Fedora Security Advisories

docker-buildkit-0.26.3-1.fc42

Fedora Security Advisories
27 minutes 41 seconds ago
FEDORA-2025-9cf9edf688 Packages in this update:
  • docker-buildkit-0.26.3-1.fc42
Update description:
  • Update to release v0.26.3
  • Resolves CVE-2024-25621: rhbz#2419004, rhbz#2419033, rhbz#2419427
  • Upstream fix

docker-buildkit-0.26.3-1.fc43

Fedora Security Advisories
38 minutes 35 seconds ago
FEDORA-2025-94f9b9b1b1 Packages in this update:
  • docker-buildkit-0.26.3-1.fc43
Update description:
  • Update to release v0.26.3
  • Resolves CVE-2024-25621: rhbz#2419004, rhbz#2419033, rhbz#2419427
  • Upstream fix

docker-buildkit-0.26.3-1.fc44

Fedora Security Advisories
50 minutes 58 seconds ago
FEDORA-2025-e0f9ab8bc7 Packages in this update:
  • docker-buildkit-0.26.3-1.fc44
Update description:

Automatic update for docker-buildkit-0.26.3-1.fc44.

Changelog * Tue Dec 16 2025 Bradley G Smith <bradley.g.smith@gmail.com> - 0.26.3-1 - Update to release v0.26.3 - Resolves CVE-2024-25621: rhbz#2419004, rhbz#2419033, rhbz#2419427 - Upstream fix

php-8.4.16-1.fc42

Fedora Security Advisories
10 hours 41 minutes ago
FEDORA-2025-ce8a4096e7 Packages in this update:
  • php-8.4.16-1.fc42
Update description:

PHP version 8.4.16 (18 Dec 2025)

Core:

  • Sync all boost.context files with release 1.86.0. (mvorisek)
  • Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument passing to variadic parameter). (ndossche)
  • Fixed bug GH-20286 (use-after-destroy during userland stream_close()). (ndossche, David Carlier)

Bz2:

  • Fix assertion failures resulting in crashes with stream filter object parameters. (ndossche)

Date:

  • Fix crashes when trying to instantiate uninstantiable classes via date static constructors. (ndossche)

DOM:

  • Fix memory leak when edge case is hit when registering xpath callback. (ndossche)
  • Fixed bug GH-20395 (querySelector and querySelectorAll requires elements in $selectors to be lowercase). (ndossche)
  • Fix missing NUL byte check on C14NFile(). (ndossche)

Fibers:

  • Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI small value). (David Carlier)

FTP:

  • Fixed bug GH-20601 (ftp_connect overflow on timeout). (David Carlier)

GD:

  • Fixed bug GH-20511 (imagegammacorrect out of range input/output values). (David Carlier)
  • Fixed bug GH-20602 (imagescale overflow with large height values). (David Carlier)

Intl:

  • Fixed bug GH-20426 (Spoofchecker::setRestrictionLevel() error message suggests missing constants). (DanielEScherzer)

LibXML:

  • Fix some deprecations on newer libxml versions regarding input buffer/parser handling. (ndossche)

MbString:

  • Fixed bug GH-20491 (SLES15 compile error with mbstring oniguruma). (ndossche)
  • Fixed bug GH-20492 (mbstring compile warning due to non-strings). (ndossche)

MySQLnd:

  • Fixed bug GH-20528 (Regression breaks mysql connexion using an IPv6 address enclosed in square brackets). (Remi)

Opcache:

  • Fixed bug GH-20329 (opcache.file_cache broken with full interned string buffer). (Arnaud)

PDO:

Phar:

  • Fixed bug GH-20442 (Phar does not respect case-insensitiveness of __halt_compiler() when reading stub). (ndossche, TimWolla)
  • Fix broken return value of fflush() for phar file entries. (ndossche)
  • Fix assertion failure when fseeking a phar file out of bounds. (ndossche)

PHPDBG:

  • Fixed ZPP type violation in phpdbg_get_executable() and phpdbg_end_oplog(). (Girgias)

SPL:

  • Fixed bug GH-20614 (SplFixedArray incorrectly handles references in deserialization). (ndossche)

Standard:

  • Fix memory leak in array_diff() with custom type checks. (ndossche)
  • Fixed bug GH-20583 (Stack overflow in http_build_query via deep structures). (ndossche)
  • Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()). (ndossche)
  • Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). (CVE-2025-14178) (ndossche)
  • Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). (CVE-2025-14177) (ndossche)

Tidy:

  • Fixed bug GH-20374 (PHP with tidy and custom-tags). (ndossche)

XML:

  • Fixed bug GH-20439 (xml_set_default_handler() does not properly handle special characters in attributes when passing data to callback). (ndossche)

Zlib:

  • Fix assertion failures resulting in crashes with stream filter object parameters. (ndossche)

php-8.4.16-1.fc43

Fedora Security Advisories
10 hours 41 minutes ago
FEDORA-2025-7e9290d67f Packages in this update:
  • php-8.4.16-1.fc43
Update description:

PHP version 8.4.16 (18 Dec 2025)

Core:

  • Sync all boost.context files with release 1.86.0. (mvorisek)
  • Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument passing to variadic parameter). (ndossche)
  • Fixed bug GH-20286 (use-after-destroy during userland stream_close()). (ndossche, David Carlier)

Bz2:

  • Fix assertion failures resulting in crashes with stream filter object parameters. (ndossche)

Date:

  • Fix crashes when trying to instantiate uninstantiable classes via date static constructors. (ndossche)

DOM:

  • Fix memory leak when edge case is hit when registering xpath callback. (ndossche)
  • Fixed bug GH-20395 (querySelector and querySelectorAll requires elements in $selectors to be lowercase). (ndossche)
  • Fix missing NUL byte check on C14NFile(). (ndossche)

Fibers:

  • Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI small value). (David Carlier)

FTP:

  • Fixed bug GH-20601 (ftp_connect overflow on timeout). (David Carlier)

GD:

  • Fixed bug GH-20511 (imagegammacorrect out of range input/output values). (David Carlier)
  • Fixed bug GH-20602 (imagescale overflow with large height values). (David Carlier)

Intl:

  • Fixed bug GH-20426 (Spoofchecker::setRestrictionLevel() error message suggests missing constants). (DanielEScherzer)

LibXML:

  • Fix some deprecations on newer libxml versions regarding input buffer/parser handling. (ndossche)

MbString:

  • Fixed bug GH-20491 (SLES15 compile error with mbstring oniguruma). (ndossche)
  • Fixed bug GH-20492 (mbstring compile warning due to non-strings). (ndossche)

MySQLnd:

  • Fixed bug GH-20528 (Regression breaks mysql connexion using an IPv6 address enclosed in square brackets). (Remi)

Opcache:

  • Fixed bug GH-20329 (opcache.file_cache broken with full interned string buffer). (Arnaud)

PDO:

Phar:

  • Fixed bug GH-20442 (Phar does not respect case-insensitiveness of __halt_compiler() when reading stub). (ndossche, TimWolla)
  • Fix broken return value of fflush() for phar file entries. (ndossche)
  • Fix assertion failure when fseeking a phar file out of bounds. (ndossche)

PHPDBG:

  • Fixed ZPP type violation in phpdbg_get_executable() and phpdbg_end_oplog(). (Girgias)

SPL:

  • Fixed bug GH-20614 (SplFixedArray incorrectly handles references in deserialization). (ndossche)

Standard:

  • Fix memory leak in array_diff() with custom type checks. (ndossche)
  • Fixed bug GH-20583 (Stack overflow in http_build_query via deep structures). (ndossche)
  • Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()). (ndossche)
  • Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). (CVE-2025-14178) (ndossche)
  • Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). (CVE-2025-14177) (ndossche)

Tidy:

  • Fixed bug GH-20374 (PHP with tidy and custom-tags). (ndossche)

XML:

  • Fixed bug GH-20439 (xml_set_default_handler() does not properly handle special characters in attributes when passing data to callback). (ndossche)

Zlib:

  • Fix assertion failures resulting in crashes with stream filter object parameters. (ndossche)

webkitgtk-2.50.4-1.fc43

Fedora Security Advisories
11 hours 17 minutes ago
FEDORA-2025-96a708ea95 Packages in this update:
  • webkitgtk-2.50.4-1.fc43
Update description:
  • Correctly handle the program name passed to the sleep disabler.
  • Ensure GStreamer is initialized before using the Quirks.
  • Fix several crashes and rendering issues.
  • Fix CVE-2025-14174, CVE-2025-43501, CVE-2025-43529, CVE-2025-43531, CVE-2025-43535, CVE-2025-43536, CVE-2025-43541

webkitgtk-2.50.4-1.fc42

Fedora Security Advisories
11 hours 17 minutes ago
FEDORA-2025-3e5ba4315a Packages in this update:
  • webkitgtk-2.50.4-1.fc42
Update description:
  • Correctly handle the program name passed to the sleep disabler.
  • Ensure GStreamer is initialized before using the Quirks.
  • Fix several crashes and rendering issues.
  • Fix CVE-2025-14174, CVE-2025-43501, CVE-2025-43529, CVE-2025-43531, CVE-2025-43535, CVE-2025-43536, CVE-2025-43541

NetworkManager-1.54.3-2.fc43

Fedora Security Advisories
1 day 8 hours ago
FEDORA-2025-ceeda3c40d Packages in this update:
  • NetworkManager-1.54.3-2.fc43
Update description:

Update to 1.54.3 Partially fixes CVE-2025-9615. To protect totally from it, see: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2325.

Update to 1.54.3 Partially fixes CVE-2025-9615. To protect totally from it, see: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2325.

roundcubemail-1.5.12-1.el9

Fedora Security Advisories
1 day 8 hours ago
FEDORA-EPEL-2025-0d5788d77e Packages in this update:
  • roundcubemail-1.5.12-1.el9
Update description: Release 1.5.12
  • Fix Cross-Site-Scripting vulnerability via SVG's animate tag
  • Fix Information Disclosure vulnerability in the HTML style sanitizer

roundcubemail-1.6.12-1.fc42

Fedora Security Advisories
1 day 8 hours ago
FEDORA-2025-fec36f9eaf Packages in this update:
  • roundcubemail-1.6.12-1.fc42
Update description: Release 1.6.12
  • Support IPv6 in database DSN (#9937)
  • Don't force specific error_reporting setting
  • Fix compatibility with PHP 8.5 regarding array_first()
  • Remove X-XSS-Protection example from .htaccess file (#9875)
  • Fix "Assign to group" action state after creation of a first group (#9889)
  • Fix bug where contacts search would fail if contactlist_fields contained vcard fields (#9850)
  • Fix bug where an mbox export file could include inconsistent message delimiters (#9879)
  • Fix parsing of inline styles that aren't well-formatted (#9948)
  • Fix Cross-Site-Scripting vulnerability via SVG's animate tag
  • Fix Information Disclosure vulnerability in the HTML style sanitizer

roundcubemail-1.6.12-1.fc43

Fedora Security Advisories
1 day 8 hours ago
FEDORA-2025-58eb59741f Packages in this update:
  • roundcubemail-1.6.12-1.fc43
Update description: Release 1.6.12
  • Support IPv6 in database DSN (#9937)
  • Don't force specific error_reporting setting
  • Fix compatibility with PHP 8.5 regarding array_first()
  • Remove X-XSS-Protection example from .htaccess file (#9875)
  • Fix "Assign to group" action state after creation of a first group (#9889)
  • Fix bug where contacts search would fail if contactlist_fields contained vcard fields (#9850)
  • Fix bug where an mbox export file could include inconsistent message delimiters (#9879)
  • Fix parsing of inline styles that aren't well-formatted (#9948)
  • Fix Cross-Site-Scripting vulnerability via SVG's animate tag
  • Fix Information Disclosure vulnerability in the HTML style sanitizer

roundcubemail-1.6.12-1.el10_2

Fedora Security Advisories
1 day 8 hours ago
FEDORA-EPEL-2025-633e14145a Packages in this update:
  • roundcubemail-1.6.12-1.el10_2
Update description: Release 1.6.12
  • Support IPv6 in database DSN (#9937)
  • Don't force specific error_reporting setting
  • Fix compatibility with PHP 8.5 regarding array_first()
  • Remove X-XSS-Protection example from .htaccess file (#9875)
  • Fix "Assign to group" action state after creation of a first group (#9889)
  • Fix bug where contacts search would fail if contactlist_fields contained vcard fields (#9850)
  • Fix bug where an mbox export file could include inconsistent message delimiters (#9879)
  • Fix parsing of inline styles that aren't well-formatted (#9948)
  • Fix Cross-Site-Scripting vulnerability via SVG's animate tag
  • Fix Information Disclosure vulnerability in the HTML style sanitizer

roundcubemail-1.6.12-1.el10_1

Fedora Security Advisories
1 day 8 hours ago
FEDORA-EPEL-2025-e58ddd2daf Packages in this update:
  • roundcubemail-1.6.12-1.el10_1
Update description: Release 1.6.12
  • Support IPv6 in database DSN (#9937)
  • Don't force specific error_reporting setting
  • Fix compatibility with PHP 8.5 regarding array_first()
  • Remove X-XSS-Protection example from .htaccess file (#9875)
  • Fix "Assign to group" action state after creation of a first group (#9889)
  • Fix bug where contacts search would fail if contactlist_fields contained vcard fields (#9850)
  • Fix bug where an mbox export file could include inconsistent message delimiters (#9879)
  • Fix parsing of inline styles that aren't well-formatted (#9948)
  • Fix Cross-Site-Scripting vulnerability via SVG's animate tag
  • Fix Information Disclosure vulnerability in the HTML style sanitizer
Checked
13 minutes 15 seconds ago
URL
https://bodhi.fedoraproject.org/rss/updates/?type=security