Fedora 42: FEDORA-2025-8a18a5a077 crucial security updates for mirrors

The mirrorlist-server uses the data created by MirrorManager2

(https://github.com/fedora-infra/mirrormanager2) to answer client request for

the "best" mirror.

This implementation of the mirrorlist-server is written in Rust. The original

version of the mirrorlist-server was part of the MirrorManager2 repository and

it is implemented using Python. While moving from Python2 to Python3 one of

the problems was that the data exchange format (Python Pickle) did not support

running the MirrorManager2 backend with Python2 and the mirrorlist frontend

with Python3. To have a Pickle independent data exchange format protobuf was

introduced. The first try to use protobuf in the python mirrorlist

implementation required a lot more memory than the Pickle based implementation

(3.5GB instead of 1.1GB). That is one of the reasons a new mirrorlist-server

implementation was needed.

Another reason to rewrite the mirrorlist-server is its architecture. The

Python based version requires the Apache HTTP server or something that can

run the included wsgi. The wsgi talks over a socket to the actual

mirrorlist-server. In Fedora's MirrorManager2 instance this runs in a container

which runs behind HAProxy. This implementation in Rust directly uses a HTTP

library to reduce the number of involved components.

In addition to being simpler this implementation also requires less memory

than the Python version.

Rebuild applications to apply two recent security updates: build with idna 1.0.0+ to address CVE-2024-12224 (idna accepts Punycode labels that do not produce any non-ASCII when decoded) build with crossbeam-channel 0.5.15+ to address CVE-2025-4574 (potential double- free on Drop)