Fedora Security Advisories

systemd-261~rc3-1.fc45

1 hour 54 minutes ago
FEDORA-2026-4280f7beb8 Packages in this update:
  • systemd-261~rc3-1.fc45
Update description:

Automatic update for systemd-261~rc3-1.fc45.

Changelog * Thu Jun 4 2026 Zbigniew Jędrzejewski-Szmek <zbyszek@amutable.com> - 261~rc3-1 - Version 261~rc3 - Various smaller and larger fixes - A hint is emitted if init is called with the legacy telinit args (rhbz#2479961) - Various messages for missing dlopened libraries have been downgraded (rhbz#2463540)

python-python-multipart-0.0.31-1.el10_2

5 hours 7 minutes ago
FEDORA-EPEL-2026-4dc7d2c6bb Packages in this update:
  • python-python-multipart-0.0.31-1.el10_2
Update description:

Update to 0.0.31 upstream release

0.34.0 — 2026-05-29 Added
  • get_snapshot_value() now accepts a which parameter ("new" or "old") to select whether to return the new (just-compared) or the old (previously stored) snapshot value
Fixed
  • Example.run_pytest: deterministic test order by using -p no:ranodmly

python-python-multipart-0.0.31-1.el10_3

5 hours 15 minutes ago
FEDORA-EPEL-2026-63f4d4a3b2 Packages in this update:
  • python-python-multipart-0.0.31-1.el10_3
Update description:

Update to 0.0.31 upstream release

0.34.0 — 2026-05-29 Added
  • get_snapshot_value() now accepts a which parameter ("new" or "old") to select whether to return the new (just-compared) or the old (previously stored) snapshot value
Fixed
  • Example.run_pytest: deterministic test order by using -p no:ranodmly

python-python-multipart-0.0.31-1.fc43

5 hours 25 minutes ago
FEDORA-2026-4d81c2ff49 Packages in this update:
  • python-python-multipart-0.0.31-1.fc43
Update description:

Update to 0.0.31 upstream release

0.34.0 — 2026-05-29 Added
  • get_snapshot_value() now accepts a which parameter ("new" or "old") to select whether to return the new (just-compared) or the old (previously stored) snapshot value
Fixed
  • Example.run_pytest: deterministic test order by using -p no:ranodmly

python-python-multipart-0.0.31-1.fc44

5 hours 53 minutes ago
FEDORA-2026-c7869a8216 Packages in this update:
  • python-python-multipart-0.0.31-1.fc44
Update description:

Update to 0.0.31 upstream release

0.34.0 — 2026-05-29 Added
  • get_snapshot_value() now accepts a which parameter ("new" or "old") to select whether to return the new (just-compared) or the old (previously stored) snapshot value
Fixed
  • Example.run_pytest: deterministic test order by using -p no:ranodmly

webkitgtk-2.52.4-1.fc44

6 hours ago
FEDORA-2026-a63aad0224 Packages in this update:
  • webkitgtk-2.52.4-1.fc44
Update description:
  • Add support for half-width fonts.
  • Improve content filter compilation by avoiding file copies.
  • Improve handling of out of disk space conditions when the NetworkProcess tried to write data in caches.
  • Fix painting scrollbars when their width changes.
  • Fix playback of certain YouTube videos with low frame rates.
  • Fix webkit://gpu not working in systems where neither libGL.so.1 nor libOpenGL.so.0 are available.
  • Fix several crashes and rendering issues.
  • Security fixes: CVE-2026-28847, CVE-2026-28883, CVE-2026-28901, CVE-2026-28902, CVE-2026-28903, CVE-2026-28904, CVE-2026-28905, CVE-2026-28907, CVE-2026-28942, CVE-2026-28946, CVE-2026-28947, CVE-2026-28953, CVE-2026-28955, CVE-2026-28958, CVE-2026-43658, CVE-2026-43660

webkitgtk-2.52.4-1.fc43

6 hours ago
FEDORA-2026-1557aaef26 Packages in this update:
  • webkitgtk-2.52.4-1.fc43
Update description:
  • Add support for half-width fonts.
  • Improve content filter compilation by avoiding file copies.
  • Improve handling of out of disk space conditions when the NetworkProcess tried to write data in caches.
  • Fix painting scrollbars when their width changes.
  • Fix playback of certain YouTube videos with low frame rates.
  • Fix webkit://gpu not working in systems where neither libGL.so.1 nor libOpenGL.so.0 are available.
  • Fix several crashes and rendering issues.
  • Security fixes: CVE-2026-28847, CVE-2026-28883, CVE-2026-28901, CVE-2026-28902, CVE-2026-28903, CVE-2026-28904, CVE-2026-28905, CVE-2026-28907, CVE-2026-28942, CVE-2026-28946, CVE-2026-28947, CVE-2026-28953, CVE-2026-28955, CVE-2026-28958, CVE-2026-43658, CVE-2026-43660

composer-2.10.1-1.fc43

9 hours 28 minutes ago
FEDORA-2026-4308b5fc39 Packages in this update:
  • composer-2.10.1-1.fc43
Update description: Version 2.10.1 - 2026-06-04
  • Security: Fixed shell escaping when opening an editor (#12903)
  • Security: Verify backup phar signature before restoring it when using self-update --rollback (#12918)
  • Fixed source-fallback also disabling fallbacks to dist install when source is the preferred install method (#12888)
  • Fixed source -> dist package updates wiping the .git dir without checking for local changes first (#12912)
  • Fixed GitHub token prompt happening multiple times on parallel auth failures (#12913)
  • Fixed warnings from Composer repositories being printed twice in some cases (#12907)
Version 2.10.0

Read the Composer 2.10 Release Announcement for more details on the release highlights.

Full Changelog

  • BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this talk to us as we plan to remove it entirely in 2.11 (#12885)
  • BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the audit (#12881)
  • Security: Added dependency policies to block package versions where malware was detected on update/install or report it with audit (#12786)
  • Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
  • Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#12884)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77)
  • Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
  • Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)
  • Added --strict-psr-autoloader flag to install and update commands (#12647)
  • Added source-fallback config option to disable or enable source fallback on download failure (#12698)
  • Added --require parameter to create-project to add new packages to the project as it gets installed (#12738)
  • Optimized plugin autoloading by avoiding regenerating classmaps for every package per plugin (#12696)
  • Optimized PoolOptimizer memory usage (#12783)
  • Optimized classmap dumping performance
  • Deprecated most of the audit config in favor of the new policy one (#12804, see #12786 for the RFC and upgrade docs)
  • Fixed update --bump-after-update to only bump packages that actually were updated (#12733)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
  • Fixed warning being shown when lock file is disabled (#12760)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed audit command returning a success code when the vendor dir was not present (#12880)

composer-2.10.1-1.el9

9 hours 28 minutes ago
FEDORA-EPEL-2026-5497484804 Packages in this update:
  • composer-2.10.1-1.el9
Update description: Version 2.10.1 - 2026-06-04
  • Security: Fixed shell escaping when opening an editor (#12903)
  • Security: Verify backup phar signature before restoring it when using self-update --rollback (#12918)
  • Fixed source-fallback also disabling fallbacks to dist install when source is the preferred install method (#12888)
  • Fixed source -> dist package updates wiping the .git dir without checking for local changes first (#12912)
  • Fixed GitHub token prompt happening multiple times on parallel auth failures (#12913)
  • Fixed warnings from Composer repositories being printed twice in some cases (#12907)
Version 2.10.0

Read the Composer 2.10 Release Announcement for more details on the release highlights.

Full Changelog

  • BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this talk to us as we plan to remove it entirely in 2.11 (#12885)
  • BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the audit (#12881)
  • Security: Added dependency policies to block package versions where malware was detected on update/install or report it with audit (#12786)
  • Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
  • Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#12884)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77)
  • Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
  • Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)
  • Added --strict-psr-autoloader flag to install and update commands (#12647)
  • Added source-fallback config option to disable or enable source fallback on download failure (#12698)
  • Added --require parameter to create-project to add new packages to the project as it gets installed (#12738)
  • Optimized plugin autoloading by avoiding regenerating classmaps for every package per plugin (#12696)
  • Optimized PoolOptimizer memory usage (#12783)
  • Optimized classmap dumping performance
  • Deprecated most of the audit config in favor of the new policy one (#12804, see #12786 for the RFC and upgrade docs)
  • Fixed update --bump-after-update to only bump packages that actually were updated (#12733)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
  • Fixed warning being shown when lock file is disabled (#12760)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed audit command returning a success code when the vendor dir was not present (#12880)

composer-2.10.1-1.el10_2

9 hours 28 minutes ago
FEDORA-EPEL-2026-15368435dd Packages in this update:
  • composer-2.10.1-1.el10_2
Update description: Version 2.10.1 - 2026-06-04
  • Security: Fixed shell escaping when opening an editor (#12903)
  • Security: Verify backup phar signature before restoring it when using self-update --rollback (#12918)
  • Fixed source-fallback also disabling fallbacks to dist install when source is the preferred install method (#12888)
  • Fixed source -> dist package updates wiping the .git dir without checking for local changes first (#12912)
  • Fixed GitHub token prompt happening multiple times on parallel auth failures (#12913)
  • Fixed warnings from Composer repositories being printed twice in some cases (#12907)
Version 2.10.0

Read the Composer 2.10 Release Announcement for more details on the release highlights.

Full Changelog

  • BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this talk to us as we plan to remove it entirely in 2.11 (#12885)
  • BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the audit (#12881)
  • Security: Added dependency policies to block package versions where malware was detected on update/install or report it with audit (#12786)
  • Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
  • Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#12884)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77)
  • Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
  • Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)
  • Added --strict-psr-autoloader flag to install and update commands (#12647)
  • Added source-fallback config option to disable or enable source fallback on download failure (#12698)
  • Added --require parameter to create-project to add new packages to the project as it gets installed (#12738)
  • Optimized plugin autoloading by avoiding regenerating classmaps for every package per plugin (#12696)
  • Optimized PoolOptimizer memory usage (#12783)
  • Optimized classmap dumping performance
  • Deprecated most of the audit config in favor of the new policy one (#12804, see #12786 for the RFC and upgrade docs)
  • Fixed update --bump-after-update to only bump packages that actually were updated (#12733)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
  • Fixed warning being shown when lock file is disabled (#12760)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed audit command returning a success code when the vendor dir was not present (#12880)

composer-2.10.1-1.el10_3

9 hours 28 minutes ago
FEDORA-EPEL-2026-30ff6c2325 Packages in this update:
  • composer-2.10.1-1.el10_3
Update description: Version 2.10.1 - 2026-06-04
  • Security: Fixed shell escaping when opening an editor (#12903)
  • Security: Verify backup phar signature before restoring it when using self-update --rollback (#12918)
  • Fixed source-fallback also disabling fallbacks to dist install when source is the preferred install method (#12888)
  • Fixed source -> dist package updates wiping the .git dir without checking for local changes first (#12912)
  • Fixed GitHub token prompt happening multiple times on parallel auth failures (#12913)
  • Fixed warnings from Composer repositories being printed twice in some cases (#12907)
Version 2.10.0

Read the Composer 2.10 Release Announcement for more details on the release highlights.

Full Changelog

  • BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this talk to us as we plan to remove it entirely in 2.11 (#12885)
  • BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the audit (#12881)
  • Security: Added dependency policies to block package versions where malware was detected on update/install or report it with audit (#12786)
  • Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
  • Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#12884)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77)
  • Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
  • Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)
  • Added --strict-psr-autoloader flag to install and update commands (#12647)
  • Added source-fallback config option to disable or enable source fallback on download failure (#12698)
  • Added --require parameter to create-project to add new packages to the project as it gets installed (#12738)
  • Optimized plugin autoloading by avoiding regenerating classmaps for every package per plugin (#12696)
  • Optimized PoolOptimizer memory usage (#12783)
  • Optimized classmap dumping performance
  • Deprecated most of the audit config in favor of the new policy one (#12804, see #12786 for the RFC and upgrade docs)
  • Fixed update --bump-after-update to only bump packages that actually were updated (#12733)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
  • Fixed warning being shown when lock file is disabled (#12760)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed audit command returning a success code when the vendor dir was not present (#12880)

composer-2.10.1-1.fc44

9 hours 28 minutes ago
FEDORA-2026-9b34a78e81 Packages in this update:
  • composer-2.10.1-1.fc44
Update description: Version 2.10.1 - 2026-06-04
  • Security: Fixed shell escaping when opening an editor (#12903)
  • Security: Verify backup phar signature before restoring it when using self-update --rollback (#12918)
  • Fixed source-fallback also disabling fallbacks to dist install when source is the preferred install method (#12888)
  • Fixed source -> dist package updates wiping the .git dir without checking for local changes first (#12912)
  • Fixed GitHub token prompt happening multiple times on parallel auth failures (#12913)
  • Fixed warnings from Composer repositories being printed twice in some cases (#12907)
Version 2.10.0

Read the Composer 2.10 Release Announcement for more details on the release highlights.

Full Changelog

  • BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this talk to us as we plan to remove it entirely in 2.11 (#12885)
  • BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the audit (#12881)
  • Security: Added dependency policies to block package versions where malware was detected on update/install or report it with audit (#12786)
  • Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
  • Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#12884)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77)
  • Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
  • Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)
  • Added --strict-psr-autoloader flag to install and update commands (#12647)
  • Added source-fallback config option to disable or enable source fallback on download failure (#12698)
  • Added --require parameter to create-project to add new packages to the project as it gets installed (#12738)
  • Optimized plugin autoloading by avoiding regenerating classmaps for every package per plugin (#12696)
  • Optimized PoolOptimizer memory usage (#12783)
  • Optimized classmap dumping performance
  • Deprecated most of the audit config in favor of the new policy one (#12804, see #12786 for the RFC and upgrade docs)
  • Fixed update --bump-after-update to only bump packages that actually were updated (#12733)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
  • Fixed warning being shown when lock file is disabled (#12760)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed audit command returning a success code when the vendor dir was not present (#12880)

libinput-1.31.3-1.fc44

10 hours 43 minutes ago
FEDORA-2026-5e2446b30f Packages in this update:
  • libinput-1.31.3-1.fc44
Update description:

libinput 1.31.3, fixes a udev property inject via uinput devices that can lead to local privilege escalation

weasyprint-69.0-1.fc43

12 hours 10 minutes ago
FEDORA-2026-2080c5c036 Packages in this update:
  • weasyprint-69.0-1.fc43
Update description:

New upstream version which also includes a security update (CVE-2026-49452).

weasyprint-69.0-1.fc44

12 hours 10 minutes ago
FEDORA-2026-6525541bb8 Packages in this update:
  • weasyprint-69.0-1.fc44
Update description:

New upstream version which also includes a security update (CVE-2026-49452).

Checked
7 minutes 8 seconds ago