
Fedora alert FEDORA-2025-a77c1f005b (ruff)

From:  updates--- via package-announce <package-announce@lists.fedoraproject.org>
To:  package-announce@lists.fedoraproject.org
Subject:  [SECURITY] Fedora 42 Update: ruff-0.14.2-1.fc42
Date:  Mon, 03 Nov 2025 01:07:56 +0000
Message-ID:  <20251103010756.902AD79631@bastion01.rdu3.fedoraproject.org>

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-a77c1f005b
2025-11-03 01:05:58.219415+00:00
--------------------------------------------------------------------------------

Name        : ruff
Product     : Fedora 42
Version     : 0.14.2
Release     : 1.fc42
URL         : https://github.com/astral-sh/ruff
Summary     : Extremely fast Python linter and code formatter
Description :
An extremely fast Python linter and code formatter, written in Rust.

Ruff aims to be orders of magnitude faster than alternative tools while
integrating more functionality behind a single, common interface.

Ruff can be used to replace Flake8 (plus dozens of plugins), Black, isort,
pydocstyle, pyupgrade, autoflake, and more, all while executing tens or
hundreds of times faster than any individual tool.

--------------------------------------------------------------------------------
Update Information:

uv 0.9.5
https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md
Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for
CVE-2025-62518.

ruff 0.14.2
https://github.com/astral-sh/ruff/blob/0.14.2/CHANGELOG.md

rust-astral-tokio-tar 0.5.6
Fixed a parser desynchronization vulnerability when reading tar archives that
contain mismatched size information in PAX/ustar headers. This vulnerability is
being tracked as GHSA-j5gw-2vrg-8fgx and CVE-2025-62518.

Initial package for python-uv-build in Fedora 42
Initial packages for a number of new dependencies for ruff and uv
Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1
Update openapi-python-client to 0.26.2 and patch it to allow ruff 0.14
--------------------------------------------------------------------------------
ChangeLog:

* Thu Oct 23 2025 Benjamin A. Beasley <code@musicinmybrain.net> - 0.14.2-1
- Update to version 0.14.2; Fixes RHBZ#2406135
* Wed Oct 22 2025 Benjamin A. Beasley <code@musicinmybrain.net> - 0.14.1-2
- Double _smp_tasksize_proc again
- Builds for F41 were failing consistently on s390x
* Mon Oct 20 2025 Benjamin A. Beasley <code@musicinmybrain.net> - 0.14.1-1
- Update to 0.14.1 (close RHBZ#2360699)
* Mon Oct 20 2025 Benjamin A. Beasley <code@musicinmybrain.net> - 0.14.0-2
- Skip salsa’s execute_cancellation tests on all architectures
* Mon Oct 20 2025 Benjamin A. Beasley <code@musicinmybrain.net> - 0.14.0-1
- Update to 0.14.0
* Mon Oct 20 2025 Benjamin A. Beasley <code@musicinmybrain.net> - 0.13.3-1
- Update to 0.13.3
* Mon Oct 20 2025 Benjamin A. Beasley <code@musicinmybrain.net> - 0.13.2-1
- Update to 0.13.2
* Thu Oct 16 2025 Gordon Messmer <gordon.messmer@gmail.com> - 0.12.1-2
- Use rpm's native resource tunable to limit parallelism.
* Wed Sep 24 2025 Benjamin A. Beasley <code@musicinmybrain.net> - 0.12.1-1
- Update to 0.12.1
* Wed Sep 24 2025 Benjamin A. Beasley <code@musicinmybrain.net> - 0.12.0-1
- Update to 0.12.0
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2360699 - ruff-0.14.1 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2360699
  [ 2 ] Bug #2402441 - rust-reqsign-core-2.0.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2402441
  [ 3 ] Bug #2402442 - rust-reqsign-command-execute-tokio-2.0.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2402442
  [ 4 ] Bug #2402443 - rust-reqsign-http-send-reqwest-2.0.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2402443
  [ 5 ] Bug #2402881 - python-uv-build-0.9.5 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2402881
  [ 6 ] Bug #2402923 - uv-0.9.5 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2402923
  [ 7 ] Bug #2405474 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-42]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405474
  [ 8 ] Bug #2405476 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-42]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405476
  [ 9 ] Bug #2406135 - ruff-0.14.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2406135
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-a77c1f005b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgr...

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Attachment: None (type=text/plain)

--
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-cond...
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-ann...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds