Fedora Security Advisories

FEDORA-2025-16b2da653e Packages in this update:

• openapi-python-client-0.26.2-6.fc42

Update description:

• add patch to remove dependency upper bound versions
• remove obsolete patches that updated upper bound versions
• clean up spec file formatting

FEDORA-2025-ce3d358bcc Packages in this update:

• openapi-python-client-0.26.2-6.fc43

Update description:

• add patch to remove dependency upper bound versions
• remove obsolete patches that updated upper bound versions
• clean up spec file formatting

FEDORA-2025-d11261d473 Packages in this update:

• fcitx5-5.1.16-1.fc42
• fcitx5-anthy-5.1.8-1.fc42
• fcitx5-chewing-5.1.9-1.fc42
• fcitx5-chinese-addons-5.1.10-1.fc42
• fcitx5-configtool-5.1.11-1.fc42
• fcitx5-hangul-5.1.8-1.fc42
• fcitx5-kkc-5.1.8-1.fc42
• fcitx5-libthai-5.1.7-1.fc42
• fcitx5-m17n-5.1.5-1.fc42
• fcitx5-qt-5.1.11-1.fc42
• fcitx5-rime-5.1.12-1.fc42
• fcitx5-sayura-5.1.5-1.fc42
• fcitx5-skk-5.1.8-1.fc42
• fcitx5-table-extra-5.1.9-1.fc42
• fcitx5-unikey-5.1.8-1.fc42
• fcitx5-zhuyin-5.1.5-1.fc42
• libime-1.1.12-1.fc42

Update description:

fcitx5-5.1.16 update

FEDORA-2025-1d50a0ec48 Packages in this update:

• Thunar-4.20.6-1.fc42

Update description:

Update to 4.20.6, the latest stable bugfix release.

FEDORA-2025-7a1a0e5bd8 Packages in this update:

• Thunar-4.20.6-1.fc43

Update description:

Update to 4.20.6, the latest stable bugfix release.

FEDORA-2025-934da27583 Packages in this update:

• Thunar-4.20.6-1.fc44

Update description:

Automatic update for Thunar-4.20.6-1.fc44.

Changelog * Sat Oct 25 2025 Kevin Fenzi <kevin@scrye.com> - 4.20.6-1 - Update to 4.20.6. Fixes rhbz#2406294

FEDORA-EPEL-2025-a5f0564417 Packages in this update:

• golang-github-facebook-time-0^20251021gite970944-1.el10_1

Update description:

• Update to latest snapshot
• Switch to vendoring dependencies per the upcoming Golang guidelines, this allows us to ship on EL10

FEDORA-EPEL-2025-9502d89675 Packages in this update:

• golang-github-facebook-time-0^20251021gite970944-1.el10_2

Update description:

• Update to latest snapshot
• Switch to vendoring dependencies per the upcoming Golang guidelines, this allows us to ship on EL10

FEDORA-2025-cf2e1f1604 Packages in this update:

• golang-github-facebook-time-0^20251021gite970944-1.fc41

Update description:

• Update to latest snapshot
• Switch to vendoring dependencies per the upcoming Golang guidelines, this allows us to ship on EL10

FEDORA-EPEL-2025-8d17e870a0 Packages in this update:

• golang-github-facebook-time-0^20251021gite970944-1.el9

Update description:

• Update to latest snapshot
• Switch to vendoring dependencies per the upcoming Golang guidelines, this allows us to ship on EL10

FEDORA-2025-a6cb455ca2 Packages in this update:

• golang-github-facebook-time-0^20251021gite970944-1.fc42

Update description:

• Update to latest snapshot
• Switch to vendoring dependencies per the upcoming Golang guidelines, this allows us to ship on EL10

FEDORA-2025-835acdc6c6 Packages in this update:

• golang-github-facebook-time-0^20251021gite970944-1.fc43

Update description:

• Update to latest snapshot
• Switch to vendoring dependencies per the upcoming Golang guidelines, this allows us to ship on EL10

FEDORA-2025-48dc1c8c79 Packages in this update:

• xen-4.19.3-7.fc41

Update description:

Incorrect removal of permissions on PCI device unplug [XSA-476, CVE-2025-58149]

x86: Incorrect input sanitisation in Viridian hypercalls [XSA-475, CVE-2025-58147, CVE-2025-58148]

FEDORA-2025-ec271ef07b Packages in this update:

• xen-4.19.3-8.fc42

Update description:

Incorrect removal of permissions on PCI device unplug [XSA-476, CVE-2025-58149]

x86: Incorrect input sanitisation in Viridian hypercalls [XSA-475, CVE-2025-58147, CVE-2025-58148]

FEDORA-2025-22fd93478b Packages in this update:

• xen-4.20.1-8.fc43

Update description:

Incorrect removal of permissions on PCI device unplug [XSA-476, CVE-2025-58149]

x86: Incorrect input sanitisation in Viridian hypercalls [XSA-475, CVE-2025-58147, CVE-2025-58148]

FEDORA-2025-224e937c18 Packages in this update:

• unbound-1.24.1-1.fc41

Update description:

Fix CVE-2025-11411 (possible domain hijacking attack), reported by Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from Tsinghua University.

FEDORA-2025-93d7b9a5d5 Packages in this update:

• unbound-1.24.1-1.fc42

Update description:

Fix CVE-2025-11411 (possible domain hijacking attack), reported by Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from Tsinghua University.

FEDORA-2025-92566203fd Packages in this update:

• bind-9.18.41-1.fc42
• bind-dyndb-ldap-11.11-7.fc42

Update description: Update to 9.18.41 (rhbz#2405786) Security fixes:

• DNSSEC validation fails if matching but invalid DNSKEY is found. (CVE-2025-8677)
• Address various spoofing attacks. (CVE-2025-40778)
• Cache-poisoning due to weak pseudo-random number generator. (CVE-2025-40780)

New Features:

• Support for parsing HHIT and BRID records has been added.

Removed Features:

• Deprecate the "tkey-domain" statement.
• Deprecate the "tkey-gssapi-credential" statement.

Bug Fixes:

• Prevent spurious SERVFAILs for certain 0-TTL resource records.
• Missing DNSSEC information when CD bit is set in query.

https://downloads.isc.org/isc/bind9/9.18.41/doc/arm/html/notes.html#notes-for-bind-9-18-41

FEDORA-2025-10c407da27 Packages in this update:

• bind-9.18.41-1.fc41
• bind-dyndb-ldap-11.10-35.fc41

Update description: Update to 9.18.41 (rhbz#2405786) Security fixes:

• DNSSEC validation fails if matching but invalid DNSKEY is found. (CVE-2025-8677)
• Address various spoofing attacks. (CVE-2025-40778)
• Cache-poisoning due to weak pseudo-random number generator. (CVE-2025-40780)

New Features:

• Support for parsing HHIT and BRID records has been added.

Removed Features:

• Deprecate the "tkey-domain" statement.
• Deprecate the "tkey-gssapi-credential" statement.

Bug Fixes:

• Prevent spurious SERVFAILs for certain 0-TTL resource records.
• Missing DNSSEC information when CD bit is set in query.

https://downloads.isc.org/isc/bind9/9.18.41/doc/arm/html/notes.html#notes-for-bind-9-18-41

FEDORA-2025-66fb3fa6b0 Packages in this update:

• bind-9.18.41-1.fc43
• bind-dyndb-ldap-11.11-8.fc43

Update description: Update to 9.18.41 (rhbz#2405786) Security fixes:

• DNSSEC validation fails if matching but invalid DNSKEY is found. (CVE-2025-8677)
• Address various spoofing attacks. (CVE-2025-40778)
• Cache-poisoning due to weak pseudo-random number generator. (CVE-2025-40780)

New Features:

• Support for parsing HHIT and BRID records has been added.

Removed Features:

• Deprecate the "tkey-domain" statement.
• Deprecate the "tkey-gssapi-credential" statement.

Bug Fixes:

• Prevent spurious SERVFAILs for certain 0-TTL resource records.
• Missing DNSSEC information when CD bit is set in query.

https://downloads.isc.org/isc/bind9/9.18.41/doc/arm/html/notes.html#notes-for-bind-9-18-41