
Several critical security updates have been released for Fedora 42 and Fedora 43 addressing vulnerabilities across a wide array of packages. The Chromium Embedded Framework, libpng, and mingw-openexr are among the key components receiving patches for serious issues like heap buffer overflows and integer overflows. Python libraries including cairosvg and Flask HTTP auth also require updating to fix authentication bypasses and denial of service risks found in recent versions. System administrators should utilize the dnf upgrade command with the provided advisory identifiers to install these signed packages immediately.

Fedora 42 Update: python-cairosvg-2.9.0-1.fc42
Fedora 42 Update: cef-146.0.11^chromium146.0.7680.177-2.fc42
Fedora 42 Update: moby-engine-29.4.0-1.fc42
Fedora 42 Update: erlang-26.2.5.19-1.fc42
Fedora 42 Update: mingw-openexr-3.3.9-1.fc42
Fedora 42 Update: libpng-1.6.56-1.fc42
Fedora 42 Update: perl-Devel-Cover-1.44-7.fc42
Fedora 42 Update: polymake-4.15-3.fc42
Fedora 42 Update: perl-5.40.4-520.fc42
Fedora 42 Update: perl-PAR-Packer-1.064-3.fc42
Fedora 43 Update: python-cairosvg-2.9.0-1.fc43
Fedora 43 Update: cef-146.0.11^chromium146.0.7680.177-2.fc43
Fedora 43 Update: pypy-7.3.21-8.fc43
Fedora 43 Update: composer-2.9.7-1.fc43
Fedora 43 Update: micropython-1.28.0-1.fc43
Fedora 43 Update: python3.15-3.15.0~a8-1.fc43
Fedora 43 Update: moby-engine-29.4.0-1.fc43
Fedora 43 Update: erlang-26.2.5.19-1.fc43
Fedora 43 Update: python-flask-httpauth-4.8.1-1.fc43
Fedora 43 Update: NetworkManager-ssh-1.4.4-1.fc43
Fedora 43 Update: mingw-openexr-3.3.9-1.fc43




[SECURITY] Fedora 42 Update: python-cairosvg-2.9.0-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-a2778fcae6
2026-04-16 01:08:38.333442+00:00
--------------------------------------------------------------------------------

Name : python-cairosvg
Product : Fedora 42
Version : 2.9.0
Release : 1.fc42
URL : https://cairosvg.org/
Summary : A Simple SVG Converter for Cairo
Description :
CairoSVG is a SVG 1.1 to PNG, PDF, PS and SVG converter which can also be used
as a Python library.

--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2026-31899: https://nvd.nist.gov/vuln/detail/CVE-2026-31899
/ https://github.com/Kozea/CairoSVG/security/advisories/GHSA-f38f-5xpm-9r7c
Exponential DoS via recursive element amplification
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 15 2026 Michel Lind [salimma@fedoraproject.org] - 2.9.0-1
- Update to 2.9.0 upstream release
- Resolves: rhbz#2229363
- Resolves: CVE-2026-31899
- Enable Packit
- Drop unneeded test shenanigans
- Enforce that license is preinstalled, stop installing by hand
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 2.8.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Sat Nov 29 2025 Orion Poplawski [orion@nwra.com] - 2.8.2-1
- Update to 2.8.2
* Sat Nov 29 2025 Orion Poplawski [orion@nwra.com] - 2.7.1-7
- Use pyproject macros (rhbz#2377503)
* Fri Sep 19 2025 Python Maint - 2.7.1-5
- Rebuilt for Python 3.14.0rc3 bytecode
* Fri Aug 15 2025 Python Maint - 2.7.1-4
- Rebuilt for Python 3.14.0rc2 bytecode
* Fri Jul 25 2025 Fedora Release Engineering [releng@fedoraproject.org] - 2.7.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Tue Jun 3 2025 Python Maint - 2.7.1-2
- Rebuilt for Python 3.14
* Fri May 9 2025 Orion Poplawski [orion@nwra.com] - 2.7.1-1
- Update to 2.7.1
* Thu Apr 3 2025 Lumír Balhar [lbalhar@redhat.com] - 2.7.0-10
- Fix compatibility with newer setuptools
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2447854 - CVE-2026-31899 python-cairosvg: CairoSVG: Denial of Service via recursive element amplification [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2447854
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-a2778fcae6' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 42 Update: cef-146.0.11^chromium146.0.7680.177-2.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-e0c31e9e7e
2026-04-16 01:08:38.333440+00:00
--------------------------------------------------------------------------------

Name : cef
Product : Fedora 42
Version : 146.0.11^chromium146.0.7680.177
Release : 2.fc42
URL : https://bitbucket.org/chromiumembedded/cef
Summary : Chromium Embedded Framework
Description :
CEF is an embeddable build of Chromium, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

Update to 146.0.7680.177 + cef-146.0.11+g8e1262b
High CVE-2026-5273: Use after free in CSS
High CVE-2026-5272: Heap buffer overflow in GPU
High CVE-2026-5274: Integer overflow in Codecs
High CVE-2026-5275: Heap buffer overflow in ANGLE
High CVE-2026-5276: Insufficient policy enforcement in WebUSB
High CVE-2026-5277: Integer overflow in ANGLE
High CVE-2026-5278: Use after free in Web MIDI
High CVE-2026-5279: Object corruption in V8
High CVE-2026-5280: Use after free in WebCodecs
High CVE-2026-5281: Use after free in Dawn
High CVE-2026-5282: Out of bounds read in WebCodecs
High CVE-2026-5283: Inappropriate implementation in ANGLE
High CVE-2026-5284: Use after free in Dawn
High CVE-2026-5285: Use after free in WebGL
High CVE-2026-5286: Use after free in Dawn
High CVE-2026-5287: Use after free in PDF
High CVE-2026-5288: Use after free in WebView
High CVE-2026-5289: Use after free in Navigation
High CVE-2026-5290: Use after free in Compositing
Medium CVE-2026-5291: Inappropriate implementation in WebGL
Medium CVE-2026-5292: Out of bounds read in WebCodecs
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 15 2026 Hoshino Lina [lina@lina.yt] - 146.0.11^chromium146.0.7680.177-1
- Update to cef-146.0.11+g8e1262b
* Wed Apr 15 2026 Than Ngo [than@redhat.com] - 146.0.9^chromium146.0.7680.177-1
- Update to 146.0.7680.177
- * High CVE-2026-5273: Use after free in CSS
- * High CVE-2026-5272: Heap buffer overflow in GPU
- * High CVE-2026-5274: Integer overflow in Codecs
- * High CVE-2026-5275: Heap buffer overflow in ANGLE
- * High CVE-2026-5276: Insufficient policy enforcement in WebUSB
- * High CVE-2026-5277: Integer overflow in ANGLE
- * High CVE-2026-5278: Use after free in Web MIDI
- * High CVE-2026-5279: Object corruption in V8
- * High CVE-2026-5280: Use after free in WebCodecs
- * High CVE-2026-5281: Use after free in Dawn
- * High CVE-2026-5282: Out of bounds read in WebCodecs
- * High CVE-2026-5283: Inappropriate implementation in ANGLE
- * High CVE-2026-5284: Use after free in Dawn
- * High CVE-2026-5285: Use after free in WebGL
- * High CVE-2026-5286: Use after free in Dawn
- * High CVE-2026-5287: Use after free in PDF
- * High CVE-2026-5288: Use after free in WebView
- * High CVE-2026-5289: Use after free in Navigation
- * High CVE-2026-5290: Use after free in Compositing
- * Medium CVE-2026-5291: Inappropriate implementation in WebGL
- * Medium CVE-2026-5292: Out of bounds read in WebCodecs
- removed ppc64le-build-error patch that is merged in upstream
* Tue Apr 14 2026 Hoshino Lina [lina@lina.yt] - 146.0.9^chromium146.0.7680.164-2
- Fix 136 ABI backwards compat breakage
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2454750 - cef-146.0.11 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2454750
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-e0c31e9e7e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 42 Update: moby-engine-29.4.0-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-49fd0d9636
2026-04-16 01:08:38.333428+00:00
--------------------------------------------------------------------------------

Name : moby-engine
Product : Fedora 42
Version : 29.4.0
Release : 1.fc42
URL : https://github.com/moby/moby
Summary : The open-source application container engine
Description :
Docker is an open source project to build, ship and run any application as a
lightweight container.

Docker containers are both hardware-agnostic and platform-agnostic. This means
they can run anywhere, from your laptop to the largest EC2 compute instance and
everything in between - and they do not require you to use a particular
language, framework or packaging system. That makes them great building blocks
for deploying and scaling web apps, databases, and backend services without
depending on a particular stack or provider.

--------------------------------------------------------------------------------
Update Information:

Update to release v29.4.0
Resolves: rhbz#2455894
Resolves CVE-2026-34986: rhbz#2455665
Upstream new features and fixes
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 7 2026 Bradley G Smith [bradley.g.smith@gmail.com] - 29.4.0-1
- Update to release v29.4.0
- Resolves: rhbz#2455894
- Resolves CVE-2026-34986: rhbz#2455665
- Upstream new features and fixes
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2455665 - CVE-2026-34986 moby-engine: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455665
[ 2 ] Bug #2455894 - moby-engine-29.4.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2455894
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-49fd0d9636' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 42 Update: erlang-26.2.5.19-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-dd4a7e240e
2026-04-16 01:08:38.333416+00:00
--------------------------------------------------------------------------------

Name : erlang
Product : Fedora 42
Version : 26.2.5.19
Release : 1.fc42
URL : https://www.erlang.org
Summary : General-purpose programming language and runtime environment
Description :
Erlang is a general-purpose programming language and runtime
environment. Erlang has built-in support for concurrency, distribution
and fault tolerance. Erlang is used in several large telecommunication
systems from Ericsson.

--------------------------------------------------------------------------------
Update Information:

Erlang ver. 26.2.5.19
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 7 2026 Peter Lemenkov [lemenkov@gmail.com] - 26.2.5.19-1
- Ver. 26.2.5.19
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2456135 - CVE-2026-28810 erlang: Erlang/OTP kernel: DNS cache poisoning via predictable DNS transaction IDs [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2456135
[ 2 ] Bug #2456139 - CVE-2026-28808 erlang: Erlang OTP inets modules: Unauthenticated access to protected CGI scripts via incorrect authorization [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2456139
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-dd4a7e240e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 42 Update: mingw-openexr-3.3.9-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-d939698c2e
2026-04-16 01:08:38.333396+00:00
--------------------------------------------------------------------------------

Name : mingw-openexr
Product : Fedora 42
Version : 3.3.9
Release : 1.fc42
URL : http://www.openexr.com/
Summary : MinGW Windows openexr library
Description :
MinGW Windows openexr library.

--------------------------------------------------------------------------------
Update Information:

Update to openexr-3.3.9.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 7 2026 Sandro Mani [manisandro@gmail.com] - 3.3.9-1
- Update to 3.3.9
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2455494 - CVE-2026-34379 mingw-openexr: OpenEXR: Denial of Service due to misaligned memory write during EXR file decoding [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455494
[ 2 ] Bug #2455498 - CVE-2026-34589 mingw-openexr: OpenEXR: Memory corruption leading to arbitrary code execution or denial of service [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455498
[ 3 ] Bug #2455502 - CVE-2026-34588 mingw-openexr: OpenEXR: Arbitrary code execution and information disclosure via crafted EXR file [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455502
[ 4 ] Bug #2455531 - CVE-2026-34380 mingw-openexr: OpenEXR: Denial of Service due to signed integer overflow in image decoding [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455531
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-d939698c2e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 42 Update: libpng-1.6.56-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-ba18a54554
2026-04-16 01:08:38.333394+00:00
--------------------------------------------------------------------------------

Name : libpng
Product : Fedora 42
Version : 1.6.56
Release : 1.fc42
URL : http://www.libpng.org/pub/png/
Summary : A library of functions for manipulating PNG image format files
Description :
The libpng package contains a library of functions for creating and
manipulating PNG (Portable Network Graphics) image format files. PNG
is a bit-mapped graphics format similar to the GIF format. PNG was
created to replace the GIF format, since GIF uses a patented data
compression algorithm.

Libpng should be installed if you need to manipulate PNG format image
files.

--------------------------------------------------------------------------------
Update Information:

1.6.56 is a release that fixes the following two security vulnerabilities:
CVE-2026-33416 (high severity): Use-after-free memory bug in the transparency
and palette-handling code. Similar to its predecessor CVE-2026-25646, this
latent bug has existed for 25 years. Both Halil Oktay and Ryo Shimada discovered
it within days of one another.
CVE-2026-33636 (high severity): Out-of-bounds read and write vulnerability in
the ARM Neon palette-expansion code. This one was found and fixed by Taegu Ha
and has existed since 1.6.36.
The images that trigger these bugs are valid. Users are encouraged to update
immediately.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr 6 2026 Michal Hlavinka [mhlavink@redhat.com] - 2:1.6.56-1
- updated to 1.6.56 (#2451569)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2452116 - CVE-2026-33636 libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2452116
[ 2 ] Bug #2452144 - CVE-2026-33416 libpng: libpng: Arbitrary code execution due to use-after-free vulnerability [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2452144
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-ba18a54554' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 42 Update: perl-Devel-Cover-1.44-7.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-58dd426edd
2026-04-16 01:08:38.333387+00:00
--------------------------------------------------------------------------------

Name : perl-Devel-Cover
Product : Fedora 42
Version : 1.44
Release : 7.fc42
URL : https://metacpan.org/release/Devel-Cover
Summary : Code coverage metrics for Perl
Description :
This module provides code coverage metrics for Perl. Code coverage metrics
describe how thoroughly tests exercise code. By using Devel::Cover you can
discover areas of code not exercised by your tests and determine which
tests to create to increase coverage. Code coverage can be considered as an
indirect measure of quality.

--------------------------------------------------------------------------------
Update Information:

Update for Perl 5.40.4
--------------------------------------------------------------------------------
ChangeLog:

* Tue Mar 31 2026 Jitka Plesnikova [jplesnik@redhat.com] - 1.44-7
- Rebuild for Perl 5.40.4
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2453132 - CVE-2026-4176 perl: Perl: Multiple vulnerabilities due to an outdated vendored zlib library [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2453132
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-58dd426edd' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 42 Update: polymake-4.15-3.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-58dd426edd
2026-04-16 01:08:38.333387+00:00
--------------------------------------------------------------------------------

Name : polymake
Product : Fedora 42
Version : 4.15
Release : 3.fc42
URL : https://polymake.org/
Summary : Algorithms on convex polytopes and polyhedra
Description :
Polymake is a tool to study the combinatorics and the geometry of convex
polytopes and polyhedra. It is also capable of dealing with simplicial
complexes, matroids, polyhedral fans, graphs, tropical objects, and so
forth.

Polymake can use various computational packages if they are installed.
Those available from Fedora are: 4ti2, azove, gfan, latte-integrale,
normaliz, qhull, Singular, TOPCOM, and vinci.

Polymake can interface with various visualization packages if they are
installed. Install one or more of the tools from the following list:
evince, geomview, graphviz, gv, and okular.

--------------------------------------------------------------------------------
Update Information:

Update for Perl 5.40.4
--------------------------------------------------------------------------------
ChangeLog:

* Tue Mar 31 2026 Jitka Plesnikova [jplesnik@redhat.com] - 4.15-3
- Rebuild for Perl 5.40.4
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2453132 - CVE-2026-4176 perl: Perl: Multiple vulnerabilities due to an outdated vendored zlib library [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2453132
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-58dd426edd' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 42 Update: perl-5.40.4-520.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-58dd426edd
2026-04-16 01:08:38.333387+00:00
--------------------------------------------------------------------------------

Name : perl
Product : Fedora 42
Version : 5.40.4
Release : 520.fc42
URL : https://www.perl.org/
Summary : Practical Extraction and Report Language
Description :
Perl is a high-level programming language with roots in C, sed, awk and shell
scripting. Perl is good at handling processes and files, and is especially
good at handling text. Perl's hallmarks are practicality and efficiency.
While it is used to do a lot of different things, Perl's most common
applications are system administration utilities and web programming.

This is a metapackage with all the Perl bits and core modules that can be
found in the upstream tarball from perl.org.

If you need only a specific feature, you can install a specific package
instead. E.g. to handle Perl scripts with /usr/bin/perl interpreter,
install perl-interpreter package. See perl-interpreter description for more
details on the Perl decomposition into packages.

--------------------------------------------------------------------------------
Update Information:

Update for Perl 5.40.4
--------------------------------------------------------------------------------
ChangeLog:

* Tue Mar 31 2026 Jitka Plesnikova [jplesnik@redhat.com] - 4:5.40.4-520
- 5.40.4 bump (see https://metacpan.org/release/SHAY/perl-5.40.4/view/pod/perldelta.pod)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2453132 - CVE-2026-4176 perl: Perl: Multiple vulnerabilities due to an outdated vendored zlib library [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2453132
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-58dd426edd' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 42 Update: perl-PAR-Packer-1.064-3.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-58dd426edd
2026-04-16 01:08:38.333387+00:00
--------------------------------------------------------------------------------

Name : perl-PAR-Packer
Product : Fedora 42
Version : 1.064
Release : 3.fc42
URL : https://metacpan.org/release/PAR-Packer
Summary : PAR Packager
Description :
This module implements the App::Packer::Backend interface, for generating
stand-alone executables, perl scripts and PAR files.

--------------------------------------------------------------------------------
Update Information:

Update for Perl 5.40.4
--------------------------------------------------------------------------------
ChangeLog:

* Tue Mar 31 2026 Jitka Plesnikova [jplesnik@redhat.com] - 1.064-3
- Rebuild for Perl 5.40.4
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2453132 - CVE-2026-4176 perl: Perl: Multiple vulnerabilities due to an outdated vendored zlib library [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2453132
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-58dd426edd' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: python-cairosvg-2.9.0-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-ec61ca906c
2026-04-16 00:53:32.960300+00:00
--------------------------------------------------------------------------------

Name : python-cairosvg
Product : Fedora 43
Version : 2.9.0
Release : 1.fc43
URL : https://cairosvg.org/
Summary : A Simple SVG Converter for Cairo
Description :
CairoSVG is a SVG 1.1 to PNG, PDF, PS and SVG converter which can also be used
as a Python library.

--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2026-31899: https://nvd.nist.gov/vuln/detail/CVE-2026-31899
/ https://github.com/Kozea/CairoSVG/security/advisories/GHSA-f38f-5xpm-9r7c
Exponential DoS via recursive element amplification
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 15 2026 Michel Lind [salimma@fedoraproject.org] - 2.9.0-1
- Update to 2.9.0 upstream release
- Resolves: rhbz#2229363
- Resolves: CVE-2026-31899
- Enable Packit
- Drop unneeded test shenanigans
- Enforce that license is preinstalled, stop installing by hand
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 2.8.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Sat Nov 29 2025 Orion Poplawski [orion@nwra.com] - 2.8.2-1
- Update to 2.8.2
* Sat Nov 29 2025 Orion Poplawski [orion@nwra.com] - 2.7.1-7
- Use pyproject macros (rhbz#2377503)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2447854 - CVE-2026-31899 python-cairosvg: CairoSVG: Denial of Service via recursive element amplification [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2447854
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-ec61ca906c' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: cef-146.0.11^chromium146.0.7680.177-2.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-ffdca48c25
2026-04-16 00:53:32.960297+00:00
--------------------------------------------------------------------------------

Name : cef
Product : Fedora 43
Version : 146.0.11^chromium146.0.7680.177
Release : 2.fc43
URL : https://bitbucket.org/chromiumembedded/cef
Summary : Chromium Embedded Framework
Description :
CEF is an embeddable build of Chromium, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

Update to 146.0.7680.177 + cef-146.0.11+g8e1262b
High CVE-2026-5273: Use after free in CSS
High CVE-2026-5272: Heap buffer overflow in GPU
High CVE-2026-5274: Integer overflow in Codecs
High CVE-2026-5275: Heap buffer overflow in ANGLE
High CVE-2026-5276: Insufficient policy enforcement in WebUSB
High CVE-2026-5277: Integer overflow in ANGLE
High CVE-2026-5278: Use after free in Web MIDI
High CVE-2026-5279: Object corruption in V8
High CVE-2026-5280: Use after free in WebCodecs
High CVE-2026-5281: Use after free in Dawn
High CVE-2026-5282: Out of bounds read in WebCodecs
High CVE-2026-5283: Inappropriate implementation in ANGLE
High CVE-2026-5284: Use after free in Dawn
High CVE-2026-5285: Use after free in WebGL
High CVE-2026-5286: Use after free in Dawn
High CVE-2026-5287: Use after free in PDF
High CVE-2026-5288: Use after free in WebView
High CVE-2026-5289: Use after free in Navigation
High CVE-2026-5290: Use after free in Compositing
Medium CVE-2026-5291: Inappropriate implementation in WebGL
Medium CVE-2026-5292: Out of bounds read in WebCodecs
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 15 2026 Hoshino Lina [lina@lina.yt] - 146.0.11^chromium146.0.7680.177-1
- Update to cef-146.0.11+g8e1262b
* Wed Apr 15 2026 Than Ngo [than@redhat.com] - 146.0.9^chromium146.0.7680.177-1
- Update to 146.0.7680.177
- * High CVE-2026-5273: Use after free in CSS
- * High CVE-2026-5272: Heap buffer overflow in GPU
- * High CVE-2026-5274: Integer overflow in Codecs
- * High CVE-2026-5275: Heap buffer overflow in ANGLE
- * High CVE-2026-5276: Insufficient policy enforcement in WebUSB
- * High CVE-2026-5277: Integer overflow in ANGLE
- * High CVE-2026-5278: Use after free in Web MIDI
- * High CVE-2026-5279: Object corruption in V8
- * High CVE-2026-5280: Use after free in WebCodecs
- * High CVE-2026-5281: Use after free in Dawn
- * High CVE-2026-5282: Out of bounds read in WebCodecs
- * High CVE-2026-5283: Inappropriate implementation in ANGLE
- * High CVE-2026-5284: Use after free in Dawn
- * High CVE-2026-5285: Use after free in WebGL
- * High CVE-2026-5286: Use after free in Dawn
- * High CVE-2026-5287: Use after free in PDF
- * High CVE-2026-5288: Use after free in WebView
- * High CVE-2026-5289: Use after free in Navigation
- * High CVE-2026-5290: Use after free in Compositing
- * Medium CVE-2026-5291: Inappropriate implementation in WebGL
- * Medium CVE-2026-5292: Out of bounds read in WebCodecs
- removed ppc64le-build-error patch that is merged in upstream
* Tue Apr 14 2026 Hoshino Lina [lina@lina.yt] - 146.0.9^chromium146.0.7680.164-2
- Fix 136 ABI backwards compat breakage
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2454750 - cef-146.0.11 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2454750
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-ffdca48c25' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: pypy-7.3.21-8.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-2af3865ebf
2026-04-16 00:53:32.960294+00:00
--------------------------------------------------------------------------------

Name : pypy
Product : Fedora 43
Version : 7.3.21
Release : 8.fc43
URL : https://www.pypy.org/
Summary : Python implementation with a Just-In-Time compiler
Description :
PyPy's implementation of Python, featuring a Just-In-Time compiler on some CPU
architectures, and various optimized implementations of the standard types
(strings, dictionaries, etc)

This build of PyPy has JIT-compilation enabled.

--------------------------------------------------------------------------------
Update Information:

JIT translation fix for bootstrapping, require openssl 3 and fix CVE-2026-25645
and CVE-2025-8869
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 14 2026 Charalampos Stratakis [cstratak@redhat.com] - 7.3.21-7
- Security fix for CVE-2026-25645 in the bundled requests in the bundled
pip wheel
- Fixes: rhbz#2452324
* Tue Apr 14 2026 Charalampos Stratakis [cstratak@redhat.com] - 7.3.21-6
- Security fix for CVE-2025-8869 in the bundled pip wheel
- Fixes: rhbz#2397929
* Tue Apr 14 2026 Charalampos Stratakis [cstratak@redhat.com] - 7.3.21-5
- Fix bootstrapping segfaults
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2397929 - CVE-2025-8869 pypy: pip missing checks on symbolic link extraction [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2397929
[ 2 ] Bug #2452324 - CVE-2026-25645 pypy: Requests: Security bypass due to predictable temporary file creation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452324
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-2af3865ebf' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: composer-2.9.7-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-02c1f66b6a
2026-04-16 00:53:32.960292+00:00
--------------------------------------------------------------------------------

Name : composer
Product : Fedora 43
Version : 2.9.7
Release : 1.fc43
URL : https://getcomposer.org/
Summary : Dependency Manager for PHP
Description :
Composer helps you declare, manage and install dependencies of PHP projects,
ensuring you have the right stack everywhere.

Documentation: https://getcomposer.org/doc/

--------------------------------------------------------------------------------
Update Information:

Version 2.9.7 - 2026-04-14
- Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)
Version 2.9.6 - 2026-04-14
- Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
- Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
- Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
- Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
- Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
- Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
- Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
- Fixed GitHub API authentication errors not being visible to the user (#12737)
- Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
- Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 14 2026 Remi Collet [remi@remirepo.net] - 2.9.7-1
- update to 2.9.7
* Tue Apr 14 2026 Remi Collet [remi@remirepo.net] - 2.9.6-1
- update to 2.9.6
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-02c1f66b6a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: micropython-1.28.0-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-29f4f47ade
2026-04-16 00:53:32.960281+00:00
--------------------------------------------------------------------------------

Name : micropython
Product : Fedora 43
Version : 1.28.0
Release : 1.fc43
URL : http://micropython.org/
Summary : Implementation of Python 3 with very low memory footprint
Description :
Implementation of Python 3 with very low memory footprint

--------------------------------------------------------------------------------
Update Information:

Update to 1.28.0
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr 6 2026 Lumír Balhar [lbalhar@redhat.com] - 1.28.0-1
- Update to 1.28.0
- Security fix for CVE-2026-1998
- Update mbedtls submodule to 3.6.6
- mbedtls security fixes for CVE-2026-25834, CVE-2026-34871, CVE-2026-25833
- CVE-2025-52496, CVE-2025-52497, CVE-2025-49087, CVE-2025-54764, CVE-2025-59438
Resolves: rhbz#2455368, rhbz#2376688, rhbz#2376701, rhbz#2382261, rhbz#2405245,
rhbz#2405374, rhbz#2437327, rhbz#2454032, rhbz#2454086, rhbz#2454213
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 1.27.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2376688 - CVE-2025-52496 micropython: Mbed TLS AESNI Race Condition Vulnerability [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2376688
[ 2 ] Bug #2376701 - CVE-2025-52497 micropython: Mbed TLS PEM Parsing Buffer Underflow [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2376701
[ 3 ] Bug #2382261 - CVE-2025-49087 micropython: Mbed TLS PKCS#7 Timing Vulnerability [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2382261
[ 4 ] Bug #2405245 - CVE-2025-54764 micropython: Mbedtls timing attacks in RSA operations [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2405245
[ 5 ] Bug #2405374 - CVE-2025-59438 micropython: MbedTLS Padding oracle through timing of cipher error reporting [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2405374
[ 6 ] Bug #2437327 - CVE-2026-1998 micropython: micropython runtime.c mp_import_all memory corruption [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2437327
[ 7 ] Bug #2454032 - CVE-2026-25833 micropython: buffer underflow in x509_inet_pton_ipv6() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2454032
[ 8 ] Bug #2454086 - CVE-2026-34871 micropython: entropy on Linux can fall back to /dev/urandom [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2454086
[ 9 ] Bug #2454213 - CVE-2026-25834 micropython: Mbed TLS: Algorithm downgrade vulnerability [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2454213
[ 10 ] Bug #2455368 - micropython-1.28.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2455368
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-29f4f47ade' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: python3.15-3.15.0~a8-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7ea30e843c
2026-04-16 00:53:32.960275+00:00
--------------------------------------------------------------------------------

Name : python3.15
Product : Fedora 43
Version : 3.15.0~a8
Release : 1.fc43
URL : https://www.python.org/
Summary : Version 3.15 of the Python interpreter
Description :
Python 3.15 is an accessible, high-level, dynamically typed, interpreted
programming language, designed with an emphasis on code readability.
It includes an extensive standard library, and has a vast ecosystem of
third-party libraries.

The python3.15 package provides the "python3.15" executable: the reference
interpreter for the Python language, version 3.
The majority of its standard library is provided in the python3.15-libs package,
which should be installed automatically along with python3.15.
The remaining parts of the Python standard library are broken out into the
python3.15-tkinter and python3.15-test packages, which may need to be installed
separately.

Documentation for Python is provided in the python3.15-docs package.

Packages containing additional libraries for Python are generally named with
the "python3.15-" prefix.

--------------------------------------------------------------------------------
Update Information:

New prerelease version
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 8 2026 Karolina Surma [ksurma@redhat.com] - 3.15.0~a8-1
- Update to Python 3.15.0a8
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2444708 - CVE-2026-2297 python3.15: CPython: Logging Bypass in Legacy .pyc File Handling [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2444708
[ 2 ] Bug #2448192 - CVE-2026-3644 python3.15: Incomplete control character validation in http.cookies [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2448192
[ 3 ] Bug #2448208 - CVE-2026-4224 python3.15: Stack overflow parsing XML with deeply nested DTD content models [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2448208
[ 4 ] Bug #2449260 - CVE-2026-3479 python3.15: Python pkgutil.get_data(): Path Traversal via improper resource argument validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449260
[ 5 ] Bug #2449731 - CVE-2026-4519 python3.15: Python: Command-line option injection in webbrowser.open() via crafted URLs [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449731
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-7ea30e843c' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: moby-engine-29.4.0-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-a5015b57b9
2026-04-16 00:53:32.960264+00:00
--------------------------------------------------------------------------------

Name : moby-engine
Product : Fedora 43
Version : 29.4.0
Release : 1.fc43
URL : https://github.com/moby/moby
Summary : The open-source application container engine
Description :
Docker is an open source project to build, ship and run any application as a
lightweight container.

Docker containers are both hardware-agnostic and platform-agnostic. This means
they can run anywhere, from your laptop to the largest EC2 compute instance and
everything in between, and they do not require you to use a particular
language, framework or packaging system. That makes them great building blocks
for deploying and scaling web apps, databases, and backend services without
depending on a particular stack or provider.

--------------------------------------------------------------------------------
Update Information:

Update to release v29.4.0
Resolves: rhbz#2455894
Resolves CVE-2026-34986: rhbz#2455665
Upstream new features and fixes
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 7 2026 Bradley G Smith [bradley.g.smith@gmail.com] - 29.4.0-1
- Update to release v29.4.0
- Resolves: rhbz#2455894
- Resolves CVE-2026-34986: rhbz#2455665
- Upstream new features and fixes
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2455665 - CVE-2026-34986 moby-engine: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455665
[ 2 ] Bug #2455894 - moby-engine-29.4.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2455894
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-a5015b57b9' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: erlang-26.2.5.19-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-53a7ddccc8
2026-04-16 00:53:32.960248+00:00
--------------------------------------------------------------------------------

Name : erlang
Product : Fedora 43
Version : 26.2.5.19
Release : 1.fc43
URL : https://www.erlang.org
Summary : General-purpose programming language and runtime environment
Description :
Erlang is a general-purpose programming language and runtime
environment. Erlang has built-in support for concurrency, distribution
and fault tolerance. Erlang is used in several large telecommunication
systems from Ericsson.

--------------------------------------------------------------------------------
Update Information:

Erlang ver. 26.2.5.19
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 7 2026 Peter Lemenkov [lemenkov@gmail.com] - 26.2.5.19-1
- Ver. 26.2.5.19
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2456135 - CVE-2026-28810 erlang: Erlang/OTP kernel: DNS cache poisoning via predictable DNS transaction IDs [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2456135
[ 2 ] Bug #2456139 - CVE-2026-28808 erlang: Erlang OTP inets modules: Unauthenticated access to protected CGI scripts via incorrect authorization [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2456139
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-53a7ddccc8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: python-flask-httpauth-4.8.1-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-04d6f223e0
2026-04-16 00:53:32.960219+00:00
--------------------------------------------------------------------------------

Name : python-flask-httpauth
Product : Fedora 43
Version : 4.8.1
Release : 1.fc43
URL : http://github.com/miguelgrinberg/flask-httpauth/
Summary : Basic and Digest HTTP authentication for Flask routes
Description :
FlaskHTTPAuth Basic and Digest HTTP authentication for Flask routes.

--------------------------------------------------------------------------------
Update Information:

Update to version 4.8.1 (#2454342)
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 7 2026 Javier Peña [jpena@redhat.com] - 4.8.0-1
- Update to version 4.8.1 (#2454342)
- Fixes CVE-2026-34531
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 4.8.0-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2454342 - CVE-2026-34531 python-flask-httpauth: token verification callback invoked when missing or empty token was given by client [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2454342
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-04d6f223e0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: NetworkManager-ssh-1.4.4-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-3aebe19127
2026-04-16 00:53:32.960175+00:00
--------------------------------------------------------------------------------

Name : NetworkManager-ssh
Product : Fedora 43
Version : 1.4.4
Release : 1.fc43
URL : https://github.com/danfruehauf/NetworkManager-ssh
Summary : NetworkManager VPN plugin for SSH
Description :
This package contains software for integrating VPN capabilities with
the OpenSSH server with NetworkManager.

--------------------------------------------------------------------------------
Update Information:

Add sshpass -P prompt
Fix CVE-2025-9615
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 7 2026 Dan Fruehauf [malkodan@gmail.com] - 1.4.4-1
- Add sshpass -P prompt
* Fri Apr 3 2026 Dan Fruehauf [malkodan@gmail.com] - 1.4.3-1
- Always run autoreconf -fvi
- Fix file access for private key and known hosts (rhbz#2428396)
- Fix pkg-config macro
- Move D-Bus policy file to /usr/share/dbus-1/system.d/
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2428396 - Adaptations for CVE-2025-9615 (NetworkManager)
https://bugzilla.redhat.com/show_bug.cgi?id=2428396
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-3aebe19127' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: mingw-openexr-3.3.9-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-c803743b67
2026-04-16 00:53:32.960172+00:00
--------------------------------------------------------------------------------

Name : mingw-openexr
Product : Fedora 43
Version : 3.3.9
Release : 1.fc43
URL : http://www.openexr.com/
Summary : MinGW Windows openexr library
Description :
MinGW Windows openexr library.

--------------------------------------------------------------------------------
Update Information:

Update to openexr-3.3.9.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 7 2026 Sandro Mani [manisandro@gmail.com] - 3.3.9-1
- Update to 3.3.9
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2455494 - CVE-2026-34379 mingw-openexr: OpenEXR: Denial of Service due to misaligned memory write during EXR file decoding [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455494
[ 2 ] Bug #2455498 - CVE-2026-34589 mingw-openexr: OpenEXR: Memory corruption leading to arbitrary code execution or denial of service [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455498
[ 3 ] Bug #2455502 - CVE-2026-34588 mingw-openexr: OpenEXR: Arbitrary code execution and information disclosure via crafted EXR file [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455502
[ 4 ] Bug #2455531 - CVE-2026-34380 mingw-openexr: OpenEXR: Denial of Service due to signed integer overflow in image decoding [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455531
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-c803743b67' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

