Fedora Security Advisories

composer-2.9.7-1.el10_3

48 minutes 20 seconds ago
FEDORA-EPEL-2026-de8ec2aa2e
Packages in this update:
  • composer-2.9.7-1.el10_3
Update description:
Version 2.9.7 - 2026-04-14
  • Fixes regression calling custom script command aliases whose names are a substring of a composer command (#12802)
Version 2.9.6 - 2026-04-14
  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

composer-2.9.7-1.el9

48 minutes 20 seconds ago
FEDORA-EPEL-2026-a47812ee6c
Packages in this update:
  • composer-2.9.7-1.el9
Update description:
Version 2.9.7 - 2026-04-14
  • Fixes regression calling custom script command aliases whose names are a substring of a composer command (#12802)
Version 2.9.6 - 2026-04-14
  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

composer-2.9.7-1.fc44

48 minutes 20 seconds ago
FEDORA-2026-1140c02041
Packages in this update:
  • composer-2.9.7-1.fc44
Update description:
Version 2.9.7 - 2026-04-14
  • Fixes regression calling custom script command aliases whose names are a substring of a composer command (#12802)
Version 2.9.6 - 2026-04-14
  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

composer-2.9.7-1.el10_2

48 minutes 21 seconds ago
FEDORA-EPEL-2026-7babf884c7
Packages in this update:
  • composer-2.9.7-1.el10_2
Update description:
Version 2.9.7 - 2026-04-14
  • Fixes regression calling custom script command aliases whose names are a substring of a composer command (#12802)
Version 2.9.6 - 2026-04-14
  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

composer-2.9.7-1.fc42

48 minutes 21 seconds ago
FEDORA-2026-d91f313a63
Packages in this update:
  • composer-2.9.7-1.fc42
Update description:
Version 2.9.7 - 2026-04-14
  • Fixes regression calling custom script command aliases whose names are a substring of a composer command (#12802)
Version 2.9.6 - 2026-04-14
  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

composer-2.9.7-1.fc43

48 minutes 21 seconds ago
FEDORA-2026-02c1f66b6a
Packages in this update:
  • composer-2.9.7-1.fc43
Update description:
Version 2.9.7 - 2026-04-14
  • Fixes regression calling custom script command aliases whose names are a substring of a composer command (#12802)
Version 2.9.6 - 2026-04-14
  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

composer-2.9.7-1.el10_1

48 minutes 22 seconds ago
FEDORA-EPEL-2026-e7a666ddb5
Packages in this update:
  • composer-2.9.7-1.el10_1
Update description:
Version 2.9.7 - 2026-04-14
  • Fixes regression calling custom script command aliases whose names are a substring of a composer command (#12802)
Version 2.9.6 - 2026-04-14
  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

pgadmin4-9.14-3.fc44

4 hours 19 minutes ago
FEDORA-2026-34c2bf6df4
Packages in this update:
  • pgadmin4-9.14-3.fc44
Update description:

Update axios to 1.15.0, fixes CVE-2026-40175 and CVE-2025-62718.

Update to pgadmin4-9.14.

pgadmin4-9.14-3.fc43

4 hours 19 minutes ago
FEDORA-2026-e9ecdd44c4
Packages in this update:
  • pgadmin4-9.14-3.fc43
Update description:

Update axios to 1.15.0, fixes CVE-2026-40175 and CVE-2025-62718.

Update to pgadmin4-9.14.

pgadmin4-9.14-3.fc42

4 hours 19 minutes ago
FEDORA-2026-b4633cbe23
Packages in this update:
  • pgadmin4-9.14-3.fc42
Update description:

Update axios to 1.15.0, fixes CVE-2026-40175 and CVE-2025-62718.

Update to pgadmin4-9.14.

curl-8.15.0-6.fc43

7 hours 31 minutes ago
FEDORA-2026-66db242036
Packages in this update:
  • curl-8.15.0-6.fc43
Update description:
  • Fix bad reuse of HTTP Negotiate connection (CVE-2026-1965)
  • Fix token leak with redirect and netrc (CVE-2026-3783)
  • Fix wrong proxy connection reuse with credentials (CVE-2026-3784)
  • Fix use after free in SMB connection reuse (CVE-2026-3805)

asterisk-18.26.4-1.el9

2 days 2 hours ago
FEDORA-EPEL-2026-d5cc2324a0
Packages in this update:
  • asterisk-18.26.4-1.el9
Update description:

Update to Asterisk 18.26.4, addressing numerous security vulnerabilities accumulated since the long-stale 18.12.1 package. The following CVEs are fixed in this update:

  • CVE-2022-26498 (fixed in 18.13.0): use-after-free in chan_ooh323
  • CVE-2022-42705 (fixed in 18.15.0): use-after-free in res_pjsip_pubsub
  • CVE-2022-37325 (fixed in 18.15.1): crash in H323 channel via malformed IE
  • CVE-2023-37457 (fixed in 18.20.0): buffer overflow in PJSIP_HEADER function
  • CVE-2023-49294 (fixed in 18.20.1): arbitrary file read via AMI GetConfig
  • CVE-2023-49786 (fixed in 18.20.1): DTLS race condition causing DoS
  • CVE-2024-35190 (fixed in 18.23.1): unauthorized SIP requests matched as endpoint
  • CVE-2024-42365 (fixed in 18.24.2): Write=originate allows code execution
  • CVE-2024-42491 (fixed in 18.25.0): crash via malformed Contact/Record-Route URI
  • CVE-2025-49832 (fixed in 18.26.3): DoS/RCE in res_stir_shaken
  • CVE-2025-47779 (fixed in 18.26.2): identity forging via malformed From header
  • CVE-2025-1131 (fixed in 18.26.3): local privilege escalation via safe_asterisk
  • CVE-2025-54995 (fixed in 18.26.4): resource exhaustion via RTP port leak

asterisk-18.26.4-1.el8

2 days 2 hours ago
FEDORA-EPEL-2026-f2281acb03
Packages in this update:
  • asterisk-18.26.4-1.el8
Update description:

Update to Asterisk 18.26.4, addressing numerous security vulnerabilities accumulated since the long-stale 18.12.1 package. The following CVEs are fixed in this update:

  • CVE-2022-26498 (fixed in 18.13.0): use-after-free in chan_ooh323
  • CVE-2022-42705 (fixed in 18.15.0): use-after-free in res_pjsip_pubsub
  • CVE-2022-37325 (fixed in 18.15.1): crash in H323 channel via malformed IE
  • CVE-2023-37457 (fixed in 18.20.0): buffer overflow in PJSIP_HEADER function
  • CVE-2023-49294 (fixed in 18.20.1): arbitrary file read via AMI GetConfig
  • CVE-2023-49786 (fixed in 18.20.1): DTLS race condition causing DoS
  • CVE-2024-35190 (fixed in 18.23.1): unauthorized SIP requests matched as endpoint
  • CVE-2024-42365 (fixed in 18.24.2): Write=originate allows code execution
  • CVE-2024-42491 (fixed in 18.25.0): crash via malformed Contact/Record-Route URI
  • CVE-2025-49832 (fixed in 18.26.3): DoS/RCE in res_stir_shaken
  • CVE-2025-47779 (fixed in 18.26.2): identity forging via malformed From header
  • CVE-2025-1131 (fixed in 18.26.3): local privilege escalation via safe_asterisk
  • CVE-2025-54995 (fixed in 18.26.4): resource exhaustion via RTP port leak