Fedora Security Advisories

• php-extras-8.3.31-1.el10_2

PHP version 8.3.31 (07 May 2026)

PDO_Firebird:

• Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179) (SakiTakamachi)

• php-extras-8.3.31-1.el10_3

PHP version 8.3.31 (07 May 2026)

PDO_Firebird:

• Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179) (SakiTakamachi)

• php8.4-extras-8.4.21-1.el10_3

PHP version 8.4.21 (07 May 2026)

PDO_Firebird:

• Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179) (SakiTakamachi)

• php8.4-extras-8.4.21-1.el10_2

PHP version 8.4.21 (07 May 2026)

PDO_Firebird:

• Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179) (SakiTakamachi)

• php-extras-8.0.30-3.el9

Backported from 8.2.31

PDO_Firebird:

• Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179) (SakiTakamachi)

• xmlstarlet-1.6.1-30.fc44

Fixes XML external entity vulnerability. For more information, refer to https://src.fedoraproject.org/rpms/xmlstarlet/pull-request/4.

• xmlstarlet-1.6.1-30.fc43

Fixes XML external entity vulnerability. For more information, refer to https://src.fedoraproject.org/rpms/xmlstarlet/pull-request/4.

• rust-1.96.0-1.fc43

Update to Rust 1.96.0:

• New Range* types
• Assert matching patterns
• Changes to WebAssembly targets
• Stabilized APIs
• Cargo CVE-2026-5222 and CVE-2026-5223 for third-party registries.

See the blog post and release notes for more details.

• rust-1.96.0-1.fc44

Update to Rust 1.96.0:

• New Range* types
• Assert matching patterns
• Changes to WebAssembly targets
• Stabilized APIs
• Cargo CVE-2026-5222 and CVE-2026-5223 for third-party registries.

See the blog post and release notes for more details.

• perl-Sereal-5.006-1.el10_2
• perl-Sereal-Decoder-5.006-1.el10_2
• perl-Sereal-Encoder-5.006-1.el10_2

This update includes a security fix to make sure that COPY tags cannot be used to read past end of the buffer.

• xorg-x11-server-Xwayland-24.1.12-1.fc43

Update to xwayland 24.1.12, Security fixes for: ZDI-CAN-30136, ZDI-CAN-30159, ZDI-CAN-30160, ZDI-CAN-30161, ZDI-CAN-30163, ZDI-CAN-30164, ZDI-CAN-30165, ZDI-CAN-30168

• xorg-x11-server-21.1.23-1.fc43

Update to xserver 21.1.23, Security fixes for: ZDI-CAN-30136, ZDI-CAN-30159, ZDI-CAN-30160, ZDI-CAN-30161, ZDI-CAN-30163, ZDI-CAN-30164, ZDI-CAN-30165, ZDI-CAN-30168

• xorg-x11-server-21.1.23-1.fc44

Update to xserver 21.1.23, security fixes for: ZDI-CAN-30136, ZDI-CAN-30159, ZDI-CAN-30160, ZDI-CAN-30161, ZDI-CAN-30163, ZDI-CAN-30164, ZDI-CAN-30165, ZDI-CAN-30168

• xorg-x11-server-Xwayland-24.1.12-1.fc44

Update to xwayland 24.1.12, security fixes for ZDI-CAN-30136, ZDI-CAN-30159, ZDI-CAN-30160, ZDI-CAN-30161, ZDI-CAN-30163, ZDI-CAN-30164, ZDI-CAN-30165, ZDI-CAN-30168

• exim-4.99.4-1.el8

This is an update fixing a pre-authentication information disclosure (CVE-2026-48840).

• exim-4.99.4-1.el9

This is an update fixing a pre-authentication information disclosure (CVE-2026-48840).

• exim-4.99.4-1.el10_3

This is an update fixing a pre-authentication information disclosure (CVE-2026-48840).

• exim-4.99.4-1.fc43

This is an update fixing a pre-authentication information disclosure (CVE-2026-48840).

• exim-4.99.4-1.fc44

This is an update fixing a pre-authentication information disclosure (CVE-2026-48840).

• putty-0.84-1.el8

This is an update fixing several security related problems in putty.