|
|
Subscribe / Log in / New account

Fedora alert FEDORA-2025-a77c1f005b (rust-reqsign-file-read-tokio)



From:
              updates--- via package-announce <package-announce@lists.fedoraproject.org>


To:
              package-announce@lists.fedoraproject.org


Subject:
              [SECURITY] Fedora 42 Update: rust-reqsign-file-read-tokio-2.0.0-1.fc42


Date:
              Mon, 03 Nov 2025 01:07:58 +0000


Message-ID:
              <20251103010758.291476FEDD@bastion01.rdu3.fedoraproject.org>


Archive-link:
              Article


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-a77c1f005b
2025-11-03 01:05:58.219415+00:00
--------------------------------------------------------------------------------

Name        : rust-reqsign-file-read-tokio
Product     : Fedora 42
Version     : 2.0.0
Release     : 1.fc42
URL         : https://crates.io/crates/reqsign-file-read-tokio
Summary     : Tokio-based file reader implementation for reqsign
Description :
Tokio-based file reader implementation for reqsign.

--------------------------------------------------------------------------------
Update Information:

uv 0.9.5
https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md
Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for
CVE-2025-62518.
ruff 0.14.2
https://github.com/astral-sh/ruff/blob/0.14.2/CHANGELOG.md
rust-astral-tokio-tar 0.5.6
Fixed a parser desynchronization vulnerability when reading tar archives that
  contain mismatched size information in PAX/ustar headers.
This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx
and CVE-2025-62518.
Initial package for python-uv-build in Fedora 42
Initial packages for a number of new dependencies for ruff and uv
Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1
Update openapi-python-client to 0.26.2 and patch it to allow ruff 0.14
--------------------------------------------------------------------------------
ChangeLog:

* Thu Oct 23 2025 Benjamin A. Beasley <code@musicinmybrain.net> - 2.0.0-1
- Update to version 2.0.0
* Wed Oct  8 2025 Benjamin A. Beasley <code@musicinmybrain.net> - 1.0.0-1
- Initial package (close RHBZ#2400101)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2360699 - ruff-0.14.1 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2360699
  [ 2 ] Bug #2402441 - rust-reqsign-core-2.0.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2402441
  [ 3 ] Bug #2402442 - rust-reqsign-command-execute-tokio-2.0.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2402442
  [ 4 ] Bug #2402443 - rust-reqsign-http-send-reqwest-2.0.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2402443
  [ 5 ] Bug #2402881 - python-uv-build-0.9.5 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2402881
  [ 6 ] Bug #2402923 - uv-0.9.5 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2402923
  [ 7 ] Bug #2405474 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX
Header Desynchronization [fedora-42]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405474
  [ 8 ] Bug #2405476 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header
Desynchronization [fedora-42]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405476
  [ 9 ] Bug #2406135 - ruff-0.14.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2406135
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-a77c1f005b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgr...

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

-- 
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-cond...
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/package-ann...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds