32 minutes 53 seconds ago
FEDORA-2026-ee7b1c75b6
Packages in this update:
Update description:
Update to 3.1.50; fixes CVE-2026-42215 / GHSA-mv93-w799-cj2w.
44 minutes 18 seconds ago
FEDORA-2026-b4653c757d
Packages in this update:
Update description:
Update to 3.1.50; fixes CVE-2026-42215 / GHSA-mv93-w799-cj2w.
2 hours 26 minutes ago
FEDORA-2026-c66eaae759
Packages in this update:
Update description:
PHP version 8.5.6 (07 May 2026)
Core:
- Fixed bug GH-19983 (GC assertion failure with fibers, generators and destructors). (iliaal)
- Fixed ZEND_API mismatch on zend_ce_closure forward decl for Windows+Clang. (henderkes)
- Fixed bug GH-21504 (Incorrect RC-handling for ZEND_EXT_STMT op1). (ilutov)
- Fixed bug GH-21478 (Forward property operations to real instance for initialized lazy proxies). (iliaal)
- Fixed bug GH-21605 (Missing addref for Countable::count()). (ilutov)
- Fixed bug GH-21699 (Assertion failure in shutdown_executor when resolving self::/parent::/static:: callables if the error handler throws). (macoaure)
- Fixed bug GH-21603 (Missing addref for __unset). (ilutov)
- Fixed bug GH-21760 (Trait with class constant name conflict against enum case causes SEGV). (Pratik Bhujel)
CLI:
- Fixed bug GH-21754 (--rf command line option with a method triggers ext/reflection deprecation warnings). (DanielEScherzer)
Curl:
- Add support for brotli and zstd on Windows. (Shivam Mathur)
DOM:
- Fixed GHSA-4jhr-8w89-j733 and GH-21566 (Dom\XMLDocument::C14N() emits duplicate xmlns declarations after setAttributeNS()). (CVE-2026-7263) (David Carlier)
FPM:
Iconv:
- Fixed bug GH-17399 (iconv memory leak on bailout). (iliaal)
Lexbor:
- Upgrade to lexbor v2.7.0. (CVE-2026-29078, CVE-2026-29079) (ndossche, ilutov)
MBString:
- Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259) (vi3tL0u1s)
- Fixed GHSA-74r9-qxhc-fx53 (Out-of-bounds access in mbfl_name2encoding_ex()). (CVE-2026-6104) (ilutov)
Opcache:
- Fixed bug GH-21158 (JIT: Assertion jit->ra[var].flags & (1<<0) failed in zend_jit_use_reg). (Arnaud)
- Fixed bug GH-21593 (Borked function JIT JMPNZ smart branch). (ilutov)
- Fixed bug GH-21460 (COND optimization regression). (Dmitry, Arnaud)
- Fixed faulty returns out of zend_try block in zend_jit_trace(). (ilutov)
OpenSSL:
- Fix memory leak regression in openssl_pbkdf2(). (ndossche)
- Fix a bunch of memory leaks and crashes on edge cases. (ndossche)
PDO_Firebird:
- Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179) (SakiTakamachi)
PDO_PGSQL:
- Fixed bug GH-21683 (pdo_pgsql throws with ATTR_PREFETCH=0 on empty result set). (thomasschiet)
Phar:
- Restore is_link handler in phar_intercept_functions_shutdown. (iliaal)
- Fixed bug GH-21797 (phar: NULL dereference in Phar::webPhar() when SCRIPT_NAME is absent from SAPI environment). (iliaal)
- Fix memory leak in Phar::offsetGet(). (iliaal)
- Fix memory leak in phar_add_file(). (iliaal)
- Fixed bug GH-21799 (phar: propagate phar_stream_flush return value from phar_stream_close). (iliaal)
- Fix memory leak in phar_verify_signature() when md_ctx is invalid. (JarneClauw)
Random:
- Fixed bug GH-21731 (Random\Engine\Xoshiro256StarStar::__unserialize() accepts all-zero state). (iliaal)
Session:
- Fixed memory leak when session GC callback return a refcounted value. (jorgsowa)
SOAP:
- Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache Map). (CVE-2026-6722) (ilutov)
- Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION). (CVE-2026-7261) (ilutov)
- Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check). (CVE-2026-7262) (ilutov)
SPL:
- Fixed bug GH-21499 (RecursiveArrayIterator getChildren UAF after parent free). (Girgias)
- Fix concurrent iteration and deletion issues in SplObjectStorage. (ndossche)
Sqlite3:
- Fixed wrong free list comparator pointer type. (David Carlier)
Standard:
- Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset). (CVE-2026-7568) (TimWolla)
- Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h functions). (CVE-2026-7258) (ilutov)
Streams:
- Fixed bug GH-21468 (Segfault in file_get_contents w/ a https URL and a proxy set). (ndossche)
3 hours 16 minutes ago
FEDORA-2026-c4d1ca4f16
Packages in this update:
Update description:
PHP version 8.4.21 (07 May 2026)
Core:
- Fixed bug GH-19983 (GC assertion failure with fibers, generators and destructors). (iliaal)
- Fixed bug GH-21478 (Forward property operations to real instance for initialized lazy proxies). (iliaal)
- Fixed bug GH-21605 (Missing addref for Countable::count()). (ilutov)
- Fixed bug GH-21699 (Assertion failure in shutdown_executor when resolving self::/parent::/static:: callables if the error handler throws). (macoaure)
- Fixed bug GH-21603 (Missing addref for __unset). (ilutov)
- Fixed bug GH-21760 (Trait with class constant name conflict against enum case causes SEGV). (Pratik Bhujel)
CLI:
- Fixed bug GH-21754 (--rf command line option with a method triggers ext/reflection deprecation warnings). (DanielEScherzer)
Curl:
- Add support for brotli and zstd on Windows. (Shivam Mathur)
DOM:
- Fixed GHSA-4jhr-8w89-j733 and GH-21566 (Dom\XMLDocument::C14N() emits duplicate xmlns declarations after setAttributeNS()). (CVE-2026-7263) (David Carlier)
- Fixed bug GH-21688 (segmentation fault on empty HTMLDocument). (David Carlier)
- Upgrade to lexbor v2.7.0. (CVE-2026-29078, CVE-2026-29079) (ndossche, ilutov)
FPM:
Iconv:
- Fixed bug GH-17399 (iconv memory leak on bailout). (iliaal)
MBString:
- Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259) (vi3tL0u1s)
- Fixed GHSA-74r9-qxhc-fx53 (Out-of-bounds access in mbfl_name2encoding_ex()). (CVE-2026-6104) (ilutov)
Opcache:
- Fixed bug GH-21158 (JIT: Assertion jit->ra[var].flags & (1<<0) failed in zend_jit_use_reg). (Arnaud)
- Fixed bug GH-21593 (Borked function JIT JMPNZ smart branch). (ilutov)
- Fixed bug GH-21460 (COND optimization regression). (Dmitry, Arnaud)
- Fixed faulty returns out of zend_try block in zend_jit_trace(). (ilutov)
OpenSSL:
- Fix a bunch of memory leaks and crashes on edge cases. (ndossche)
PDO_Firebird:
- Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179) (SakiTakamachi)
Phar:
- Restore is_link handler in phar_intercept_functions_shutdown. (iliaal)
- Fixed bug GH-21797 (phar: NULL dereference in Phar::webPhar() when SCRIPT_NAME is absent from SAPI environment). (iliaal)
- Fix memory leak in Phar::offsetGet(). (iliaal)
- Fix memory leak in phar_add_file(). (iliaal)
- Fixed bug GH-21799 (phar: propagate phar_stream_flush return value from phar_stream_close). (iliaal)
- Fix memory leak in phar_verify_signature() when md_ctx is invalid. (JarneClauw)
Random:
- Fixed bug GH-21731 (Random\Engine\Xoshiro256StarStar::__unserialize() accepts all-zero state). (iliaal)
Session:
- Fixed memory leak when session GC callback return a refcounted value. (jorgsowa)
SOAP:
- Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache Map). (CVE-2026-6722) (ilutov)
- Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION). (CVE-2026-7261) (ilutov)
- Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check). (CVE-2026-7262) (ilutov)
SPL:
- Fixed bug GH-21499 (RecursiveArrayIterator getChildren UAF after parent free). (Girgias)
- Fix concurrent iteration and deletion issues in SplObjectStorage. (ndossche)
Standard:
- Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset). (CVE-2026-7568) (TimWolla)
- Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h functions). (CVE-2026-7258) (ilutov)
Streams:
- Fixed bug GH-21468 (Segfault in file_get_contents w/ a https URL and a proxy set). (ndossche)
XSL:
- Fixed bug GH-21600 (Segfault on module shutdown). (David Carlier)
3 hours 16 minutes ago
FEDORA-2026-3a58db70ca
Packages in this update:
Update description:
PHP version 8.4.21 (07 May 2026)
Core:
- Fixed bug GH-19983 (GC assertion failure with fibers, generators and destructors). (iliaal)
- Fixed bug GH-21478 (Forward property operations to real instance for initialized lazy proxies). (iliaal)
- Fixed bug GH-21605 (Missing addref for Countable::count()). (ilutov)
- Fixed bug GH-21699 (Assertion failure in shutdown_executor when resolving self::/parent::/static:: callables if the error handler throws). (macoaure)
- Fixed bug GH-21603 (Missing addref for __unset). (ilutov)
- Fixed bug GH-21760 (Trait with class constant name conflict against enum case causes SEGV). (Pratik Bhujel)
CLI:
- Fixed bug GH-21754 (--rf command line option with a method triggers ext/reflection deprecation warnings). (DanielEScherzer)
Curl:
- Add support for brotli and zstd on Windows. (Shivam Mathur)
DOM:
- Fixed GHSA-4jhr-8w89-j733 and GH-21566 (Dom\XMLDocument::C14N() emits duplicate xmlns declarations after setAttributeNS()). (CVE-2026-7263) (David Carlier)
- Fixed bug GH-21688 (segmentation fault on empty HTMLDocument). (David Carlier)
- Upgrade to lexbor v2.7.0. (CVE-2026-29078, CVE-2026-29079) (ndossche, ilutov)
FPM:
Iconv:
- Fixed bug GH-17399 (iconv memory leak on bailout). (iliaal)
MBString:
- Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259) (vi3tL0u1s)
- Fixed GHSA-74r9-qxhc-fx53 (Out-of-bounds access in mbfl_name2encoding_ex()). (CVE-2026-6104) (ilutov)
Opcache:
- Fixed bug GH-21158 (JIT: Assertion jit->ra[var].flags & (1<<0) failed in zend_jit_use_reg). (Arnaud)
- Fixed bug GH-21593 (Borked function JIT JMPNZ smart branch). (ilutov)
- Fixed bug GH-21460 (COND optimization regression). (Dmitry, Arnaud)
- Fixed faulty returns out of zend_try block in zend_jit_trace(). (ilutov)
OpenSSL:
- Fix a bunch of memory leaks and crashes on edge cases. (ndossche)
PDO_Firebird:
- Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179) (SakiTakamachi)
Phar:
- Restore is_link handler in phar_intercept_functions_shutdown. (iliaal)
- Fixed bug GH-21797 (phar: NULL dereference in Phar::webPhar() when SCRIPT_NAME is absent from SAPI environment). (iliaal)
- Fix memory leak in Phar::offsetGet(). (iliaal)
- Fix memory leak in phar_add_file(). (iliaal)
- Fixed bug GH-21799 (phar: propagate phar_stream_flush return value from phar_stream_close). (iliaal)
- Fix memory leak in phar_verify_signature() when md_ctx is invalid. (JarneClauw)
Random:
- Fixed bug GH-21731 (Random\Engine\Xoshiro256StarStar::__unserialize() accepts all-zero state). (iliaal)
Session:
- Fixed memory leak when session GC callback return a refcounted value. (jorgsowa)
SOAP:
- Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache Map). (CVE-2026-6722) (ilutov)
- Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION). (CVE-2026-7261) (ilutov)
- Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check). (CVE-2026-7262) (ilutov)
SPL:
- Fixed bug GH-21499 (RecursiveArrayIterator getChildren UAF after parent free). (Girgias)
- Fix concurrent iteration and deletion issues in SplObjectStorage. (ndossche)
Standard:
- Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset). (CVE-2026-7568) (TimWolla)
- Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h functions). (CVE-2026-7258) (ilutov)
Streams:
- Fixed bug GH-21468 (Segfault in file_get_contents w/ a https URL and a proxy set). (ndossche)
XSL:
- Fixed bug GH-21600 (Segfault on module shutdown). (David Carlier)
5 hours 42 minutes ago
It was discovered that BuildKit, contained within Docker, incorrectly
handled file path validation when processing frontend API messages. An
attacker could possibly use this issue to write files outside of the
intended state directory. (CVE-2026-33747)
It was discovered that BuildKit, contained within Docker, incorrectly
validated the subdir component of Git URL fragments. An attacker could
possibly use this issue to access files outside of the checked-out
repository root. (CVE-2026-33748)
14 hours 43 minutes ago
It was discovered that Mako incorrectly handled URIs with double-slash
prefixes in TemplateLookup. A remote attacker could possibly use this issue
to obtain sensitive information.
15 hours 43 minutes ago
FEDORA-2026-65ce3da435
Packages in this update:
Update description:
16 hours 4 minutes ago
Andrew MacPherson discovered that nghttp2 did not properly validate
internal state when the session termination API was called. A remote
attacker could possibly use this issue to cause nghttp2 to crash, resulting
in a denial of service.
16 hours 25 minutes ago
FEDORA-EPEL-2026-3faabe7ef7
Packages in this update:
Update description:
Security fix for CVE-2026-7246
17 hours 4 minutes ago
FEDORA-EPEL-2026-f98849630c
Packages in this update:
- python-click-8.1.7-7.el10_2
Update description:
Security fix for CVE-2026-7246
17 hours 5 minutes ago
FEDORA-EPEL-2026-a0e68dfa17
Packages in this update:
- python-click-8.1.7-7.el10_3
Update description:
Security fix for CVE-2026-7246
17 hours 41 minutes ago
It was discovered that Django did not vary cached response headers on
cookies when sessions were not modified while SESSION_SAVE_EVERY_REQUEST
was enabled. A remote attacker could possibly use this issue to steal a
user's session. (CVE-2026-35192)
Kyle Agronick and Jacob Walls discovered that Django incorrectly handled
ASGI requests with missing or understated Content-Length header values.
A remote attacker could possibly use this issue to cause Django to use
excessive resources, leading to a denial of service. (CVE-2026-5766)
Ahmad Sadeddin discovered that Django UpdateCacheMiddleware incorrectly
cached requests where the Vary header contained an asterisk. A remote
attacker could possibly use this issue to obtain sensitive information.
(CVE-2026-6907)
17 hours 43 minutes ago
FEDORA-2026-599dafe4ae
Packages in this update:
- python-click-8.1.7-12.fc43
Update description:
Security fix for CVE-2026-7246
18 hours 50 minutes ago
FEDORA-EPEL-2026-66ed147b70
Packages in this update:
Update description:
Update to 2.92.0 and make telemetry sending opt in.
18 hours 51 minutes ago
FEDORA-2026-5df889949e
Packages in this update:
Update description:
Update to 2.92.0 and make telemetry sending opt in.
20 hours 14 minutes ago
Version:next-20260505 (linux-next)
Released:2026-05-05
21 hours 1 minute ago
FEDORA-EPEL-2026-76e7234279
Packages in this update:
- rust-astral-tokio-tar-0.6.1-1.el9
Update description:
Update the astral-tokio-tar Rust crate to 0.6.1, fixing security advisories GHSA-xx64-wwv2-hcqq and GHSA-fp55-jw48-c537.
21 hours 3 minutes ago
FEDORA-EPEL-2026-4b95f570ed
Packages in this update:
- rust-astral-tokio-tar-0.6.1-1.el10_3
- uv-0.11.9-1.el10_3
Update description:
Update uv to 0.11.9. Update the astral-tokio-tar Rust crate to 0.6.1, fixing security advisories GHSA-xx64-wwv2-hcqq and GHSA-fp55-jw48-c537.
21 hours 4 minutes ago
FEDORA-2026-8d8aee6aaf
Packages in this update:
- python-uv-build-0.11.9-1.fc42
- rust-astral-tokio-tar-0.6.1-1.fc42
- uv-0.11.9-1.fc42
Update description:
Update uv and python-uv-build to 0.11.9. Update the astral-tokio-tar Rust crate to 0.6.1, fixing security advisories GHSA-xx64-wwv2-hcqq and GHSA-fp55-jw48-c537.