Fedora Security Advisories

FEDORA-2026-c346e5cd24 Packages in this update:

• nasm-3.01-3.fc45

Update description:

Automatic update for nasm-3.01-3.fc45.

Changelog * Wed Apr 22 2026 Dominik Mierzejewski <rpm@greysector.net> - 3.01-3 - fix CVE-2026-6067 (resolves rhbz#2458087, rhbz#2458089) patch by Nick Clifton

FEDORA-EPEL-2026-62728108d7 Packages in this update:

• python-python-multipart-0.0.32-1.el10_3

Update description: 0.0.32 (2026-06-04)

• Speed up partial-boundary scanning for CR/LF-dense part data.

0.0.31 (2026-06-04)

• Speed up multipart header parsing and callback dispatch.
• Bound header field name size before validating.
• Validate Content-Length is non-negative in parse_form.

Fixes security issues GHSA-v9pg-7xvm-68hf, GHSA-5rvq-cxj2-64vf, GHSA-6jv3-5f52-599m, and GHSA-vffw-93wf-4j4q.

0.0.30 (2026-05-31)

• Parse application/x-www-form-urlencoded bodies per the WHATWG URL standard, treating only & as a field separator.
• Ignore RFC 2231/5987 extended parameters (name*, filename*) in parse_options_header, keeping the plain parameter authoritative per RFC 7578 §4.2.

FEDORA-2026-2cfc16a621 Packages in this update:

• python-python-multipart-0.0.32-1.fc43

Update description: 0.0.32 (2026-06-04)

• Speed up partial-boundary scanning for CR/LF-dense part data.

0.0.31 (2026-06-04)

• Speed up multipart header parsing and callback dispatch.
• Bound header field name size before validating.
• Validate Content-Length is non-negative in parse_form.

Fixes security issues GHSA-v9pg-7xvm-68hf, GHSA-5rvq-cxj2-64vf, GHSA-6jv3-5f52-599m, and GHSA-vffw-93wf-4j4q.

0.0.30 (2026-05-31)

• Parse application/x-www-form-urlencoded bodies per the WHATWG URL standard, treating only & as a field separator.
• Ignore RFC 2231/5987 extended parameters (name*, filename*) in parse_options_header, keeping the plain parameter authoritative per RFC 7578 §4.2.

FEDORA-2026-6d00814a85 Packages in this update:

• 389-ds-base-3.2.2-2.fc44

Update description:

Resolves: CVE-2026-9064

FEDORA-2026-5ac414ddcd Packages in this update:

• 389-ds-base-3.1.4-11.fc43

Update description:

Resolves: CVE-2026-9064

FEDORA-2026-104e079187 Packages in this update:

• python-python-multipart-0.0.32-1.fc44

Update description: 0.0.32 (2026-06-04)

• Speed up partial-boundary scanning for CR/LF-dense part data.

0.0.31 (2026-06-04)

• Speed up multipart header parsing and callback dispatch.
• Bound header field name size before validating.
• Validate Content-Length is non-negative in parse_form.

Fixes security issues GHSA-v9pg-7xvm-68hf, GHSA-5rvq-cxj2-64vf, GHSA-6jv3-5f52-599m, and GHSA-vffw-93wf-4j4q.

0.0.30 (2026-05-31)

• Parse application/x-www-form-urlencoded bodies per the WHATWG URL standard, treating only & as a field separator.
• Ignore RFC 2231/5987 extended parameters (name*, filename*) in parse_options_header, keeping the plain parameter authoritative per RFC 7578 §4.2.

FEDORA-2026-91bc662689 Packages in this update:

• firefox-151.0.3-1.fc43

Update description:

• New upstream release (151.0.3)

FEDORA-2026-d1aae27e8b Packages in this update:

• firefox-151.0.3-1.fc44

Update description:

• New upstream release (151.0.3)

FEDORA-EPEL-2026-6821fe2971 Packages in this update:

• apptainer-1.5.1-1.el8

Update description:

Update to upstream 1.5.1. Fixes CVE-2026-48785

FEDORA-2026-ff5370cd61 Packages in this update:

• apptainer-1.5.1-1.fc44

Update description:

Update to upstream 1.5.1. Fixes CVE-2026-48785

FEDORA-EPEL-2026-78c9d246b0 Packages in this update:

• apptainer-1.5.1-1.el9

Update description:

Update to upstream 1.5.1. Fixes CVE-2026-48785

FEDORA-EPEL-2026-5afb48ca9e Packages in this update:

• apptainer-1.5.1-1.el10_2

Update description:

Update to upstream 1.5.1. Fixes CVE-2026-48785

FEDORA-EPEL-2026-c26294a28d Packages in this update:

• apptainer-1.5.1-1.el10_3

Update description:

Update to upstream 1.5.1. Fixes CVE-2026-48785

FEDORA-2026-77b4ea4fb8 Packages in this update:

• apptainer-1.5.1-1.fc43

Update description:

Update to upstream 1.5.1. Fixes CVE-2026-48785

FEDORA-2026-4280f7beb8 Packages in this update:

• systemd-261~rc3-1.fc45

Update description:

Automatic update for systemd-261~rc3-1.fc45.

Changelog * Thu Jun 4 2026 Zbigniew Jędrzejewski-Szmek <zbyszek@amutable.com> - 261~rc3-1 - Version 261~rc3 - Various smaller and larger fixes - A hint is emitted if init is called with the legacy telinit args (rhbz#2479961) - Various messages for missing dlopened libraries have been downgraded (rhbz#2463540)

FEDORA-EPEL-2026-4dc7d2c6bb Packages in this update:

• python-python-multipart-0.0.31-1.el10_2

Update description: 0.0.31 (2026-06-04)

• Speed up multipart header parsing and callback dispatch.
• Bound header field name size before validating.
• Validate Content-Length is non-negative in parse_form.

Fixes security issues GHSA-v9pg-7xvm-68hf, GHSA-5rvq-cxj2-64vf, GHSA-6jv3-5f52-599m, and GHSA-vffw-93wf-4j4q.

0.0.30 (2026-05-31)

• Parse application/x-www-form-urlencoded bodies per the WHATWG URL standard, treating only & as a field separator.
• Ignore RFC 2231/5987 extended parameters (name*, filename*) in parse_options_header, keeping the plain parameter authoritative per RFC 7578 §4.2.

FEDORA-EPEL-2026-63f4d4a3b2 Packages in this update:

• python-python-multipart-0.0.31-1.el10_3

Update description: 0.0.31 (2026-06-04)

• Speed up multipart header parsing and callback dispatch.
• Bound header field name size before validating.

• Validate Content-Length is non-negative in parse_form.

• GHSA-v9pg-7xvm-68hf

• GHSA-5rvq-cxj2-64vf
• GHSA-6jv3-5f52-599m
• GHSA-vffw-93wf-4j4q

0.0.30 (2026-05-31)

• Parse application/x-www-form-urlencoded bodies per the WHATWG URL standard, treating only & as a field separator.
• Ignore RFC 2231/5987 extended parameters (name*, filename*) in parse_options_header, keeping the plain parameter authoritative per RFC 7578 §4.2.

FEDORA-2026-4d81c2ff49 Packages in this update:

• python-python-multipart-0.0.31-1.fc43

Update description: 0.0.31 (2026-06-04)

• Speed up multipart header parsing and callback dispatch.
• Bound header field name size before validating.
• Validate Content-Length is non-negative in parse_form.

Fixes security issues GHSA-v9pg-7xvm-68hf, GHSA-5rvq-cxj2-64vf, GHSA-6jv3-5f52-599m, and GHSA-vffw-93wf-4j4q.

0.0.30 (2026-05-31)

• Parse application/x-www-form-urlencoded bodies per the WHATWG URL standard, treating only & as a field separator.
• Ignore RFC 2231/5987 extended parameters (name*, filename*) in parse_options_header, keeping the plain parameter authoritative per RFC 7578 §4.2.

FEDORA-2026-c7869a8216 Packages in this update:

• python-python-multipart-0.0.31-1.fc44

Update description: 0.0.31 (2026-06-04)

• Speed up multipart header parsing and callback dispatch.
• Bound header field name size before validating.
• Validate Content-Length is non-negative in parse_form.

Fixes security issues GHSA-v9pg-7xvm-68hf, GHSA-5rvq-cxj2-64vf, GHSA-6jv3-5f52-599m, and GHSA-vffw-93wf-4j4q.

0.0.30 (2026-05-31)

• Parse application/x-www-form-urlencoded bodies per the WHATWG URL standard, treating only & as a field separator.
• Ignore RFC 2231/5987 extended parameters (name*, filename*) in parse_options_header, keeping the plain parameter authoritative per RFC 7578 §4.2.

FEDORA-2026-a63aad0224 Packages in this update:

• webkitgtk-2.52.4-1.fc44

Update description:

• Add support for half-width fonts.
• Improve content filter compilation by avoiding file copies.
• Improve handling of out of disk space conditions when the NetworkProcess tried to write data in caches.
• Fix painting scrollbars when their width changes.
• Fix playback of certain YouTube videos with low frame rates.
• Fix webkit://gpu not working in systems where neither libGL.so.1 nor libOpenGL.so.0 are available.
• Fix several crashes and rendering issues.
• Security fixes: CVE-2026-28847, CVE-2026-28883, CVE-2026-28901, CVE-2026-28902, CVE-2026-28903, CVE-2026-28904, CVE-2026-28905, CVE-2026-28907, CVE-2026-28942, CVE-2026-28946, CVE-2026-28947, CVE-2026-28953, CVE-2026-28955, CVE-2026-28958, CVE-2026-43658, CVE-2026-43660