Fedora Security Advisories

FEDORA-2025-b712778148 Packages in this update:

• salt-3007.5-2.fc41

Update description:

Contains fixes for regressions introduced during CVE bugfix update (3007.4).

FEDORA-2025-c903306aee Packages in this update:

• salt-3007.5-2.fc42

Update description:

Contains fixes for regressions introduced during CVE bugfix update (3007.4).

FEDORA-2025-e286662e59 Packages in this update:

• mingw-djvulibre-3.5.29-1.fc42

Update description:

Update to 3.5.29, fixes CVE-2025-53367.

FEDORA-2025-0f35c5dbbb Packages in this update:

• mingw-djvulibre-3.5.29-1.fc41

Update description:

Update to 3.5.29, fixes CVE-2025-53367.

FEDORA-2025-47916db6c7 Packages in this update:

• mingw-python-requests-2.32.4-1.fc41

Update description:

Update to 2.32.4. Fixes CVE-2024-47081.

FEDORA-2025-5ea2b69c03 Packages in this update:

• mingw-python-requests-2.32.4-1.fc42

Update description:

Update to 2.32.4. Fixes CVE-2024-47081.

FEDORA-2025-29c6186ffb Packages in this update:

• sudo-1.9.17-2.p1.fc41

Update description:

Rebase to sudo 1.9.17p1

• sudo-1_9_16p2 is available. Resolves: rhbz#2309626
• sudo: LPE via host option. Resolves: CVE-2025-32462
• Properly apply system buildflags.
• Use new build macros, drop unneeded %defattr.

FEDORA-2025-44c3b13554 Packages in this update:

• sudo-1.9.17-2.p1.fc42

Update description:

Rebase to sudo 1.9.17p1

• sudo-1_9_16p2 is available. Resolves: rhbz#2309626
• sudo: LPE via host option. Resolves: CVE-2025-32462
• Properly apply system buildflags.
• Use new build macros, drop unneeded %defattr.

FEDORA-2025-266a1353a1 Packages in this update:

• python3.6-3.6.15-47.fc42

Update description:

Security fixes for CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, CVE-2024-12718, CVE-2025-4435

FEDORA-2025-a8abfbb35c Packages in this update:

• python3.6-3.6.15-47.fc41

Update description:

Security fixes for CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, CVE-2024-12718, CVE-2025-4435

FEDORA-2025-c4c8863fd7 Packages in this update:

• ov-0.42.1-1.fc43

Update description:

Automatic update for ov-0.42.1-1.fc43.

Changelog * Fri Jul 4 2025 Mikel Olasagasti Uranga <mikel@olasagasti.info> - 0.42.1-1 - Update to 0.42.1 and go-vendor-tools. Closes rhbz#2348375 rhbz#2352321

FEDORA-2025-c05ae72339 Packages in this update:

• chromium-138.0.7204.92-1.fc41

Update description:

Update to 138.0.7204.92

* High CVE-2025-6554: Type Confusion in V8

FEDORA-2025-87af8315ff Packages in this update:

• chromium-138.0.7204.92-1.fc42

Update description:

Update to 138.0.7204.92

* High CVE-2025-6554: Type Confusion in V8

FEDORA-EPEL-2025-4a1990d54d Packages in this update:

• chromium-138.0.7204.92-1.el9

Update description:

Update to 138.0.7204.92

* High CVE-2025-6554: Type Confusion in V8

FEDORA-EPEL-2025-739b3d89c8 Packages in this update:

• chromium-138.0.7204.92-1.el10_1

Update description:

Update to 138.0.7204.92

* High CVE-2025-6554: Type Confusion in V8

FEDORA-2025-dda04d7a84 Packages in this update:

• selenium-manager-4.34.0-2.fc41

Update description:

Update to version 4.34.0

FEDORA-2025-89abd49c4a Packages in this update:

• selenium-manager-4.34.0-2.fc42

Update description:

Update to version 4.34.0

FEDORA-2025-da047483d8 Packages in this update:

• php-8.3.23-1.fc41

Update description:

PHP version 8.3.23 (03 Jul 2025)

Core:

• Fixed GH-18695 (zend_ast_export() - float number is not preserved). (Oleg Efimov)
• Do not delete main chunk in zend_gc. (danog, Arnaud)
• Fix compile issues with zend_alloc and some non-default options. (nielsdos)

Curl:

• Fix memory leak when setting a list via curl_setopt fails. (nielsdos)
• Fix incorrect OpenSSL version detection. (Peter Kokot)

Date:

• Fix leaks with multiple calls to DatePeriod iterator current(). (nielsdos)

FPM:

• Fixed GH-18662 (fpm_get_status segfault). (txuna)

Hash:

• Fixed bug GH-14551 (PGO build fails with xxhash). (nielsdos)

Intl:

• Fix memory leak in intl_datetime_decompose() on failure. (nielsdos)
• Fix memory leak in locale lookup on failure. (nielsdos)

ODBC:

• Fix memory leak on php_odbc_fetch_hash() failure. (nielsdos)

Opcache:

• Fixed bug GH-18743 (Incompatibility in Inline TLS Assembly on Alpine 3.22). (nielsdos, Arnaud)

OpenSSL:

• Fix memory leak of X509_STORE in php_openssl_setup_verify() on failure. (nielsdos)
• Fixed bug php#74796 (Requests through http proxy set peer name). (Jakub Zelenka)

PGSQL:

• Fixed GHSA-hrwm-9436-5mv3 (pgsql extension does not check for errors during escaping). (CVE-2025-1735) (Jakub Zelenka)

Phar:

• Add missing filter cleanups on phar failure. (nielsdos)
• Fixed bug GH-18642 (Signed integer overflow in ext/phar fseek). (nielsdos)

PHPDBG:

• Fix 'phpdbg --help' segfault on shutdown with USE_ZEND_ALLOC=0. (nielsdos)

PDO ODBC:

• Fix memory leak if WideCharToMultiByte() fails. (nielsdos)

PGSQL:

• Fix warning not being emitted when failure to cancel a query with pg_cancel_query(). (Girgias)

Random:

• Fix reference type confusion and leak in user random engine. (nielsdos, timwolla)

Readline:

• Fix memory leak when calloc() fails in php_readline_completion_cb(). (nielsdos)

SOAP:

• Fix memory leaks in php_http.c when call_user_function() fails. (nielsdos)
• Fixed GHSA-453j-q27h-5p8x (NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix). (CVE-2025-6491) (Lekssays, nielsdos)

Standard:

• Fixed GHSA-3cr5-j632-f35r (Null byte termination in hostnames). (CVE-2025-1220) (Jakub Zelenka)

Tidy:

• Fix memory leak in tidy output handler on error. (nielsdos)
• Fix tidyOptIsReadonly deprecation, using tidyOptGetCategory. (David Carlier)

FEDORA-2025-2c344545bf Packages in this update:

• php-8.4.10-1.fc42

Update description:

PHP version 8.4.10 (03 Jul 2025)

BcMath:

• Fixed bug GH-18641 (Accessing a BcMath\Number property by ref crashes). (nielsdos)

Core:

• Fixed bugs GH-17711 and GH-18022 (Infinite recursion on deprecated attribute evaluation) and GH-18464 (Recursion protection for deprecation constants not released on bailout). (DanielEScherzer and ilutov)
• Fixed GH-18695 (zend_ast_export() - float number is not preserved). (Oleg Efimov)
• Fix handling of references in zval_try_get_long(). (nielsdos)
• Do not delete main chunk in zend_gc. (danog, Arnaud)
• Fix compile issues with zend_alloc and some non-default options. (nielsdos)

Curl:

• Fix memory leak when setting a list via curl_setopt fails. (nielsdos)

Date:

• Fix leaks with multiple calls to DatePeriod iterator current(). (nielsdos)

DOM:

• Fixed bug GH-18744 (classList works not correctly if copy HTMLElement by clone keyword). (nielsdos)

FPM:

• Fixed GH-18662 (fpm_get_status segfault). (txuna)

Hash:

• Fixed bug GH-14551 (PGO build fails with xxhash). (nielsdos)

Intl:

• Fix memory leak in intl_datetime_decompose() on failure. (nielsdos)
• Fix memory leak in locale lookup on failure. (nielsdos)

Opcache:

• Fixed bug GH-18743 (Incompatibility in Inline TLS Assembly on Alpine 3.22). (nielsdos, Arnaud)

ODBC:

• Fix memory leak on php_odbc_fetch_hash() failure. (nielsdos)

OpenSSL:

• Fix memory leak of X509_STORE in php_openssl_setup_verify() on failure. (nielsdos)
• Fixed bug php#74796 (Requests through http proxy set peer name). (Jakub Zelenka)

PGSQL:

• Fixed GHSA-hrwm-9436-5mv3 (pgsql extension does not check for errors during escaping). (CVE-2025-1735) (Jakub Zelenka)

PDO ODBC:

• Fix memory leak if WideCharToMultiByte() fails. (nielsdos)

PDO Sqlite:

• Fixed memory leak with Pdo_Sqlite::createCollation when the callback has an incorrect return type. (David Carlier)

Phar:

• Add missing filter cleanups on phar failure. (nielsdos)
• Fixed bug GH-18642 (Signed integer overflow in ext/phar fseek). (nielsdos)

PHPDBG:

• Fix 'phpdbg --help' segfault on shutdown with USE_ZEND_ALLOC=0. (nielsdos)

PGSQL:

• Fix warning not being emitted when failure to cancel a query with pg_cancel_query(). (Girgias)

Random:

• Fix reference type confusion and leak in user random engine. (nielsdos, timwolla)

Readline:

• Fix memory leak when calloc() fails in php_readline_completion_cb(). (nielsdos)

SimpleXML:

• Fixed bug GH-18597 (Heap-buffer-overflow in zend_alloc.c when assigning string with UTF-8 bytes). (nielsdos)

SOAP:

• Fix memory leaks in php_http.c when call_user_function() fails. (nielsdos)
• Fixed GHSA-453j-q27h-5p8x (NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix). (CVE-2025-6491) (Lekssays, nielsdos)

Standard:

• Fixed GHSA-3cr5-j632-f35r (Null byte termination in hostnames). (CVE-2025-1220) (Jakub Zelenka)

Tidy:

• Fix memory leak in tidy output handler on error. (nielsdos)
• Fix tidyOptIsReadonly deprecation, using tidyOptGetCategory. (David Carlier)

FEDORA-2025-90442d9001 Packages in this update:

• doctl-1.132.0-1.fc43

Update description:

Automatic update for doctl-1.132.0-1.fc43.

Changelog * Thu Jul 3 2025 Mikel Olasagasti Uranga <mikel@olasagasti.info> - 1.132.0-1 - Update to 1.320.0 - Closes rhbz#2335930 rhbz#2340087 rhbz#2350817 rhbz#2352159 * Wed Feb 26 2025 Maxwell G <maxwell@gtmx.me> - 1.122.0-1 - Update to 1.122.0 (rhbz#2335930). Vendor dependencies. * Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.120.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild