The following Fedora EPEL 10.2 Security updates need testing:
Age URL
6 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-12b5bcc5d5
nextcloud-32.0.2-1.el10_2
6 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-228b3430e8
restic-0.18.1-1.el10_2
6 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-c7b9b07dd3
rclone-1.72.0-1.el10_2
6 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-fae772942c
openbao-2.4.4-1.el10_2
6 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-3c4c4e0490
stb-0^20251025gitf1c79c0-2.el10_2
4 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-596d7a5bb9
fcgi-2.4.7-1.el10_2
The following builds have been pushed to Fedora EPEL 10.2 updates-testing
baresip-4.3.0-1.el10_2
imhex-1.37.4-3.el10_2
libre-4.3.0-1.el10_2
libwebsockets-4.3.7-2.el10_2
lunasvg-3.5.0-1.el10_2
partclone-0.3.40-1.el10_2
plutovg-1.3.2-1.el10_2
python-nanobind-2.9.2-3.el10_2
Details about builds:
================================================================================
baresip-4.3.0-1.el10_2 (FEDORA-EPEL-2025-e53b3ec7eb)
Modular SIP user-agent with audio and video support
--------------------------------------------------------------------------------
Update Information:
Baresip v4.3.0 (2025-11-19)
video: find new encoder if not available
video: null pointer checks for codec functions
test/ccheck: ignore reversed list_unlink
g722: add libg722 module as alternative to avoid spandsp dependency
pulse: return err if unsupported stream
jbuf: update copyright
jbuf: remove unused jbuf_frames() in API
rtprecv, aureceiver: fix ssrc re-invite
test: remove include to menu.h
play: warnings for failed audio devices
account: added account_set_pubint API function
Baresip v4.2.0 (2025-10-15)
menu: check return value from str_dup()
ctrl_dbus: check return value of str_dup()
core: set bundle rtpext before aulevel
ice: use icem_rcand_ready
mpa: move MPA audio codec to baresip-apps
webrtc_aecm: removed module
ci-windows: bump choco openssl version to 3.5.3
audiounit: remove unused member int fmt
audiounit: remove int ch already present in struct ausrc_prm
call,bevent: add call contacturi
test/ua: add test_ua_cuser
ua: rename setting to sip_cuser_random
menu: fix some typos
call: send local SDP event not too early
call: call_modify() - local SDP event before SDP encode
test: add test_uag_find_msg()
video: better sendrate and burst_bits defaults
webrtc_aec: update module to Debian Trixie compatibility
call: add missing input argument checking (struct call pointer)
ci,windows: bump Choco to OpenSSL version 3.5.4
modules: fix minor typos
config: remove mpa module from template
avfilter: fix av_opt_set_int_list deprecation warning
ci/macos: use default ffmpeg (currently 8.0)
cmake: fix usage of SPANDSP_HINTS
ci/coverage: increase min. coverage
bump version number to 4.2.0
libre v4.3.0 (2025-11-19)
cmake: remove macOS include path
test: sort testcases in alphabetical order
test: increase coverage of websock test with protocol on/off
sdp/media: fix sdp_media_align_formats pt handling
dns: fix AAAA address comparison in getaddr_dup()
test: add support for IPv6 DNS testing
ci: add clang-21
sys/fs: improve fs_fread error handling
test: compare DNS RR records data in order to increase test-coverage
dns: correct comment in dnsc_query_srv()
h265: Fix NAL Decode nuh_layer_id
auframe: avoid auframe_bytes_to_ms division by zero
aumix: add aumix_latency and new defaults
dns: remove get_android_dns()
test: add testing of DNS nameservers
cmake/re-config: fix HAVE_THREADS discovery
libre v4.2.0 (2025-10-15)
test: add testcode for btrace module
types: add ETIME fallback
test: add testing of conf_get_bool()
test/btrace: skip thread test
Revert "dtls: remove dtls_set_handlers() -- unused"
ice/icem: add icem_rcand_ready helper
ice/sdp: remove mDNS AI_V4MAPPED and log late candidate
tls: minor improvements to SNI and Common-name comparison
tls: revert wrong match-checking in SNI function
ci-windows: bump choco openssl version to 3.5.3
tls: sni - a null pointer check
test: fix some minor typos
dbg: remove dbg_close() -- unused
ci,windows: bump choco openssl to 3.5.4
misc: fix some minor typos
test: test both fragmented and non-fragmented H.265 packets
test: add negative AES testcases
test: add test for conf_apply()
ci/android: Upgrade to API-level 29 (Android 10.0)
ci/android: remove AVD cache
ci/android: revert to android api level 26
bump version number to 4.2.0
--------------------------------------------------------------------------------
ChangeLog:
* Sat Nov 29 2025 Robert Scheck <[email protected]> 4.3.0-1
- Upgrade to 4.3.0 (#2404130)
* Tue Nov 11 2025 Adam Williamson <[email protected]> - 4.1.0-3
- rebuild against libre with fixed thread detection
* Mon Nov 10 2025 Adam Williamson <[email protected]> - 4.1.0-2
- rebuild for FFmpeg 8
- build with -DHAVE_THREADS=1 to fix build failure with recent glibc
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2404092 - libre-4.3.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2404092
[ 2 ] Bug #2404130 - baresip-4.3.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2404130
--------------------------------------------------------------------------------
================================================================================
imhex-1.37.4-3.el10_2 (FEDORA-EPEL-2025-85c58e7712)
A hex editor for reverse engineers and programmers
--------------------------------------------------------------------------------
Update Information:
Unbundle plutovg from lunasvg, this avoids shipping a duplicate library with
conflicting files.
Update lunasvg to consume the plutovg version already available in the
repositories and to fix various CVEs.
Rebuild imhex for the updated lunasvg.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Dec 1 2025 Simone Caronni <[email protected]> - 1.37.4-3
- Rebuild for updated build requirements.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2295891 - lunasvg-3.5.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2295891
[ 2 ] Bug #2341675 - CVE-2024-57719 CVE-2024-57720 CVE-2024-57721
CVE-2024-57722 CVE-2024-57723 CVE-2024-57724 lunasvg: various flaws [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2341675
[ 3 ] Bug #2343567 - CVE-2024-55456 lunasvg: From CVEorg collector [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2343567
[ 4 ] Bug #2400407 - file conflict between plutovg-devel and lunasvg-devel
https://bugzilla.redhat.com/show_bug.cgi?id=2400407
--------------------------------------------------------------------------------
================================================================================
libre-4.3.0-1.el10_2 (FEDORA-EPEL-2025-e53b3ec7eb)
Generic library for real-time communications
--------------------------------------------------------------------------------
Update Information:
Baresip v4.3.0 (2025-11-19)
video: find new encoder if not available
video: null pointer checks for codec functions
test/ccheck: ignore reversed list_unlink
g722: add libg722 module as alternative to avoid spandsp dependency
pulse: return err if unsupported stream
jbuf: update copyright
jbuf: remove unused jbuf_frames() in API
rtprecv, aureceiver: fix ssrc re-invite
test: remove include to menu.h
play: warnings for failed audio devices
account: added account_set_pubint API function
Baresip v4.2.0 (2025-10-15)
menu: check return value from str_dup()
ctrl_dbus: check return value of str_dup()
core: set bundle rtpext before aulevel
ice: use icem_rcand_ready
mpa: move MPA audio codec to baresip-apps
webrtc_aecm: removed module
ci-windows: bump choco openssl version to 3.5.3
audiounit: remove unused member int fmt
audiounit: remove int ch already present in struct ausrc_prm
call,bevent: add call contacturi
test/ua: add test_ua_cuser
ua: rename setting to sip_cuser_random
menu: fix some typos
call: send local SDP event not too early
call: call_modify() - local SDP event before SDP encode
test: add test_uag_find_msg()
video: better sendrate and burst_bits defaults
webrtc_aec: update module to Debian Trixie compatibility
call: add missing input argument checking (struct call pointer)
ci,windows: bump Choco to OpenSSL version 3.5.4
modules: fix minor typos
config: remove mpa module from template
avfilter: fix av_opt_set_int_list deprecation warning
ci/macos: use default ffmpeg (currently 8.0)
cmake: fix usage of SPANDSP_HINTS
ci/coverage: increase min. coverage
bump version number to 4.2.0
libre v4.3.0 (2025-11-19)
cmake: remove macOS include path
test: sort testcases in alphabetical order
test: increase coverage of websock test with protocol on/off
sdp/media: fix sdp_media_align_formats pt handling
dns: fix AAAA address comparison in getaddr_dup()
test: add support for IPv6 DNS testing
ci: add clang-21
sys/fs: improve fs_fread error handling
test: compare DNS RR records data in order to increase test-coverage
dns: correct comment in dnsc_query_srv()
h265: Fix NAL Decode nuh_layer_id
auframe: avoid auframe_bytes_to_ms division by zero
aumix: add aumix_latency and new defaults
dns: remove get_android_dns()
test: add testing of DNS nameservers
cmake/re-config: fix HAVE_THREADS discovery
libre v4.2.0 (2025-10-15)
test: add testcode for btrace module
types: add ETIME fallback
test: add testing of conf_get_bool()
test/btrace: skip thread test
Revert "dtls: remove dtls_set_handlers() -- unused"
ice/icem: add icem_rcand_ready helper
ice/sdp: remove mDNS AI_V4MAPPED and log late candidate
tls: minor improvements to SNI and Common-name comparison
tls: revert wrong match-checking in SNI function
ci-windows: bump choco openssl version to 3.5.3
tls: sni - a null pointer check
test: fix some minor typos
dbg: remove dbg_close() -- unused
ci,windows: bump choco openssl to 3.5.4
misc: fix some minor typos
test: test both fragmented and non-fragmented H.265 packets
test: add negative AES testcases
test: add test for conf_apply()
ci/android: Upgrade to API-level 29 (Android 10.0)
ci/android: remove AVD cache
ci/android: revert to android api level 26
bump version number to 4.2.0
--------------------------------------------------------------------------------
ChangeLog:
* Sat Nov 29 2025 Robert Scheck <[email protected]> 4.3.0-1
- Upgrade to 4.3.0 (#2404092)
* Tue Nov 11 2025 Adam Williamson <[email protected]> - 4.1.0-2
- Backport PR #1466 to fix threading detection
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2404092 - libre-4.3.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2404092
[ 2 ] Bug #2404130 - baresip-4.3.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2404130
--------------------------------------------------------------------------------
================================================================================
libwebsockets-4.3.7-2.el10_2 (FEDORA-EPEL-2025-384a4defc5)
Lightweight C library for Websockets
--------------------------------------------------------------------------------
Update Information:
Update to 4.3.7, enable glib event loop
--------------------------------------------------------------------------------
ChangeLog:
* Mon Dec 1 2025 Peter Robinson <[email protected]> - 4.3.7-2
- Enable glib event loop support
* Sun Nov 30 2025 Peter Robinson <[email protected]> - 4.3.7-1
- Update to 4.3.7
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2405213 - CVE-2025-11679 libwebsockets: Out-of-bounds Read in
libwebsockets PNG parsing [epel-10]
https://bugzilla.redhat.com/show_bug.cgi?id=2405213
[ 2 ] Bug #2405215 - CVE-2025-11679 libwebsockets: Out-of-bounds Read in
libwebsockets PNG parsing [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2405215
[ 3 ] Bug #2405217 - CVE-2025-11679 libwebsockets: Out-of-bounds Read in
libwebsockets PNG parsing [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2405217
[ 4 ] Bug #2405247 - CVE-2025-11677 libwebsockets: Use After Free in
libwebsockets WebSocket server [epel-10]
https://bugzilla.redhat.com/show_bug.cgi?id=2405247
[ 5 ] Bug #2405249 - CVE-2025-11677 libwebsockets: Use After Free in
libwebsockets WebSocket server [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2405249
[ 6 ] Bug #2405251 - CVE-2025-11677 libwebsockets: Use After Free in
libwebsockets WebSocket server [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2405251
[ 7 ] Bug #2405258 - CVE-2025-11680 libwebsockets: Out-of-bounds Write in
libwebsockets PNG parsing [epel-10]
https://bugzilla.redhat.com/show_bug.cgi?id=2405258
[ 8 ] Bug #2405260 - CVE-2025-11680 libwebsockets: Out-of-bounds Write in
libwebsockets PNG parsing [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2405260
[ 9 ] Bug #2405262 - CVE-2025-11680 libwebsockets: Out-of-bounds Write in
libwebsockets PNG parsing [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2405262
[ 10 ] Bug #2405566 - CVE-2025-11678 libwebsockets: Stack-based Buffer
Overflow in libwebsockets [epel-10]
https://bugzilla.redhat.com/show_bug.cgi?id=2405566
[ 11 ] Bug #2405569 - CVE-2025-11678 libwebsockets: Stack-based Buffer
Overflow in libwebsockets [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2405569
--------------------------------------------------------------------------------
================================================================================
lunasvg-3.5.0-1.el10_2 (FEDORA-EPEL-2025-85c58e7712)
Standalone SVG rendering library in C++
--------------------------------------------------------------------------------
Update Information:
Unbundle plutovg from lunasvg, this avoids shipping a duplicate library with
conflicting files.
Update lunasvg to consume the plutovg version already available in the
repositories and to fix various CVEs.
Rebuild imhex for the updated lunasvg.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Dec 1 2025 Simone Caronni <[email protected]> - 3.5.0-1
- Update to 3.5.0, remove bundled plutovg (#2400407)
* Thu Jul 24 2025 Fedora Release Engineering <[email protected]> -
3.1.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Fri Jan 17 2025 Fedora Release Engineering <[email protected]> -
3.1.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2295891 - lunasvg-3.5.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2295891
[ 2 ] Bug #2341675 - CVE-2024-57719 CVE-2024-57720 CVE-2024-57721
CVE-2024-57722 CVE-2024-57723 CVE-2024-57724 lunasvg: various flaws [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2341675
[ 3 ] Bug #2343567 - CVE-2024-55456 lunasvg: From CVEorg collector [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2343567
[ 4 ] Bug #2400407 - file conflict between plutovg-devel and lunasvg-devel
https://bugzilla.redhat.com/show_bug.cgi?id=2400407
--------------------------------------------------------------------------------
================================================================================
partclone-0.3.40-1.el10_2 (FEDORA-EPEL-2025-9fb8010f01)
Utility to clone and restore a partition
--------------------------------------------------------------------------------
Update Information:
partclone v0.3.40
xfsclone: prevent startblock truncation to support filesystems larger than 16 TB
Localization: Updated PO files, removed \r escape sequences from gettext
messages
Documentation: Updated logs, docs, and formatting
Miscellaneous: Minor test updates, merges, and configure.ac changes
--------------------------------------------------------------------------------
ChangeLog:
* Sat Nov 29 2025 Robert Scheck <[email protected]> 0.3.40-1
- Upgrade to 0.3.40 (#2416946)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2416946 - partclone-0.3.40 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2416946
--------------------------------------------------------------------------------
================================================================================
plutovg-1.3.2-1.el10_2 (FEDORA-EPEL-2025-4edb0efc7c)
Tiny 2D vector graphics library in C
--------------------------------------------------------------------------------
Update Information:
Update to 1.3.2.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Nov 27 2025 Simone Caronni <[email protected]> - 1.3.2-1
- Update to 1.3.2
--------------------------------------------------------------------------------
================================================================================
python-nanobind-2.9.2-3.el10_2 (FEDORA-EPEL-2025-15c9de8e9d)
Tiny and efficient C++/Python bindings
--------------------------------------------------------------------------------
Update Information:
Bring python-nanobind to epel10
--------------------------------------------------------------------------------
ChangeLog:
* Tue Nov 4 2025 Konrad Kleine <[email protected]> - 2.9.2-3
- Remove librsvg2 build dependency
* Fri Sep 19 2025 Python Maint <[email protected]> - 2.9.2-2
- Rebuilt for Python 3.14.0rc3 bytecode
* Thu Sep 4 2025 Packit <[email protected]> - 2.9.2-1
- Update to 2.9.2 upstream release
- Resolves: rhbz#2393136
* Thu Sep 4 2025 Packit <[email protected]> - 2.9.0-1
- Update to 2.9.0 upstream release
- Resolves: rhbz#2393088
* Fri Aug 15 2025 Python Maint <[email protected]> - 2.8.0-3
- Rebuilt for Python 3.14.0rc2 bytecode
* Fri Jul 25 2025 Fedora Release Engineering <[email protected]> -
2.8.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Wed Jul 16 2025 Packit <[email protected]> - 2.8.0-1
- Update to 2.8.0 upstream release
- Resolves: rhbz#2380424
* Wed Jun 4 2025 Python Maint <[email protected]> - 2.7.0-3
- Rebuilt for Python 3.14
* Wed Apr 23 2025 Tulio Magno Quites Machado Filho <[email protected]> - 2.7.0-2
- packit: Do not create a README.packit
* Wed Apr 23 2025 Packit <[email protected]> - 2.7.0-1
- Update to 2.7.0 upstream release
* Wed Apr 23 2025 Tulio Magno Quites Machado Filho <[email protected]> - 2.6.1-5
- packit: Specify a different upstream tag template
* Wed Apr 16 2025 Konrad Kleine <[email protected]> - 2.6.1-4
- Drop -devel package
- Everything it included is now part of the main package
- The main package obsoletes the -devel package
- The main package provides the -devel name
* Fri Mar 28 2025 Konrad Kleine <[email protected]> - 2.6.1-1
- Update to nanobind 2.6.1
* Tue Mar 18 2025 Konrad Kleine <[email protected]> - 2.5.0-1
- Update to nanobind 2.5.0
* Sat Jan 18 2025 Fedora Release Engineering <[email protected]> -
2.4.0-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Thu Dec 19 2024 Konrad Kleine <[email protected]> - 2.4.0-9
- Add python3-devel
- Fix shebang in src/stubgen.py
* Sat Dec 14 2024 Konrad Kleine <[email protected]> - 2.4.0-8
- Requirement and %autosetup cleanup
* Fri Dec 13 2024 Konrad Kleine <[email protected]> - 2.4.0-7
- Fix: Empty %files file ... debugsourcefiles.list
* Fri Dec 13 2024 Konrad Kleine <[email protected]> - 2.4.0-6
- Make main package arched and sub-packages noarch.
* Fri Dec 13 2024 Konrad Kleine <[email protected]> - 2.4.0-5
- Better license and files section handling
* Fri Dec 13 2024 Konrad Kleine <[email protected]> - 2.4.0-4
- No more manual cmake invocation and proper use of %pyproject_save_files
* Fri Dec 13 2024 Konrad Kleine <[email protected]> - 2.4.0-3
- License and patch cleanup
* Fri Dec 13 2024 Konrad Kleine <[email protected]> - 2.4.0-2
- Do not vendor robin-map but use system package robin-map-devel
* Fri Dec 13 2024 Konrad Kleine <[email protected]> - 2.4.0-1
- First release of python-nanobind
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2402409 - Please branch and build python-nanobind in epel10
https://bugzilla.redhat.com/show_bug.cgi?id=2402409
--------------------------------------------------------------------------------
--
_______________________________________________
epel-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
