Fedora 43 has received two security updates: one for yt-dlp, a command-line program to download videos from online platforms, and another for chromium, an open-source web browser. The yt-dlp update fixes a vulnerability that allowed arbitrary command injection via malicious URLs when using the --netrc-cmd option. The chromium update addresses three vulnerabilities: CVE-2026-2648, a heap buffer overflow in PDFium; CVE-2026-2649, an integer overflow in V8; and CVE-2026-2650, another heap buffer overflow in Media.

Fedora 43 Update: yt-dlp-2026.02.21-1.fc43
Fedora 43 Update: chromium-145.0.7632.109-1.fc43

[SECURITY] Fedora 43 Update: yt-dlp-2026.02.21-1.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-d86b88630b
2026-02-25 00:51:37.749368+00:00
--------------------------------------------------------------------------------

Name : yt-dlp
Product : Fedora 43
Version : 2026.02.21
Release : 1.fc43
URL : https://github.com/yt-dlp/yt-dlp
Summary : A command-line program to download videos from online video platforms
Description :
yt-dlp is a command-line program to download videos from many different online
video platforms, such as youtube.com. The project is a fork of youtube-dl with
additional features and fixes.

--------------------------------------------------------------------------------
Update Information:

Update to 2026.02.21. Fixes rhbz#2441709.
Mitigates CVE-2026-26331 / GHSA-g3gw-q23r-pgqm (rhbz#2442244)
--------------------------------------------------------------------------------
ChangeLog:

* Tue Feb 24 2026 Maxwell G [maxwell@gtmx.me] - 2026.02.21-1
- Update to 2026.02.21. Fixes rhbz#2441709.
- Mitigates CVE-2026-26331 / GHSA-g3gw-q23r-pgqm (rhbz#2442244)
* Sat Feb 21 2026 Dominik 'Rathann' Mierzejewski [dominik@greysector.net] - 2026.02.04-2
- fix FTBFS with python 3.14.3
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2441709 - yt-dlp-2026.02.21 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2441709
[ 2 ] Bug #2442244 - CVE-2026-26331 yt-dlp: yt-dlp: Arbitrary command injection via maliciously crafted URL when --netrc-cmd is used [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2442244
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-d86b88630b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

[SECURITY] Fedora 43 Update: chromium-145.0.7632.109-1.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-18d617b2e5
2026-02-25 00:51:37.749366+00:00
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 43
Version : 145.0.7632.109
Release : 1.fc43
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

Update to 145.0.7632.109
* CVE-2026-2648: Heap buffer overflow in PDFium
* CVE-2026-2649: Integer overflow in V8
* CVE-2026-2650: Heap buffer overflow in Media
--------------------------------------------------------------------------------
ChangeLog:

* Mon Feb 23 2026 Than Ngo [than@redhat.com] - 145.0.7632.109-1
- Update to 145.0.7632.109
* CVE-2026-2648: Heap buffer overflow in PDFium
* CVE-2026-2649: Integer overflow in V8
* CVE-2026-2650: Heap buffer overflow in Media
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-18d617b2e5' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new