Fedora Security Advisories

• vaultwarden-web-2026.4.1-1.el10_2

update to 2026.4.1

• vaultwarden-web-2026.4.1-1.el10_3

update to 2026.4.1

• vaultwarden-web-2026.4.1-1.fc43

update to 2026.4.1

• vaultwarden-web-2026.4.1-1.fc44

update to 2026.4.1

• vaultwarden-web-2026.4.1-1.el9

update to 2026.4.1

• perl-Archive-Tar-3.04-522.fc43

Fixed CVE-2026-42496 - Path traversal via crafted symlinks allows arbitrary file access Backported from 3.08

• php-extras-8.3.31-1.el10_2

PHP version 8.3.31 (07 May 2026)

PDO_Firebird:

• Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179) (SakiTakamachi)

• php-extras-8.3.31-1.el10_3

PHP version 8.3.31 (07 May 2026)

PDO_Firebird:

• Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179) (SakiTakamachi)

• php8.4-extras-8.4.21-1.el10_3

PHP version 8.4.21 (07 May 2026)

PDO_Firebird:

• Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179) (SakiTakamachi)

• php8.4-extras-8.4.21-1.el10_2

PHP version 8.4.21 (07 May 2026)

PDO_Firebird:

• Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179) (SakiTakamachi)

• php-extras-8.0.30-3.el9

Backported from 8.2.31

PDO_Firebird:

• Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179) (SakiTakamachi)

• xmlstarlet-1.6.1-30.fc44

Fixes XML external entity vulnerability. For more information, refer to https://src.fedoraproject.org/rpms/xmlstarlet/pull-request/4.

• xmlstarlet-1.6.1-30.fc43

Fixes XML external entity vulnerability. For more information, refer to https://src.fedoraproject.org/rpms/xmlstarlet/pull-request/4.

• rust-1.96.0-1.fc43

Update to Rust 1.96.0:

• New Range* types
• Assert matching patterns
• Changes to WebAssembly targets
• Stabilized APIs
• Cargo CVE-2026-5222 and CVE-2026-5223 for third-party registries.

See the blog post and release notes for more details.

• rust-1.96.0-1.fc44

Update to Rust 1.96.0:

• New Range* types
• Assert matching patterns
• Changes to WebAssembly targets
• Stabilized APIs
• Cargo CVE-2026-5222 and CVE-2026-5223 for third-party registries.

See the blog post and release notes for more details.

• perl-Sereal-5.006-1.el10_2
• perl-Sereal-Decoder-5.006-1.el10_2
• perl-Sereal-Encoder-5.006-1.el10_2

This update includes a security fix to make sure that COPY tags cannot be used to read past end of the buffer.

• xorg-x11-server-Xwayland-24.1.12-1.fc43

Update to xwayland 24.1.12, Security fixes for: ZDI-CAN-30136, ZDI-CAN-30159, ZDI-CAN-30160, ZDI-CAN-30161, ZDI-CAN-30163, ZDI-CAN-30164, ZDI-CAN-30165, ZDI-CAN-30168

• xorg-x11-server-21.1.23-1.fc43

Update to xserver 21.1.23, Security fixes for: ZDI-CAN-30136, ZDI-CAN-30159, ZDI-CAN-30160, ZDI-CAN-30161, ZDI-CAN-30163, ZDI-CAN-30164, ZDI-CAN-30165, ZDI-CAN-30168

• xorg-x11-server-21.1.23-1.fc44

Update to xserver 21.1.23, security fixes for: ZDI-CAN-30136, ZDI-CAN-30159, ZDI-CAN-30160, ZDI-CAN-30161, ZDI-CAN-30163, ZDI-CAN-30164, ZDI-CAN-30165, ZDI-CAN-30168

• xorg-x11-server-Xwayland-24.1.12-1.fc44

Update to xwayland 24.1.12, security fixes for ZDI-CAN-30136, ZDI-CAN-30159, ZDI-CAN-30160, ZDI-CAN-30161, ZDI-CAN-30163, ZDI-CAN-30164, ZDI-CAN-30165, ZDI-CAN-30168