Multiple security updates have been released for Fedora 43, addressing various vulnerabilities and bugs. The updates include patches for yarnpkg, phpunit12, phpunit9, gnupg2, pgadmin4, phpunit11, phpunit10, and phpunit8, which fix issues such as arbitrary code execution via unsafe deserialization of code coverage files and stack-based buffer overflow in tpm2daemon. The updates can be installed using the "dnf" update program, with instructions provided for each package.

Fedora 43 Update: yarnpkg-1.22.22-16.fc43
Fedora 43 Update: phpunit12-12.5.8-1.fc43
Fedora 43 Update: phpunit9-9.6.34-1.fc43
Fedora 43 Update: gnupg2-2.4.9-5.fc43
Fedora 43 Update: pgadmin4-9.11-3.fc43
Fedora 43 Update: phpunit11-11.5.50-1.fc43
Fedora 43 Update: phpunit10-10.5.63-1.fc43
Fedora 43 Update: phpunit8-8.5.52-1.fc43

[SECURITY] Fedora 43 Update: yarnpkg-1.22.22-16.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-a75abb3f2b
2026-02-05 00:57:20.049070+00:00
--------------------------------------------------------------------------------

Name : yarnpkg
Product : Fedora 43
Version : 1.22.22
Release : 16.fc43
URL : https://github.com/yarnpkg/yarn
Summary : Fast, reliable, and secure dependency management.
Description :
Fast, reliable, and secure dependency management.

--------------------------------------------------------------------------------
Update Information:

Regenerate vendor tarball. Fixes CVE-2025-13465.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 27 2026 Sandro Mani [manisandro@gmail.com] - 1.22.22-16
- Refresh bundle, fixes CVE-2025-13465
* Sat Jan 17 2026 Fedora Release Engineering [releng@fedoraproject.org] - 1.22.22-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2432997 - CVE-2025-13465 yarnpkg: prototype pollution in _.unset and _.omit functions [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2432997
[ 2 ] Bug #2433048 - CVE-2025-13465 yarnpkg: prototype pollution in _.unset and _.omit functions [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2433048
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-a75abb3f2b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

[SECURITY] Fedora 43 Update: phpunit12-12.5.8-1.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-470a48f838
2026-02-05 00:57:20.049055+00:00
--------------------------------------------------------------------------------

Name : phpunit12
Product : Fedora 43
Version : 12.5.8
Release : 1.fc43
URL : https://github.com/sebastianbergmann/phpunit
Summary : The PHP Unit Testing framework version 12
Description :
PHPUnit is a programmer-oriented testing framework for PHP.
It is an instance of the xUnit architecture for unit testing frameworks.

This package provides the version 12 of PHPUnit,
available using the phpunit12 command.

Documentation: https://phpunit.de/documentation.html

--------------------------------------------------------------------------------
Update Information:

Version 12.5.8 - 2026-01-27
Changed
To prevent Poisoned Pipeline Execution (PPE) attacks using prepared .coverage
files in pull requests, a PHPT test will no longer be run if the temporary file
for writing code coverage information already exists before the test runs
Version 12.5.7 - 2026-01-24
Fixed
#6362: Manually instantiated test doubles are broken since PHPUnit 11.2
#6470: Infinite recursion in Count::getCountOf() for unusal implementations of
Iterator or IteratorAggregate
Version 12.5.6 - 2026-01-16
Changed
Reverted a change that caused a build failure for the PHP project's nightly
community job
Version 12.5.5 - 2026-01-15
Deprecated
#6461: any() matcher (soft deprecation)
Fixed
#6470: Mocking a class with a property hook setter accepting more types than the
property results in a fatal error
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 27 2026 Remi Collet [remi@remirepo.net] - 12.5.8-1
- update to 12.5.8
* Mon Jan 26 2026 Remi Collet [remi@remirepo.net] - 12.5.7-1
- update to 12.5.7
- raise dependency on sebastian/comparator 7.1.4
* Sat Jan 17 2026 Remi Collet [remi@remirepo.net] - 12.5.6-1
- update to 12.5.6
* Thu Jan 15 2026 Remi Collet [remi@remirepo.net] - 12.5.5-1
- update to 12.5.5
- raise dependency on phpunit/php-code-coverage 12.5.2
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2433676 - CVE-2026-24765 phpunit12: PHPUnit: Arbitrary code execution via unsafe deserialization of code coverage files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2433676
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-470a48f838' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

[SECURITY] Fedora 43 Update: phpunit9-9.6.34-1.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-8d8a292bba
2026-02-05 00:57:20.049043+00:00
--------------------------------------------------------------------------------

Name : phpunit9
Product : Fedora 43
Version : 9.6.34
Release : 1.fc43
URL : https://github.com/sebastianbergmann/phpunit
Summary : The PHP Unit Testing framework version 9
Description :
PHPUnit is a programmer-oriented testing framework for PHP.
It is an instance of the xUnit architecture for unit testing frameworks.

This package provides the version 9 of PHPUnit,
available using the phpunit9 command.

Documentation: https://phpunit.de/documentation.html

--------------------------------------------------------------------------------
Update Information:

Version 9.6.34 - 2026-01-27
Fixed
Regression introduced in PHPUnit 9.6.33
Version 9.6.33 - 2026-01-27
Changed
To prevent Poisoned Pipeline Execution (PPE) attacks using prepared .coverage
files in pull requests, a PHPT test will no longer be run if the temporary file
for writing code coverage information already exists before the test runs
Version 9.6.32 - 2026-01-24
Changed
PHPUnit\Framework\MockObject exceptions are now subtypes of PHPUnit\Exception
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 27 2026 Remi Collet [remi@remirepo.net] - 9.6.34-1
- update to 9.6.34
* Mon Jan 26 2026 Remi Collet [remi@remirepo.net] - 9.6.32-1
- update to 9.6.32
- raise dependency on sebastian/comparator 4.0.10
- phpspec/prophecy is optional
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2433678 - CVE-2026-24765 phpunit9: PHPUnit: Arbitrary code execution via unsafe deserialization of code coverage files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2433678
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-8d8a292bba' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

[SECURITY] Fedora 43 Update: gnupg2-2.4.9-5.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-d5c00a447f
2026-02-05 00:57:20.049144+00:00
--------------------------------------------------------------------------------

Name : gnupg2
Product : Fedora 43
Version : 2.4.9
Release : 5.fc43
URL : https://www.gnupg.org/
Summary : Utility for secure communication and data storage
Description :
GnuPG is GNU's tool for secure communication and data storage. It can
be used to encrypt data and to create digital signatures. It includes
an advanced key management facility and is compliant with the proposed
OpenPGP Internet standard as described in RFC2440 and the S/MIME
standard as described by several RFCs.

GnuPG 2.0 is a newer version of GnuPG with additional support for
S/MIME. It has a different design philosophy that splits
functionality up into several modules. The S/MIME and smartcard functionality
is provided by the gnupg2-smime package.

--------------------------------------------------------------------------------
Update Information:

Fix CVE-2026-24882: Stack-based buffer overflow in tpm2daemon allows arbitrary
code execution
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jan 28 2026 Jakub Jelen [jjelen@redhat.com] - 2.4.9-5
- Fix CVE-2026-24882: Stack-based buffer overflow in tpm2daemon allows arbitrary code execution
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2433665 - CVE-2026-24882 gnupg2: GnuPG: Stack-based buffer overflow in tpm2daemon allows arbitrary code execution [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2433665
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-d5c00a447f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

[SECURITY] Fedora 43 Update: pgadmin4-9.11-3.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-4e47f4d911
2026-02-05 00:57:20.049067+00:00
--------------------------------------------------------------------------------

Name : pgadmin4
Product : Fedora 43
Version : 9.11
Release : 3.fc43
URL : https://www.pgadmin.org/
Summary : Administration tool for PostgreSQL
Description :
pgAdmin is the most popular and feature rich Open Source administration and development
platform for PostgreSQL, the most advanced Open Source database in the world.

--------------------------------------------------------------------------------
Update Information:

Regenerate vendor tarball. Fixes CVE-2025-13465.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 27 2026 Sandro Mani [manisandro@gmail.com] - 9.11-3
- Refresh bundle, fixes CVE-2025-13465
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2432986 - CVE-2025-13465 pgadmin4: prototype pollution in _.unset and _.omit functions [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2432986
[ 2 ] Bug #2433036 - CVE-2025-13465 pgadmin4: prototype pollution in _.unset and _.omit functions [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2433036
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-4e47f4d911' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

[SECURITY] Fedora 43 Update: phpunit11-11.5.50-1.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-8ccfe50c58
2026-02-05 00:57:20.049049+00:00
--------------------------------------------------------------------------------

Name : phpunit11
Product : Fedora 43
Version : 11.5.50
Release : 1.fc43
URL : https://github.com/sebastianbergmann/phpunit
Summary : The PHP Unit Testing framework version 11
Description :
PHPUnit is a programmer-oriented testing framework for PHP.
It is an instance of the xUnit architecture for unit testing frameworks.

This package provides the version 11 of PHPUnit,
available using the phpunit11 command.

Documentation: https://phpunit.de/documentation.html

--------------------------------------------------------------------------------
Update Information:

Version 11.5.50 - 2026-01-27
Changed
To prevent Poisoned Pipeline Execution (PPE) attacks using prepared .coverage
files in pull requests, a PHPT test will no longer be run if the temporary file
for writing code coverage information already exists before the test runs
Version 11.5.49 - 2026-01-24
Fixed
#6362: Manually instantiated test doubles are broken since PHPUnit 11.2
#6470: Infinite recursion in Count::getCountOf() for unusal implementations of
Iterator or IteratorAggregate
Version 11.5.48 - 2026-01-16
Changed
Reverted a change that caused a build failure for the PHP project's nightly
community job
Version 11.5.47 - 2026-01-15
Fixed
#6470: Mocking a class with a property hook setter accepting more types than the
property results in a fatal error
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 27 2026 Remi Collet [remi@remirepo.net] - 11.5.50-1
- update to 11.5.50
* Mon Jan 26 2026 Remi Collet [remi@remirepo.net] - 11.5.49-1
- update to 11.5.49
- raise dependency on sebastian/comparator 6.3.3
* Sat Jan 17 2026 Remi Collet [remi@remirepo.net] - 11.5.48-1
- update to 11.5.48
* Thu Jan 15 2026 Remi Collet [remi@remirepo.net] - 11.5.47-1
- update to 11.5.47
- raise dependency on phpunit/php-code-coverage 11.0.12
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2433680 - CVE-2026-24765 phpunit11: PHPUnit: Arbitrary code execution via unsafe deserialization of code coverage files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2433680
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-8ccfe50c58' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

[SECURITY] Fedora 43 Update: phpunit10-10.5.63-1.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-ff411cd463
2026-02-05 00:57:20.049046+00:00
--------------------------------------------------------------------------------

Name : phpunit10
Product : Fedora 43
Version : 10.5.63
Release : 1.fc43
URL : https://github.com/sebastianbergmann/phpunit
Summary : The PHP Unit Testing framework version 10
Description :
PHPUnit is a programmer-oriented testing framework for PHP.
It is an instance of the xUnit architecture for unit testing frameworks.

This package provides the version 10 of PHPUnit,
available using the phpunit10 command.

Documentation: https://phpunit.de/documentation.html

--------------------------------------------------------------------------------
Update Information:

Version 10.5.63 - 2026-01-27
Fixed
Regression introduced in PHPUnit 9.6.33
Version 10.5.62 - 2026-01-27
Changed
To prevent Poisoned Pipeline Execution (PPE) attacks using prepared .coverage
files in pull requests, a PHPT test will no longer be run if the temporary file
for writing code coverage information already exists before the test runs
Version 10.5.61 - 2026-01-24
Changed
PHPUnit\Framework\MockObject exceptions are now subtypes of PHPUnit\Exception
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 27 2026 Remi Collet [remi@remirepo.net] - 10.5.63-1
- update to 10.5.63
* Mon Jan 26 2026 Remi Collet [remi@remirepo.net] - 10.5.61-1
- update to 10.5.61
- raise dependency on sebastian/comparator 5.0.5
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2433679 - CVE-2026-24765 phpunit10: PHPUnit: Arbitrary code execution via unsafe deserialization of code coverage files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2433679
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-ff411cd463' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

[SECURITY] Fedora 43 Update: phpunit8-8.5.52-1.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-dad4e31f49
2026-02-05 00:57:20.049040+00:00
--------------------------------------------------------------------------------

Name : phpunit8
Product : Fedora 43
Version : 8.5.52
Release : 1.fc43
URL : https://github.com/sebastianbergmann/phpunit
Summary : The PHP Unit Testing framework version 8
Description :
PHPUnit is a programmer-oriented testing framework for PHP.
It is an instance of the xUnit architecture for unit testing frameworks.

This package provides the version 8 of PHPUnit,
available using the phpunit8 command.

Documentation: https://phpunit.de/documentation.html

--------------------------------------------------------------------------------
Update Information:

Version 8.5.52 - 2026-01-27
Changed
To prevent Poisoned Pipeline Execution (PPE) attacks using prepared .coverage
files in pull requests, a PHPT test will no longer be run if the temporary file
for writing code coverage information already exists before the test runs
Version 8.5.51 - 2026-01-24
Changed
PHPUnit\Framework\MockObject exceptions subtypes of PHPUnit\Exception
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 27 2026 Remi Collet [remi@remirepo.net] - 8.5.52-1
- update to 8.5.52
* Mon Jan 26 2026 Remi Collet [remi@remirepo.net] - 8.5.51-1
- update to 8.5.51
- raise dependency on sebastian/comparator 3.0.7
- phpspec/prophecy is optional
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2433681 - CVE-2026-24765 phpunit8: PHPUnit: Arbitrary code execution via unsafe deserialization of code coverage files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2433681
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-dad4e31f49' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new