Fedora 42 Update: python-scitokens-1.9.7-1.fc42
Fedora 42 Update: chromium-146.0.7680.80-1.fc42
Fedora 42 Update: python-ujson-5.12.0-1.fc42
Fedora 43 Update: python-scitokens-1.9.7-1.fc43
Fedora 43 Update: python-ujson-5.12.0-1.fc43
Fedora 44 Update: openssh-10.2p1-6.fc44
Fedora 44 Update: python-scitokens-1.9.7-1.fc44
Fedora 44 Update: python-ujson-5.12.0-1.fc44
[SECURITY] Fedora 42 Update: python-scitokens-1.9.7-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-dec8f790f7
2026-03-22 01:07:57.226580+00:00
--------------------------------------------------------------------------------
Name : python-scitokens
Product : Fedora 42
Version : 1.9.7
Release : 1.fc42
URL : https://scitokens.org
Summary : SciToken reference implementation library
Description :
SciToken reference implementation library
--------------------------------------------------------------------------------
Update Information:
- Remove legacy parent SciToken chaining behavior from token initialization and
  claim handling
- Harden Enforcer scope path traversal validation (including encoded traversal
  checks)
- Clean up documentation references to parent/chained SciTokens
- Fix SQL injection risk in KeyCache by using parameterized SQLite queries
- Prevent sibling-path authorization bypass in Enforcer scope checks
--------------------------------------------------------------------------------
ChangeLog:
* Fri Mar 13 2026 Derek Weitzel [dweitzel@unl.edu] - 1.9.7-1
- Remove legacy parent SciToken chaining behavior from token initialization and claim handling
- Harden Enforcer scope path traversal validation (including encoded traversal checks)
- Clean up documentation references to parent/chained SciTokens
* Fri Mar 13 2026 Derek Weitzel [dweitzel@unl.edu] - 1.9.6-1
- Fix SQL injection risk in KeyCache by using parameterized SQLite queries
- Prevent sibling-path authorization bypass in Enforcer scope checks
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 1.9.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-dec8f790f7' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 42 Update: chromium-146.0.7680.80-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7ffd130a98
2026-03-22 01:07:57.226585+00:00
--------------------------------------------------------------------------------
Name : chromium
Product : Fedora 42
Version : 146.0.7680.80
Release : 1.fc42
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).
--------------------------------------------------------------------------------
Update Information:
Update to 146.0.7680.80
* CVE-2026-3909: Out of bounds write in Skia
--------------------------------------------------------------------------------
ChangeLog:
* Sat Mar 14 2026 Than Ngo [than@redhat.com] - 146.0.7680.80-1
- Update to 146.0.7680.80
* CVE-2026-3909: Out of bounds write in Skia
* Fri Mar 13 2026 Than Ngo [than@redhat.com] - 146.0.7680.75-1
- Update to 146.0.7680.75
* CVE-2026-3910: Inappropriate implementation in V8
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2447254 - CVE-2026-3909 CVE-2026-3910 chromium: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2447254
[ 2 ] Bug #2447255 - CVE-2026-3909 CVE-2026-3910 chromium: various flaws [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2447255
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-7ffd130a98' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 42 Update: python-ujson-5.12.0-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-0f099ed388
2026-03-22 01:07:57.226534+00:00
--------------------------------------------------------------------------------
Name : python-ujson
Product : Fedora 42
Version : 5.12.0
Release : 1.fc42
URL : https://github.com/ultrajson/ultrajson
Summary : Ultra fast JSON encoder and decoder written in pure C
Description :
UltraJSON is an ultra fast JSON encoder and decoder written in pure C with
bindings for Python.
--------------------------------------------------------------------------------
Update Information:
Update to 5.12.0. This release updates the license field in the Python
metadata and fixes a buffer overflow/infinite loop from indent handling.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Mar 12 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 5.12.0-1
- Update to 5.12.0 (close RHBZ#2446884)
* Thu Mar 12 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 5.11.0-9
- Use the provisional pyproject declarative buildsystem
* Thu Mar 12 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 5.11.0-6
- Use a pkgconfig(???) BR on double-conversion
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 5.11.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2446884 - python-ujson-5.12.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2446884
[ 2 ] Bug #2449471 - CVE-2026-32875 python-ujson: UltraJSON: Denial of Service via large indent parameter in JSON serialization [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2449471
[ 3 ] Bug #2449472 - CVE-2026-32874 python-ujson: UltraJSON: Denial of Service due to memory leak when parsing large integers [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2449472
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-0f099ed388' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: python-scitokens-1.9.7-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-727b73bfa0
2026-03-22 00:52:45.125293+00:00
--------------------------------------------------------------------------------
Name : python-scitokens
Product : Fedora 43
Version : 1.9.7
Release : 1.fc43
URL : https://scitokens.org
Summary : SciToken reference implementation library
Description :
SciToken reference implementation library
--------------------------------------------------------------------------------
Update Information:
- Remove legacy parent SciToken chaining behavior from token initialization and
  claim handling
- Harden Enforcer scope path traversal validation (including encoded traversal
  checks)
- Clean up documentation references to parent/chained SciTokens
- Fix SQL injection risk in KeyCache by using parameterized SQLite queries
- Prevent sibling-path authorization bypass in Enforcer scope checks
--------------------------------------------------------------------------------
ChangeLog:
* Fri Mar 13 2026 Derek Weitzel [dweitzel@unl.edu] - 1.9.7-1
- Remove legacy parent SciToken chaining behavior from token initialization and claim handling
- Harden Enforcer scope path traversal validation (including encoded traversal checks)
- Clean up documentation references to parent/chained SciTokens
* Fri Mar 13 2026 Derek Weitzel [dweitzel@unl.edu] - 1.9.6-1
- Fix SQL injection risk in KeyCache by using parameterized SQLite queries
- Prevent sibling-path authorization bypass in Enforcer scope checks
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 1.9.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-727b73bfa0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 43 Update: python-ujson-5.12.0-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-bf741e26e4
2026-03-22 00:52:45.125243+00:00
--------------------------------------------------------------------------------
Name : python-ujson
Product : Fedora 43
Version : 5.12.0
Release : 1.fc43
URL : https://github.com/ultrajson/ultrajson
Summary : Ultra fast JSON encoder and decoder written in pure C
Description :
UltraJSON is an ultra fast JSON encoder and decoder written in pure C with
bindings for Python.
--------------------------------------------------------------------------------
Update Information:
Update to 5.12.0. This release updates the license field in the Python
metadata and fixes a buffer overflow/infinite loop from indent handling.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Mar 12 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 5.12.0-1
- Update to 5.12.0 (close RHBZ#2446884)
* Thu Mar 12 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 5.11.0-9
- Use the provisional pyproject declarative buildsystem
* Thu Mar 12 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 5.11.0-6
- Use a pkgconfig(???) BR on double-conversion
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 5.11.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2446884 - python-ujson-5.12.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2446884
[ 2 ] Bug #2449473 - CVE-2026-32875 python-ujson: UltraJSON: Denial of Service via large indent parameter in JSON serialization [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2449473
[ 3 ] Bug #2449474 - CVE-2026-32874 python-ujson: UltraJSON: Denial of Service due to memory leak when parsing large integers [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2449474
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-bf741e26e4' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: openssh-10.2p1-6.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-62fb46caac
2026-03-22 00:15:14.987323+00:00
--------------------------------------------------------------------------------
Name : openssh
Product : Fedora 44
Version : 10.2p1
Release : 6.fc44
URL : http://www.openssh.com/portable.html
Summary : An open source implementation of SSH protocol version 2
Description :
SSH (Secure SHell) is a program for logging into and executing
commands on a remote machine. SSH is intended to replace rlogin and
rsh, and to provide secure encrypted communications between two
untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.
OpenSSH is OpenBSD's version of the last free version of SSH, bringing
it up to date in terms of security and features.
This package includes the core files necessary for both the OpenSSH
client and server. To make this package useful, you should also
install openssh-clients, openssh-server, or both.
--------------------------------------------------------------------------------
Update Information:
CVE-2026-3497: Fix information disclosure or denial of service due to
uninitialized variables in gssapi-keyex
--------------------------------------------------------------------------------
ChangeLog:
* Wed Mar 18 2026 Zoltan Fridrich [zfridric@redhat.com] - 10.2p1-6
- CVE-2026-3497: Fix information disclosure or denial of service due
to uninitialized variables in gssapi-keyex
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2442505 - 0043-openssh-8.7p1-ssh-manpage.patch introduces duplicates in documentation
https://bugzilla.redhat.com/show_bug.cgi?id=2442505
[ 2 ] Bug #2447289 - CVE-2026-3497 openssh: OpenSSH GSSAPI: Information disclosure or denial of service due to uninitialized variables [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2447289
[ 3 ] Bug #2447290 - CVE-2026-3497 openssh: OpenSSH GSSAPI: Information disclosure or denial of service due to uninitialized variables [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2447290
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-62fb46caac' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: python-scitokens-1.9.7-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-86ad7d8a1a
2026-03-22 00:15:14.987315+00:00
--------------------------------------------------------------------------------
Name : python-scitokens
Product : Fedora 44
Version : 1.9.7
Release : 1.fc44
URL : https://scitokens.org
Summary : SciToken reference implementation library
Description :
SciToken reference implementation library
--------------------------------------------------------------------------------
Update Information:
- Remove legacy parent SciToken chaining behavior from token initialization and
  claim handling
- Harden Enforcer scope path traversal validation (including encoded traversal
  checks)
- Clean up documentation references to parent/chained SciTokens
- Fix SQL injection risk in KeyCache by using parameterized SQLite queries
- Prevent sibling-path authorization bypass in Enforcer scope checks
--------------------------------------------------------------------------------
ChangeLog:
* Fri Mar 13 2026 Derek Weitzel [dweitzel@unl.edu] - 1.9.7-1
- Remove legacy parent SciToken chaining behavior from token initialization and claim handling
- Harden Enforcer scope path traversal validation (including encoded traversal checks)
- Clean up documentation references to parent/chained SciTokens
* Fri Mar 13 2026 Derek Weitzel [dweitzel@unl.edu] - 1.9.6-1
- Fix SQL injection risk in KeyCache by using parameterized SQLite queries
- Prevent sibling-path authorization bypass in Enforcer scope checks
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-86ad7d8a1a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
[SECURITY] Fedora 44 Update: python-ujson-5.12.0-1.fc44
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-5725d633ec
2026-03-22 00:15:14.987231+00:00
--------------------------------------------------------------------------------
Name : python-ujson
Product : Fedora 44
Version : 5.12.0
Release : 1.fc44
URL : https://github.com/ultrajson/ultrajson
Summary : Ultra fast JSON encoder and decoder written in pure C
Description :
UltraJSON is an ultra fast JSON encoder and decoder written in pure C with
bindings for Python.
--------------------------------------------------------------------------------
Update Information:
Update to 5.12.0. This release updates the license field in the Python
metadata and fixes a buffer overflow/infinite loop from indent handling.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Mar 12 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 5.12.0-1
- Update to 5.12.0 (close RHBZ#2446884)
* Thu Mar 12 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 5.11.0-9
- Use the provisional pyproject declarative buildsystem
* Thu Mar 12 2026 Benjamin A. Beasley [code@musicinmybrain.net] - 5.11.0-6
- Use a pkgconfig(???) BR on double-conversion
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2446884 - python-ujson-5.12.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2446884
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-5725d633ec' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------