
Several security updates have been released for Fedora 42 and Fedora 43. They fix vulnerabilities in Django, a high-level Python Web framework, including potential SQL injections and denial-of-service attacks, and in the Python 3.13 and 3.9 interpreters. The fixes cover CVE-2025-15366, CVE-2025-15367, CVE-2026-0865, and CVE-2026-1299, among others.

Fedora 42 Update: python-django5-5.2.11-1.fc42
Fedora 42 Update: python3.13-3.13.12-1.fc42
Fedora 42 Update: python3-docs-3.13.12-1.fc42
Fedora 42 Update: python3.9-3.9.25-6.fc42
Fedora 43 Update: python-django5-5.2.11-1.fc43
Fedora 43 Update: python3.9-3.9.25-6.fc43




[SECURITY] Fedora 42 Update: python-django5-5.2.11-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-00b5bf3150
2026-02-28 01:23:52.457275+00:00
--------------------------------------------------------------------------------

Name : python-django5
Product : Fedora 42
Version : 5.2.11
Release : 1.fc42
URL : https://www.djangoproject.com/
Summary : A high-level Python Web framework
Description :
Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as
much as possible and adhering to the DRY (Don't Repeat Yourself)
principle.

--------------------------------------------------------------------------------
Update Information:

Fixes CVE-2025-13473: Username enumeration through timing difference in mod_wsgi
authentication handler
Fixes CVE-2025-14550: Potential denial-of-service vulnerability via repeated
headers when using ASGI
Fixes CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS
Fixes CVE-2026-1285: Potential denial-of-service vulnerability in
django.utils.text.Truncator HTML methods
Fixes CVE-2026-1287: Potential SQL injection in column aliases via control
characters
Fixes CVE-2026-1312: Potential SQL injection via QuerySet.order_by and
FilteredRelation
Fixed a bug in Django 5.2 where data exceeding max_length was silently truncated
by QuerySet.bulk_create() on PostgreSQL
Fixed a bug where management command colorized help (introduced in Python 3.14)
ignored the --no-color option and the DJANGO_COLORS setting
--------------------------------------------------------------------------------
ChangeLog:

* Thu Feb 19 2026 Michel Lind [salimma@fedoraproject.org] - 5.2.11-1
- Update to version 5.2.11; Resolves: RHBZ#2427483
- `python-django5` is now the alternate `python3-django5` on Fedora 44+,
`python3-django` is now Django 6.x
- Fixes CVE-2025-13473: Username enumeration through timing difference in
mod_wsgi authentication handler
- Fixes CVE-2025-14550: Potential denial-of-service vulnerability via
repeated headers when using ASGI
- Fixes CVE-2026-1207: Potential SQL injection via raster lookups on
PostGIS
- Fixes CVE-2026-1285: Potential denial-of-service vulnerability in
django.utils.text.Truncator HTML methods
- Fixes CVE-2026-1287: Potential SQL injection in column aliases via
control characters
- Fixes CVE-2026-1312: Potential SQL injection via QuerySet.order_by and
FilteredRelation
- Fixed a bug in Django 5.2 where data exceeding max_length was silently
truncated by QuerySet.bulk_create() on PostgreSQL
- Fixed a bug where management command colorized help (introduced in Python
3.14) ignored the --no-color option and the DJANGO_COLORS setting
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2427483 - python-django5-5.2.11 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2427483
[ 2 ] Bug #2436695 - CVE-2025-14550 python-django5: Django: Denial of Service via crafted request with duplicate headers [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2436695
[ 3 ] Bug #2436699 - CVE-2026-1312 python-django5: Django: SQL injection via crafted column aliases in QuerySet.order_by() [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2436699
[ 4 ] Bug #2436709 - CVE-2026-1285 python-django5: Django: Denial of Service via crafted HTML inputs [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2436709
[ 5 ] Bug #2436714 - CVE-2026-1287 python-django5: Django: SQL Injection via crafted column aliases [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2436714
[ 6 ] Bug #2436716 - CVE-2026-1207 python-django5: Django: SQL Injection via RasterField band index parameter [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2436716
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-00b5bf3150' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 42 Update: python3.13-3.13.12-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-b1b37b00ef
2026-02-28 01:23:52.457217+00:00
--------------------------------------------------------------------------------

Name : python3.13
Product : Fedora 42
Version : 3.13.12
Release : 1.fc42
URL : https://www.python.org/
Summary : Version 3.13 of the Python interpreter
Description :
Python 3.13 is an accessible, high-level, dynamically typed, interpreted
programming language, designed with an emphasis on code readability.
It includes an extensive standard library, and has a vast ecosystem of
third-party libraries.

--------------------------------------------------------------------------------
Update Information:

Update to 3.13.12
--------------------------------------------------------------------------------
ChangeLog:

* Wed Feb 4 2026 Tomáš Hrnčiar [thrnciar@redhat.com] - 3.13.12-1
- Update to 3.13.12
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 3.13.11-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2431618 - CVE-2025-15366 python3.13: IMAP command injection in user-controlled commands [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2431618
[ 2 ] Bug #2431642 - CVE-2025-15367 python3.13: POP3 command injection in user-controlled commands [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2431642
[ 3 ] Bug #2431767 - CVE-2025-11468 python3.13: Missing character filtering in Python [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2431767
[ 4 ] Bug #2431792 - CVE-2026-0672 python3.13: Header injection in http.cookies.Morsel in Python [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2431792
[ 5 ] Bug #2431797 - CVE-2026-0865 python3.13: wsgiref.headers.Headers allows header newline injection in Python [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2431797
[ 6 ] Bug #2431812 - CVE-2025-15282 python3.13: Header injection via newlines in data URL mediatype in Python [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2431812
[ 7 ] Bug #2433818 - CVE-2026-1299 python3.13: email header injection due to unquoted newlines [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2433818
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-b1b37b00ef' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 42 Update: python3-docs-3.13.12-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-b1b37b00ef
2026-02-28 01:23:52.457217+00:00
--------------------------------------------------------------------------------

Name : python3-docs
Product : Fedora 42
Version : 3.13.12
Release : 1.fc42
URL : https://www.python.org/
Summary : Documentation for the Python 3 programming language
Description :
The python3-docs package contains documentation on the Python 3
programming language and interpreter.

--------------------------------------------------------------------------------
Update Information:

Update to 3.13.12
--------------------------------------------------------------------------------
ChangeLog:

* Wed Feb 4 2026 Tomáš Hrnčiar [thrnciar@redhat.com] - 3.13.12-1
- Update to 3.13.12
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2431618 - CVE-2025-15366 python3.13: IMAP command injection in user-controlled commands [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2431618
[ 2 ] Bug #2431642 - CVE-2025-15367 python3.13: POP3 command injection in user-controlled commands [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2431642
[ 3 ] Bug #2431767 - CVE-2025-11468 python3.13: Missing character filtering in Python [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2431767
[ 4 ] Bug #2431792 - CVE-2026-0672 python3.13: Header injection in http.cookies.Morsel in Python [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2431792
[ 5 ] Bug #2431797 - CVE-2026-0865 python3.13: wsgiref.headers.Headers allows header newline injection in Python [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2431797
[ 6 ] Bug #2431812 - CVE-2025-15282 python3.13: Header injection via newlines in data URL mediatype in Python [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2431812
[ 7 ] Bug #2433818 - CVE-2026-1299 python3.13: email header injection due to unquoted newlines [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2433818
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-b1b37b00ef' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 42 Update: python3.9-3.9.25-6.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-cad5404d98
2026-02-28 01:23:52.457241+00:00
--------------------------------------------------------------------------------

Name : python3.9
Product : Fedora 42
Version : 3.9.25
Release : 6.fc42
URL : https://www.python.org/
Summary : Version 3.9 of the Python interpreter
Description :
Python 3.9 package for developers.

This package exists to allow developers to test their code against an older
version of Python. This is not a full Python stack and if you wish to run
your applications with Python 3.9, see other distributions
that support it, such as CentOS or RHEL or older Fedora releases.

--------------------------------------------------------------------------------
Update Information:

Security fixes for CVE-2026-1299, CVE-2026-0865, CVE-2025-15366 and
CVE-2025-15367
--------------------------------------------------------------------------------
ChangeLog:

* Tue Feb 10 2026 Tomáš Hrnčiar [thrnciar@redhat.com] - 3.9.25-6
- Security fix for CVE-2026-1299
* Mon Feb 9 2026 Tomáš Hrnčiar [thrnciar@redhat.com] - 3.9.25-5
- Security fixes for CVE-2026-0865, CVE-2025-15366 and CVE-2025-15367
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 3.9.25-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2431622 - CVE-2025-15366 python3.9: IMAP command injection in user-controlled commands [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2431622
[ 2 ] Bug #2431646 - CVE-2025-15367 python3.9: POP3 command injection in user-controlled commands [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2431646
[ 3 ] Bug #2431810 - CVE-2026-0865 python3.9: wsgiref.headers.Headers allows header newline injection in Python [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2431810
[ 4 ] Bug #2433822 - CVE-2026-1299 python3.9: email header injection due to unquoted newlines [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2433822
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-cad5404d98' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: python-django5-5.2.11-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-3adb735295
2026-02-28 01:06:49.013784+00:00
--------------------------------------------------------------------------------

Name : python-django5
Product : Fedora 43
Version : 5.2.11
Release : 1.fc43
URL : https://www.djangoproject.com/
Summary : A high-level Python Web framework
Description :
Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as
much as possible and adhering to the DRY (Don't Repeat Yourself)
principle.

--------------------------------------------------------------------------------
Update Information:

Fixes CVE-2025-13473: Username enumeration through timing difference in mod_wsgi
authentication handler
Fixes CVE-2025-14550: Potential denial-of-service vulnerability via repeated
headers when using ASGI
Fixes CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS
Fixes CVE-2026-1285: Potential denial-of-service vulnerability in
django.utils.text.Truncator HTML methods
Fixes CVE-2026-1287: Potential SQL injection in column aliases via control
characters
Fixes CVE-2026-1312: Potential SQL injection via QuerySet.order_by and
FilteredRelation
Fixed a bug in Django 5.2 where data exceeding max_length was silently truncated
by QuerySet.bulk_create() on PostgreSQL
Fixed a bug where management command colorized help (introduced in Python 3.14)
ignored the --no-color option and the DJANGO_COLORS setting
--------------------------------------------------------------------------------
ChangeLog:

* Thu Feb 19 2026 Michel Lind [salimma@fedoraproject.org] - 5.2.11-1
- Update to version 5.2.11; Resolves: RHBZ#2427483
- `python-django5` is now the alternate `python3-django5` on Fedora 44+,
`python3-django` is now Django 6.x
- Fixes CVE-2025-13473: Username enumeration through timing difference in
mod_wsgi authentication handler
- Fixes CVE-2025-14550: Potential denial-of-service vulnerability via
repeated headers when using ASGI
- Fixes CVE-2026-1207: Potential SQL injection via raster lookups on
PostGIS
- Fixes CVE-2026-1285: Potential denial-of-service vulnerability in
django.utils.text.Truncator HTML methods
- Fixes CVE-2026-1287: Potential SQL injection in column aliases via
control characters
- Fixes CVE-2026-1312: Potential SQL injection via QuerySet.order_by and
FilteredRelation
- Fixed a bug in Django 5.2 where data exceeding max_length was silently
truncated by QuerySet.bulk_create() on PostgreSQL
- Fixed a bug where management command colorized help (introduced in Python
3.14) ignored the --no-color option and the DJANGO_COLORS setting
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 5.2.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2427483 - python-django5-5.2.11 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2427483
[ 2 ] Bug #2436693 - CVE-2026-1312 python-django5: Django: SQL injection via crafted column aliases in QuerySet.order_by() [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2436693
[ 3 ] Bug #2436702 - CVE-2026-1207 python-django5: Django: SQL Injection via RasterField band index parameter [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2436702
[ 4 ] Bug #2436706 - CVE-2026-1285 python-django5: Django: Denial of Service via crafted HTML inputs [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2436706
[ 5 ] Bug #2436707 - CVE-2025-14550 python-django5: Django: Denial of Service via crafted request with duplicate headers [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2436707
[ 6 ] Bug #2436717 - CVE-2026-1287 python-django5: Django: SQL Injection via crafted column aliases [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2436717
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-3adb735295' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: python3.9-3.9.25-6.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-289d6d4f69
2026-02-28 01:06:49.013721+00:00
--------------------------------------------------------------------------------

Name : python3.9
Product : Fedora 43
Version : 3.9.25
Release : 6.fc43
URL : https://www.python.org/
Summary : Version 3.9 of the Python interpreter
Description :
Python 3.9 package for developers.

This package exists to allow developers to test their code against an older
version of Python. This is not a full Python stack and if you wish to run
your applications with Python 3.9, see other distributions
that support it, such as CentOS or RHEL or older Fedora releases.

--------------------------------------------------------------------------------
Update Information:

Security fixes for CVE-2026-1299, CVE-2026-0865, CVE-2025-15366 and
CVE-2025-15367
--------------------------------------------------------------------------------
ChangeLog:

* Tue Feb 10 2026 Tomáš Hrnčiar [thrnciar@redhat.com] - 3.9.25-6
- Security fix for CVE-2026-1299
* Mon Feb 9 2026 Tomáš Hrnčiar [thrnciar@redhat.com] - 3.9.25-5
- Security fixes for CVE-2026-0865, CVE-2025-15366 and CVE-2025-15367
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 3.9.25-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2431632 - CVE-2025-15366 python3.9: IMAP command injection in user-controlled commands [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2431632
[ 2 ] Bug #2431656 - CVE-2025-15367 python3.9: POP3 command injection in user-controlled commands [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2431656
[ 3 ] Bug #2431848 - CVE-2026-0865 python3.9: wsgiref.headers.Headers allows header newline injection in Python [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2431848
[ 4 ] Bug #2433832 - CVE-2026-1299 python3.9: email header injection due to unquoted newlines [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2433832
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-289d6d4f69' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------