Fedora Security Advisories

• pie-1.4.4-1.el10_3

Dependencies

• Update Composer to 2.9.8

• pie-1.4.4-1.fc44

Dependencies

• Update Composer to 2.9.8

• pie-1.4.4-1.fc43

Dependencies

• Update Composer to 2.9.8

• rsync-3.4.1-7.fc44

Fixing various bugs from Upstream.

I did not do a rebase since the Upstream stopped supporting the rsync-patches repo. I accepted this change in Rawhide but it changes the usage of one option that is no longer available in rsync. This is why I avoided the rebase in older stable branches.

• rsync-3.4.1-6.fc43

Fixing various bugs from Upstream.

I did not do a rebase since the Upstream stopped supporting the rsync-patches repo. I accepted this change in Rawhide but it changes the usage of one option that is no longer available in rsync. This is why I avoided the rebase in older stable branches.

• composer-2.9.8-1.el10_1

• Security: Fixed GitHub token validation and disclosure (GHSA-f9f8-rm49-7jv2)

• composer-2.9.8-1.el9

• Security: Fixed GitHub token validation and disclosure (GHSA-f9f8-rm49-7jv2)

• composer-2.9.8-1.el10_2

• Security: Fixed GitHub token validation and disclosure (GHSA-f9f8-rm49-7jv2)

• composer-2.9.8-1.fc44

• Security: Fixed GitHub token validation and disclosure (GHSA-f9f8-rm49-7jv2)

• composer-2.9.8-1.el10_3

• Security: Fixed GitHub token validation and disclosure (GHSA-f9f8-rm49-7jv2)

• composer-2.9.8-1.fc43

• Security: Fixed GitHub token validation and disclosure (GHSA-f9f8-rm49-7jv2)

• giflib-6.1.3-2.fc44

Apply proposed fix for CVE-2026-26740.

• firefox-150.0.3-1.fc44

• Updated to latest upstream (150.0.3)

• xen-4.20.3-3.fc43

x86: CPU Opcode Cache corruption [XSA-490,CVE-2025-54518]

• python-django5-5.2.14-1.fc42

• Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass
• Fixes CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
• Fixes CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware
• Fixes CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
• Fixes CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin
• Fixes CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable
• Fixes CVE-2026-33033: Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload
• Fixes CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass
• Fixes CVE-2026-25674: Potential incorrect permissions on newly created file system objects

• strongswan-6.0.6-3.fc43

Fixes CVE-2026-25075, CVE-2026-35328, CVE-2026-35329, CVE-2026-35330, CVE-2026-35331, CVE-2026-35332, CVE-2026-35333, CVE-2026-35334

Update to address CVE-2025-9615 and CVE-2025-62291

• python-django5-5.2.14-1.fc44

• Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass
• Fixes CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
• Fixes CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware
• Fixes CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
• Fixes CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin
• Fixes CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable
• Fixes CVE-2026-33033: Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload
• Fixes CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass
• Fixes CVE-2026-25674: Potential incorrect permissions on newly created file system objects

• python-django5-5.2.14-1.fc43

• Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass
• Fixes CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
• Fixes CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware
• Fixes CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
• Fixes CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin
• Fixes CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable
• Fixes CVE-2026-33033: Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload
• Fixes CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass
• Fixes CVE-2026-25674: Potential incorrect permissions on newly created file system objects

• strongswan-6.0.6-2.fc44

Fixes CVE-2026-25075, CVE-2026-35328, CVE-2026-35329, CVE-2026-35330, CVE-2026-35331, CVE-2026-35332, CVE-2026-35333, CVE-2026-35334

• xen-4.21.1-3.fc44

x86: CPU Opcode Cache corruption [XSA-490,CVE-2025-54518]