Fedora updates have been released to address security vulnerabilities in various packages. The updates include fixes for CVE-2025-11411 in unbound, CVE-2025-58050 in pcre2, XSA-476 and XSA-475 in xen, squid, and CVE-2025-5455 in qt5-qtbase.

Fedora 42 Update: unbound-1.24.1-1.fc42
Fedora 42 Update: pcre2-10.46-1.fc42
Fedora 43 Update: xen-4.20.1-8.fc43
Fedora 43 Update: squid-7.2-1.fc43
Fedora 41 Update: qt5-qtbase-5.15.17-2.fc41

[SECURITY] Fedora 42 Update: unbound-1.24.1-1.fc42

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-93d7b9a5d5
2025-10-28 01:29:53.364205+00:00
--------------------------------------------------------------------------------

Name : unbound
Product : Fedora 42
Version : 1.24.1
Release : 1.fc42
URL : https://nlnetlabs.nl/projects/unbound/
Summary : Validating, recursive, and caching DNS(SEC) resolver
Description :
Unbound is a validating, recursive, and caching DNS(SEC) resolver.

The C implementation of Unbound is developed and maintained by NLnet
Labs. It is based on ideas and algorithms taken from a java prototype
developed by Verisign labs, Nominet, Kirei and ep.net.

Unbound is designed as a set of modular components, so that also
DNSSEC (secure DNS) validation and stub-resolvers (that do not run
as a server, but are linked into an application) are easily possible.

--------------------------------------------------------------------------------
Update Information:

Fix CVE-2025-11411 (possible domain hijacking attack), reported by Yuxiao Wu,
Yunyi Zhang, Baojun Liu and Haixin Duan from Tsinghua University.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Oct 24 2025 Petr Men????k [pemensik@redhat.com] - 1.24.1-1
- Update to 1.24.1 (rhbz#2405698)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2405698 - unbound-1.24.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2405698
[ 2 ] Bug #2405930 - CVE-2025-11411 unbound: Unbound domain hijacking via promiscuous records [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2405930
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-93d7b9a5d5' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

[SECURITY] Fedora 42 Update: pcre2-10.46-1.fc42

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-5905c468d2
2025-10-28 01:29:53.364203+00:00
--------------------------------------------------------------------------------

Name : pcre2
Product : Fedora 42
Version : 10.46
Release : 1.fc42
URL : https://www.pcre.org/
Summary : Perl-compatible regular expression library
Description :
PCRE2 is a re-working of the original PCRE (Perl-compatible regular
expression) library to provide an entirely new API.

PCRE2 is written in C, and it has its own API. There are three sets of
functions, one for the 8-bit library, which processes strings of bytes, one
for the 16-bit library, which processes strings of 16-bit values, and one for
the 32-bit library, which processes strings of 32-bit values. There are no C++
wrappers. This package provides support for strings in 8-bit and UTF-8
encodings. Install pcre2-utf16 or pcre2-utf32 packages for the other ones.

The distribution does contain a set of C wrapper functions for the 8-bit
library that are based on the POSIX regular expression API (see the pcre2posix
man page). These can be found in a library called libpcre2posix. Note that
this just provides a POSIX calling interface to PCRE2; the regular expressions
themselves still follow Perl syntax and semantics. The POSIX API is
restricted, and does not give full access to all of PCRE2's facilities.

--------------------------------------------------------------------------------
Update Information:

Fix for CVE-2025-58050
--------------------------------------------------------------------------------
ChangeLog:

* Mon Sep 1 2025 Lukas Javorsky [ljavorsk@redhat.com] - 10.46-1
- Rebase to version 10.46
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2405311 - PCRE2 10.45 - CVD-2025-58080
https://bugzilla.redhat.com/show_bug.cgi?id=2405311
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-5905c468d2' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--

[SECURITY] Fedora 43 Update: xen-4.20.1-8.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-22fd93478b
2025-10-28 00:58:14.247378+00:00
--------------------------------------------------------------------------------

Name : xen
Product : Fedora 43
Version : 4.20.1
Release : 8.fc43
URL : http://xen.org/
Summary : Xen is a virtual machine monitor
Description :
This package contains the XenD daemon and xm command line
tools, needed to manage virtual machines running under the
Xen hypervisor

--------------------------------------------------------------------------------
Update Information:

Incorrect removal of permissions on PCI device unplug [XSA-476,
CVE-2025-58149]
x86: Incorrect input sanitisation in Viridian hypercalls [XSA-475,
CVE-2025-58147, CVE-2025-58148]
--------------------------------------------------------------------------------
ChangeLog:

* Fri Oct 24 2025 Michael Young [m.a.young@durham.ac.uk] - 4.20.1-8
- Incorrect removal of permissions on PCI device unplug [XSA-476,
CVE-2025-58149]
* Tue Oct 21 2025 Michael Young [m.a.young@durham.ac.uk] - 4.20.1-7
- x86: Incorrect input sanitisation in Viridian hypercalls [XSA-475,
CVE-2025-58147, CVE-2025-58148]
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-22fd93478b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--

[SECURITY] Fedora 43 Update: squid-7.2-1.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-2f124e7827
2025-10-28 00:58:14.247329+00:00
--------------------------------------------------------------------------------

Name : squid
Product : Fedora 43
Version : 7.2
Release : 1.fc43
URL : http://www.squid-cache.org
Summary : The Squid proxy caching server
Description :
Squid is a high-performance proxy caching server for Web clients,
supporting FTP and HTTP data objects. Unlike traditional
caching software, Squid handles all requests in a single,
non-blocking, I/O-driven process. Squid keeps meta data and especially
hot objects cached in RAM, caches DNS lookups, supports non-blocking
DNS lookups, and implements negative caching of failed requests.

Squid consists of a main server program squid, a Domain Name System
lookup program (dnsserver), a program for retrieving FTP data
(ftpget), and some management and client tools.

--------------------------------------------------------------------------------
Update Information:

new version
--------------------------------------------------------------------------------
ChangeLog:

* Fri Oct 17 2025 Lubo?? Uhliarik [luhliari@redhat.com] - 7:7.2-1
- new version 7.2
* Thu Sep 11 2025 Lubo?? Uhliarik [luhliari@redhat.com] - 7:7.1-3
- Support provider keys that require NULL digest
* Thu Aug 14 2025 Lubo?? Uhliarik [luhliari@redhat.com] - 7:7.1-1
- new version 7.1
- removed squidclient
- removed purge
- removed cachemgr.cgi
- removed basic_smb_lm_auth and ntlm_smb_lm_auth helpers
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2347258 - squid-7.2 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2347258
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-2f124e7827' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

[SECURITY] Fedora 41 Update: qt5-qtbase-5.15.17-2.fc41

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-26e2e0c477
2025-10-28 01:44:45.597036+00:00
--------------------------------------------------------------------------------

Name : qt5-qtbase
Product : Fedora 41
Version : 5.15.17
Release : 2.fc41
URL : http://qt-project.org/
Summary : Qt5 - QtBase components
Description :
Qt is a software toolkit for developing applications.

This package contains base tools, like string, xml, and network
handling.

--------------------------------------------------------------------------------
Update Information:

Fix CVE-2025-5455 - QtCore Assertion Failure Denial of Service
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 22 2025 Than Ngo [than@redhat.com] - 5.15.17-2
- Fix CVE-2025-5455, qt5-qtbase: QtCore Assertion Failure Denial of Service
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2369868 - CVE-2025-5455 qt5-qtbase: QtCore Assertion Failure Denial of Service [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2369868
[ 2 ] Bug #2369869 - CVE-2025-5455 qt5-qtbase: QtCore Assertion Failure Denial of Service [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2369869
[ 3 ] Bug #2405076 - CVE-2025-5455 qt5-qtbase: QtCore Assertion Failure Denial of Service [epel-10]
https://bugzilla.redhat.com/show_bug.cgi?id=2405076
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-26e2e0c477' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--