Fedora Security Advisories

FEDORA-2026-dafdad8fd3 Packages in this update:

• perl-Crypt-Argon2-0.031-1.fc44
• perl-Dist-Build-0.028-1.fc44
• perl-ExtUtils-Builder-0.020-1.fc44
• perl-ExtUtils-Builder-Compiler-0.036-1.fc44

Update description:

Update to 0.031 #2477035 #2481131 fixes CVE-2026-8463

FEDORA-2026-5d15cef372 Packages in this update:

• perl-Crypt-Argon2-0.031-1.fc45
• perl-Dist-Build-0.028-1.fc45
• perl-ExtUtils-Builder-0.020-1.fc45
• perl-ExtUtils-Builder-Compiler-0.036-1.fc45

Update description:

Update perl-Crypt-Argon2 to 0.031 #2477035 #2481131 fixes CVE-2026-8463

FEDORA-2026-e5d5fc359d Packages in this update:

• pie-1.4.5-1.fc44

Update description: Version 1.4.5

This release contains vulnerability fixes for the following security advisories:

• GHSA-h842-vjwg-pxxx - Sudo-elevated arbitrary file deletion via extra.pie-installed-binary metadata in UninstallUsingUnlink
• GHSA-pm6p-666q-hvj5 - Sudo-elevated root code execution via TOCTOU between self-update verify and write
• GHSA-f67f-c344-cqqr - PIE self-update accepts any historically-attested pie.phar (rollback gap)
• GHSA-vcv4-gmjc-mxvq - php-ext.build-path traversal escapes PIE's vendor extract directory
• GHSA-8xmh-xrvp-hwrf - WindowsInstall::copyExtraFile lacks destination containment check (Windows-only path traversal)
• GHSA-p4j8-36rr-gjfq - Self-update attestation verification is scoped to --owner=php, not --repo=php/pie

FEDORA-EPEL-2026-4114f4323c Packages in this update:

• pie-1.4.5-1.el10_2

Update description: Version 1.4.5

This release contains vulnerability fixes for the following security advisories:

• GHSA-h842-vjwg-pxxx - Sudo-elevated arbitrary file deletion via extra.pie-installed-binary metadata in UninstallUsingUnlink
• GHSA-pm6p-666q-hvj5 - Sudo-elevated root code execution via TOCTOU between self-update verify and write
• GHSA-f67f-c344-cqqr - PIE self-update accepts any historically-attested pie.phar (rollback gap)
• GHSA-vcv4-gmjc-mxvq - php-ext.build-path traversal escapes PIE's vendor extract directory
• GHSA-8xmh-xrvp-hwrf - WindowsInstall::copyExtraFile lacks destination containment check (Windows-only path traversal)
• GHSA-p4j8-36rr-gjfq - Self-update attestation verification is scoped to --owner=php, not --repo=php/pie

FEDORA-EPEL-2026-e9a72cc7ed Packages in this update:

• pie-1.4.5-1.el10_3

Update description: Version 1.4.5

This release contains vulnerability fixes for the following security advisories:

• GHSA-h842-vjwg-pxxx - Sudo-elevated arbitrary file deletion via extra.pie-installed-binary metadata in UninstallUsingUnlink
• GHSA-pm6p-666q-hvj5 - Sudo-elevated root code execution via TOCTOU between self-update verify and write
• GHSA-f67f-c344-cqqr - PIE self-update accepts any historically-attested pie.phar (rollback gap)
• GHSA-vcv4-gmjc-mxvq - php-ext.build-path traversal escapes PIE's vendor extract directory
• GHSA-8xmh-xrvp-hwrf - WindowsInstall::copyExtraFile lacks destination containment check (Windows-only path traversal)
• GHSA-p4j8-36rr-gjfq - Self-update attestation verification is scoped to --owner=php, not --repo=php/pie

FEDORA-2026-b2fe14ec86 Packages in this update:

• pie-1.4.5-1.fc43

Update description: Version 1.4.5

This release contains vulnerability fixes for the following security advisories:

• GHSA-h842-vjwg-pxxx - Sudo-elevated arbitrary file deletion via extra.pie-installed-binary metadata in UninstallUsingUnlink
• GHSA-pm6p-666q-hvj5 - Sudo-elevated root code execution via TOCTOU between self-update verify and write
• GHSA-f67f-c344-cqqr - PIE self-update accepts any historically-attested pie.phar (rollback gap)
• GHSA-vcv4-gmjc-mxvq - php-ext.build-path traversal escapes PIE's vendor extract directory
• GHSA-8xmh-xrvp-hwrf - WindowsInstall::copyExtraFile lacks destination containment check (Windows-only path traversal)
• GHSA-p4j8-36rr-gjfq - Self-update attestation verification is scoped to --owner=php, not --repo=php/pie

FEDORA-2026-1151ae6bdf Packages in this update:

• libcaca-0.99-0.83.beta20.fc45

Update description:

Automatic update for libcaca-0.99-0.83.beta20.fc45.

Changelog * Tue May 26 2026 Xavier Bachelot <xavier@bachelot.org> - 0.99-0.83.beta20 - Fix CVE-2026-42046 (RHBZ#2475408)

FEDORA-2026-3e75b379d4 Packages in this update:

• jpegxl-0.11.2-1.fc43

Update description:

Update to version 0.11.2. Resolves CVE-2025-12474 and CVE-2026-1837.

Release notes: https://github.com/libjxl/libjxl/releases/tag/v0.11.2

FEDORA-2026-aa2e960a9f Packages in this update:

• jpegxl-0.11.2-1.fc44

Update description:

Update to version 0.11.2. Resolves CVE-2025-12474 and CVE-2026-1837.

Release notes: https://github.com/libjxl/libjxl/releases/tag/v0.11.2

FEDORA-2026-a109a9ac2c Packages in this update:

• libpng-1.6.58-1.fc43

Update description:

• updated to 1.6.58
• 1.6.58 is released with a fix for a simple correctness bug (not a security issue) this time: png_get_PLTE() returns stale palette data when either gamma correction or alpha-compositing is the only transform applied. Like the issues addressed in the previous release, this bug was a regression introduced in the fix for CVE-2026-33416 in 1.6.56.
• 1.6.57 is released with fixes for the following security vulnerability:
• CVE-2026-34757 (medium severity): Use-after-free memory bug in the chunk setter API. The hIST variant has existed since version 1.0.9, but the PLTE and tRNS ones are regressions introduced in the fix for CVE-2026-33416 in 1.6.56 (oops).

FEDORA-2026-9a678a08c8 Packages in this update:

• libpng-1.6.58-1.fc42

Update description:

• updated to 1.6.58
• 1.6.58 is released with a fix for a simple correctness bug (not a security issue) this time: png_get_PLTE() returns stale palette data when either gamma correction or alpha-compositing is the only transform applied. Like the issues addressed in the previous release, this bug was a regression introduced in the fix for CVE-2026-33416 in 1.6.56.
• 1.6.57 is released with fixes for the following security vulnerability:
• CVE-2026-34757 (medium severity): Use-after-free memory bug in the chunk setter API. The hIST variant has existed since version 1.0.9, but the PLTE and tRNS ones are regressions introduced in the fix for CVE-2026-33416 in 1.6.56 (oops).

FEDORA-2026-67c1138ed2 Packages in this update:

• libpng-1.6.58-1.fc44

Update description:

• updated to 1.6.58
• 1.6.58 is released with a fix for a simple correctness bug (not a security issue) this time: png_get_PLTE() returns stale palette data when either gamma correction or alpha-compositing is the only transform applied. Like the issues addressed in the previous release, this bug was a regression introduced in the fix for CVE-2026-33416 in 1.6.56.
• 1.6.57 is released with fixes for the following security vulnerability:
• CVE-2026-34757 (medium severity): Use-after-free memory bug in the chunk setter API. The hIST variant has existed since version 1.0.9, but the PLTE and tRNS ones are regressions introduced in the fix for CVE-2026-33416 in 1.6.56 (oops).

FEDORA-EPEL-2026-05f02b89ad Packages in this update:

• roundcubemail-1.6.16-1.el10_3

Update description: Release 1.6.16

• Fix potential too long value in IMAP ID command (#10136)
• Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
• Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">
• Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass
• Security: Fix SSRF bypass via specific local address URLs
• Security: Fix bypass of remote image blocking via CSS var()
• Security: Fix local/private URL fetch bypass when remote resources were not allowed
• Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
• Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option

FEDORA-2026-07ee097ffe Packages in this update:

• roundcubemail-1.6.16-1.fc43

Update description: Release 1.6.16

• Fix potential too long value in IMAP ID command (#10136)
• Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
• Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">
• Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass
• Security: Fix SSRF bypass via specific local address URLs
• Security: Fix bypass of remote image blocking via CSS var()
• Security: Fix local/private URL fetch bypass when remote resources were not allowed
• Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
• Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option

FEDORA-EPEL-2026-aa33047e8e Packages in this update:

• roundcubemail-1.6.16-1.el10_2

Update description: Release 1.6.16

• Fix potential too long value in IMAP ID command (#10136)
• Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
• Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">
• Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass
• Security: Fix SSRF bypass via specific local address URLs
• Security: Fix bypass of remote image blocking via CSS var()
• Security: Fix local/private URL fetch bypass when remote resources were not allowed
• Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
• Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option

FEDORA-2026-75b5ddf8c3 Packages in this update:

• vim-9.2.530-1.fc43

Update description:

keep GTK4 in rawhide for now

switch to GTK4 for GVim

Fix CVE-2026-46483

FEDORA-2026-f3e466ea26 Packages in this update:

• bind-9.18.49-1.fc42
• bind-dyndb-ldap-11.11-12.fc42

Update description: Update to 9.18.49 (rhbz#2480121) Security Fixes:

• Limit resolver server list size. (CVE-2026-3592)
• Fix GSS-API resource leak. (CVE-2026-3039)
• Disable recursion, UPDATE, and NOTIFY for non-IN views. (CVE-2026-5946)
• Avoid unbounded recursion loop. (CVE-2026-5950)
• Fix outgoing zone transfers' quota issue.

Feature Changes:

• Fix CPU spikes and slow queries when cache approaches memory limit.

Bug Fixes:

• Fix named crash when processing SIG records in dynamic updates.
• Fix rndc modzone behavior for a zone in named.conf.
• Fix zone verification of NSEC3 signed zones.
• Prevent a crash when using both dns64 and filter-aaaa.
• Fixed an assertion failure when processing catalog zones.
• Prevent malicious DNSSEC zones from exhausting validator CPU.
• Fix rndc-confgen aborting on HMAC-SHA-384/512 keys above 512 bits.
• Prevent crafted queries from degrading RRL performance.
• Fix a bug in allow-query/allow-transfer catalog zone custom properties.
• Fix a memory leak issue in catalog zones.
• Fix suppressed missing-glue check in named-checkzone.
• Reject record sets too large to serve in DNS.

Source: https://downloads.isc.org/isc/bind9/9.18.49/doc/arm/html/notes.html#notes-for-bind-9-18-49

FEDORA-EPEL-2026-7158896891 Packages in this update:

• python-wsgidav-4.3.4-1.el10_3

Update description: 4.3.4 / 2026-05-24

• Resolve security advisory CVE-2026-48099

FEDORA-2026-7d942b469f Packages in this update:

• python-wsgidav-4.3.4-1.fc43

Update description: 4.3.4 / 2026-05-24

• Resolve security advisory CVE-2026-48099

FEDORA-2026-b2212b4742 Packages in this update:

• python-wsgidav-4.3.4-1.fc44

Update description: 4.3.4 / 2026-05-24

• Resolve security advisory CVE-2026-48099