Fedora 41: ruff 0.14.2 Security Update for CVE-2025-62518 Released
fedora
November 3, 2025
uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for CVE-2025-62518
Summary
An extremely fast Python linter and code formatter, written in Rust.
Ruff aims to be orders of magnitude faster than alternative tools while
integrating more functionality behind a single, common interface.
Ruff can be used to replace Flake8 (plus dozens of plugins), Black, isort,
pydocstyle, pyupgrade, autoflake, and more, all while executing tens or
hundreds of times faster than any individual tool.
Update Information:
uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for CVE-2025-62518. ruff 0.14.2 https://github.com/astral-sh/ruff/blob/0.14.2/CHANGELOG.md rust-astral-tokio-tar 0.5.6 Fixed a parser desynchronization vulnerability when reading tar archives that contain mismatched size information in PAX/ustar headers. This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx and CVE-2025-62518. Initial package for python-uv-build in Fedora 42 Initial packages for a number of new dependencies for ruff and uv. Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1. Patch openapi-python-client to allow ruff 0.14
Topics Covered
Change Log
* Thu Oct 23 2025 Benjamin A. Beasley
References
[ 1 ] Bug #2360699 - ruff-0.14.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2360699
[ 2 ] Bug #2402441 - rust-reqsign-core-2.0.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2402441
[ 3 ] Bug #2402442 - rust-reqsign-command-execute-tokio-2.0.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2402442
[ 4 ] Bug #2402443 - rust-reqsign-http-send-reqwest-2.0.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2402443
[ 5 ] Bug #2402881 - python-uv-build-0.9.5 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2402881
[ 6 ] Bug #2402923 - uv-0.9.5 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2402923
[ 7 ] Bug #2405471 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2405471
[ 8 ] Bug #2405472 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header...
Update Instructions
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-43a0bff5ea' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Name: ruff
Product: Fedora 41
Version: 0.14.2
Release: 1.fc41
Summary: Extremely fast Python linter and code formatter
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!