An extremely fast Python package and project manager, written in Rust.
Highlights:
• A single tool to replace pip, pip-tools, pipx, poetry, pyenv, twine,
  virtualenv, and more.
• 10-100x faster than pip.
• Provides comprehensive project management, with a universal lockfile.
• Runs scripts, with support for inline dependency metadata.
• Installs and manages Python versions.
• Runs and installs tools published as Python packages.
• Includes a pip-compatible interface for a performance boost with a familiar
  CLI.
• Supports Cargo-style workspaces for scalable projects.
• Disk-space efficient, with a global cache for dependency deduplication.
Update Information:
Update the time crate to version 0.3.47.
Update the time-macros crate to version 0.2.27.
Update the time-core crate to version 0.1.8.
Update the num-conv crate to version 0.2.0.
Update the git2 crate to version 0.20.4.
Update the bytes crate to version 1.11.1.

Additionally, this update contains rebuilds of applications affected by security advisories:
  bytes: RUSTSEC-2026-0007
  git2: RUSTSEC-2026-0008
  jsonwebtoken: CVE-2026-25537
  time: RUSTSEC-2026-0009

All applications that statically link libgit2 via the git2 Rust bindings were also rebuilt against the latest version of the git2 / libgit2-sys crates to pull in fixes included in libgit2 between v1.8.1 and v1.9.2.
* Sun Feb 8 2026 Benjamin A. Beasley - 0.9.30-2
- Rebuilt with jsonwebtoken patched for CVE-2026-25537
- Fixes RHBZ#2437472; fixes RHBZ#2437467; fixes RHBZ#2437461
* Thu Feb 5 2026 Benjamin A. Beasley - 0.9.30-1
- Update to 0.9.30 (close RHBZ#2437002)
* Wed Feb 4 2026 Benjamin A. Beasley - 0.9.29-1
- Update to 0.9.29 (close RHBZ#2436550)
[ 1 ] Bug #2437470 - CVE-2026-25537 rust-jsonwebtoken: jsonwebtoken has Type Confusion that leads to potential authorization bypass [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2437470
[ 2 ] Bug #2437472 - CVE-2026-25537 uv: jsonwebtoken has Type Confusion that leads to potential authorization bypass [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2437472
[ 3 ] Bug #2438104 - CVE-2026-25727 atuin: time affected by a stack exhaustion denial of service attack [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2438104
[ 4 ] Bug #2438135 - CVE-2026-25727 keylime-agent-rust: time affected by a stack exhaustion denial of service attack [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2438135
[ 5 ] Bug #2438138 - CVE-2026-25727 maturin: time affected by a stack exhaustion denial of service attack [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2438138
[ 6 ] Bug #2438149 - CVE-2026-25727 rustup: time ...
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-f400579a21' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label