Fedora Security Advisories

python-pendulum-3.2.0-1.fc43

4 hours 10 minutes ago
FEDORA-2026-e55bcd0c54 Packages in this update:
  • python-pendulum-3.2.0-1.fc43
Update description:

Update to 3.2.0 (final). Update PyO3 to 0.29, fixing RUSTSEC-2026-0176 and RUSTSEC-2026-0177.

php-8.4.23-1.fc43

7 hours 28 minutes ago
FEDORA-2026-f4272d87ef Packages in this update:
  • php-8.4.23-1.fc43
Update description:

PHP version 8.4.23 (03 Jul 2026)

Core:

  • Fixed bug GH-22280 (Incorrect compile error for goto to label preceding try/finally block). (Pratik Bhujel)

BCMath:

  • Fixed issues with oversized allocations and signed overflow in bcround() and BcMath\Number::round(). (edorian)

Date:

  • Fix incorrect recurrence check of DatePeriod::createFromISO8601String(). (ndossche)

DOM:

  • Fix GH-22219 (Dom\XMLDocument::schemaValidate fails to resolve xs:QName with prefix from imported schema). (David Carlier)

Exif:

  • Read correct value for single and double tags. (ndossche)

GD:

  • Fixed bug GH-22121 (Double free in gdImageSetStyle() after overflow-triggered early return). (iliaal)
  • Fixed bug GH-19666 (imageconvolution() unexpected nan filter value). (David Carlier)
  • Fixed bug GH-19739 (imageellipse/imagefilledellipse overflow). (David Carlier)
  • Fixed bug GH-19730 (imageaffine overflow). (David Carlier)

Intl:

  • Fix incorrect argument positions for uninitialized calendar arguments in IntlCalendar::equals(), ::before(), ::after(), and ::isEquivalentTo(), and for invalid start/end arguments in transliterator_transliterate(). (Weilin Du)
  • Fixed IntlTimeZone::getDisplayName() to synchronize object error state for invalid display types. (Weilin Du)
  • Fixed Spoofchecker restriction-level APIs to only be exposed with ICU 53 and later. (Graham Campbell)

mysqli:

  • Fix stmt->query leak in mysqli_execute_query() validation errors. (David Carlier)

Opcache:

  • Fixed bug GH-20469 (Unsafe inheritance cache replay with reentrant autoloading). (Levi Morrison)

OpenSSL:

  • Fixed bug GH-22187 (Memory corruption (zend_mm_heap corrupted) in openssl_encrypt with AES-WRAP-PAD). (David Carlier)

Phar:

  • Fixed a bypass of the magic ".phar" directory protection in Phar::addEmptyDir() for paths starting with "/.phar", while allowing non-magic directory names that merely share the ".phar" prefix. (Weilin Du)

Reflection:

  • Preserve class-name case in ReflectionClass::getProperty() error messages and autoloading. (jorgsowa)

Sqlite:

  • Fix error checks for column retrieval. (ndossche)

Zlib:

  • Fixed memory leak if deflate initialization fails and there is a dict. (ndossche)
  • Fixed memory leak in inflate_add(). (ndossche)

php-8.5.8-1.fc44

8 hours 40 minutes ago
FEDORA-2026-ec9cb4652f Packages in this update:
  • php-8.5.8-1.fc44
Update description:

PHP version 8.5.8 (02 Jul 2026)

Core:

  • Fixed bug GH-22280 (Incorrect compile error for goto to label preceding try/finally block). (Pratik Bhujel)
  • Fixed bug GH-22112 (Assertion when error handler throws during NaN to bool/string coercion). (iliaal)

BCMath:

  • Fixed issues with oversized allocations and signed overflow in bcround() and BcMath\Number::round(). (edorian)

Date:

  • Fix incorrect recurrence check of DatePeriod::createFromISO8601String(). (ndossche)

Exif:

  • Read correct value for single and double tags. (ndossche)

GD:

  • Fixed bug GH-22121 (Double free in gdImageSetStyle() after overflow-triggered early return). (iliaal)

Intl:

  • Fix incorrect argument positions for invalid start/end arguments in transliterator_transliterate(). (Weilin Du)
  • Fixed IntlTimeZone::getDisplayName() to synchronize object error state for invalid display types. (Weilin Du)

Lexbor:

  • Merge patch c3a6847. (ilutov, timwolla)

Opcache:

  • Fixed bug GH-22265 (Another tailcall vm_interrupt bug). (Levi Morrison)
  • Fixed bug GH-20469 (Unsafe inheritance cache replay with reentrant autoloading). (Levi Morrison)
  • Fixed bug GH-21972 (Corrupted variable type when a typed by-value return contains a reference wrapper). (Weilin Du)

OpenSSL:

  • Fixed bug GH-22187 (Memory corruption (zend_mm_heap corrupted) in openssl_encrypt with AES-WRAP-PAD). (David Carlier)

Phar:

  • Fixed a bypass of the magic ".phar" directory protection in Phar::addEmptyDir() for paths starting with "/.phar", while allowing non-magic directory names that merely share the ".phar" prefix. (Weilin Du)

Reflection:

  • Preserve class-name case in ReflectionClass::getProperty() error messages and autoloading. (jorgsowa)

SOAP:

  • Fixed bug GH-22218 (SoapServer::handle() crash on $_SERVER not being an array). (David Carlier / Rex-Reynolds)
  • Fixed bug GH-22285 (Soap server requires the raw input to be passed to $server->handle). (David Carlier / ndossche)

Sqlite:

  • Fix error checks for column retrieval. (ndossche)

URI:

  • Add LEXBOR_STATIC to CFLAGS_URI on Windows so ext/uri does not see LXB_API as __declspec(dllimport) when linked statically into PHP. (Luther Monson)
  • Clean error logs before each Uri\WhatWg\Url wither call so that errors from previous wither calls are not returned the next time a UrlValidationError is thrown. (kocsismate)

Zlib:

  • Fixed memory leak if deflate initialization fails and there is a dict. (ndossche)
  • Fixed memory leak in inflate_add(). (ndossche)

perl-CSS-Minifier-XS-0.15-1.fc43

14 hours 53 minutes ago
FEDORA-2026-abc468979d Packages in this update:
  • perl-CSS-Minifier-XS-0.15-1.fc43
Update description:

This package contains the Perl module CSS::Minifier::XS.

Versions of the module before 0.14 have a memory leak when the entire document is minified away (CVE-2026-13593). This update brings version 0.15 which fixes this issue.

perl-CSS-Minifier-XS-0.15-1.fc44

14 hours 53 minutes ago
FEDORA-2026-9f14575d85 Packages in this update:
  • perl-CSS-Minifier-XS-0.15-1.fc44
Update description:

This package contains the Perl module CSS::Minifier::XS.

Versions of the module before 0.14 have a memory leak when the entire document is minified away (CVE-2026-13593). This update brings version 0.15 which fixes this issue.

jq-1.8.2-4.fc45

15 hours 26 minutes ago
FEDORA-2026-b43264dedb Packages in this update:
  • jq-1.8.2-4.fc45
Update description:

Automatic update for jq-1.8.2-4.fc45.

Changelog * Sat Jun 20 2026 Filipe Rosset <filiperosset@fedoraproject.org> - 1.8.2-4 - removed old upstreamed patches * Sat Jun 20 2026 Filipe Rosset <filiperosset@fedoraproject.org> - 1.8.2-3 - opt-in to packit for rawhide * Sat Jun 20 2026 Filipe Rosset <filiperosset@fedoraproject.org> - 1.8.2-2 - simplify .gitignore file * Sat Jun 20 2026 Filipe Rosset <filiperosset@fedoraproject.org> - 1.8.2-1 - update to 1.8.2 fixes rhbz#2458354 rhbz#2477179 rhbz#2477180 rhbz#2477235 rhbz#2477236 rhbz#2477522 rhbz#2477523

python-pendulum-3.2.0-1.fc44

15 hours 56 minutes ago
FEDORA-2026-2559684e58 Packages in this update:
  • python-pendulum-3.2.0-1.fc44
Update description:

Update to 3.2.0 (final). Update PyO3 to 0.29, fixing RUSTSEC-2026-0176 and RUSTSEC-2026-0177.

transmission-4.1.3-1.fc43

21 hours 54 minutes ago
FEDORA-2026-0ed2011b62 Packages in this update:
  • transmission-4.1.3-1.fc43
Update description:

Fixed a CORS bug that leaked the anti-CSRF nonce. (#8938) Fixed a use-after-free bug in peer code. (#8921) Fixed build error when compiling with fmt 12.2.0. (#8942)

Fix qt icon

transmission-4.1.3-1.fc44

21 hours 54 minutes ago
FEDORA-2026-0c067e5040 Packages in this update:
  • transmission-4.1.3-1.fc44
Update description:

Fixed a CORS bug that leaked the anti-CSRF nonce. (#8938) Fixed a use-after-free bug in peer code. (#8921) Fixed build error when compiling with fmt 12.2.0. (#8942)

ipp-usb-0.9.34-2.fc45

22 hours 40 minutes ago
FEDORA-2026-7eaf5e3510 Packages in this update:
  • ipp-usb-0.9.34-2.fc45
Update description:

Automatic update for ipp-usb-0.9.34-2.fc45.

Changelog * Tue Jun 30 2026 Zdenek Dohnal <zdohnal@redhat.com> - 0.9.34-2 - ipp-usb-0.9.34 is available (fedora#2463247, fedora#2484207, fedora#2494316)

python-nh3-0.3.6-1.fc44

1 day 2 hours ago
FEDORA-2026-5ebb12f543 Packages in this update:
  • python-nh3-0.3.6-1.fc44
Update description:

Update to 0.3.6; this includes an update to PyO3 0.29, which fixes RUSTSEC-2026-0176 and RUSTSEC-2026-0177.

Checked
38 minutes ago