Disclaimer: Community trackers are created by the Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
See https://www.cve.org/CVERecord?id=CVE-2026-29022. This is fixed in dr_wav 0.14.5. Fedora 42 has 0.13.17, https://bodhi.fedoraproject.org/updates/FEDORA-2024-b369b28c3c. Since there were significant incompatible changes from 0.13.17 to 0.14.x (and the other two dr_* libraries had incompatible changes at the same time), updating would require an Updates Policy exception and significant coordination. This is not the only potentially security-relevant issue fixed since dr_flac 0.12.x / dr_mp3 0.6.x / dr_wav 0.13.x. It is just the only one that has been assigned a CVE, as far as I know. Backporting the fix for this CVE in particular, https://github.com/mackron/dr_libs/commit/8a7258cc66b49387ad58cc5b81568982a3560d49, does seem feasible, so I will at least do that.
FEDORA-2026-2350c6fd8c (dr_libs-0^20241216git660795b-4.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2026-2350c6fd8c
FEDORA-2026-2350c6fd8c has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-2350c6fd8c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-2350c6fd8c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2026-2350c6fd8c (dr_libs-0^20241216git660795b-4.fc42) has been pushed to the Fedora 42 stable repository. If the problem still persists, please make note of it in this bug report.