The following Fedora EPEL 9 Security updates need testing:
 Age  URL
  55  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-9a55de96db   xpdf-4.06-1.el9
   5  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-8ec67a8105   libsodium-1.0.18-9.el9
   5  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-8919df6bce   foomuuri-0.31-1.el9
   5  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-8461f97b9d   helm-4.0.4-1.el9 helm3-3.19.3-1.el9
   1  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-75ca846030   rust-lru-0.16.3-1.el9


The following builds have been pushed to Fedora EPEL 9 updates-testing

    cpp-httplib-0.30.1-5.el9
    mock-core-configs-43.4-1.el9
    python-pathspec-1.0.3-1.el9
    rpki-client-9.7-1.el9
    ruby-build-20260113-1.el9
    rust-exacl-0.12.0-5.el9
    rust-icu_locale_data-2.1.2-1.el9
    rust-libsqlite3-sys0.28-0.28.0-2.el9
    rust-reqwest-0.13.1-1.el9
    rust-reqwest0.12-0.12.28-1.el9
    xrootd-s3-http-0.6.0-2.el9

Details about builds:


================================================================================
 cpp-httplib-0.30.1-5.el9 (FEDORA-EPEL-2026-aecc6f21f3)
 A C++11 single-file header-only cross platform HTTP/HTTPS library
--------------------------------------------------------------------------------
Update Information:

Update to 0.30.1
Denial of service (DoS) using zip bomb (CVE-2026-22776)
CRLF injection in HTTP headers (CVE-2026-21428)
Untrusted HTTP Header Handling: X-Forwarded-For/X-Real-IP Trust (CVE-2025-66577)
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 13 2026 Petr Menšík <[email protected]> - 0.30.1-5
- Switch to GCC 15 test fix with active PR
* Tue Jan 13 2026 Petr Menšík <[email protected]> - 0.30.1-4
- Drop 32 bit support like upstream did
* Mon Jan 12 2026 Petr Menšík <[email protected]> - 0.30.1-3
- fixup! Fix tests in last release
* Mon Jan 12 2026 Petr Menšík <[email protected]> - 0.30.1-2
- Fix tests in last release
* Mon Jan 12 2026 Petr Menšík <[email protected]> - 0.30.1-1
- Update to 0.30.1 (rhbz#2406686)
* Sat Aug 30 2025 Orion Poplawski <[email protected]> - 0.26.0-1
- Update to 0.26.0 (CVE-2025-53629)
* Wed Jul 23 2025 Fedora Release Engineering <[email protected]> - 0.20.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Fri May  9 2025 Orion Poplawski <[email protected]> - 0.20.1-1
- Update to 0.20.1
* Mon Feb 17 2025 Orion Poplawski <[email protected]> - 0.19.0-1
- Update to 0.19.0 (CVE-2025-0825) (rhbz#2343758)
* Thu Jan 16 2025 Fedora Release Engineering <[email protected]> - 0.18.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Tue Dec 10 2024 Petr Menšík <[email protected]> - 0.18.3-1
- Update to 0.18.3 (rhbz#2227575)
* Sat Nov  9 2024 Orion Poplawski <[email protected]> - 0.18.1-1
- Update to 0.18.1
* Tue Sep 17 2024 Orion Poplawski <[email protected]> - 0.18.0-1
- Update to 0.18.0
* Wed Jul 17 2024 Fedora Release Engineering <[email protected]> - 0.13.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Wed Jan 24 2024 Fedora Release Engineering <[email protected]> - 0.13.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering <[email protected]> - 0.13.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2338561 - cpp-httplib-0.26.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2338561
  [ 2 ] Bug #2364281 - CVE-2025-46728 cpp-httplib: cpp-httplib has Unbounded Memory Allocation in Chunked/No-Length Requests [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2364281
  [ 3 ] Bug #2379426 - CVE-2025-53629 cpp-httplib: cpp-httplib Unbounded Memory Allocation in Chunked/No-Length Requests Vulnerability [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2379426
  [ 4 ] Bug #2379427 - CVE-2025-53628 cpp-httplib: cpp-httplib does not limit the length of a line [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2379427
  [ 5 ] Bug #2419547 - CVE-2025-66570 cpp-httplib: cpp-httplib Untrusted HTTP Header Handling [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2419547
  [ 6 ] Bug #2419630 - CVE-2025-66577 cpp-httplib: cpp-httplib Untrusted HTTP Header Handling: X-Forwarded-For/X-Real-IP Trust [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2419630
--------------------------------------------------------------------------------


================================================================================
 mock-core-configs-43.4-1.el9 (FEDORA-EPEL-2026-39c8e82e1f)
 Mock core config files basic chroots
--------------------------------------------------------------------------------
Update Information:

new mock-core-configs update
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan 12 2026 Jiri Kyjovsky <[email protected]> 43.4-1
- Disable bootstrap for riscv ([email protected])
- Add risc-v fedora chroots ([email protected])
- eol/epel-6: copy-paste ca-bundle from host ([email protected])
- Fix aarch64 configuration for Azure Linux 3 ([email protected])
--------------------------------------------------------------------------------


================================================================================
 python-pathspec-1.0.3-1.el9 (FEDORA-EPEL-2026-03f9faad64)
 Utility library for gitignore style pattern matching of file paths
--------------------------------------------------------------------------------
Update Information:

Update to latest upstream version
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 13 2026 Adrien Vergé - 1.0.3-1
- Update to latest upstream version
--------------------------------------------------------------------------------


================================================================================
 rpki-client-9.7-1.el9 (FEDORA-EPEL-2026-e8927bc057)
 OpenBSD RPKI validator to support BGP Origin Validation
--------------------------------------------------------------------------------
Update Information:

rpki-client 9.7
The Canonical Cache Representation underwent a breaking change after the
adoption of https://datatracker.ietf.org/doc/draft-ietf-sidrops-rpki-ccr/ as a
SIDROPS working group item. Apart from several CMS-related cosmetics it now uses
an IANA-assigned content type. As a result, rpki-client 9.7 cannot parse
rpki-client 9.6's .ccr files and vice versa.
Support for Ghostbusters Record objects (RFC 6493) has been removed. Nobody
showed interest in deploying this and there are other, widely supported ways of
exchanging operational contact information such as RDAP. RFC 6493 is undergoing
a status review to be marked as historic:
https://datatracker.ietf.org/doc/status-change-rpki-ghostbusters-record-to-historic/
Prepare the code base for the opaque ASN1_STRING structure in OpenSSL 4.
Fixed two reliability issues: one where a malicious RPKI Certification Authority
can trigger a crash, one where a malicious Trust Anchor can provoke memory
exhaustion.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 13 2026 Robert Scheck <[email protected]> 9.7-1
- Upgrade to 9.7 (#2429390)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2429390 - rpki-client-9.7 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2429390
--------------------------------------------------------------------------------


================================================================================
 ruby-build-20260113-1.el9 (FEDORA-EPEL-2026-434b61c95b)
 Compile and install Ruby
--------------------------------------------------------------------------------
Update Information:

Update to 20260113 to include CRuby 4.0.1 release
Update to 20260110
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 13 2026 Packit <[email protected]> - 20260113-1
- Update to 20260113 upstream release
- Resolves: rhbz#2428859
* Sat Jan 10 2026 Packit <[email protected]> - 20260110-1
- Update to 20260110 upstream release
- Resolves: rhbz#2428461
--------------------------------------------------------------------------------


================================================================================
 rust-exacl-0.12.0-5.el9 (FEDORA-EPEL-2026-d88face6b2)
 Manipulate file system access control lists
--------------------------------------------------------------------------------
Update Information:

Bump bindgen build-dependency from 0.69 to 0.72 to avoid pulling in old compat
packages.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan 12 2026 Fabio Valentini <[email protected]> - 0.12.0-5
- Bump bindgen build-dependency from 0.69 to 0.72
* Fri Jul 25 2025 Fedora Release Engineering <[email protected]> - 0.12.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Sun Jan 19 2025 Fedora Release Engineering <[email protected]> - 0.12.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
--------------------------------------------------------------------------------


================================================================================
 rust-icu_locale_data-2.1.2-1.el9 (FEDORA-EPEL-2026-d2ffbdc41d)
 Data for the icu_locale crate
--------------------------------------------------------------------------------
Update Information:

Update to version 2.1.2, with data from CLDR version 48.1.0 (and still ICU
version release-78.1rc and LSTM segmenter version v0.1.0).
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan 12 2026 Benjamin A. Beasley <[email protected]> - 2.1.2-1
- Update to version 2.1.2; Fixes RHBZ#2428801
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2428801 - rust-icu_locale_data-2.1.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2428801
--------------------------------------------------------------------------------


================================================================================
 rust-libsqlite3-sys0.28-0.28.0-2.el9 (FEDORA-EPEL-2026-fc207cffc9)
 Native bindings to the libsqlite3 library
--------------------------------------------------------------------------------
Update Information:

Bump bindgen build-dependency to 0.72 to avoid pulling in old compat packages.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan 12 2026 Fabio Valentini <[email protected]> - 0.28.0-2
- Bump bindgen build-dependency from 0.69 to 0.72
--------------------------------------------------------------------------------


================================================================================
 rust-reqwest-0.13.1-1.el9 (FEDORA-EPEL-2026-4fb7264d87)
 Higher level HTTP client library
--------------------------------------------------------------------------------
Update Information:

Update the reqwest crate to version 0.13.1 and add a compat package for version
0.12.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jan  9 2026 Fabio Valentini <[email protected]> - 0.13.1-1
- Update to version 0.13.1; Fixes RHBZ#2420203
--------------------------------------------------------------------------------


================================================================================
 rust-reqwest0.12-0.12.28-1.el9 (FEDORA-EPEL-2026-4fb7264d87)
 Higher level HTTP client library
--------------------------------------------------------------------------------
Update Information:

Update the reqwest crate to version 0.13.1 and add a compat package for version
0.12.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 13 2026 Fabio Valentini <[email protected]> - 0.12.28-1
- Initial import (reqwest v0.12 compat package)
--------------------------------------------------------------------------------


================================================================================
 xrootd-s3-http-0.6.0-2.el9 (FEDORA-EPEL-2026-349b0b4a54)
 S3/HTTP/Globus filesystem plugins for XRootD
--------------------------------------------------------------------------------
Update Information:

XRootD S3/HTTP 0.6.0
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 13 2026 Mattias Ellert <[email protected]> - 0.6.0-2
- Correct naming of helper library libXrdPelicanHttpCore (not a plugin)
- Fix parallel running of Posc tests
* Mon Jan 12 2026 Mattias Ellert <[email protected]> - 0.6.0-1
- Update to version 0.6.0
--------------------------------------------------------------------------------

