Fedora Security Advisories

7zip-26.02-1.el9

54 minutes 1 second ago
FEDORA-EPEL-2026-f9c4dcd003 Packages in this update:
  • 7zip-26.02-1.el9
Update description:

7-zip 26.02

  • Some bugs and vulnerabilities were fixed.

kernel-7.0.14-201.fc44

3 hours 50 minutes ago
FEDORA-2026-7ae597d1d2 Packages in this update:
  • kernel-7.0.14-201.fc44
Update description:

The 7.0.14-101/201 kernel builds contain a fix for an unprivileged container / jail escape. This has not been assigned a CVE number yet, but a POC is in the wild.

The 7.0.14 stable kernel update contains a number of important fixes across the tree.

kernel-7.0.14-101.fc43

3 hours 52 minutes ago
FEDORA-2026-35e2185559 Packages in this update:
  • kernel-7.0.14-101.fc43
Update description:

The 7.0.14-101/201 kernel builds contain a fix for an unprivileged container / jail escape. This has not been assigned a CVE number yet, but a POC is in the wild.

The 7.0.14 stable kernel update contains a number of important fixes across the tree.

nmap-7.92-11.fc45

6 hours 10 minutes ago
FEDORA-2026-0245fd9f84 Packages in this update:
  • nmap-7.92-11.fc45
Update description:

Automatic update for nmap-7.92-11.fc45.

Changelog * Tue Jun 30 2026 Martin Osvald <mosvald@redhat.com> - 4:7.92-11 - Fix CVE-2026-58058 (rhbz#2494410)

python-pendulum-3.2.0-1.fc43

9 hours 46 minutes ago
FEDORA-2026-e55bcd0c54 Packages in this update:
  • python-pendulum-3.2.0-1.fc43
Update description:

Update to 3.2.0 (final). Update PyO3 to 0.29, fixing RUSTSEC-2026-0176 and RUSTSEC-2026-0177.

php-8.4.23-1.fc43

13 hours 4 minutes ago
FEDORA-2026-f4272d87ef Packages in this update:
  • php-8.4.23-1.fc43
Update description:

PHP version 8.4.23 (03 Jul 2026)

Core:

  • Fixed bug GH-22280 (Incorrect compile error for goto to label preceding try/finally block). (Pratik Bhujel)

BCMath:

  • Fixed issues with oversized allocations and signed overflow in bcround() and BcMath\Number::round(). (edorian)

Date:

  • Fix incorrect recurrence check of DatePeriod::createFromISO8601String(). (ndossche)

DOM:

  • Fix GH-22219 (Dom\XMLDocument::schemaValidate fails to resolve xs:QName with prefix from imported schema). (David Carlier)

Exif:

  • Read correct value for single and double tags. (ndossche)

GD:

  • Fixed bug GH-22121 (Double free in gdImageSetStyle() after overflow-triggered early return). (iliaal)
  • Fixed bug GH-19666 (imageconvolution() unexpected nan filter value). (David Carlier)
  • Fixed bug GH-19739 (imageellipse/imagefilledellipse overflow). (David Carlier)
  • Fixed bug GH-19730 (imageaffine overflow). (David Carlier)

Intl:

  • Fix incorrect argument positions for uninitialized calendar arguments in IntlCalendar::equals(), ::before(), ::after(), and ::isEquivalentTo(), and for invalid start/end arguments in transliterator_transliterate(). (Weilin Du)
  • Fixed IntlTimeZone::getDisplayName() to synchronize object error state for invalid display types. (Weilin Du)
  • Fixed Spoofchecker restriction-level APIs to only be exposed with ICU 53 and later. (Graham Campbell)

mysqli:

  • Fix stmt->query leak in mysqli_execute_query() validation errors. (David Carlier)

Opcache:

  • Fixed bug GH-20469 (Unsafe inheritance cache replay with reentrant autoloading). (Levi Morrison)

OpenSSL:

  • Fixed bug GH-22187 (Memory corruption (zend_mm_heap corrupted) in openssl_encrypt with AES-WRAP-PAD). (David Carlier)

Phar:

  • Fixed a bypass of the magic ".phar" directory protection in Phar::addEmptyDir() for paths starting with "/.phar", while allowing non-magic directory names that merely share the ".phar" prefix. (Weilin Du)

Reflection:

  • Preserve class-name case in ReflectionClass::getProperty() error messages and autoloading. (jorgsowa)

Sqlite:

  • Fix error checks for column retrieval. (ndossche)

Zlib:

  • Fixed memory leak if deflate initialization fails and there is a dict. (ndossche)
  • Fixed memory leak in inflate_add(). (ndossche)

php-8.5.8-1.fc44

14 hours 16 minutes ago
FEDORA-2026-ec9cb4652f Packages in this update:
  • php-8.5.8-1.fc44
Update description:

PHP version 8.5.8 (02 Jul 2026)

Core:

  • Fixed bug GH-22280 (Incorrect compile error for goto to label preceding try/finally block). (Pratik Bhujel)
  • Fixed bug GH-22112 (Assertion when error handler throws during NaN to bool/string coercion). (iliaal)

BCMath:

  • Fixed issues with oversized allocations and signed overflow in bcround() and BcMath\Number::round(). (edorian)

Date:

  • Fix incorrect recurrence check of DatePeriod::createFromISO8601String(). (ndossche)

Exif:

  • Read correct value for single and double tags. (ndossche)

GD:

  • Fixed bug GH-22121 (Double free in gdImageSetStyle() after overflow-triggered early return). (iliaal)

Intl:

  • Fix incorrect argument positions for invalid start/end arguments in transliterator_transliterate(). (Weilin Du)
  • Fixed IntlTimeZone::getDisplayName() to synchronize object error state for invalid display types. (Weilin Du)

Lexbor:

  • Merge patch c3a6847. (ilutov, timwolla)

Opcache:

  • Fixed bug GH-22265 (Another tailcall vm_interrupt bug). (Levi Morrison)
  • Fixed bug GH-20469 (Unsafe inheritance cache replay with reentrant autoloading). (Levi Morrison)
  • Fixed bug GH-21972 (Corrupted variable type when a typed by-value return contains a reference wrapper). (Weilin Du)

OpenSSL:

  • Fixed bug GH-22187 (Memory corruption (zend_mm_heap corrupted) in openssl_encrypt with AES-WRAP-PAD). (David Carlier)

Phar:

  • Fixed a bypass of the magic ".phar" directory protection in Phar::addEmptyDir() for paths starting with "/.phar", while allowing non-magic directory names that merely share the ".phar" prefix. (Weilin Du)

Reflection:

  • Preserve class-name case in ReflectionClass::getProperty() error messages and autoloading. (jorgsowa)

SOAP:

  • Fixed bug GH-22218 (SoapServer::handle() crash on $_SERVER not being an array). (David Carlier / Rex-Reynolds)
  • Fixed bug GH-22285 (Soap server requires the raw input to be passed to $server->handle). (David Carlier / ndossche)

Sqlite:

  • Fix error checks for column retrieval. (ndossche)

URI:

  • Add LEXBOR_STATIC to CFLAGS_URI on Windows so ext/uri does not see LXB_API as __declspec(dllimport) when linked statically into PHP. (Luther Monson)
  • Clean error logs before each Uri\WhatWg\Url wither call so that errors from previous wither calls are not returned the next time a UrlValidationError is thrown. (kocsismate)

Zlib:

  • Fixed memory leak if deflate initialization fails and there is a dict. (ndossche)
  • Fixed memory leak in inflate_add(). (ndossche)

perl-CSS-Minifier-XS-0.15-1.fc43

20 hours 29 minutes ago
FEDORA-2026-abc468979d Packages in this update:
  • perl-CSS-Minifier-XS-0.15-1.fc43
Update description:

This package contains the Perl module CSS::Minifier::XS.

Versions of the module before 0.14 have a memory leak when the entire document is minified away (CVE-2026-13593). This update brings version 0.15 which fixes this issue.

perl-CSS-Minifier-XS-0.15-1.fc44

20 hours 29 minutes ago
FEDORA-2026-9f14575d85 Packages in this update:
  • perl-CSS-Minifier-XS-0.15-1.fc44
Update description:

This package contains the Perl module CSS::Minifier::XS.

Versions of the module before 0.14 have a memory leak when the entire document is minified away (CVE-2026-13593). This update brings version 0.15 which fixes this issue.

jq-1.8.2-4.fc45

21 hours 2 minutes ago
FEDORA-2026-b43264dedb Packages in this update:
  • jq-1.8.2-4.fc45
Update description:

Automatic update for jq-1.8.2-4.fc45.

Changelog * Sat Jun 20 2026 Filipe Rosset <filiperosset@fedoraproject.org> - 1.8.2-4 - removed old upstreamed patches * Sat Jun 20 2026 Filipe Rosset <filiperosset@fedoraproject.org> - 1.8.2-3 - opt-in to packit for rawhide * Sat Jun 20 2026 Filipe Rosset <filiperosset@fedoraproject.org> - 1.8.2-2 - simplify .gitignore file * Sat Jun 20 2026 Filipe Rosset <filiperosset@fedoraproject.org> - 1.8.2-1 - update to 1.8.2 fixes rhbz#2458354 rhbz#2477179 rhbz#2477180 rhbz#2477235 rhbz#2477236 rhbz#2477522 rhbz#2477523

python-pendulum-3.2.0-1.fc44

21 hours 32 minutes ago
FEDORA-2026-2559684e58 Packages in this update:
  • python-pendulum-3.2.0-1.fc44
Update description:

Update to 3.2.0 (final). Update PyO3 to 0.29, fixing RUSTSEC-2026-0176 and RUSTSEC-2026-0177.

transmission-4.1.3-1.fc43

1 day 3 hours ago
FEDORA-2026-0ed2011b62 Packages in this update:
  • transmission-4.1.3-1.fc43
Update description:

Fixed a CORS bug that leaked the anti-CSRF nonce. (#8938) Fixed a use-after-free bug in peer code. (#8921) Fixed build error when compiling with fmt 12.2.0. (#8942)

Fix qt icon

Checked
12 minutes 2 seconds ago