Alerts This Week
Warning Icon 1 626
Alerts This Week
Warning Icon 1 626

Warning: Undefined array key "Description" in /var/www/www.linuxsecurity.com-443/html/lsadvisories/lsadvisories.php on line 220

Fedora 42 Mirrorlist Server Update Stack Exhaustion CVE-2026-25537 Advisory

fedora
Calendar Grey February 11, 2026
Dist Fedora Esm H88
Update for mirrorlist-server in Fedora 42 addresses critical issues including stack exhaustion and authorization bypass.
Update the time crate to version 0.3.47

Summary

The mirrorlist-server uses the data created by MirrorManager2

(https://github.com/fedora-infra/mirrormanager2) to answer client request for

the "best" mirror.

This implementation of the mirrorlist-server is written in Rust. The original

version of the mirrorlist-server was part of the MirrorManager2 repository and

it is implemented using Python. While moving from Python2 to Python3 one of

the problems was that the data exchange format (Python Pickle) did not support

running the MirrorManager2 backend with Python2 and the mirrorlist frontend

with Python3. To have a Pickle independent data exchange format protobuf was

introduced. The first try to use protobuf in the python mirrorlist

implementation required a lot more memory than the Pickle based implementation

(3.5GB instead of 1.1GB). That is one of the reasons a new mirrorlist-server

implementation was needed.

Another reason to rewrite the mirrorlist-server is its architecture. The

Python based version requires the Apache HTTP server or something that can

run the included wsgi. The wsgi talks over a socket to the actual

mirrorlist-server. In Fedora's MirrorManager2 instance this runs in a container

which runs behind HAProxy. This implementation in Rust directly uses a HTTP

library to reduce the number of involved components.

In addition to being simpler this implementation also requires less memory

than the Python version.

Update Information:

Update the time crate to version 0.3.47. Update the time-macros crate to version 0.2.27. Update the time-core crate to version 0.1.8. Update the num-conv crate to version 0.2.0. Update the git2 crate to version 0.20.4. Update the bytes crate to version 1.11.1. Additionally, this update contains rebuilds of applications affected by security advisories: bytes: RUSTSEC-2026-0007 git2: RUSTSEC-2026-0008 jsonwebtoken: CVE-2026-25537 time: RUSTSEC-2026-0009 All applications that statically link libgit2 via the git2 Rust bindings were also rebuilt against the latest version of the git2 / libgit2-sys crates to pull in fixes included in libgit2 between v1.8.1 and v1.9.2.

Topics%20covered

Topics Covered

security advisory fedora authorization bypass stack exhaustion mirrorlist-server rust-jsonwebtoken

Change Log

* Sat Feb 7 2026 Fabio Valentini - 3.0.8-3 - Rebuild for RUSTSEC-2026-{0007,0008,0009} and CVE-2026-25537 * Fri Jan 16 2026 Fedora Release Engineering - 3.0.8-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild

References


[ 1 ] Bug #2437465 - CVE-2026-25537 rust-jsonwebtoken: jsonwebtoken has Type Confusion that leads to potential authorization bypass [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2437465 [ 2 ] Bug #2437467 - CVE-2026-25537 uv: jsonwebtoken has Type Confusion that leads to potential authorization bypass [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2437467 [ 3 ] Bug #2438046 - CVE-2026-25727 atuin: time affected by a stack exhaustion denial of service attack [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2438046 [ 4 ] Bug #2438075 - CVE-2026-25727 keylime-agent-rust: time affected by a stack exhaustion denial of service attack [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2438075 [ 5 ] Bug #2438077 - CVE-2026-25727 maturin: time affected by a stack exhaustion denial of service attack [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2438077 [ 6 ] Bug #2438086 - CVE-2026-25727 rus...

Read the Full Advisory

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-6388b28850' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
important
Lowest
Low
Medium
High
Critical

Name: mirrorlist-server
Product: Fedora 42
Version: 3.0.8
Release: 3.fc42
URL: https://github.com/adrianreber/mirrorlist-server
Summary: Mirrorlist Server

Topics%20covered

Topics Covered

security advisory fedora authorization bypass stack exhaustion mirrorlist-server rust-jsonwebtoken

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here