Fedora Security Advisories

FEDORA-2026-3062e10d87 Packages in this update:

• pgadmin4-9.11-3.fc42

Update description:

Regenerate vendor tarball. Fixes CVE-2025-13465.

FEDORA-2026-4e47f4d911 Packages in this update:

• pgadmin4-9.11-3.fc43

Update description:

Regenerate vendor tarball. Fixes CVE-2025-13465.

FEDORA-2026-8c25940d05 Packages in this update:

• phpunit12-12.5.8-1.fc42

Update description: Version 12.5.8 - 2026-01-27 Changed

• To prevent Poisoned Pipeline Execution (PPE) attacks using prepared .coverage files in pull requests, a PHPT test will no longer be run if the temporary file for writing code coverage information already exists before the test runs

Version 12.5.7 - 2026-01-24 Fixed

• #6362: Manually instantiated test doubles are broken since PHPUnit 11.2
• #6470: Infinite recursion in Count::getCountOf() for unusal implementations of Iterator or IteratorAggregate

Version 12.5.6 - 2026-01-16 Changed

• Reverted a change that caused a build failure for the PHP project's nightly community job

Version 12.5.5 - 2026-01-15 Deprecated

• #6461: any() matcher (soft deprecation)

Fixed

• #6470: Mocking a class with a property hook setter accepting more types than the property results in a fatal error

FEDORA-2026-470a48f838 Packages in this update:

• phpunit12-12.5.8-1.fc43

Update description: Version 12.5.8 - 2026-01-27 Changed

• To prevent Poisoned Pipeline Execution (PPE) attacks using prepared .coverage files in pull requests, a PHPT test will no longer be run if the temporary file for writing code coverage information already exists before the test runs

Version 12.5.7 - 2026-01-24 Fixed

• #6362: Manually instantiated test doubles are broken since PHPUnit 11.2
• #6470: Infinite recursion in Count::getCountOf() for unusal implementations of Iterator or IteratorAggregate

Version 12.5.6 - 2026-01-16 Changed

• Reverted a change that caused a build failure for the PHP project's nightly community job

Version 12.5.5 - 2026-01-15 Deprecated

• #6461: any() matcher (soft deprecation)

Fixed

• #6470: Mocking a class with a property hook setter accepting more types than the property results in a fatal error

FEDORA-2026-8ccfe50c58 Packages in this update:

• phpunit11-11.5.50-1.fc43

Update description: Version 11.5.50 - 2026-01-27 Changed

• To prevent Poisoned Pipeline Execution (PPE) attacks using prepared .coverage files in pull requests, a PHPT test will no longer be run if the temporary file for writing code coverage information already exists before the test runs

Version 11.5.49 - 2026-01-24 Fixed

• #6362: Manually instantiated test doubles are broken since PHPUnit 11.2
• #6470: Infinite recursion in Count::getCountOf() for unusal implementations of Iterator or IteratorAggregate

Version 11.5.48 - 2026-01-16 Changed

• Reverted a change that caused a build failure for the PHP project's nightly community job

Version 11.5.47 - 2026-01-15 Fixed

• #6470: Mocking a class with a property hook setter accepting more types than the property results in a fatal error

FEDORA-2026-c3b42a28dd Packages in this update:

• phpunit11-11.5.50-1.fc42

Update description: Version 11.5.50 - 2026-01-27 Changed

• To prevent Poisoned Pipeline Execution (PPE) attacks using prepared .coverage files in pull requests, a PHPT test will no longer be run if the temporary file for writing code coverage information already exists before the test runs

Version 11.5.49 - 2026-01-24 Fixed

• #6362: Manually instantiated test doubles are broken since PHPUnit 11.2
• #6470: Infinite recursion in Count::getCountOf() for unusal implementations of Iterator or IteratorAggregate

Version 11.5.48 - 2026-01-16 Changed

• Reverted a change that caused a build failure for the PHP project's nightly community job

Version 11.5.47 - 2026-01-15 Fixed

• #6470: Mocking a class with a property hook setter accepting more types than the property results in a fatal error

FEDORA-EPEL-2026-cf486df588 Packages in this update:

• opencc-1.0.5-4.el8

Update description:

Fix CVE-2025-15536

FEDORA-2026-abd2d2d60c Packages in this update:

• openqa-5^20260126git19189f0-1.fc43
• os-autoinst-5^20260123git72cabd0-1.fc43

Update description:

This update provides new upstream snapshots of openQA and os-autoinst, with various fixes and enhancements. Please see upstream changelogs for details. They also address a CVE by updating a bundled javascript library, though we're fairly sure openQA didn't actually expose the vulnerability anyway.

FEDORA-2026-d3c5092654 Packages in this update:

• python-jupytext-1.19.1-1.fc42

Update description:

See https://github.com/mwouts/jupytext/blob/main/CHANGELOG.md for changes in versions 1.19.0 and 1.19.1. This update contains a fix for CVE-2025-13465.

FEDORA-2026-9111b2e330 Packages in this update:

• python-jupytext-1.19.1-1.fc43

Update description:

See https://github.com/mwouts/jupytext/blob/main/CHANGELOG.md for changes in versions 1.19.0 and 1.19.1. This update contains a fix for CVE-2025-13465.

FEDORA-EPEL-2026-0e3aa1d4ee Packages in this update:

• rust-sequoia-keystore-server-0.2.0-5.el9
• rust-sequoia-sq-1.3.1-9.el9

Update description:

Rebuild with sequoia-openpgp v2.1.0 to apply fixes for RUSTSEC-2025-0136 / CVE-2025-67897.

FEDORA-2026-9317b8ea7b Packages in this update:

• rust-sequoia-keystore-server-0.2.0-5.fc43
• rust-sequoia-octopus-librnp-1.11.1-4.fc43
• rust-sequoia-sq-1.3.1-9.fc43
• rust-sequoia-sqv-1.3.0-5.fc43

Update description:

Rebuild with sequoia-openpgp v2.1.0 to apply fixes for RUSTSEC-2025-0136 / CVE-2025-67897.

FEDORA-2026-304a740a0b Packages in this update:

• rust-sequoia-keystore-server-0.2.0-5.fc42
• rust-sequoia-octopus-librnp-1.11.1-4.fc42
• rust-sequoia-sq-1.3.1-9.fc42
• rust-sequoia-sqv-1.3.0-5.fc42

Update description:

Rebuild with sequoia-openpgp v2.1.0 to apply fixes for RUSTSEC-2025-0136 / CVE-2025-67897.

FEDORA-2026-5e8ffdd3b9 Packages in this update:

• retroarch-1.22.0-20.fc44

Update description:

Automatic update for retroarch-1.22.0-20.fc44.

Changelog * Mon Jan 26 2026 Artem Polishchuk <ego.cordatus@gmail.com> - 1.22.0-20 - Disable 7zip support due CVE - rhbz#2432835

FEDORA-EPEL-2026-1f5a2c5f39 Packages in this update:

• python-python-multipart-0.0.22-1.el10_1

Update description:

Security fix for CVE-2026-24486 / GHSA-wp53-j4wj-2cfg.

0.0.22 (2026-01-25)

• Drop directory path from filename in File

FEDORA-2026-720b8d0c6c Packages in this update:

• python-python-multipart-0.0.22-1.fc42

Update description:

Security fix for CVE-2026-24486 / GHSA-wp53-j4wj-2cfg.

0.0.22 (2026-01-25)

• Drop directory path from filename in File

FEDORA-2026-08c12edc84 Packages in this update:

• python-python-multipart-0.0.22-1.fc43

Update description:

Security fix for CVE-2026-24486 / GHSA-wp53-j4wj-2cfg.

0.0.22 (2026-01-25)

• Drop directory path from filename in File

FEDORA-2026-ebabb127fb Packages in this update:

• gimp-3.0.8-4.fc43

Update description:

This is an upstream bugfix and security update. Please refer to the upstream release notes for details about the changes in this version.

FEDORA-2026-bda4a20a3c Packages in this update:

• gimp-3.0.8-4.fc42

Update description:

This is an upstream bugfix and security update. Please refer to the upstream release notes for details about the changes in this version.

FEDORA-2026-216041a3e7 Packages in this update:

• openttd-15.1-1.fc42

Update description: 15.x 15.1 (2026-01-24)

• Fix #15088: When building a new train, the refit button state may be incorrect (#15162)
• Fix #15160: Incorrect company names displayed in load game window (#15161)
• Fix #15153: Wrong tile used to get bridge reservation overlay (#15154)
• Fix #15116: Old cargo/industry sets without cargo translation table broken (#15150)
• Fix: Possible crash converting company liveries in older savegames/scenarios (#15148)
• Fix: Allow infinite water to be (de)selected when loading heightmap (#15146)
• Fix: Tile suitability test for farm field no longer handled snow tiles (#15134)
• Fix #15131: Trees no longer spread on partially snowy tiles (#15133)
• Fix: Change tooltips to match change from checkboxes to switches (#15123)
• Fix: [Script] Potential out of bounds array/string slice indexes (#15106)
• Fix: [Script] Potential out of bounds indexed string access (#15106)
• Fix: [Script] Check if array sort function modified array (#15106)
• Fix #15069: World generation map edges GUI starts in an invalid state (#15082)
• Fix #15079: Incorrect dates shown on town cargo history graph (#15080)
• Fix #15067: Mark NewGRF settings as modified after moving by drag & drop (#15068)
• Fix: Incorrect error message for aqueducts reaching northern map borders (#14974)
• Fix: Standardize wording of GRF/NewGRF (#15059)
• Fix #15046: Crash on loading game due to invalid group parents (#15049)
• Fix: Disable_elrails handling with engines that use both RAIL and ELRL (#15045)
• Fix: [Fluidsynth] Read settings from system and user config files if available (#15044)
• Fix #15039: Name and version can disappear from content list (#15040)
• Fix #15026: Remove incorrect info from base sounds tooltip (#15029)
• Fix: [Script] Improve reporting of invalid GetAPIVersion return (#15015)
• Fix: [Script] Undefined behaviour after calling SwapList during iteration (#14805)