The following Fedora EPEL 9 Security updates need testing:

 Age  URL
  99  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-9a55de96db   xpdf-4.06-1.el9
   6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-e4c468db6d   python-django4.2-4.2.28-1.el9
   2  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-524119fe6b   coturn-4.9.0-1.el9

The following builds have been pushed to Fedora EPEL 9 updates-testing

    betterleaks-1.0.1-1.el9
    btop-1.4.6-6.el9
    centpkg-0.10.2-1.el9
    license-validate-28-1.el9
    nvtop-3.3.2-1.el9
    prometheus-3.10.0-1.el9
    python-asyncmy-0.2.11-2.el9
    rust-calloop-0.14.4-1.el9
    rust-dlib-0.5.3-1.el9
    rust-gix-archive-0.24.0-4.el9
    rust-zip-8.1.0-1.el9
    tmt-1.68.0-1.el9

Details about builds:

================================================================================
 betterleaks-1.0.1-1.el9 (FEDORA-EPEL-2026-5e655bea70)
 Secrets scanner built for configurability and speed
--------------------------------------------------------------------------------
Update Information:

Initial package for betterleaks
--------------------------------------------------------------------------------
ChangeLog:

* Wed Feb 25 2026 Mikel Olasagasti Uranga mikel@olasagasti.info - 1.0.1-1
- Initial package
- Closes rhbz#2442477
--------------------------------------------------------------------------------

================================================================================
 btop-1.4.6-6.el9 (FEDORA-EPEL-2026-3b76b8d155)
 Modern and colorful command line resource monitor that shows usage and stats
--------------------------------------------------------------------------------
Update Information:

enable amdgpu support for epel
--------------------------------------------------------------------------------
ChangeLog:

* Wed Feb 25 2026 Carl George carlwgeorge@fedoraproject.org - 1.4.6-6
- Limit EPEL builds to x86_64 to match rocm-smi rhbz#2442214
* Tue Feb 24 2026 Carl George carlwgeorge@fedoraproject.org - 1.4.6-5
- Enable AMD GPU support on EPEL rhbz#2442214
* Fri Jan 16 2026 Fedora Release Engineering releng@fedoraproject.org - 1.4.6-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Fri Jan 16 2026 Fedora Release Engineering releng@fedoraproject.org - 1.4.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2442214 - btop GPU support like what Fedora has
        https://bugzilla.redhat.com/show_bug.cgi?id=2442214
--------------------------------------------------------------------------------

================================================================================
 centpkg-0.10.2-1.el9 (FEDORA-EPEL-2026-c77846f5ff)
 CentOS utility for working with dist-git
--------------------------------------------------------------------------------
Update Information:

Add support for cXs-aie-partner branches : CS-3294 (michal)
--------------------------------------------------------------------------------
ChangeLog:

* Thu Feb 26 2026 Troy Dawson tdawson@redhat.com - 0.10.2-1
- Add support for cXs-aie-partner branches : CS-3294 (michal)
- Determine_rhel_state: Add check for locked tags: CS-2997 (sgallagh)
- Fix use-before-assignment (sgallagh)
* Fri Jan 16 2026 Fedora Release Engineering releng@fedoraproject.org - 0.10.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Fri Jan 16 2026 Fedora Release Engineering releng@fedoraproject.org - 0.10.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Fri Sep 19 2025 Python Maint python-maint@redhat.com - 0.10.1-2
- Rebuilt for Python 3.14.0rc3 bytecode
--------------------------------------------------------------------------------

================================================================================
 license-validate-28-1.el9 (FEDORA-EPEL-2026-9dc81a6805)
 Validate SPEC license string
--------------------------------------------------------------------------------
Update Information:

fix requires
--------------------------------------------------------------------------------
ChangeLog:

* Thu Feb 26 2026 Miroslav Suchý msuchy@redhat.com 28-1
- require python3-specfile
- update homepage URL
--------------------------------------------------------------------------------

================================================================================
 nvtop-3.3.2-1.el9 (FEDORA-EPEL-2026-a85f209251)
 GPU process monitoring for various devices
--------------------------------------------------------------------------------
Update Information:

Bugfix

- Snapshot mode (-s) outputs valid JSON. Thanks @Steve-Tech

Additions

- Loop Snapshot mode (-l) prints snapshots in a loop fashion. Thanks @Steve-Tech
- Extra snapshot information - @Syllo
  - Processes
  - Encode/decode
--------------------------------------------------------------------------------
ChangeLog:

* Sun Feb 8 2026 Packit hello@packit.dev - 3.3.2-1
- Update to 3.3.2
- Resolves rhbz#2437636
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2437636 - nvtop-3.3.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2437636
--------------------------------------------------------------------------------

================================================================================
 prometheus-3.10.0-1.el9 (FEDORA-EPEL-2026-989773164c)
 Prometheus monitoring system and time series database
--------------------------------------------------------------------------------
Update Information:

Rename from golang-github-prometheus & update to 3.10.0
--------------------------------------------------------------------------------
ChangeLog:

* Thu Feb 26 2026 Mikel Olasagasti Uranga mikel@olasagasti.info - 3.10.0-1
- Update to 3.10.0
- Closes rhbz#2390501
* Mon Feb 23 2026 Mikel Olasagasti Uranga mikel@olasagasti.info - 2.55.1-1
- Initial package after renaming from golang-github-prometheus
- Closes rhbz#2383787
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2061806 - CVE-2022-0235 golang-github-prometheus: node-fetch: exposure of sensitive information to an unauthorized actor [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2061806
  [ 2 ] Bug #2062720 - CVE-2022-0536 golang-github-prometheus: follow-redirects: Exposure of Sensitive Information via Authorization Header leak [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2062720
  [ 3 ] Bug #2067347 - CVE-2022-21698 golang-github-prometheus: prometheus/client_golang: Denial of service using InstrumentHandlerCounter [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2067347
  [ 4 ] Bug #2069008 - CVE-2022-24771 golang-github-prometheus: node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2069008
  [ 5 ] Bug #2069018 - CVE-2022-24772 golang-github-prometheus: node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2069018
  [ 6 ] Bug #2069036 - CVE-2022-24773 golang-github-prometheus: node-forge: Signature verification leniency in checking `DigestInfo` structure [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2069036
  [ 7 ] Bug #2075253 - CVE-2022-24785 golang-github-prometheus: Moment.js: Path traversal in moment.locale [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2075253
  [ 8 ] Bug #2075278 - CVE-2022-24785 golang-github-prometheus: Moment.js: Path traversal in moment.locale [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2075278
  [ 9 ] Bug #2123457 - CVE-2022-25887 golang-github-prometheus: sanitize-html: insecure global regular expression replacement logic may lead to ReDoS [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2123457
  [ 10 ] Bug #2134316 - CVE-2022-21222 golang-github-prometheus: css-what: ReDoS due to insecure regular expression [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2134316
  [ 11 ] Bug #2135442 - CVE-2022-3517 golang-github-prometheus: nodejs-minimatch: ReDoS via the braceExpand function [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2135442
  [ 12 ] Bug #2140598 - CVE-2022-37603 golang-github-prometheus: loader-utils:Regular expression denial of service [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2140598
  [ 13 ] Bug #2149437 - CVE-2022-46146 golang-github-prometheus: exporter-toolkit: authentication bypass via cache poisoning [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2149437
  [ 14 ] Bug #2163043 - CVE-2022-41717 golang-github-prometheus: golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2163043
  [ 15 ] Bug #2174512 - golang-github-prometheus: containerd: Supplementary groups are not set up properly [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2174512
  [ 16 ] Bug #2178399 - CVE-2022-41723 golang-github-prometheus: golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2178399
  [ 17 ] Bug #2209311 - CVE-2022-37599 golang-github-prometheus: loader-utils: regular expression denial of service in interpolateName.js [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2209311
  [ 18 ] Bug #2216894 - CVE-2023-26115 golang-github-prometheus: word-wrap: ReDoS [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2216894
  [ 19 ] Bug #2220674 - CVE-2023-26136 golang-github-prometheus: tough-cookie: prototype pollution in cookie memstore [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2220674
  [ 20 ] Bug #2222508 - CVE-2022-25883 golang-github-prometheus: nodejs-semver: Regular expression denial of service [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2222508
  [ 21 ] Bug #2246628 - CVE-2023-46234 golang-github-prometheus: browserify-sign: upper bound check issue in dsaVerify leads to a signature forgery attack [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2246628
  [ 22 ] Bug #2248224 - golang-github-prometheus: golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-39325) [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2248224
  [ 23 ] Bug #2252886 - TRIAGE CVE-2023-5332 golang-github-prometheus: consul: Command injection through script checks option [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2252886
  [ 24 ] Bug #2253442 - CVE-2023-45133 golang-github-prometheus: babel: arbitrary code execution [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2253442
  [ 25 ] Bug #2256415 - TRIAGE CVE-2023-26159 golang-github-prometheus: follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse() [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2256415
  [ 26 ] Bug #2265683 - CVE-2023-42282 golang-github-prometheus: nodejs-ip: arbitrary code execution via the isPublic() function [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2265683
  [ 27 ] Bug #2266115 - TRIAGE CVE-2024-21501 golang-github-prometheus: sanitize-html: Information Exposure when used on the backend [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2266115
  [ 28 ] Bug #2273052 - TRIAGE CVE-2024-30255 golang-github-prometheus: envoy: HTTP/2 CPU exhaustion due to CONTINUATION frame flood [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2273052
  [ 29 ] Bug #2280612 - CVE-2024-4068 golang-github-prometheus: braces: fails to limit the number of characters it can handle [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2280612
  [ 30 ] Bug #2280766 - CVE-2024-4067 golang-github-prometheus: micromatch: vulnerable to Regular Expression Denial of Service [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2280766
  [ 31 ] Bug #2284588 - CVE-2024-29415 golang-github-prometheus: node-ip: Inomplete fix for CVE-2023-42282 [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2284588
  [ 32 ] Bug #2290907 - CVE-2024-29041 golang-github-prometheus: express: cause malformed URLs to be evaluated [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2290907
  [ 33 ] Bug #2303443 - CVE-2024-37890 golang-github-prometheus: denial of service when handling a request with many HTTP headers [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2303443
  [ 34 ] Bug #2341885 - CVE-2022-1650 golang-github-prometheus: Exposure of Sensitive Information [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2341885
  [ 35 ] Bug #2348787 - CVE-2025-22868 golang-github-prometheus: Unexpected memory consumption during token parsing in golang.org/x/oauth2 [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2348787
  [ 36 ] Bug #2354395 - CVE-2025-30204 golang-github-prometheus: jwt-go allows excessive memory allocation during header parsing [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2354395
  [ 37 ] Bug #2398349 - CVE-2025-47910 golang-github-prometheus: CrossOriginProtection bypass in net/http [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2398349
  [ 38 ] Bug #2398997 - CVE-2025-47906 golang-github-prometheus: Unexpected paths returned from LookPath in os/exec [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2398997
  [ 39 ] Bug #2407535 - CVE-2025-58189 golang-github-prometheus: go crypto/tls ALPN negotiation error contains attacker controlled information [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2407535
  [ 40 ] Bug #2408548 - CVE-2025-61725 golang-github-prometheus: Excessive CPU consumption in ParseAddress in net/mail [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2408548
  [ 41 ] Bug #2408990 - CVE-2025-61723 golang-github-prometheus: Quadratic complexity when parsing some invalid inputs in encoding/pem [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2408990
  [ 42 ] Bug #2409932 - CVE-2025-58185 golang-github-prometheus: Parsing DER payload can cause memory exhaustion in encoding/asn1 [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2409932
  [ 43 ] Bug #2410870 - CVE-2025-58188 golang-github-prometheus: Panic when validating certificates with DSA public keys in crypto/x509 [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2410870
  [ 44 ] Bug #2412481 - CVE-2025-58183 golang-github-prometheus: Unbounded allocation when parsing GNU sparse map [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2412481
  [ 45 ] Bug #2418990 - CVE-2024-25621 golang-github-prometheus: containerd local privilege escalation [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2418990
  [ 46 ] Bug #2422170 - CVE-2025-65637 golang-github-prometheus: github.com/sirupsen/logrus: Denial-of-Service due to large single-line payload [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2422170
--------------------------------------------------------------------------------

================================================================================
 python-asyncmy-0.2.11-2.el9 (FEDORA-EPEL-2026-2436e34efb)
 A fast asyncio MySQL/MariaDB driver
--------------------------------------------------------------------------------
Update Information:

This is an upstream security and bugfix release. For details, see the release notes.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Feb 26 2026 Nils Philippsen nils@redhat.com - 0.2.11-1
- Update to 0.2.11
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2418487 - CVE-2025-65896 python-asyncmy: Asyncmy SQL injection [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2418487
--------------------------------------------------------------------------------

================================================================================
 rust-calloop-0.14.4-1.el9 (FEDORA-EPEL-2026-c869305f0f)
 Callback-based event loop
--------------------------------------------------------------------------------
Update Information:

Additions

- Add StreamSource to adapt an async Stream to an EventSource. (#228)
- Bump MSRV to 1.71.1 in accordance with dependencies.

Bugfixes

- Fix handling of notified atomic in futures source. (#227)
- Prevent timers from growing indefinitely. (#238)
- Bump nix to v0.31. (#237)
- Ping on drop of last instance of SyncSender. (#236)
--------------------------------------------------------------------------------
ChangeLog:

* Thu Feb 26 2026 Michel Lind salimma@fedoraproject.org - 0.14.4-1
- Update to version 0.14.4; Resolves: RHBZ#2439785
* Sat Jan 17 2026 Fedora Release Engineering releng@fedoraproject.org - 0.14.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2439785 - rust-calloop-0.14.4 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2439785
--------------------------------------------------------------------------------

================================================================================
 rust-dlib-0.5.3-1.el9 (FEDORA-EPEL-2026-f001cbecc8)
 Helper macros for handling manually loading optional system libraries
--------------------------------------------------------------------------------
Update Information:

Various small updates, see https://github.com/Smithay/dlib/compare/v0.5.2...master
--------------------------------------------------------------------------------
ChangeLog:

* Thu Feb 26 2026 Michel Lind salimma@fedoraproject.org - 0.5.3-1
- Update to version 0.5.3; Resolves: RHBZ#2442952
* Sat Jan 17 2026 Fedora Release Engineering releng@fedoraproject.org - 0.5.2-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Fri Jul 25 2025 Fedora Release Engineering releng@fedoraproject.org - 0.5.2-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Sun Jan 19 2025 Fedora Release Engineering releng@fedoraproject.org - 0.5.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Fri Jul 19 2024 Fedora Release Engineering releng@fedoraproject.org - 0.5.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2442952 - rust-dlib-0.5.3 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2442952
--------------------------------------------------------------------------------

================================================================================
 rust-gix-archive-0.24.0-4.el9 (FEDORA-EPEL-2026-72c5ffca97)
 Archive generation from of a worktree stream
--------------------------------------------------------------------------------
Update Information:

https://github.com/zip-rs/zip2/blob/v8.1.0/CHANGELOG.md
--------------------------------------------------------------------------------
ChangeLog:

* Tue Feb 24 2026 Benjamin A. Beasley code@musicinmybrain.net - 0.24.0-4
- Allow zip 8
* Sat Jan 17 2026 Fedora Release Engineering releng@fedoraproject.org - 0.24.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2429557 - rust-zip-8.1.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2429557
--------------------------------------------------------------------------------

================================================================================
 rust-zip-8.1.0-1.el9 (FEDORA-EPEL-2026-72c5ffca97)
 Library to support the reading and writing of zip files
--------------------------------------------------------------------------------
Update Information:

https://github.com/zip-rs/zip2/blob/v8.1.0/CHANGELOG.md
--------------------------------------------------------------------------------
ChangeLog:

* Tue Feb 24 2026 Benjamin A. Beasley code@musicinmybrain.net - 8.1.0-1
- Update to version 8.1.0; Fixes RHBZ#2429557
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2429557 - rust-zip-8.1.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2429557
--------------------------------------------------------------------------------

================================================================================
 tmt-1.68.0-1.el9 (FEDORA-EPEL-2026-eae6822822)
 Test Management Tool
--------------------------------------------------------------------------------
Update Information:

Automatic update for tmt-1.68.0-1.el9.

Changelog for tmt

* Thu Feb 26 2026 Packit hello@packit.dev - 1.68.0-1
- Update to 1.68.0 upstream release
--------------------------------------------------------------------------------
ChangeLog:

* Thu Feb 26 2026 Packit hello@packit.dev - 1.68.0-1
- Update to 1.68.0 upstream release
--------------------------------------------------------------------------------

epel-devel@lists.fedoraproject.org