Fedora 38: FEDORA-2023-cc21019773 Critical: Mirrorlist-Server Update

The mirrorlist-server uses the data created by `MirrorManager2

`_ to answer client request for

the "best" mirror.

This implementation of the mirrorlist-server is written in Rust. The original

version of the mirrorlist-server was part of the MirrorManager2 repository and

it is implemented using Python. While moving from Python2 to Python3 one of

the problems was that the data exchange format (Python Pickle) did not support

running the MirrorManager2 backend with Python2 and the mirrorlist frontend

with Python3. To have a Pickle independent data exchange format protobuf was

introduced. The first try to use protobuf in the python mirrorlist

implementation required a lot more memory than the Pickle based implementation

(3.5GB instead of 1.1GB). That is one of the reasons a new mirrorlist-server

implementation was needed.

Another reason to rewrite the mirrorlist-server is its architecture. The

Python based version requires the Apache HTTP server or something that can

run the included wsgi. The wsgi talks over a socket to the actual

mirrorlist-server. In Fedora's MirrorManager2 instance this runs in a container

which runs behind HAProxy. This implementation in Rust directly uses a HTTP

library to reduce the number of involved components.

In addition to being simpler this implementation also requires less memory

than the Python version.

Recent updates for the `tokio`, `h2`, and `openssl` crates addressed some

(potential or confirmed) security or soundness issues: - `tokio`:

[RUSTSEC-2023-0005](https://rustsec.org/advisories/RUSTSEC-2023-0005.html) -`h2`: [RUSTSEC-2023-0034](https://rustsec.org/advisories/RUSTSEC-2023-0034.html)

/ [CVE-2023-26964](https://nvd.nist.gov/vuln/detail/CVE-2023-26964) - `openssl`:

[RUSTSEC-2023-0022](https://rustsec.org/advisories/RUSTSEC-2023-0022.html),

[RUSTSEC-2023-0023](https://rustsec.org/advisories/RUSTSEC-2023-0023.html),

[RUSTSEC-2023-0024](https://rustsec.org/advisories/RUSTSEC-2023-0024.html) This

update contains rebuilds of all affected applications against the latest

versions of these crates, which have addressed all linked issues.

* Wed May 3 2023 Fabio Valentini - 3.0.6-6

- Rebuild with h2 >= v0.3.18 and tokio >= v1.24.2 (RUSTSEC-2023-{0005,0034})

su -c 'dnf upgrade --advisory FEDORA-2023-cc21019773' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Do not reply to spam, report it: