Alerts This Week
Warning Icon 1 646
Alerts This Week
Warning Icon 1 646

Fedora 41: uv Critical CVE-2025-62518 Parser Desynchronization Fix

fedora
Calendar Grey November 3, 2025
Dist Fedora Esm H88
Fedora 41 update fixes critical parser meta-desynchronization in uv affecting installation workflows. Stay secure!
uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for CVE-2025-62518

Summary

An extremely fast Python package installer and resolver, written in Rust.

Designed as a drop-in replacement for common pip and pip-tools workflows.

Highlights:

\u2022 \u2696\ufe0f Drop-in replacement for common pip, pip-tools, and virtualenv commands.

\u2022 \u26a1\ufe0f 10-100x faster than pip and pip-tools (pip-compile and pip-sync).

\u2022 \U0001f4be Disk-space efficient, with a global cache for dependency deduplication.

\u2022 \U0001f40d Installable via curl, pip, pipx, etc. uv is a static binary that can be

installed without Rust or Python.

\u2022 \U0001f9ea Tested at-scale against the top 10,000 PyPI packages.

\u2022 \U0001f5a5\ufe0f Support for macOS, Linux, and Windows.

\u2022 \U0001f9f0 Advanced features such as dependency version overrides and alternative

resolution strategies.

\u2022 \u2049\ufe0f Best-in-class error messages with a conflict-tracking resolver.

\u2022 \U0001f91d Support for a wide range of advanced pip features, including editable

installs, Git dependencies, direct URL dependencies, local dependencies,

constraints, source distributions, HTML and JSON indexes, and more.

Update Information:

uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for CVE-2025-62518. ruff 0.14.2 https://github.com/astral-sh/ruff/blob/0.14.2/CHANGELOG.md rust-astral-tokio-tar 0.5.6 Fixed a parser desynchronization vulnerability when reading tar archives that contain mismatched size information in PAX/ustar headers. This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx and CVE-2025-62518. Initial package for python-uv-build in Fedora 42 Initial packages for a number of new dependencies for ruff and uv. Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1. Patch openapi-python-client to allow ruff 0.14

Topics%20covered

Topics Covered

security advisory fedora critical CVE uv parser desynchronization

Change Log

* Fri Oct 24 2025 Benjamin A. Beasley - 0.9.5-1 - Update to 0.9.5 (close RHBZ#2402923) * Fri Oct 24 2025 Benjamin A. Beasley - 0.9.4-1 - Update to 0.9.4 * Fri Oct 24 2025 Benjamin A. Beasley - 0.9.3-1 - Update to 0.9.3 * Fri Oct 24 2025 Benjamin A. Beasley - 0.9.2-1 - Update to 0.9.2 * Fri Oct 24 2025 Benjamin A. Beasley - 0.9.1-1 - Update to 0.9.1 * Fri Oct 24 2025 Benjamin A. Beasley - 0.9.0-1 - Update to 0.9.0 * Thu Oct 23 2025 Benjamin A. Beasley - 0.8.24-4 - Try to work around \u201ctoo many open files\u201d on 192-core builders * Thu Oct 23 2025 Benjamin A. Beasley - 0.8.24-3 - Revert "Allow hashbrown 0.15 (for EPEL10.1)" * Thu Oct 23 2025 Benjamin A. Beasley - 0.8.24-2 - Allow hashbrown 0.15 (for EPEL10.1) * Wed Oct 22 2025 Benjamin A. Beasley - 0.8.24-1 - Update to 0.8.24 * Wed Oct 22 2025 Benjamin A. Beasley - 0.8.23-1 - Update to 0.8.23 * Wed Oct 22 2025 Benjamin A. Beasley - 0.8.22-1 - Update to 0.8.22 * Wed Oct 22 2025 Benjamin A. Beasley - 0.8.21-1 - Update to 0.8.21 * Thu Oct 16 2025 Gordon Messmer - 0.8.20-2 - Use rpm's native resource tunable to limit parallelism. * Mon Sep 29 2025 Benjamin A. Beasley - 0.8.20-1 - Update to 0.8.20 (close RHBZ#2389326) * Mon Sep 29 2025 Benjamin A. Beasley - 0.8.19-1 - Update to 0.8.19 * Mon Sep 29 2025 Benjamin A. Beasley - 0.8.18-1 - Update to 0.8.18 * Sun Sep 28 2025 Benjamin A. Beasley - 0.8.17-1 - Update to 0.8.17 * Sun Sep 28 2025 Benjamin A. Beasley - 0.8.16-1 - Update to 0.8.16 * Sun Sep 28 2025 Benjamin A. Beasley - 0.8.15-1 - Update to 0.8.15 * Sun Sep 28 2025 Benjamin A. Beasley - 0.8.14-1 - Update to 0.8.14 * Sun Sep 28 2025 Benjamin A. Beasley - 0.8.13-1 - Update to 0.8.13 * Sun Sep 28 2025 Benjamin A. Beasley - 0.8.12-1 - Update to 0.8.12 * Sun Sep 28 2025 Benjamin A. Beasley - 0.8.11-5 - Use the bundled reqwest-middleware, too

References


[ 1 ] Bug #2360699 - ruff-0.14.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2360699 [ 2 ] Bug #2402441 - rust-reqsign-core-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402441 [ 3 ] Bug #2402442 - rust-reqsign-command-execute-tokio-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402442 [ 4 ] Bug #2402443 - rust-reqsign-http-send-reqwest-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402443 [ 5 ] Bug #2402881 - python-uv-build-0.9.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402881 [ 6 ] Bug #2402923 - uv-0.9.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402923 [ 7 ] Bug #2405471 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2405471 [ 8 ] Bug #2405472 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header...

Read the Full Advisory

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-43a0bff5ea' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
critical
Lowest
Low
Medium
High
Critical

Name: uv
Product: Fedora 41
Version: 0.9.5
Release: 1.fc41
URL: https://github.com/astral-sh/uv
Summary: An extremely fast Python package installer and resolver, written in Rust

Topics%20covered

Topics Covered

security advisory fedora critical CVE uv parser desynchronization

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here