Fedora Security Advisories

FEDORA-2026-c6c01a71f2 Packages in this update:

• maturin-1.9.6-5.fc45
• python-fastar-0.9.0-2.fc45
• python-uv-build-0.10.12-1.fc45
• rust-astral-tokio-tar-0.6.0-1.fc45
• rust-tar-0.4.45-1.fc45
• uv-0.10.12-1.fc45

Update description:

Update rust-astral-tokio-tar to 0.6.0, fixing CVE-2026-32766. Update rust-tar to 0.4.45 to 0.4.45, fixing CVE-2026-33056. Update uv and python-uv-build to [0.10.2](https://github.com/astral-sh/uv/blob/0.10.12/CHANGELOG.md, rebuilding them with the latest rust-astral-tokio-tar and rust-tar. Rebuild python-fastar and maturin with the latest rust-tar.

FEDORA-EPEL-2026-db92dee64a Packages in this update:

• rust-tar-0.4.45-1.el10_1

Update description:

Update rust-tar to 0.4.45, fixing CVE-2026-33056.

FEDORA-2026-85a7950dd4 Packages in this update:

• pypy3.11-7.3.21-3.3.11.fc43

Update description:

Fix jit backend for ppc64le and s390x

FEDORA-2026-8199b7452a Packages in this update:

• pypy3.11-7.3.21-3.3.11.fc44

Update description:

Fix jit backend for ppc64le and s390x

FEDORA-2026-ab51ea3744 Packages in this update:

• pypy3.11-7.3.21-3.3.11.fc45

Update description:

Automatic update for pypy3.11-7.3.21-3.3.11.fc45.

Changelog * Thu Mar 19 2026 Charalampos Stratakis <cstratak@redhat.com> - 7.3.21-2 - Fix CVE-2025-56005 via removing no-longer used bundled ply - Fixes: rhbz#2431978 * Thu Mar 19 2026 Charalampos Stratakis <cstratak@redhat.com> - 7.3.21-1 - Update to 7.3.21 - Fixes: rhbz#2447285

FEDORA-2026-98502d7938 Packages in this update:

• pypy3.10-7.3.19-11.3.10.fc43

Update description:

Security fix for CVE-2025-56005 for the bundled ply within the bundled pycparser

FEDORA-2026-55dd4da86b Packages in this update:

• pypy3.10-7.3.19-11.3.10.fc44

Update description:

Security fix for CVE-2025-56005 for the bundled ply within the bundled pycparser

FEDORA-2026-6c4a7cd1b1 Packages in this update:

• pypy-7.3.21-3.fc43

Update description:

Fix jit backend for ppc64le and s390x

FEDORA-2026-496bf1e0dd Packages in this update:

• pypy-7.3.21-3.fc44

Update description:

Fix jit backend for ppc64le and s390x

FEDORA-2026-06635fd623 Packages in this update:

• pypy3.10-7.3.19-11.3.10.fc45

Update description:

Automatic update for pypy3.10-7.3.19-11.3.10.fc45.

Changelog * Thu Mar 19 2026 Charalampos Stratakis <cstratak@redhat.com> - 7.3.19-11 - Security fix for CVE-2025-56005 for the bundled ply within the bundled pycparser - Fixes: rhbz#2431977

FEDORA-2026-7585365ba3 Packages in this update:

• pypy-7.3.21-3.fc45

Update description:

Automatic update for pypy-7.3.21-3.fc45.

Changelog * Thu Mar 19 2026 Charalampos Stratakis <cstratak@redhat.com> - 7.3.21-2 - Security fix for CVE-2025-56005 for the bundled ply within the bundled pycparser - Fixes: rhbz#2431976 * Thu Mar 19 2026 Charalampos Stratakis <cstratak@redhat.com> - 7.3.21-1 - Update to 7.3.21 - Fixes: rhbz#2447284

FEDORA-EPEL-2026-37ef30e238 Packages in this update:

• python-ujson-5.8.0-2.el9

Update description:

Backport fixes for CVE-2026-32874 and CVE-2026-32875

FEDORA-2026-8c07fcde49 Packages in this update:

• rubygem-json-2.13.2-2.fc43

Update description:

This new updates backports a fix for a format string injection vulnerability in JSON.parse, which is now assigned as CVE-2026-33210

FEDORA-EPEL-2026-74a1834691 Packages in this update:

• bcftools-1.23.1-1.el8
• htslib-1.23.1-1.el8
• samtools-1.23.1-1.el8

Update description:

Update to 1.23.1

FEDORA-EPEL-2026-52be5354a0 Packages in this update:

• perl-YAML-Syck-1.37-1.el9

Update description:

YAML::Syck versions up to and including 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailing newlines. strtok mutated n->type_id in place, corrupting shared node data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return.

FEDORA-EPEL-2026-de60bba45b Packages in this update:

• perl-YAML-Syck-1.37-1.el10_2

Update description:

YAML::Syck versions up to and including 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailing newlines. strtok mutated n->type_id in place, corrupting shared node data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return.

FEDORA-EPEL-2026-e7f8f46758 Packages in this update:

• perl-YAML-Syck-1.37-1.el10_3

Update description:

YAML::Syck versions up to and including 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailing newlines. strtok mutated n->type_id in place, corrupting shared node data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return.

FEDORA-2026-3572f7e01c Packages in this update:

• perl-YAML-Syck-1.37-1.fc43

Update description:

YAML::Syck versions up to and including 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailing newlines. strtok mutated n->type_id in place, corrupting shared node data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return.

FEDORA-2026-a8d89d8ae2 Packages in this update:

• perl-YAML-Syck-1.37-1.fc44

Update description:

YAML::Syck versions up to and including 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailing newlines. strtok mutated n->type_id in place, corrupting shared node data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return.

FEDORA-2026-d226775800 Packages in this update:

• perl-YAML-Syck-1.37-1.fc42

Update description:

YAML::Syck versions up to and including 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailing newlines. strtok mutated n->type_id in place, corrupting shared node data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return.