv and python-uv-build to 0.10.2. There are some minor breaking changes
in uv; most users should not have to change anything. See
https://github.com/astral-sh/uv/blob/0.10.2/CHANGELOG.md for details. There are
no breaking changes to python-uv-build.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Feb 10 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.0.10-1
- Update to version 0.0.10
* Wed Feb 4 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.0.9-1
- Update to version 0.0.9
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2438083 - CVE-2026-25727 python-uv-build: time affected by a stack exhaustion denial of service attack [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2438083
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-086a367966' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

[SECURITY] Fedora 42 Update: uv-0.10.2-1.fc42

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-086a367966
2026-02-22 00:57:35.024139+00:00
--------------------------------------------------------------------------------

Name : uv
Product : Fedora 42
Version : 0.10.2
Release : 1.fc42
URL : https://github.com/astral-sh/uv
Summary : An extremely fast Python package installer and resolver, written in Rust
Description :
An extremely fast Python package and project manager, written in Rust.

Highlights:

??? A single tool to replace pip, pip-tools, pipx, poetry, pyenv, twine,
virtualenv, and more.
??? 10-100x faster than pip.
??? Provides comprehensive project management, with a universal lockfile.
??? Runs scripts, with support for inline dependency metadata.
??? Installs and manages Python versions.
??? Runs and installs tools published as Python packages.
??? Includes a pip-compatible interface for a performance boost with a familiar
CLI.
??? Supports Cargo-style workspaces for scalable projects.
??? Disk-space efficient, with a global cache for dependency deduplication.

--------------------------------------------------------------------------------
Update Information:

Update uv and python-uv-build to 0.10.2. There are some minor breaking changes
in uv; most users should not have to change anything. See
https://github.com/astral-sh/uv/blob/0.10.2/CHANGELOG.md for details. There are
no breaking changes to python-uv-build.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Feb 10 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.10.2-1
- Update to 0.10.2
* Tue Feb 10 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.10.1-1
- Update to 0.10.1 (close RHBZ#2437188)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2438083 - CVE-2026-25727 python-uv-build: time affected by a stack exhaustion denial of service attack [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2438083
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-086a367966' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

[SECURITY] Fedora 42 Update: python-uv-build-0.10.2-1.fc42

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-086a367966
2026-02-22 00:57:35.024139+00:00
--------------------------------------------------------------------------------

Name : python-uv-build
Product : Fedora 42
Version : 0.10.2
Release : 1.fc42
URL : https://pypi.org/project/uv-build
Summary : The uv build backend
Description :

This package is a slimmed down version of uv containing only the build
backend.

--------------------------------------------------------------------------------
Update Information:

Update uv and python-uv-build to 0.10.2. There are some minor breaking changes
in uv; most users should not have to change anything. See
https://github.com/astral-sh/uv/blob/0.10.2/CHANGELOG.md for details. There are
no breaking changes to python-uv-build.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Feb 10 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.10.2-1
- Update to 0.10.2
* Tue Feb 10 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.10.1-1
- Update to 0.10.1 (close RHBZ#2438446)
* Fri Feb 6 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.10.0-1
- Update to 0.10.0 (close RHBZ#2437187)
* Thu Feb 5 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.9.30-1
- Update to 0.9.30 (close RHBZ#2436958)
* Tue Feb 3 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 0.9.29-1
- Update to 0.9.29 (close RHBZ#2436549)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2438083 - CVE-2026-25727 python-uv-build: time affected by a stack exhaustion denial of service attack [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2438083
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-086a367966' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

[SECURITY] Fedora 42 Update: python-pyasn1-0.6.2-1.fc42

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-ddafe1357a
2026-02-22 00:57:35.024081+00:00
--------------------------------------------------------------------------------

Name : python-pyasn1
Product : Fedora 42
Version : 0.6.2
Release : 1.fc42
URL : https://github.com/pyasn1/pyasn1
Summary : ASN.1 tools for Python
Description :
This is an implementation of ASN.1 types and codecs in the Python programming
language.

--------------------------------------------------------------------------------
Update Information:

Update for python-pyasn1-0.6.2-1.fc42.
Changelog
* Thu Feb 05 2026 Simon Pichugin [spichugi@redhat.com] - 0.6.2-1
- Update to 0.6.2
- Fixed continuation octet limits in OID/RELATIVE-OID decoder (CVE-2026-23490)
--------------------------------------------------------------------------------
ChangeLog:

* Thu Feb 5 2026 Simon Pichugin [spichugi@redhat.com] - 0.6.2-1
- Update to 0.6.2
- Fixed continuation octet limits in OID/RELATIVE-OID decoder (CVE-2026-23490)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2437015 - python-pyasn1-0.6.2 is available [f42]
https://bugzilla.redhat.com/show_bug.cgi?id=2437015
[ 2 ] Bug #2438395 - CVE-2026-23490 python-pyasn1: pyasn1: Denial of Service due to memory exhaustion from malformed RELATIVE-OID [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2438395
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-ddafe1357a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

[SECURITY] Fedora 43 Update: python3.13-3.13.12-1.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-6ee987bce2
2026-02-22 00:42:56.794629+00:00
--------------------------------------------------------------------------------

Name : python3.13
Product : Fedora 43
Version : 3.13.12
Release : 1.fc43
URL : https://www.python.org/
Summary : Version 3.13 of the Python interpreter
Description :
Python 3.13 is an accessible, high-level, dynamically typed, interpreted
programming language, designed with an emphasis on code readability.
It includes an extensive standard library, and has a vast ecosystem of
third-party libraries.

The python3.13 package provides the "python3.13" executable: the reference
interpreter for the Python language, version 3.
The majority of its standard library is provided in the python3.13-libs package,
which should be installed automatically along with python3.13.
The remaining parts of the Python standard library are broken out into the
python3.13-tkinter and python3.13-test packages, which may need to be installed
separately.

Documentation for Python is provided in the python3.13-docs package.

Packages containing additional libraries for Python are generally named with
the "python3.13-" prefix.

--------------------------------------------------------------------------------
Update Information:

Update to 3.13.12
--------------------------------------------------------------------------------
ChangeLog:

* Wed Feb 4 2026 Tom???? Hrn??iar [thrnciar@redhat.com] - 3.13.12-1
- Update to 3.13.12
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 3.13.11-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Tue Jan 6 2026 Karolina Surma [ksurma@redhat.com] - 3.13.11-2
- Require at least the same expat version as used during the build time
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2431628 - CVE-2025-15366 python3.13: IMAP command injection in user-controlled commands [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2431628
[ 2 ] Bug #2431652 - CVE-2025-15367 python3.13: POP3 command injection in user-controlled commands [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2431652
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-6ee987bce2' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

[SECURITY] Fedora 43 Update: python-pyasn1-0.6.2-1.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-0179c9b8ac
2026-02-22 00:42:56.794609+00:00
--------------------------------------------------------------------------------

Name : python-pyasn1
Product : Fedora 43
Version : 0.6.2
Release : 1.fc43
URL : https://github.com/pyasn1/pyasn1
Summary : ASN.1 tools for Python
Description :
This is an implementation of ASN.1 types and codecs in the Python programming
language.

--------------------------------------------------------------------------------
Update Information:

Update for python-pyasn1-0.6.2-1.fc43.
Changelog
* Thu Feb 05 2026 Simon Pichugin [spichugi@redhat.com] - 0.6.2-1
- Update to 0.6.2
- Fixed continuation octet limits in OID/RELATIVE-OID decoder (CVE-2026-23490)
--------------------------------------------------------------------------------
ChangeLog:

* Thu Feb 5 2026 Simon Pichugin [spichugi@redhat.com] - 0.6.2-1
- Update to 0.6.2
- Fixed continuation octet limits in OID/RELATIVE-OID decoder (CVE-2026-23490)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2437014 - python-pyasn1-0.6.2 is available [f43]
https://bugzilla.redhat.com/show_bug.cgi?id=2437014
[ 2 ] Bug #2438396 - CVE-2026-23490 python-pyasn1: pyasn1: Denial of Service due to memory exhaustion from malformed RELATIVE-OID [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2438396
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-0179c9b8ac' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new