Fedora Security Advisories

FEDORA-2025-dda924d757 Packages in this update:

• retroarch-1.22.0-1.fc42

Update description:

Update to 1.22.0

FEDORA-2025-6e0627440a Packages in this update:

• retroarch-1.22.0-1.fc43

Update description:

Update to 1.22.0

FEDORA-2025-28e625afa6 Packages in this update:

• chezmoi-2.68.1-1.fc43

Update description:

Update to 2.68.1

FEDORA-2025-9ded4c3651 Packages in this update:

• ov-0.50.2-1.fc42

Update description:

Update to 0.50.2

FEDORA-2025-0d2748fa32 Packages in this update:

• ov-0.50.2-1.fc43

Update description:

Update to 0.50.2

FEDORA-2025-6b23a0b058 Packages in this update:

• subfinder-2.10.1-1.fc43

Update description:

Update to 2.10.1

FEDORA-2025-34b0986502 Packages in this update:

• mqttcli-0.2.8-1.fc42

Update description:

Update to 0.2.8

FEDORA-2025-89758d1b13 Packages in this update:

• mqttcli-0.2.8-1.fc43

Update description:

Update to 0.2.8

FEDORA-2025-9cf9edf688 Packages in this update:

• docker-buildkit-0.26.3-1.fc42

Update description:

• Update to release v0.26.3
• Resolves CVE-2024-25621: rhbz#2419004, rhbz#2419033, rhbz#2419427
• Upstream fix

FEDORA-2025-94f9b9b1b1 Packages in this update:

• docker-buildkit-0.26.3-1.fc43

Update description:

• Update to release v0.26.3
• Resolves CVE-2024-25621: rhbz#2419004, rhbz#2419033, rhbz#2419427
• Upstream fix

FEDORA-2025-e0f9ab8bc7 Packages in this update:

• docker-buildkit-0.26.3-1.fc44

Update description:

Automatic update for docker-buildkit-0.26.3-1.fc44.

Changelog * Tue Dec 16 2025 Bradley G Smith <bradley.g.smith@gmail.com> - 0.26.3-1 - Update to release v0.26.3 - Resolves CVE-2024-25621: rhbz#2419004, rhbz#2419033, rhbz#2419427 - Upstream fix

FEDORA-2025-bf69e91bda Packages in this update:

• uriparser-1.0.0-1.fc42

Update description:

Update to uriparser-1.0.0, fixes CVE-2025-67899.

FEDORA-2025-5c12420f33 Packages in this update:

• uriparser-1.0.0-1.fc43

Update description:

Update to uriparser-1.0.0, fixes CVE-2025-67899.

FEDORA-2025-ce8a4096e7 Packages in this update:

• php-8.4.16-1.fc42

Update description:

PHP version 8.4.16 (18 Dec 2025)

Core:

• Sync all boost.context files with release 1.86.0. (mvorisek)
• Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument passing to variadic parameter). (ndossche)
• Fixed bug GH-20286 (use-after-destroy during userland stream_close()). (ndossche, David Carlier)

Bz2:

• Fix assertion failures resulting in crashes with stream filter object parameters. (ndossche)

Date:

• Fix crashes when trying to instantiate uninstantiable classes via date static constructors. (ndossche)

DOM:

• Fix memory leak when edge case is hit when registering xpath callback. (ndossche)
• Fixed bug GH-20395 (querySelector and querySelectorAll requires elements in $selectors to be lowercase). (ndossche)
• Fix missing NUL byte check on C14NFile(). (ndossche)

Fibers:

• Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI small value). (David Carlier)

FTP:

• Fixed bug GH-20601 (ftp_connect overflow on timeout). (David Carlier)

GD:

• Fixed bug GH-20511 (imagegammacorrect out of range input/output values). (David Carlier)
• Fixed bug GH-20602 (imagescale overflow with large height values). (David Carlier)

Intl:

• Fixed bug GH-20426 (Spoofchecker::setRestrictionLevel() error message suggests missing constants). (DanielEScherzer)

LibXML:

• Fix some deprecations on newer libxml versions regarding input buffer/parser handling. (ndossche)

MbString:

• Fixed bug GH-20491 (SLES15 compile error with mbstring oniguruma). (ndossche)
• Fixed bug GH-20492 (mbstring compile warning due to non-strings). (ndossche)

MySQLnd:

• Fixed bug GH-20528 (Regression breaks mysql connexion using an IPv6 address enclosed in square brackets). (Remi)

Opcache:

• Fixed bug GH-20329 (opcache.file_cache broken with full interned string buffer). (Arnaud)

PDO:

• Fixed GHSA-8xr5-qppj-gvwj (PDO quoting result null deref). (CVE-2025-14180) (Jakub Zelenka)

Phar:

• Fixed bug GH-20442 (Phar does not respect case-insensitiveness of __halt_compiler() when reading stub). (ndossche, TimWolla)
• Fix broken return value of fflush() for phar file entries. (ndossche)
• Fix assertion failure when fseeking a phar file out of bounds. (ndossche)

PHPDBG:

• Fixed ZPP type violation in phpdbg_get_executable() and phpdbg_end_oplog(). (Girgias)

SPL:

• Fixed bug GH-20614 (SplFixedArray incorrectly handles references in deserialization). (ndossche)

Standard:

• Fix memory leak in array_diff() with custom type checks. (ndossche)
• Fixed bug GH-20583 (Stack overflow in http_build_query via deep structures). (ndossche)
• Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()). (ndossche)
• Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). (CVE-2025-14178) (ndossche)
• Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). (CVE-2025-14177) (ndossche)

Tidy:

• Fixed bug GH-20374 (PHP with tidy and custom-tags). (ndossche)

XML:

• Fixed bug GH-20439 (xml_set_default_handler() does not properly handle special characters in attributes when passing data to callback). (ndossche)

Zlib:

• Fix assertion failures resulting in crashes with stream filter object parameters. (ndossche)

FEDORA-2025-7e9290d67f Packages in this update:

• php-8.4.16-1.fc43

Update description:

PHP version 8.4.16 (18 Dec 2025)

Core:

• Sync all boost.context files with release 1.86.0. (mvorisek)
• Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument passing to variadic parameter). (ndossche)
• Fixed bug GH-20286 (use-after-destroy during userland stream_close()). (ndossche, David Carlier)

Bz2:

• Fix assertion failures resulting in crashes with stream filter object parameters. (ndossche)

Date:

• Fix crashes when trying to instantiate uninstantiable classes via date static constructors. (ndossche)

DOM:

• Fix memory leak when edge case is hit when registering xpath callback. (ndossche)
• Fixed bug GH-20395 (querySelector and querySelectorAll requires elements in $selectors to be lowercase). (ndossche)
• Fix missing NUL byte check on C14NFile(). (ndossche)

Fibers:

• Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI small value). (David Carlier)

FTP:

• Fixed bug GH-20601 (ftp_connect overflow on timeout). (David Carlier)

GD:

• Fixed bug GH-20511 (imagegammacorrect out of range input/output values). (David Carlier)
• Fixed bug GH-20602 (imagescale overflow with large height values). (David Carlier)

Intl:

• Fixed bug GH-20426 (Spoofchecker::setRestrictionLevel() error message suggests missing constants). (DanielEScherzer)

LibXML:

• Fix some deprecations on newer libxml versions regarding input buffer/parser handling. (ndossche)

MbString:

• Fixed bug GH-20491 (SLES15 compile error with mbstring oniguruma). (ndossche)
• Fixed bug GH-20492 (mbstring compile warning due to non-strings). (ndossche)

MySQLnd:

• Fixed bug GH-20528 (Regression breaks mysql connexion using an IPv6 address enclosed in square brackets). (Remi)

Opcache:

• Fixed bug GH-20329 (opcache.file_cache broken with full interned string buffer). (Arnaud)

PDO:

• Fixed GHSA-8xr5-qppj-gvwj (PDO quoting result null deref). (CVE-2025-14180) (Jakub Zelenka)

Phar:

• Fixed bug GH-20442 (Phar does not respect case-insensitiveness of __halt_compiler() when reading stub). (ndossche, TimWolla)
• Fix broken return value of fflush() for phar file entries. (ndossche)
• Fix assertion failure when fseeking a phar file out of bounds. (ndossche)

PHPDBG:

• Fixed ZPP type violation in phpdbg_get_executable() and phpdbg_end_oplog(). (Girgias)

SPL:

• Fixed bug GH-20614 (SplFixedArray incorrectly handles references in deserialization). (ndossche)

Standard:

• Fix memory leak in array_diff() with custom type checks. (ndossche)
• Fixed bug GH-20583 (Stack overflow in http_build_query via deep structures). (ndossche)
• Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()). (ndossche)
• Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). (CVE-2025-14178) (ndossche)
• Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). (CVE-2025-14177) (ndossche)

Tidy:

• Fixed bug GH-20374 (PHP with tidy and custom-tags). (ndossche)

XML:

• Fixed bug GH-20439 (xml_set_default_handler() does not properly handle special characters in attributes when passing data to callback). (ndossche)

Zlib:

• Fix assertion failures resulting in crashes with stream filter object parameters. (ndossche)

FEDORA-2025-96a708ea95 Packages in this update:

• webkitgtk-2.50.4-1.fc43

Update description:

• Correctly handle the program name passed to the sleep disabler.
• Ensure GStreamer is initialized before using the Quirks.
• Fix several crashes and rendering issues.
• Fix CVE-2025-14174, CVE-2025-43501, CVE-2025-43529, CVE-2025-43531, CVE-2025-43535, CVE-2025-43536, CVE-2025-43541

FEDORA-2025-3e5ba4315a Packages in this update:

• webkitgtk-2.50.4-1.fc42

Update description:

• Correctly handle the program name passed to the sleep disabler.
• Ensure GStreamer is initialized before using the Quirks.
• Fix several crashes and rendering issues.
• Fix CVE-2025-14174, CVE-2025-43501, CVE-2025-43529, CVE-2025-43531, CVE-2025-43535, CVE-2025-43536, CVE-2025-43541

FEDORA-EPEL-2025-a3d878c59b Packages in this update:

• golang-github-facebook-time-0^20251216git61f7510-2.el9

Update description:

Update logrus for https://access.redhat.com/security/cve/cve-2025-65637

FEDORA-2025-6e8c819299 Packages in this update:

• golang-github-facebook-time-0^20251216git61f7510-2.fc43

Update description:

Update logrus for https://access.redhat.com/security/cve/cve-2025-65637

FEDORA-EPEL-2025-6af16f9c44 Packages in this update:

• golang-github-facebook-time-0^20251216git61f7510-2.el10_1

Update description:

Update logrus for https://access.redhat.com/security/cve/cve-2025-65637