Critical Update for Uncontrolled Recursion CVE-2025-53605 in Fedora 43

The mirrorlist-server uses the data created by MirrorManager2

(https://github.com/fedora-infra/mirrormanager2) to answer client request for

the "best" mirror.

This implementation of the mirrorlist-server is written in Rust. The original

version of the mirrorlist-server was part of the MirrorManager2 repository and

it is implemented using Python. While moving from Python2 to Python3 one of

the problems was that the data exchange format (Python Pickle) did not support

running the MirrorManager2 backend with Python2 and the mirrorlist frontend

with Python3. To have a Pickle independent data exchange format protobuf was

introduced. The first try to use protobuf in the python mirrorlist

implementation required a lot more memory than the Pickle based implementation

(3.5GB instead of 1.1GB). That is one of the reasons a new mirrorlist-server

implementation was needed.

Another reason to rewrite the mirrorlist-server is its architecture. The

Python based version requires the Apache HTTP server or something that can

run the included wsgi. The wsgi talks over a socket to the actual

mirrorlist-server. In Fedora's MirrorManager2 instance this runs in a container

which runs behind HAProxy. This implementation in Rust directly uses a HTTP

library to reduce the number of involved components.

In addition to being simpler this implementation also requires less memory

than the Python version.

Update mirrorlist-server to version 3.0.8. Update the maxminddb crate to version 0.26.0. Update the prometheus crate to version 0.14.0. Update the protobuf and protobuf-codegen crates to version 3.7.2. Initial packaging of the protobuf-parse and protobuf-support crates. This includes fixes for CVE-2025-53605 (Uncontrolled Recursion Vulnerability in the protobuf crate).