Fedora Security Advisories

composer-2.9.8-1.el10_1

2 hours 3 minutes ago
FEDORA-EPEL-2026-f239ba40fc Packages in this update:
  • composer-2.9.8-1.el10_1
Update description: Version 2.9.8 - 2026-05-13
  • Security: Fixed GitHub token validation and disclosure (GHSA-f9f8-rm49-7jv2)

composer-2.9.8-1.el9

2 hours 3 minutes ago
FEDORA-EPEL-2026-ef81a8e1b5 Packages in this update:
  • composer-2.9.8-1.el9
Update description: Version 2.9.8 - 2026-05-13
  • Security: Fixed GitHub token validation and disclosure (GHSA-f9f8-rm49-7jv2)

composer-2.9.8-1.el10_2

2 hours 3 minutes ago
FEDORA-EPEL-2026-5a6471f6df Packages in this update:
  • composer-2.9.8-1.el10_2
Update description: Version 2.9.8 - 2026-05-13
  • Security: Fixed GitHub token validation and disclosure (GHSA-f9f8-rm49-7jv2)

composer-2.9.8-1.fc44

2 hours 3 minutes ago
FEDORA-2026-bd05cb6c4d Packages in this update:
  • composer-2.9.8-1.fc44
Update description: Version 2.9.8 - 2026-05-13
  • Security: Fixed GitHub token validation and disclosure (GHSA-f9f8-rm49-7jv2)

composer-2.9.8-1.el10_3

2 hours 3 minutes ago
FEDORA-EPEL-2026-644aa1991e Packages in this update:
  • composer-2.9.8-1.el10_3
Update description: Version 2.9.8 - 2026-05-13
  • Security: Fixed GitHub token validation and disclosure (GHSA-f9f8-rm49-7jv2)

composer-2.9.8-1.fc43

2 hours 3 minutes ago
FEDORA-2026-3e8172bbdb Packages in this update:
  • composer-2.9.8-1.fc43
Update description: Version 2.9.8 - 2026-05-13
  • Security: Fixed GitHub token validation and disclosure (GHSA-f9f8-rm49-7jv2)

python-django5-5.2.14-1.fc42

13 hours 18 minutes ago
FEDORA-2026-b9548393aa Packages in this update:
  • python-django5-5.2.14-1.fc42
Update description:
  • Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass
  • Fixes CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
  • Fixes CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware
  • Fixes CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
  • Fixes CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin
  • Fixes CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable
  • Fixes CVE-2026-33033: Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload
  • Fixes CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass
  • Fixes CVE-2026-25674: Potential incorrect permissions on newly created file system objects

strongswan-6.0.6-3.fc43

13 hours 41 minutes ago
FEDORA-2026-43e98c9972 Packages in this update:
  • strongswan-6.0.6-3.fc43
Update description:

Fixes CVE-2026-25075, CVE-2026-35328, CVE-2026-35329, CVE-2026-35330, CVE-2026-35331, CVE-2026-35332, CVE-2026-35333, CVE-2026-35334

Update to address CVE-2025-9615 and CVE-2025-62291

python-django5-5.2.14-1.fc44

13 hours 52 minutes ago
FEDORA-2026-9b7a6474a1 Packages in this update:
  • python-django5-5.2.14-1.fc44
Update description:
  • Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass
  • Fixes CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
  • Fixes CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware
  • Fixes CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
  • Fixes CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin
  • Fixes CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable
  • Fixes CVE-2026-33033: Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload
  • Fixes CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass
  • Fixes CVE-2026-25674: Potential incorrect permissions on newly created file system objects

python-django5-5.2.14-1.fc43

13 hours 52 minutes ago
FEDORA-2026-4d1404fc5d Packages in this update:
  • python-django5-5.2.14-1.fc43
Update description:
  • Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass
  • Fixes CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
  • Fixes CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware
  • Fixes CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
  • Fixes CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin
  • Fixes CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable
  • Fixes CVE-2026-33033: Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload
  • Fixes CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass
  • Fixes CVE-2026-25674: Potential incorrect permissions on newly created file system objects

strongswan-6.0.6-2.fc44

13 hours 57 minutes ago
FEDORA-2026-cc6fcd3a58 Packages in this update:
  • strongswan-6.0.6-2.fc44
Update description:

Fixes CVE-2026-25075, CVE-2026-35328, CVE-2026-35329, CVE-2026-35330, CVE-2026-35331, CVE-2026-35332, CVE-2026-35333, CVE-2026-35334

python-django6-6.0.5-1.fc44

14 hours 41 minutes ago
FEDORA-2026-de6e24ae07 Packages in this update:
  • python-django6-6.0.5-1.fc44
Update description:
  • Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass
  • Fixes CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
  • Fixes CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware
  • Fixes CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
  • Fixes CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin
  • Fixes CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable
  • Fixes CVE-2026-33033: Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload
  • Fixes CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass
  • Fixes CVE-2026-25674: Potential incorrect permissions on newly created file system objects

mysql8.0-8.0.46-1.fc44

19 hours 14 minutes ago
FEDORA-2026-1704f705ab Packages in this update:
  • mysql8.0-8.0.46-1.fc44
Update description:

MySQL 8.0.46

Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-46.html

Known issue: s390x-specific issue - zlib with DFLTCC compressed pages with low KEY_BLOCK_SIZE values can cause ER_TOO_BIG_ROWSIZE errors in tables near the column count and their size limits.

EOL notice: As of April 2026, with version 8.0.46, MySQL 8.0 reached End of Life (EoL).

mysql8.0-8.0.46-1.fc43

19 hours 14 minutes ago
FEDORA-2026-0c462e5676 Packages in this update:
  • mysql8.0-8.0.46-1.fc43
Update description:

MySQL 8.0.46

Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-46.html

Known issue: s390x-specific issue - zlib with DFLTCC compressed pages with low KEY_BLOCK_SIZE values can cause ER_TOO_BIG_ROWSIZE errors in tables near the column count and their size limits.

EOL notice: As of April 2026, with version 8.0.46, MySQL 8.0 reached End of Life (EoL).

mysql8.0-8.0.46-1.fc42

19 hours 14 minutes ago
FEDORA-2026-b78d5204fe Packages in this update:
  • mysql8.0-8.0.46-1.fc42
Update description:

MySQL 8.0.46

Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-46.html

Known issue: s390x-specific issue - zlib with DFLTCC compressed pages with low KEY_BLOCK_SIZE values can cause ER_TOO_BIG_ROWSIZE errors in tables near the column count and their size limits.

EOL notice: As of April 2026, with version 8.0.46, MySQL 8.0 reached End of Life (EoL).

proftpd-1.3.6e-10.el8

19 hours 30 minutes ago
FEDORA-EPEL-2026-f4f7a26f7a Packages in this update:
  • proftpd-1.3.6e-10.el8
Update description:

This update contains an updated mod_wrap2_sql that addresses a potential SQL injection issue when a client with a maliciously constructed reverse DNS record connects (CVE-2026-44331). Note that mod_wrap2_sql is not enabled by default, and the issue can only occur if UseReverseDNS is enabled, which is also off by default.
