Aggregator

USN-8168-1 fixed a vulnerability in Rust. This update provides the corresponding update to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. Original advisory details: It was discovered that tar-rs embedded in rustc incorrectly handled symlinks when unpacking a tar archive. If a user or automated system were tricked into processing a specially crafted tar archive, a remote attacker could use this issue to modify permissions of arbitrary directories outside the extraction root, and possibly escalate privileges.

Version:next-20260414 (linux-next) Released:2026-04-14

FEDORA-2026-3b2063832d Packages in this update:

• pie-1.4.1-1.fc42

Update description:

Version 1.4.1

• Update bundled Composer to 2.9.7

Version 1.4.0

New features!

• Prompt to install missing system dependencies
• Prompt to install build toolchain
• Support pre-packaged-binary for download-url-method
• Support INSTALL_ROOT environment variable to override destination

For more information, see Upstream annoucenement

FEDORA-EPEL-2026-7812671be8 Packages in this update:

• pie-1.4.1-1.el10_3

Update description:

Version 1.4.1

• Update bundled Composer to 2.9.7

Version 1.4.0

New features!

• Prompt to install missing system dependencies
• Prompt to install build toolchain
• Support pre-packaged-binary for download-url-method
• Support INSTALL_ROOT environment variable to override destination

For more information, see Upstream annoucenement

FEDORA-EPEL-2026-f0077847e2 Packages in this update:

• pie-1.4.1-1.el10_1

Update description:

Version 1.4.1

• Update bundled Composer to 2.9.7

Version 1.4.0

New features!

• Prompt to install missing system dependencies
• Prompt to install build toolchain
• Support pre-packaged-binary for download-url-method
• Support INSTALL_ROOT environment variable to override destination

For more information, see Upstream annoucenement

FEDORA-EPEL-2026-128f171ef6 Packages in this update:

• pie-1.4.1-1.el10_2

Update description:

Version 1.4.1

• Update bundled Composer to 2.9.7

Version 1.4.0

New features!

• Prompt to install missing system dependencies
• Prompt to install build toolchain
• Support pre-packaged-binary for download-url-method
• Support INSTALL_ROOT environment variable to override destination

For more information, see Upstream annoucenement

FEDORA-2026-7acc0ad1fc Packages in this update:

• pie-1.4.1-1.fc44

Update description:

Version 1.4.1

• Update bundled Composer to 2.9.7

Version 1.4.0

New features!

• Prompt to install missing system dependencies
• Prompt to install build toolchain
• Support pre-packaged-binary for download-url-method
• Support INSTALL_ROOT environment variable to override destination

For more information, see Upstream annoucenement

FEDORA-2026-3f4283f831 Packages in this update:

• pie-1.4.1-1.fc43

Update description:

Version 1.4.1

• Update bundled Composer to 2.9.7

Version 1.4.0

New features!

• Prompt to install missing system dependencies
• Prompt to install build toolchain
• Support pre-packaged-binary for download-url-method
• Support INSTALL_ROOT environment variable to override destination

For more information, see Upstream annoucenement

FEDORA-2026-907bbf2a13 Packages in this update:

• curl-8.11.1-8.fc42

Update description:

• fix bad reuse of HTTP Negotiate connection (CVE-2026-1965)
• fix token leak with redirect and netrc (CVE-2026-3783)
• fix wrong proxy connection reuse with credentials (CVE-2026-3784)
• fix use after free in SMB connection reuse (CVE-2026-3805)

FEDORA-EPEL-2026-de8ec2aa2e Packages in this update:

• composer-2.9.7-1.el10_3

Update description: Version 2.9.7 - 2026-04-14

• Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

Version 2.9.6 - 2026-04-14

• Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
• Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
• Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
• Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
• Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
• Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
• Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
• Fixed GitHub API authentication errors not being visible to the user (#12737)
• Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
• Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

FEDORA-EPEL-2026-a47812ee6c Packages in this update:

• composer-2.9.7-1.el9

Update description: Version 2.9.7 - 2026-04-14

• Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

Version 2.9.6 - 2026-04-14

• Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
• Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
• Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
• Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
• Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
• Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
• Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
• Fixed GitHub API authentication errors not being visible to the user (#12737)
• Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
• Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

FEDORA-2026-1140c02041 Packages in this update:

• composer-2.9.7-1.fc44

Update description: Version 2.9.7 - 2026-04-14

• Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

Version 2.9.6 - 2026-04-14

• Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
• Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
• Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
• Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
• Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
• Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
• Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
• Fixed GitHub API authentication errors not being visible to the user (#12737)
• Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
• Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

FEDORA-EPEL-2026-7babf884c7 Packages in this update:

• composer-2.9.7-1.el10_2

Update description: Version 2.9.7 - 2026-04-14

• Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

Version 2.9.6 - 2026-04-14

• Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
• Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
• Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
• Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
• Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
• Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
• Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
• Fixed GitHub API authentication errors not being visible to the user (#12737)
• Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
• Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

FEDORA-2026-d91f313a63 Packages in this update:

• composer-2.9.7-1.fc42

Update description: Version 2.9.7 - 2026-04-14

• Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

Version 2.9.6 - 2026-04-14

• Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
• Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
• Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
• Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
• Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
• Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
• Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
• Fixed GitHub API authentication errors not being visible to the user (#12737)
• Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
• Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

FEDORA-2026-02c1f66b6a Packages in this update:

• composer-2.9.7-1.fc43

Update description: Version 2.9.7 - 2026-04-14

• Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

Version 2.9.6 - 2026-04-14

• Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
• Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
• Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
• Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
• Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
• Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
• Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
• Fixed GitHub API authentication errors not being visible to the user (#12737)
• Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
• Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

FEDORA-EPEL-2026-e7a666ddb5 Packages in this update:

• composer-2.9.7-1.el10_1

Update description: Version 2.9.7 - 2026-04-14

• Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

Version 2.9.6 - 2026-04-14

• Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
• Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
• Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
• Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
• Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
• Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
• Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
• Fixed GitHub API authentication errors not being visible to the user (#12737)
• Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
• Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

FEDORA-2026-f15653a0aa Packages in this update:

• mingw-python3-3.11.15-3.fc42

Update description:

Backport fixes for CVE-2026-6100, CVE-2026-3479, CVE-2026-1502

FEDORA-2026-e20864d099 Packages in this update:

• mingw-python3-3.11.15-3.fc43

Update description:

Backport fixes for CVE-2026-6100, CVE-2026-3479, CVE-2026-1502

FEDORA-2026-6ef614f23c Packages in this update:

• mingw-python3-3.11.15-3.fc44

Update description:

Backport fixes for CVE-2026-6100, CVE-2026-3479, CVE-2026-1502

FEDORA-2026-34c2bf6df4 Packages in this update:

• pgadmin4-9.14-3.fc44

Update description:

Update axios to 1.15.0, fixes CVE-2026-40175 and CVE-2025-62718.

Update to pgadmin4-9.14.