Alerts This Week
Warning Icon 1 664
Alerts This Week
Warning Icon 1 664

Fedora 43 uv CVE-2026-32766 CVE-2026-33056 Update for Permission Issues

fedora
Calendar Grey March 28, 2026
Dist Fedora Esm H88
Critical updates for Fedora 43 addressing vulnerabilities. Upgrade rust packages to ensure Python tools run securely.
Update rust-astral-tokio-tar to 0.6.0, fixing CVE-2026-32766

Summary

An extremely fast Python package and project manager, written in Rust.

Highlights:

\u2022 A single tool to replace pip, pip-tools, pipx, poetry, pyenv, twine,

virtualenv, and more.

\u2022 10-100x faster than pip.

\u2022 Provides comprehensive project management, with a universal lockfile.

\u2022 Runs scripts, with support for inline dependency metadata.

\u2022 Installs and manages Python versions.

\u2022 Runs and installs tools published as Python packages.

\u2022 Includes a pip-compatible interface for a performance boost with a familiar

CLI.

\u2022 Supports Cargo-style workspaces for scalable projects.

\u2022 Disk-space efficient, with a global cache for dependency deduplication.

Update Information:

Update rust-astral-tokio-tar to 0.6.0, fixing CVE-2026-32766. Update rust-tar to 0.4.45, fixing CVE-2026-33056. Update rust-nix to 0.31.2. Update uv and python- uv-build to 0.10.2, rebuilding them with the latest rust-astral-tokio-tar and rust-tar. Update python-fastar to 0.9.0, rebuilding it with the lastest rust- tar. Rebuild maturin with the latest rust-tar. Update to 0.9.0

Topics%20covered

Topics Covered

security advisory fedora update permission modification cve-2026-32766 cve-2026-33056

Change Log

* Fri Mar 20 2026 Benjamin A. Beasley - 0.10.12-1 - Update to 0.10.12 (close RHBZ#2449243) * Tue Mar 17 2026 Benjamin A. Beasley - 0.10.11-1 - Update to 0.10.11 (close RHBZ#2448300) * Sun Mar 15 2026 Benjamin A. Beasley - 0.10.10-1 - Update to 0.10.10 (close RHBZ#2447540)

References


[ 1 ] Bug #2448054 - rust-astral-tokio-tar-0.6.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2448054 [ 2 ] Bug #2449243 - uv-0.10.12 is available https://bugzilla.redhat.com/show_bug.cgi?id=2449243 [ 3 ] Bug #2449274 - rust-tar-0.4.45 is available https://bugzilla.redhat.com/show_bug.cgi?id=2449274 [ 4 ] Bug #2449338 - python-uv-build-0.10.12 is available https://bugzilla.redhat.com/show_bug.cgi?id=2449338 [ 5 ] Bug #2449551 - CVE-2026-32766 python-uv-build: astral-tokio-tar: Potential archive misinterpretation via malformed PAX extensions [fedora-43] https://bugzilla.redhat.com/show_bug.cgi?id=2449551 [ 6 ] Bug #2449553 - CVE-2026-32766 uv: astral-tokio-tar: Potential archive misinterpretation via malformed PAX extensions [fedora-43] https://bugzilla.redhat.com/show_bug.cgi?id=2449553 [ 7 ] Bug #2449645 - python-fastar-0.9.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2449645 [ 8 ] Bug...

Read the Full Advisory

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-d18cf572b8' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
important
Lowest
Low
Medium
High
Critical

Name: uv
Product: Fedora 43
Version: 0.10.12
Release: 1.fc43
URL: https://github.com/astral-sh/uv
Summary: An extremely fast Python package installer and resolver, written in Rust

Topics%20covered

Topics Covered

security advisory fedora update permission modification cve-2026-32766 cve-2026-33056

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here