
Fedora 42: openapi-python-client Important Fix for CVE-2025-62518

fedora
November 3, 2025
This advisory highlights a critical security fix for openapi-python-client in Fedora 42 addressing CVE-2025-62518.

Summary

The openapi-python-client is a powerful tool designed to generate modern Python clients from OpenAPI 3.0+ documents supporting both synchronous and asynchronous HTTP requests. It automates the creation of Python classes and methods that correspond to the endpoints and schema defined in your OpenAPI specification, making it easier to interact with your API in a type-safe manner.

Update Information:

uv 0.9.5
https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md
Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for CVE-2025-62518.

ruff 0.14.2
https://github.com/astral-sh/ruff/blob/0.14.2/CHANGELOG.md

rust-astral-tokio-tar 0.5.6
Fixed a parser desynchronization vulnerability when reading tar archives that contain mismatched size information in PAX/ustar headers. This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx and CVE-2025-62518.

Initial package for python-uv-build in Fedora 42

Initial packages for a number of new dependencies for ruff and uv

Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1

Update openapi-python-client to 0.26.2 and patch it to allow ruff 0.14
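To make the "mismatched size information in PAX/ustar headers" concrete, here is an added example (not code from Fedora, uv or astral-tokio-tar) that walks an uncompressed tar archive and reports members whose PAX extended-header size record differs from the size field of the ustar header that follows it. The function names are this example's own, and it assumes the archive fits in memory.

```python
BLOCK = 512  # tar archives are a sequence of 512-byte blocks

def _num(field):
    """Decode a ustar numeric field: octal text, or GNU base-256 if the high bit is set."""
    if field[0] & 0x80:
        return int.from_bytes(bytes([field[0] & 0x7F]) + field[1:], "big")
    text = field.split(b"\0", 1)[0].strip()
    return int(text, 8) if text else 0

def _pax_size(data):
    """Return the last 'size' value among PAX records '<len> <key>=<value>\\n', else None."""
    found, pos = None, 0
    while pos < len(data):
        space = data.find(b" ", pos)
        if space < 0 or not data[pos:space].isdigit():
            break
        length = int(data[pos:space])
        if length <= space - pos:  # malformed record length; stop rather than loop
            break
        key, _, value = data[space + 1:pos + length - 1].partition(b"=")
        if key == b"size" and value.isdigit():
            found = int(value)
        pos += length
    return found

def find_size_mismatches(archive):
    """Return (name, ustar_size, pax_size) for members where the two sizes disagree."""
    findings, pos, pax_size = [], 0, None
    while pos + BLOCK <= len(archive):
        header = archive[pos:pos + BLOCK]
        if header == bytes(BLOCK):  # all-zero block marks end of archive
            break
        size, typeflag = _num(header[124:136]), header[156:157]
        pos += BLOCK
        if typeflag == b"x":  # PAX extended header for the next member
            pax_size = _pax_size(archive[pos:pos + size])
        elif typeflag not in (b"g", b"L", b"K"):  # a real member, not metadata
            if pax_size is not None and pax_size != size:
                name = header[:100].split(b"\0", 1)[0].decode("utf-8", "replace")
                findings.append((name, size, pax_size))
                size = pax_size  # POSIX pax: the extended 'size' record wins
            pax_size = None
        pos += -(-size // BLOCK) * BLOCK  # skip data, rounded up to a full block
    return findings

if __name__ == "__main__":
    import pathlib, sys
    for path in sys.argv[1:]:
        print(path, find_size_mismatches(pathlib.Path(path).read_bytes()))
```

A legitimate writer normally emits a PAX size record only when the file is too large for the octal ustar field, so other hits deserve a closer look. Decompress .tar.gz and similar archives before scanning.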

Change Log

* Tue Oct 21 2025 Benjamin A. Beasley - 0.26.2-4
- Allow typer 0.20
* Tue Oct 21 2025 Benjamin A. Beasley - 0.26.2-3
- Allow ruff 0.14
* Sat Oct 18 2025 Doğukan Çağatay - 0.26.2-2
- Update checksum for openapi-python-client version 0.26.2
* Sat Oct 18 2025 Doğukan Çağatay - 0.26.2-1
- Update openapi-python-client to 0.26.2
- Bump version from 0.26.1 to 0.26.2 in spec file
- Update man page to version 0.26.2
- Remove allow-typer-0.19.patch (no longer needed with 0.26.2)
- Remove %bcond tests 1 and conditional test execution
* Wed Oct 1 2025 Doğukan Çağatay - 0.26.1-1
- Update version 0.26.1
- Update upstream version 0.26.1
- Delete old patch for the fix of the CLI tests fix-test-cli-1309.patch
- Update allow-typer-0.19.patch
* Sat Sep 20 2025 Benjamin A. Beasley - 0.26.0-5
- Allow typer 0.19
* Sat Sep 20 2025 Benjamin A. Beasley - 0.26.0-4
- Allow typer 0.18
* Fri Sep 19 2025 Python Maint - 0.26.0-3
- Rebuilt for Python 3.14.0rc3 bytecode
* Sun Aug 31 2025 Benjamin A. Beasley - 0.26.0-2
- Allow typer 0.17
* Sat Aug 30 2025 Doğukan Çağatay - 0.26.0-1
- Update version 0.26.0
- Update upstream version 0.26.0
- Add patch for the fix of the CLI tests fix-test-cli-1309.patch
- Delete old patch openapi-python-client-0.24.3-typer-0.16.patch
* Fri Aug 15 2025 Python Maint - 0.24.3-5
- Rebuilt for Python 3.14.0rc2 bytecode
* Thu Jul 24 2025 Fedora Release Engineering - 0.24.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Sun Jun 22 2025 Python Maint - 0.24.3-3
- Rebuilt for Python 3.14
* Tue May 27 2025 Benjamin A. Beasley - 0.24.3-2
- Allow typer 0.16

References


[ 1 ] Bug #2360699 - ruff-0.14.1 is available
      https://bugzilla.redhat.com/show_bug.cgi?id=2360699
[ 2 ] Bug #2402441 - rust-reqsign-core-2.0.0 is available
      https://bugzilla.redhat.com/show_bug.cgi?id=2402441
[ 3 ] Bug #2402442 - rust-reqsign-command-execute-tokio-2.0.0 is available
      https://bugzilla.redhat.com/show_bug.cgi?id=2402442
[ 4 ] Bug #2402443 - rust-reqsign-http-send-reqwest-2.0.0 is available
      https://bugzilla.redhat.com/show_bug.cgi?id=2402443
[ 5 ] Bug #2402881 - python-uv-build-0.9.5 is available
      https://bugzilla.redhat.com/show_bug.cgi?id=2402881
[ 6 ] Bug #2402923 - uv-0.9.5 is available
      https://bugzilla.redhat.com/show_bug.cgi?id=2402923
[ 7 ] Bug #2405474 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-42]
      https://bugzilla.redhat.com/show_bug.cgi?id=2405474
[ 8 ] Bug #2405476 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header...


Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-a77c1f005b' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
important

Name: openapi-python-client
Product: Fedora 42
Version: 0.26.2
Release: 4.fc42
Summary: Generate modern Python clients from OpenAPI
