The following Fedora EPEL 9 Security updates need testing:
Age URL
20 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-9a55de96db
xpdf-4.06-1.el9
6 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-7b2f9fd08b
tinyproxy-1.11.2-5.el9
6 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-49b2eb404d
yarnpkg-1.22.22-14.el9
6 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-a51b0db53c
singularity-ce-4.3.5-1.el9
4 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-473cf23bc7
apptainer-1.4.5-2.el9
2 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-c15a630034
python3.13-3.13.11-1.el9
The following builds have been pushed to Fedora EPEL 9 updates-testing
R-qtl-1.74-1.el9
cryptopant-1.3.2-3.el9
fedpkg-1.47-2.el9
mock-6.6-1.el9
nsd-4.14.0-1.el9
php-nikic-php-parser5-5.7.0-1.el9
python-django4.2-4.2.27-1.el9
rpkg-1.69-4.el9
rust-icu_properties-2.1.2-1.el9
rust-icu_properties_data-2.1.2-1.el9
rust-libz-rs-sys-0.5.3-1.el9
rust-zlib-rs-0.5.3-1.el9
Details about builds:
================================================================================
R-qtl-1.74-1.el9 (FEDORA-EPEL-2025-cbb2711fac)
Tools for analyzing QTL experiments
--------------------------------------------------------------------------------
Update Information:
R qtl 1.74
--------------------------------------------------------------------------------
ChangeLog:
* Tue Dec 9 2025 Mattias Ellert <[email protected]> - 1.74-1
- Update to 1.74
--------------------------------------------------------------------------------
================================================================================
cryptopant-1.3.2-3.el9 (FEDORA-EPEL-2025-705a4bc52b)
IP address anonymization library shared library
--------------------------------------------------------------------------------
Update Information:
New dependency of dnscap
--------------------------------------------------------------------------------
ChangeLog:
* Mon Dec 8 2025 Petr Menšík <[email protected]> - 1.3.2-3
- Explicitly remove also libtool .la library
* Mon Dec 8 2025 Petr Menšík <[email protected]> - 1.3.2-2
- New package dependency of dnscap (rhbz#2418607)
- Modernize upstream RPM spec according to Fedora Packaging Guidelines
- Provide also lowercase devel package name
- Remove Group: and ldconfig obsolete features
- Uploaded new sources
- Include LICENSE file
* Mon Dec 8 2025 Petr Menšík <[email protected]> - 1.3.2-1
- Version from review
--------------------------------------------------------------------------------
================================================================================
fedpkg-1.47-2.el9 (FEDORA-EPEL-2025-101efaae40)
Fedora utility for working with dist-git
--------------------------------------------------------------------------------
Update Information:
Patches:
update: interactive editor is broken - https://pagure.io/rpkg/pull-request/763
Check the correct sorting of imports from now on - https://pagure.io/rpkg/pull-request/764
Fix bash auto completion - https://src.fedoraproject.org/rpms/fedpkg/pull-request/38
--------------------------------------------------------------------------------
ChangeLog:
* Mon Dec 1 2025 Sandro <[email protected]> - 1.47-2
- Fix bash auto completion
- Add fish auto completion
--------------------------------------------------------------------------------
================================================================================
mock-6.6-1.el9 (FEDORA-EPEL-2025-89e5eff4c9)
Builds packages inside chroots
--------------------------------------------------------------------------------
Update Information:
https://rpm-software-management.github.io/mock/Release-Notes-6.6
--------------------------------------------------------------------------------
ChangeLog:
* Mon Dec 8 2025 Pavel Raiskup <[email protected]> 6.6-1
- Make sure to install BuildRequires defined by macros ([email protected])
- unbreq plugin: performs action only when build is taking place
([email protected])
- simplify forcearch code
--------------------------------------------------------------------------------
================================================================================
nsd-4.14.0-1.el9 (FEDORA-EPEL-2025-f814cd8bed)
Fast and lean authoritative DNS Name Server
--------------------------------------------------------------------------------
Update Information:
upstream update
--------------------------------------------------------------------------------
ChangeLog:
* Tue Dec 9 2025 Fabio Alessandro Locati <[email protected]> - 4.14.0-1
- Update to 4.14.0
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2419283 - nsd-4.14.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2419283
--------------------------------------------------------------------------------
================================================================================
php-nikic-php-parser5-5.7.0-1.el9 (FEDORA-EPEL-2025-f612bfff51)
A PHP parser written in PHP - version 5
--------------------------------------------------------------------------------
Update Information:
Version 5.7.0 (2025-12-06)
Fixed
- Fixed changing modifier on anonymous class with formatting preserving pretty printer.
- Emit an error for unparenthesized arrow functions in pipe operator, and print necessary parentheses in the pretty printer.
- Fix PHP 8.5 deprecation warning in php-parse binary.
Changed
- When targeting PHP 8.4 or newer, omit parentheses around immediately dereferenced new expressions.
Added
- Added shouldPrintRawValue attribute to Scalar\Int_, which makes the pretty printer use the rawValue of the node. This can be used to print integers with separators.
--------------------------------------------------------------------------------
ChangeLog:
* Tue Dec 9 2025 Remi Collet <[email protected]> - 5.7.0-1
- update to 5.7.0
--------------------------------------------------------------------------------
================================================================================
python-django4.2-4.2.27-1.el9 (FEDORA-EPEL-2025-f43c018f46)
A high-level Python Web framework
--------------------------------------------------------------------------------
Update Information:
Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases
on PostgreSQL
Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML
Deserializer
Fixes CVE-2025-64459: Potential SQL injection via _connector keyword
argument (4.2.26)
Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(),
alias(), aggregate(), and extra() on MySQL and MariaDB (4.2.25)
Fixes CVE-2025-59682: Potential partial directory-traversal via
archive.extract() (4.2.25)
Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column
aliases (4.2.24)
--------------------------------------------------------------------------------
ChangeLog:
* Tue Dec 9 2025 Michel Lind <[email protected]> - 4.2.27-1
- Update to version 4.2.27
- Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column
aliases on PostgreSQL
- Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML
Deserializer
- Fixes CVE-2025-64459: Potential SQL injection via _connector keyword
argument (4.2.26)
- Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(),
alias(), aggregate(), and extra() on MySQL and MariaDB (4.2.25)
- Fixes CVE-2025-59682: Potential partial directory-traversal via
archive.extract() (4.2.25)
- Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column
aliases (4.2.24)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2393802 - CVE-2025-57833 python-django4.2: Django SQL injection in
FilteredRelation column aliases [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2393802
[ 2 ] Bug #2416113 - CVE-2025-59681 python-django4.2: Potential SQL injection
in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB1
[epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2416113
--------------------------------------------------------------------------------
================================================================================
rpkg-1.69-4.el9 (FEDORA-EPEL-2025-101efaae40)
Python library for interacting with rpm+git
--------------------------------------------------------------------------------
Update Information:
Patches:
update: interactive editor is broken - https://pagure.io/rpkg/pull-request/763
Check the correct sorting of imports from now on - https://pagure.io/rpkg/pull-request/764
Fix bash auto completion - https://src.fedoraproject.org/rpms/fedpkg/pull-request/38
--------------------------------------------------------------------------------
ChangeLog:
* Tue Dec 9 2025 Ondřej Nosek <[email protected]> - 1.69-4
- Patch: _run_command: timeout is not supported in Python 2
* Tue Dec 9 2025 Ondřej Nosek <[email protected]> - 1.69-3
- Patch: Check the correct sorting of imports from now on
- Patch: `update`: interactive editor is broken
--------------------------------------------------------------------------------
================================================================================
rust-icu_properties-2.1.2-1.el9 (FEDORA-EPEL-2025-ae7b1ab1df)
Definitions for Unicode properties
--------------------------------------------------------------------------------
Update Information:
Updated icu_properties / icu_properties_data.
--------------------------------------------------------------------------------
ChangeLog:
* Tue Dec 9 2025 Benjamin A. Beasley <[email protected]> - 2.1.2-1
- Update to version 2.1.2; Fixes RHBZ#2420670
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2420670 - rust-icu_properties-2.1.2 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2420670
[ 2 ] Bug #2420671 - rust-icu_properties_data-2.1.2 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2420671
--------------------------------------------------------------------------------
================================================================================
rust-icu_properties_data-2.1.2-1.el9 (FEDORA-EPEL-2025-ae7b1ab1df)
Data for the icu_properties crate
--------------------------------------------------------------------------------
Update Information:
Updated icu_properties / icu_properties_data.
--------------------------------------------------------------------------------
ChangeLog:
* Tue Dec 9 2025 Benjamin A. Beasley <[email protected]> - 2.1.2-1
- Update to version 2.1.2; Fixes RHBZ#2420671
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2420670 - rust-icu_properties-2.1.2 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2420670
[ 2 ] Bug #2420671 - rust-icu_properties_data-2.1.2 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2420671
--------------------------------------------------------------------------------
================================================================================
rust-libz-rs-sys-0.5.3-1.el9 (FEDORA-EPEL-2025-886c76be5a)
Memory-safe zlib implementation written in rust
--------------------------------------------------------------------------------
Update Information:
https://github.com/trifectatechfoundation/zlib-rs/releases/tag/v0.5.3
--------------------------------------------------------------------------------
ChangeLog:
* Mon Dec 8 2025 Benjamin A. Beasley <[email protected]> - 0.5.3-1
- Update to version 0.5.3; Fixes RHBZ#2419267
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2419267 - rust-libz-rs-sys-0.5.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2419267
[ 2 ] Bug #2419340 - rust-zlib-rs-0.5.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2419340
--------------------------------------------------------------------------------
================================================================================
rust-zlib-rs-0.5.3-1.el9 (FEDORA-EPEL-2025-886c76be5a)
Memory-safe zlib implementation written in rust
--------------------------------------------------------------------------------
Update Information:
https://github.com/trifectatechfoundation/zlib-rs/releases/tag/v0.5.3
--------------------------------------------------------------------------------
ChangeLog:
* Mon Dec 8 2025 Benjamin A. Beasley <[email protected]> - 0.5.3-1
- Update to version 0.5.3; Fixes RHBZ#2419340
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2419267 - rust-libz-rs-sys-0.5.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2419267
[ 2 ] Bug #2419340 - rust-zlib-rs-0.5.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2419340
--------------------------------------------------------------------------------
--
_______________________________________________
epel-devel mailing list -- [email protected]