Fedora 42 Update: yt-dlp-2026.02.21-1.fc42
Fedora 42 Update: coturn-4.9.0-1.fc42
Fedora 42 Update: valkey-8.0.7-1.fc42
Fedora 42 Update: php-zumba-json-serializer-3.2.4-1.fc42
Fedora 43 Update: coturn-4.9.0-1.fc43
Fedora 43 Update: valkey-8.1.6-1.fc43
Fedora 43 Update: php-zumba-json-serializer-3.2.4-1.fc43
[SECURITY] Fedora 42 Update: yt-dlp-2026.02.21-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7d3c7180c7
2026-03-05 01:12:27.918866+00:00
--------------------------------------------------------------------------------
Name : yt-dlp
Product : Fedora 42
Version : 2026.02.21
Release : 1.fc42
URL : https://github.com/yt-dlp/yt-dlp
Summary : A command-line program to download videos from online video platforms
Description :
yt-dlp is a command-line program to download videos from many different online
video platforms, such as youtube.com. The project is a fork of youtube-dl with
additional features and fixes.
--------------------------------------------------------------------------------
Update Information:
Update to 2026.02.21. Fixes rhbz#2441709.
Mitigates CVE-2026-26331 / GHSA-g3gw-q23r-pgqm (rhbz#2442244)
--------------------------------------------------------------------------------
ChangeLog:
* Tue Feb 24 2026 Maxwell G [maxwell@gtmx.me] - 2026.02.21-1
- Update to 2026.02.21. Fixes rhbz#2441709.
- Mitigates CVE-2026-26331 / GHSA-g3gw-q23r-pgqm (rhbz#2442244)
* Sat Feb 21 2026 Dominik 'Rathann' Mierzejewski [dominik@greysector.net] - 2026.02.04-2
- fix FTBFS with python 3.14.3
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2441709 - yt-dlp-2026.02.21 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2441709
[ 2 ] Bug #2442244 - CVE-2026-26331 yt-dlp: yt-dlp: Arbitrary command injection via maliciously crafted URL when --netrc-cmd is used [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2442244
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-7d3c7180c7' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 42 Update: coturn-4.9.0-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-2a1aa1f57f
2026-03-05 01:12:27.918887+00:00
--------------------------------------------------------------------------------
Name : coturn
Product : Fedora 42
Version : 4.9.0
Release : 1.fc42
URL : https://github.com/coturn/coturn/
Summary : TURN/STUN & ICE Server
Description :
The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway.
It can be used as a general-purpose network traffic TURN server/gateway, too.
This implementation also includes some extra features. Supported RFCs:
TURN specs:
- RFC 5766 - base TURN specs
- RFC 6062 - TCP relaying TURN extension
- RFC 6156 - IPv6 extension for TURN
- Experimental DTLS support as client protocol.
STUN specs:
- RFC 3489 - "classic" STUN
- RFC 5389 - base "new" STUN specs
- RFC 5769 - test vectors for STUN protocol testing
- RFC 5780 - NAT behavior discovery support
The implementation fully supports the following client-to-TURN-server protocols:
- UDP (per RFC 5766)
- TCP (per RFC 5766 and RFC 6062)
- TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2
- DTLS (experimental non-standard feature)
Supported relay protocols:
- UDP (per RFC 5766)
- TCP (per RFC 6062)
Supported user databases (for user repository, with passwords or keys, if
authentication is required):
- SQLite
- MySQL
- PostgreSQL
- Redis
Redis can also be used for status and statistics storage and notification.
Supported TURN authentication mechanisms:
- long-term
- TURN REST API (a modification of the long-term mechanism, for time-limited
secret-based authentication, for WebRTC applications)
The load balancing can be implemented with the following tools (either one or a
combination of them):
- network load-balancer server
- DNS-based load balancing
- built-in ALTERNATE-SERVER mechanism.
--------------------------------------------------------------------------------
Update Information:
Coturn 4.9.0
Multiple security fixes
Fix to Web Admin password check
Cleanup of deprecated OpenSSL APIs
Fix for CVE-2026-27624: Bypass localhost and IP range block using IPv4-mapped
IPv6
--------------------------------------------------------------------------------
ChangeLog:
* Wed Feb 25 2026 Robert Scheck [robert@fedoraproject.org] - 4.9.0-1
- Upgrade to 4.9.0 (#2442144)
- Add patch to build successfully using OpenSSL 1.1.1 on RHEL 8
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 4.8.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 4.8.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2442550 - CVE-2026-27624 coturn: IPv4-mapped IPv6 bypasses denied-peer-ip ACL
https://bugzilla.redhat.com/show_bug.cgi?id=2442550
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-2a1aa1f57f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 42 Update: valkey-8.0.7-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-1d05f1d152
2026-03-05 01:12:27.918796+00:00
--------------------------------------------------------------------------------
Name : valkey
Product : Fedora 42
Version : 8.0.7
Release : 1.fc42
URL : https://valkey.io
Summary : A persistent key-value database
Description :
Valkey is an advanced key-value store. It is often referred to as a data
structure server since keys can contain strings, hashes, lists, sets and
sorted sets.
You can run atomic operations on these types, like appending to a string;
incrementing the value in a hash; pushing to a list; computing set
intersection, union and difference; or getting the member with highest
ranking in a sorted set.
In order to achieve its outstanding performance, Valkey works with an
in-memory dataset. Depending on your use case, you can persist it either
by dumping the dataset to disk every once in a while, or by appending
each command to a log.
Valkey also supports trivial-to-setup master-slave replication, with very
fast non-blocking first synchronization, auto-reconnection on net split
and so forth.
Other features include Transactions, Pub/Sub, Lua scripting, Keys with a
limited time-to-live, and configuration settings to make Valkey behave like
a cache.
You can use Valkey from most programming languages also.
--------------------------------------------------------------------------------
Update Information:
Valkey 8.0.7 - Released Mon 23 February 2026
Upgrade urgency SECURITY: This release includes security fixes we recommend you
apply as soon as possible.
Security fixes
(CVE-2026-21863) Remote DoS with malformed Valkey Cluster bus message
(CVE-2025-67733) RESP Protocol Injection via Lua error_reply
Bug fixes
Fix ltrim should not call signalModifiedKey when no elements are removed (#2787)
Fix chained replica crash when doing dual channel replication (#2983)
Fix used_memory_dataset underflow due to miscalculated used_memory_overhead
(#3005)
Avoids crash during MODULE UNLOAD when ACL rules reference a module command and
subcommand (#3160)
Fix server assert on ACL LOAD and resetchannels (#3182)
Fix bug causing no response flush sometimes when IO threads are busy (#3205)
--------------------------------------------------------------------------------
ChangeLog:
* Tue Feb 24 2026 Remi Collet [remi@fedoraproject.org] - 8.0.7-1
- Valkey 8.0.7 - Released Mon 23 February 2026
- Upgrade urgency SECURITY: This release includes security fixes
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2442220 - CVE-2025-67733 valkey: Valkey: Data tampering and denial of service via improper null character handling in Lua scripts [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2442220
[ 2 ] Bug #2442231 - CVE-2026-21863 valkey: Valkey: Denial of Service via invalid clusterbus packet [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2442231
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-1d05f1d152' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 42 Update: php-zumba-json-serializer-3.2.4-1.fc42
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-d781fd2f6b
2026-03-05 01:12:27.918785+00:00
--------------------------------------------------------------------------------
Name : php-zumba-json-serializer
Product : Fedora 42
Version : 3.2.4
Release : 1.fc42
URL : https://github.com/zumba/json-serializer
Summary : Serialize PHP variables
Description :
This is a library to serialize PHP variables in JSON format. It is similar
of the serialize() function in PHP, but the output is a string JSON encoded.
You can also unserialize the JSON generated by this tool and have you PHP
content back.
Autoloader: /usr/share/php/Zumba/JsonSerializer/autoload.php
--------------------------------------------------------------------------------
Update Information:
Version 3.2.4
Fix serialization of parent class private properties by @Copilot in #71
Fix fatal error when serializing objects with uninitialized typed properties by
@Copilot in #68
Version 3.2.3
[Security] Added method to restrict which classes can be unserialized.
Security Advisory GHSA-v7m3-fpcr-h7m2
--------------------------------------------------------------------------------
ChangeLog:
* Tue Feb 24 2026 Remi Collet [remi@remirepo.net] - 3.2.4-1
- update to 3.2.4
* Thu Feb 19 2026 Remi Collet [remi@remirepo.net] - 3.2.3-1
- update to 3.2.3
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-d781fd2f6b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 43 Update: coturn-4.9.0-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-8cb5571ddc
2026-03-05 00:55:43.533502+00:00
--------------------------------------------------------------------------------
Name : coturn
Product : Fedora 43
Version : 4.9.0
Release : 1.fc43
URL : https://github.com/coturn/coturn/
Summary : TURN/STUN & ICE Server
Description :
The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway.
It can be used as a general-purpose network traffic TURN server/gateway, too.
This implementation also includes some extra features. Supported RFCs:
TURN specs:
- RFC 5766 - base TURN specs
- RFC 6062 - TCP relaying TURN extension
- RFC 6156 - IPv6 extension for TURN
- Experimental DTLS support as client protocol.
STUN specs:
- RFC 3489 - "classic" STUN
- RFC 5389 - base "new" STUN specs
- RFC 5769 - test vectors for STUN protocol testing
- RFC 5780 - NAT behavior discovery support
The implementation fully supports the following client-to-TURN-server protocols:
- UDP (per RFC 5766)
- TCP (per RFC 5766 and RFC 6062)
- TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2
- DTLS (experimental non-standard feature)
Supported relay protocols:
- UDP (per RFC 5766)
- TCP (per RFC 6062)
Supported user databases (for user repository, with passwords or keys, if
authentication is required):
- SQLite
- MySQL
- PostgreSQL
- Redis
Redis can also be used for status and statistics storage and notification.
Supported TURN authentication mechanisms:
- long-term
- TURN REST API (a modification of the long-term mechanism, for time-limited
secret-based authentication, for WebRTC applications)
The load balancing can be implemented with the following tools (either one or a
combination of them):
- network load-balancer server
- DNS-based load balancing
- built-in ALTERNATE-SERVER mechanism.
--------------------------------------------------------------------------------
Update Information:
Coturn 4.9.0
Multiple security fixes
Fix to Web Admin password check
Cleanup of deprecated OpenSSL APIs
Fix for CVE-2026-27624: Bypass localhost and IP range block using IPv4-mapped
IPv6
--------------------------------------------------------------------------------
ChangeLog:
* Wed Feb 25 2026 Robert Scheck [robert@fedoraproject.org] - 4.9.0-1
- Upgrade to 4.9.0 (#2442144)
- Add patch to build successfully using OpenSSL 1.1.1 on RHEL 8
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 4.8.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 4.8.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2442550 - CVE-2026-27624 coturn: IPv4-mapped IPv6 bypasses denied-peer-ip ACL
https://bugzilla.redhat.com/show_bug.cgi?id=2442550
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-8cb5571ddc' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 43 Update: valkey-8.1.6-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-8d275f4438
2026-03-05 00:55:43.533411+00:00
--------------------------------------------------------------------------------
Name : valkey
Product : Fedora 43
Version : 8.1.6
Release : 1.fc43
URL : https://valkey.io
Summary : A persistent key-value database
Description :
Valkey is an advanced key-value store. It is often referred to as a data
structure server since keys can contain strings, hashes, lists, sets and
sorted sets.
You can run atomic operations on these types, like appending to a string;
incrementing the value in a hash; pushing to a list; computing set
intersection, union and difference; or getting the member with highest
ranking in a sorted set.
In order to achieve its outstanding performance, Valkey works with an
in-memory dataset. Depending on your use case, you can persist it either
by dumping the dataset to disk every once in a while, or by appending
each command to a log.
Valkey also supports trivial-to-setup master-slave replication, with very
fast non-blocking first synchronization, auto-reconnection on net split
and so forth.
Other features include Transactions, Pub/Sub, Lua scripting, Keys with a
limited time-to-live, and configuration settings to make Valkey behave like
a cache.
You can use Valkey from most programming languages also.
See https://valkey.io/topics/
--------------------------------------------------------------------------------
Update Information:
Valkey 8.1.6 - Released Mon 23 February 2026
Upgrade urgency SECURITY: This release includes security fixes we recommend you
apply as soon as possible.
Security fixes
(CVE-2026-21863) Remote DoS with malformed Valkey Cluster bus message
(CVE-2025-67733) RESP Protocol Injection via Lua error_reply
Bug fixes
Restrict ttl from being negative and avoid crash in import-mode (#2944)
Fix chained replica crash when doing dual channel replication (#2983)
Fix used_memory_dataset underflow due to miscalculated used_memory_overhead
(#3005)
Fix crashing while MODULE UNLOAD when ACL rules reference a module command or
subcommand (#3160)
Fix server assert on ACL LOAD and resetchannels (#3182)
Fix bug causing no response flush sometimes when IO threads are busy (#3205)
--------------------------------------------------------------------------------
ChangeLog:
* Tue Feb 24 2026 Remi Collet [remi@fedoraproject.org] - 8.1.6-1
- Valkey 8.1.6 - Released Mon 23 February 2026
- Upgrade urgency SECURITY: This release includes security fixes
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2442220 - CVE-2025-67733 valkey: Valkey: Data tampering and denial of service via improper null character handling in Lua scripts [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2442220
[ 2 ] Bug #2442231 - CVE-2026-21863 valkey: Valkey: Denial of Service via invalid clusterbus packet [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2442231
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-8d275f4438' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
[SECURITY] Fedora 43 Update: php-zumba-json-serializer-3.2.4-1.fc43
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-5ff99e948e
2026-03-05 00:55:43.533403+00:00
--------------------------------------------------------------------------------
Name : php-zumba-json-serializer
Product : Fedora 43
Version : 3.2.4
Release : 1.fc43
URL : https://github.com/zumba/json-serializer
Summary : Serialize PHP variables
Description :
This is a library to serialize PHP variables in JSON format. It is similar
of the serialize() function in PHP, but the output is a string JSON encoded.
You can also unserialize the JSON generated by this tool and have you PHP
content back.
Autoloader: /usr/share/php/Zumba/JsonSerializer/autoload.php
--------------------------------------------------------------------------------
Update Information:
Version 3.2.4
Fix serialization of parent class private properties by @Copilot in #71
Fix fatal error when serializing objects with uninitialized typed properties by
@Copilot in #68
Version 3.2.3
[Security] Added method to restrict which classes can be unserialized.
Security Advisory GHSA-v7m3-fpcr-h7m2
--------------------------------------------------------------------------------
ChangeLog:
* Tue Feb 24 2026 Remi Collet [remi@remirepo.net] - 3.2.4-1
- update to 3.2.4
* Thu Feb 19 2026 Remi Collet [remi@remirepo.net] - 3.2.3-1
- update to 3.2.3
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-5ff99e948e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
