Aggregator

USN-8138-1 fixed a vulnerability in tar-rs. This update provides the corresponding update for Ubuntu 20.04 LTS. Original advisory details: It was discovered that tar-rs incorrectly handled symlinks when unpacking a tar archive. If a user or automated system were tricked into processing a specially crafted tar archive, a remote attacker could use this issue to modify permissions of arbitrary directories outside the extraction root, and possibly escalate privileges.

FEDORA-2026-156e6bfb27 Packages in this update:

• buildah-1.43.1-1.fc42
• podman-5.8.2-1.fc42
• skopeo-1.22.2-1.fc42

Update description:

Automatic update for buildah-1.43.1-1.fc42, skopeo-1.22.2-1.fc42, podman-5.8.2-1.fc42.

Changelog for buildah * Wed Apr 08 2026 Packit <hello@packit.dev> - 2:1.43.1-1 - Update to 1.43.1 upstream release Changelog for skopeo * Tue Apr 14 2026 Packit <hello@packit.dev> - 1:1.22.2-1 - Update to 1.22.2 upstream release * Fri Apr 10 2026 Lokesh Mandvekar <lsm5@redhat.com> - 1:1.22.1-2 - TMT: fix ref in plan * Thu Apr 09 2026 Packit <hello@packit.dev> - 1:1.22.1-1 - Update to 1.22.1 upstream release Changelog for podman * Tue Apr 14 2026 Packit <hello@packit.dev> - 5:5.8.2-1 - Update to 5.8.2 upstream release

Security fix for CVE-2026-34986

FEDORA-2026-75c2b7868a Packages in this update:

• buildah-1.43.1-1.fc43
• podman-5.8.2-1.fc43
• skopeo-1.22.2-1.fc43

Update description:

Automatic update for skopeo-1.22.2-1.fc43, podman-5.8.2-1.fc43, buildah-1.43.1-1.fc43.

Changelog for skopeo * Tue Apr 14 2026 Packit <hello@packit.dev> - 1:1.22.2-1 - Update to 1.22.2 upstream release * Fri Apr 10 2026 Lokesh Mandvekar <lsm5@redhat.com> - 1:1.22.1-2 - TMT: fix ref in plan * Thu Apr 09 2026 Packit <hello@packit.dev> - 1:1.22.1-1 - Update to 1.22.1 upstream release Changelog for podman * Tue Apr 14 2026 Packit <hello@packit.dev> - 5:5.8.2-1 - Update to 5.8.2 upstream release Changelog for buildah * Wed Apr 08 2026 Packit <hello@packit.dev> - 2:1.43.1-1 - Update to 1.43.1 upstream release

Security fix for CVE-2026-34986

FEDORA-2026-605559bfe2 Packages in this update:

• buildah-1.43.1-1.fc44
• podman-5.8.2-1.fc44
• skopeo-1.22.2-1.fc44

Update description:

Automatic update for buildah-1.43.1-1.fc44, podman-5.8.2-1.fc44, skopeo-1.22.2-1.fc44.

Changelog for buildah * Wed Apr 08 2026 Packit <hello@packit.dev> - 2:1.43.1-1 - Update to 1.43.1 upstream release Changelog for podman * Tue Apr 14 2026 Packit <hello@packit.dev> - 5:5.8.2-1 - Update to 5.8.2 upstream release Changelog for skopeo * Tue Apr 14 2026 Packit <hello@packit.dev> - 1:1.22.2-1 - Update to 1.22.2 upstream release * Fri Apr 10 2026 Lokesh Mandvekar <lsm5@redhat.com> - 1:1.22.1-2 - TMT: fix ref in plan * Thu Apr 09 2026 Packit <hello@packit.dev> - 1:1.22.1-1 - Update to 1.22.1 upstream release

Security fix for CVE-2026-34986

USN-8168-1 fixed a vulnerability in Rust. This update provides the corresponding update to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. Original advisory details: It was discovered that tar-rs embedded in rustc incorrectly handled symlinks when unpacking a tar archive. If a user or automated system were tricked into processing a specially crafted tar archive, a remote attacker could use this issue to modify permissions of arbitrary directories outside the extraction root, and possibly escalate privileges.

Version:next-20260414 (linux-next) Released:2026-04-14

FEDORA-2026-3b2063832d Packages in this update:

• pie-1.4.1-1.fc42

Update description:

Version 1.4.1

• Update bundled Composer to 2.9.7

Version 1.4.0

New features!

• Prompt to install missing system dependencies
• Prompt to install build toolchain
• Support pre-packaged-binary for download-url-method
• Support INSTALL_ROOT environment variable to override destination

For more information, see Upstream annoucenement

FEDORA-EPEL-2026-7812671be8 Packages in this update:

• pie-1.4.1-1.el10_3

Update description:

Version 1.4.1

• Update bundled Composer to 2.9.7

Version 1.4.0

New features!

• Prompt to install missing system dependencies
• Prompt to install build toolchain
• Support pre-packaged-binary for download-url-method
• Support INSTALL_ROOT environment variable to override destination

For more information, see Upstream annoucenement

FEDORA-EPEL-2026-f0077847e2 Packages in this update:

• pie-1.4.1-1.el10_1

Update description:

Version 1.4.1

• Update bundled Composer to 2.9.7

Version 1.4.0

New features!

• Prompt to install missing system dependencies
• Prompt to install build toolchain
• Support pre-packaged-binary for download-url-method
• Support INSTALL_ROOT environment variable to override destination

For more information, see Upstream annoucenement

FEDORA-EPEL-2026-128f171ef6 Packages in this update:

• pie-1.4.1-1.el10_2

Update description:

Version 1.4.1

• Update bundled Composer to 2.9.7

Version 1.4.0

New features!

• Prompt to install missing system dependencies
• Prompt to install build toolchain
• Support pre-packaged-binary for download-url-method
• Support INSTALL_ROOT environment variable to override destination

For more information, see Upstream annoucenement

FEDORA-2026-7acc0ad1fc Packages in this update:

• pie-1.4.1-1.fc44

Update description:

Version 1.4.1

• Update bundled Composer to 2.9.7

Version 1.4.0

New features!

• Prompt to install missing system dependencies
• Prompt to install build toolchain
• Support pre-packaged-binary for download-url-method
• Support INSTALL_ROOT environment variable to override destination

For more information, see Upstream annoucenement

FEDORA-2026-3f4283f831 Packages in this update:

• pie-1.4.1-1.fc43

Update description:

Version 1.4.1

• Update bundled Composer to 2.9.7

Version 1.4.0

New features!

• Prompt to install missing system dependencies
• Prompt to install build toolchain
• Support pre-packaged-binary for download-url-method
• Support INSTALL_ROOT environment variable to override destination

For more information, see Upstream annoucenement

FEDORA-2026-907bbf2a13 Packages in this update:

• curl-8.11.1-8.fc42

Update description:

• fix bad reuse of HTTP Negotiate connection (CVE-2026-1965)
• fix token leak with redirect and netrc (CVE-2026-3783)
• fix wrong proxy connection reuse with credentials (CVE-2026-3784)
• fix use after free in SMB connection reuse (CVE-2026-3805)

FEDORA-EPEL-2026-de8ec2aa2e Packages in this update:

• composer-2.9.7-1.el10_3

Update description: Version 2.9.7 - 2026-04-14

• Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

Version 2.9.6 - 2026-04-14

• Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
• Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
• Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
• Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
• Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
• Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
• Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
• Fixed GitHub API authentication errors not being visible to the user (#12737)
• Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
• Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

FEDORA-EPEL-2026-a47812ee6c Packages in this update:

• composer-2.9.7-1.el9

Update description: Version 2.9.7 - 2026-04-14

• Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

Version 2.9.6 - 2026-04-14

• Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
• Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
• Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
• Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
• Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
• Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
• Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
• Fixed GitHub API authentication errors not being visible to the user (#12737)
• Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
• Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

FEDORA-2026-1140c02041 Packages in this update:

• composer-2.9.7-1.fc44

Update description: Version 2.9.7 - 2026-04-14

• Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

Version 2.9.6 - 2026-04-14

• Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
• Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
• Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
• Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
• Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
• Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
• Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
• Fixed GitHub API authentication errors not being visible to the user (#12737)
• Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
• Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

FEDORA-EPEL-2026-7babf884c7 Packages in this update:

• composer-2.9.7-1.el10_2

Update description: Version 2.9.7 - 2026-04-14

• Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

Version 2.9.6 - 2026-04-14

• Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
• Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
• Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
• Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
• Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
• Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
• Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
• Fixed GitHub API authentication errors not being visible to the user (#12737)
• Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
• Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

FEDORA-2026-d91f313a63 Packages in this update:

• composer-2.9.7-1.fc42

Update description: Version 2.9.7 - 2026-04-14

• Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

Version 2.9.6 - 2026-04-14

• Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
• Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
• Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
• Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
• Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
• Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
• Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
• Fixed GitHub API authentication errors not being visible to the user (#12737)
• Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
• Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

FEDORA-2026-02c1f66b6a Packages in this update:

• composer-2.9.7-1.fc43

Update description: Version 2.9.7 - 2026-04-14

• Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

Version 2.9.6 - 2026-04-14

• Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
• Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
• Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
• Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
• Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
• Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
• Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
• Fixed GitHub API authentication errors not being visible to the user (#12737)
• Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
• Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

FEDORA-EPEL-2026-e7a666ddb5 Packages in this update:

• composer-2.9.7-1.el10_1

Update description: Version 2.9.7 - 2026-04-14

• Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

Version 2.9.6 - 2026-04-14

• Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
• Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
• Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
• Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
• Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
• Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
• Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
• Fixed GitHub API authentication errors not being visible to the user (#12737)
• Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
• Fixed error reporting for clarity when a constraint cannot be parsed (#12743)