The following Fedora EPEL 10.2 Security updates need testing:
 Age  URL
   6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-c60f76437d   libsodium-1.0.21-2.el10_2
   6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-b90feb26b8   foomuuri-0.31-1.el10_2
   5  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-50fab59f98   helm-4.0.4-1.el10_2 helm3-3.19.3-1.el10_2
   2  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-9868aecccc   rust-lru-0.16.3-1.el10_2


The following builds have been pushed to Fedora EPEL 10.2 updates-testing

    cpp-httplib-0.30.1-5.el10_2
    libicu67-67.1-10.1.el10_2
    mock-core-configs-43.4-1.el10_2
    rpki-client-9.7-1.el10_2
    ruby-build-20260113-1.el10_2
    rust-libsqlite3-sys0.28-0.28.0-2.el10_2
    rust-reqwest-0.13.1-1.el10_2
    rust-reqwest0.12-0.12.28-1.el10_2
    rust2rpm-helper-0.1.8-1.el10_2
    xrootd-s3-http-0.6.0-2.el10_2

Details about builds:


================================================================================
 cpp-httplib-0.30.1-5.el10_2 (FEDORA-EPEL-2026-1b5546a566)
 A C++11 single-file header-only cross platform HTTP/HTTPS library
--------------------------------------------------------------------------------
Update Information:

Update to 0.30.1
Denial of service (DoS) using zip bomb (CVE-2026-22776)
CRLF injection in HTTP headers (CVE-2026-21428)
Untrusted HTTP Header Handling: X-Forwarded-For/X-Real-IP Trust (CVE-2025-66577)
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 13 2026 Petr Menšík <[email protected]> - 0.30.1-5
- Switch to GCC 15 test fix with active PR
* Tue Jan 13 2026 Petr Menšík <[email protected]> - 0.30.1-4
- Drop 32 bit support like upstream did
* Mon Jan 12 2026 Petr Menšík <[email protected]> - 0.30.1-3
- fixup! Fix tests in last release
* Mon Jan 12 2026 Petr Menšík <[email protected]> - 0.30.1-2
- Fix tests in last release
* Mon Jan 12 2026 Petr Menšík <[email protected]> - 0.30.1-1
- Update to 0.30.1 (rhbz#2406686)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2338561 - cpp-httplib-0.26.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2338561
  [ 2 ] Bug #2419550 - CVE-2025-66570 cpp-httplib: cpp-httplib Untrusted HTTP Header Handling [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2419550
  [ 3 ] Bug #2419628 - CVE-2025-66577 cpp-httplib: cpp-httplib Untrusted HTTP Header Handling: X-Forwarded-For/X-Real-IP Trust [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2419628
  [ 4 ] Bug #2426696 - CVE-2026-21428 cpp-httplib: cpp-httplib: Server-Side Request Forgery via header injection [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2426696
  [ 5 ] Bug #2428890 - CVE-2026-22776 cpp-httplib: cpp-httplib: Denial of Service due to excessive memory usage from compressed HTTP request bodies [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2428890
--------------------------------------------------------------------------------


================================================================================
 libicu67-67.1-10.1.el10_2 (FEDORA-EPEL-2026-0917b799fe)
 Compat package with icu libraries
--------------------------------------------------------------------------------
Update Information:

Backport upstream fix for CVE-2025-5222.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 13 2026 Carl George <[email protected]> - 67.1-10.1
- ICU-22973 Fix buffer overflow by using CharString
- Resolves: rhbz#2428860 CVE-2025-5222
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2428860 - CVE-2025-5222 icu: Stack buffer overflow in the SRBRoot::addTag function [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2428860
--------------------------------------------------------------------------------


================================================================================
 mock-core-configs-43.4-1.el10_2 (FEDORA-EPEL-2026-b7a1301b10)
 Mock core config files basic chroots
--------------------------------------------------------------------------------
Update Information:

new mock-core-configs update
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan 12 2026 Jiri Kyjovsky <[email protected]> 43.4-1
- Disable bootstrap for riscv ([email protected])
- Add risc-v fedora chroots ([email protected])
- eol/epel-6: copy-paste ca-bundle from host ([email protected])
- Fix aarch64 configuration for Azure Linux 3 ([email protected])
--------------------------------------------------------------------------------


================================================================================
 rpki-client-9.7-1.el10_2 (FEDORA-EPEL-2026-c3907ce405)
 OpenBSD RPKI validator to support BGP Origin Validation
--------------------------------------------------------------------------------
Update Information:

rpki-client 9.7
The Canonical Cache Representation underwent a breaking change after the
adoption of https://datatracker.ietf.org/doc/draft-ietf-sidrops-rpki-ccr/ as a
SIDROPS working group item. Apart from several CMS-related cosmetics it now uses
an IANA-assigned content type. As a result, rpki-client 9.7 cannot parse
rpki-client 9.6's .ccr files and vice versa.
Support for Ghostbusters Record objects (RFC 6493) has been removed. Nobody
showed interest in deploying this and there are other, widely supported ways of
exchanging operational contact information such as RDAP. RFC 6493 is undergoing
a status review to be marked as historic:
https://datatracker.ietf.org/doc/status-change-rpki-ghostbusters-record-to-historic/
Prepare the code base for the opaque ASN1_STRING structure in OpenSSL 4.
Fixed two reliability issues: one where a malicious RPKI Certification Authority
can trigger a crash, one where a malicious Trust Anchor can provoke memory
exhaustion.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 13 2026 Robert Scheck <[email protected]> 9.7-1
- Upgrade to 9.7 (#2429390)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2429390 - rpki-client-9.7 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2429390
--------------------------------------------------------------------------------


================================================================================
 ruby-build-20260113-1.el10_2 (FEDORA-EPEL-2026-cdca15c273)
 Compile and install Ruby
--------------------------------------------------------------------------------
Update Information:

Update to 20260113 to include CRuby 4.0.1 release
Update to 20260110
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 13 2026 Packit <[email protected]> - 20260113-1
- Update to 20260113 upstream release
- Resolves: rhbz#2428859
* Sat Jan 10 2026 Packit <[email protected]> - 20260110-1
- Update to 20260110 upstream release
- Resolves: rhbz#2428461
--------------------------------------------------------------------------------


================================================================================
 rust-libsqlite3-sys0.28-0.28.0-2.el10_2 (FEDORA-EPEL-2026-6e8fa5aa08)
 Native bindings to the libsqlite3 library
--------------------------------------------------------------------------------
Update Information:

Bump bindgen build-dependency to 0.72 to avoid pulling in old compat packages.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan 12 2026 Fabio Valentini <[email protected]> - 0.28.0-2
- Bump bindgen build-dependency from 0.69 to 0.72
--------------------------------------------------------------------------------


================================================================================
 rust-reqwest-0.13.1-1.el10_2 (FEDORA-EPEL-2026-bc9e962e2b)
 Higher level HTTP client library
--------------------------------------------------------------------------------
Update Information:

Update the reqwest crate to version 0.13.1 and add a compat package for version
0.12.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jan  9 2026 Fabio Valentini <[email protected]> - 0.13.1-1
- Update to version 0.13.1; Fixes RHBZ#2420203
--------------------------------------------------------------------------------


================================================================================
 rust-reqwest0.12-0.12.28-1.el10_2 (FEDORA-EPEL-2026-bc9e962e2b)
 Higher level HTTP client library
--------------------------------------------------------------------------------
Update Information:

Update the reqwest crate to version 0.13.1 and add a compat package for version
0.12.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 13 2026 Fabio Valentini <[email protected]> - 0.12.28-1
- Initial import (reqwest v0.12 compat package)
--------------------------------------------------------------------------------


================================================================================
 rust2rpm-helper-0.1.8-1.el10_2 (FEDORA-EPEL-2026-2058fcc659)
 Helper program for rust2rpm
--------------------------------------------------------------------------------
Update Information:

Update to version 0.1.8.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan 12 2026 Fabio Valentini <[email protected]> - 0.1.8-1
- Update to version 0.1.8; Fixes RHBZ#2354889
* Fri Jul 25 2025 Fedora Release Engineering <[email protected]> - 0.1.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
--------------------------------------------------------------------------------


================================================================================
 xrootd-s3-http-0.6.0-2.el10_2 (FEDORA-EPEL-2026-8efdf04f17)
 S3/HTTP/Globus filesystem plugins for XRootD
--------------------------------------------------------------------------------
Update Information:

XRootD S3/HTTP 0.6.0
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 13 2026 Mattias Ellert <[email protected]> - 0.6.0-2
- Correct naming of helper library libXrdPelicanHttpCore (not a plugin)
- Fix parallel running of Posc tests
* Mon Jan 12 2026 Mattias Ellert <[email protected]> - 0.6.0-1
- Update to version 0.6.0
--------------------------------------------------------------------------------

