Fedora Security Advisories

FEDORA-2026-de6e24ae07 Packages in this update:

• python-django6-6.0.5-1.fc44

Update description:

• Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass
• Fixes CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
• Fixes CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware
• Fixes CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
• Fixes CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin
• Fixes CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable
• Fixes CVE-2026-33033: Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload
• Fixes CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass
• Fixes CVE-2026-25674: Potential incorrect permissions on newly created file system objects

FEDORA-2026-1704f705ab Packages in this update:

• mysql8.0-8.0.46-1.fc44

Update description:

MySQL 8.0.46

Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-46.html Known issue: s390x-specific issue - zlib with DFLTCC compressed pages with low KEY_BLOCK_SIZE values can cause ER_TOO_BIG_ROWSIZE errors in tables near the column count and their size limits. EOL notice: As of April 2026, with version 8.0.46, MySQL 8.0 reached End of Life (EoL).

FEDORA-2026-0c462e5676 Packages in this update:

• mysql8.0-8.0.46-1.fc43

Update description:

MySQL 8.0.46

Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-46.html Known issue: s390x-specific issue - zlib with DFLTCC compressed pages with low KEY_BLOCK_SIZE values can cause ER_TOO_BIG_ROWSIZE errors in tables near the column count and their size limits. EOL notice: As of April 2026, with version 8.0.46, MySQL 8.0 reached End of Life (EoL).

FEDORA-2026-b78d5204fe Packages in this update:

• mysql8.0-8.0.46-1.fc42

Update description:

MySQL 8.0.46

Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-46.html Known issue: s390x-specific issue - zlib with DFLTCC compressed pages with low KEY_BLOCK_SIZE values can cause ER_TOO_BIG_ROWSIZE errors in tables near the column count and their size limits. EOL notice: As of April 2026, with version 8.0.46, MySQL 8.0 reached End of Life (EoL).

FEDORA-EPEL-2026-f4f7a26f7a Packages in this update:

• proftpd-1.3.6e-10.el8

Update description:

This update contains an updated mod_wrap2_sql that addresses a potential SQL injection issue when connected to from a client with a maliciously-constructed reverse DNS record (CVE-2026-44331). Note that mod_wrap2_sql is not enabled by default and the issue can only happen if UseReverseDNS is enabled, which is also off by default.

FEDORA-EPEL-2026-ddf8b5eac2 Packages in this update:

• proftpd-1.3.8d-3.el9

Update description:

This update contains an updated mod_wrap2_sql that addresses a potential SQL injection issue when connected to from a client with a maliciously-constructed reverse DNS record (CVE-2026-44331). Note that mod_wrap2_sql is not enabled by default and the issue can only happen if UseReverseDNS is enabled, which is also off by default.

FEDORA-EPEL-2026-fda27c1b84 Packages in this update:

• proftpd-1.3.9a-2.el10_3

Update description:

This update contains an updated mod_wrap2_sql that addresses a potential SQL injection issue when connected to from a client with a maliciously-constructed reverse DNS record (CVE-2026-44331). Note that mod_wrap2_sql is not enabled by default and the issue can only happen if UseReverseDNS is enabled, which is also off by default.

FEDORA-EPEL-2026-9f8a61c142 Packages in this update:

• proftpd-1.3.9a-2.el10_2

Update description:

This update contains an updated mod_wrap2_sql that addresses a potential SQL injection issue when connected to from a client with a maliciously-constructed reverse DNS record (CVE-2026-44331). Note that mod_wrap2_sql is not enabled by default and the issue can only happen if UseReverseDNS is enabled, which is also off by default.

FEDORA-EPEL-2026-c8e9680bd3 Packages in this update:

• proftpd-1.3.9a-2.el10_1

Update description:

This update contains an updated mod_wrap2_sql that addresses a potential SQL injection issue when connected to from a client with a maliciously-constructed reverse DNS record (CVE-2026-44331). Note that mod_wrap2_sql is not enabled by default and the issue can only happen if UseReverseDNS is enabled, which is also off by default.

FEDORA-2026-871243b391 Packages in this update:

• proftpd-1.3.9a-2.fc44

Update description:

This update contains an updated mod_wrap2_sql that addresses a potential SQL injection issue when connected to from a client with a maliciously-constructed reverse DNS record (CVE-2026-44331). Note that mod_wrap2_sql is not enabled by default and the issue can only happen if UseReverseDNS is enabled, which is also off by default.

FEDORA-2026-4ddb108952 Packages in this update:

• proftpd-1.3.9a-2.fc43

Update description:

This update contains an updated mod_wrap2_sql that addresses a potential SQL injection issue when connected to from a client with a maliciously-constructed reverse DNS record (CVE-2026-44331). Note that mod_wrap2_sql is not enabled by default and the issue can only happen if UseReverseDNS is enabled, which is also off by default.

FEDORA-2026-79e64d2daa Packages in this update:

• python-dotenv-1.2.2-1.fc44

Update description:

Update to 1.2.2, security fix for CVE-2026-28684.

FEDORA-2026-20312e36a8 Packages in this update:

• python-dotenv-1.2.2-1.fc43

Update description:

Update to 1.2.2, security fix for CVE-2026-28684.

FEDORA-2026-4542b2d7aa Packages in this update:

• firefox-150.0.3-1.fc43

Update description:

• New upstream release (150.0.3)

FEDORA-2026-c62259888c Packages in this update:

• firefox-150.0.3-1.fc42

Update description:

• New upstream release (150.0.3)

FEDORA-2026-9cf92027ec Packages in this update:

• mingw-expat-2.8.1-1.fc43

Update description:

Update to expat-2.8.1.

FEDORA-2026-163d1fe6c0 Packages in this update:

• mingw-expat-2.8.1-1.fc44

Update description:

Update to expat-2.8.1.

FEDORA-2026-6384a3cf14 Packages in this update:

• dnsmasq-2.92rel2-2.fc43

Update description: Update to 2.92rel2 2.92 point release incorporating fixes for:

• CVE-2026-2291
• CVE-2026-4890
• CVE-2026-4891
• CVE-2026-4892
• CVE-2026-4893
• CVE-2026-5172

https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html

FEDORA-2026-ac5cceec13 Packages in this update:

• dnsmasq-2.92rel2-9.fc44

Update description: Update to 2.92rel2 2.92 point release incorporating fixes for:

• CVE-2026-2291
• CVE-2026-4890
• CVE-2026-4891
• CVE-2026-4892
• CVE-2026-4893
• CVE-2026-5172

https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html

FEDORA-2026-649806ee21 Packages in this update:

• nodejs22-22.22.2-3.fc42

Update description:

Update to version 22.22.2