
Stay Secure with the Latest Linux Advisories


Explore Latest Linux Security advisories


Fedora 43 Pydantic Moderate Bug Fix Security Update 2025-312ac3e645

Pydantic 2.12.4

This is the fourth 2.12 patch release, fixing more regressions, and reverting a change in the build() method of the AnyUrl and Dsn types.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-312ac3e645
2025-11-10 00:46:08.034331+00:00
--------------------------------------------------------------------------------

Name        : uv
Product     : Fedora 43
Version     : 0.9.7
Release     : 2.fc43
URL         : https://github.com/astral-sh/uv
Summary     : An extremely fast Python package installer and resolver, written in Rust
Description :
An extremely fast Python package installer and resolver, written in Rust.
Designed as a drop-in replacement for common pip and pip-tools workflows.

Highlights:

  • ⚖️ Drop-in replacement for common pip, pip-tools, and virtualenv commands.
  • ⚡️ 10-100x faster than pip and pip-tools (pip-compile and pip-sync).
  • 💾 Disk-space efficient, with a global cache for dependency deduplication.
  • 🐍 Installable via curl, pip, pipx, etc. uv is a static binary that can be installed without Rust or Python.
  • 🧪 Tested at-scale against the top 10,000 PyPI packages.
  • 🖥️ Support for macOS, Linux, and Windows.
  • 🧰 Advanced features such as dependency version overrides and alternative resolution strategies.
  • ⁉️ Best-in-class error messages with a conflict-tracking resolver.
  • 🤝 Support for a wide range of advanced pip features, including editable installs, Git dependencies, direct URL dependencies, local dependencies, constraints, source distributions, HTML and JSON indexes, and more.

--------------------------------------------------------------------------------
Update Information:

Pydantic 2.12.4

This is the fourth 2.12 patch release, fixing more regressions, and reverting a change in the build() method of the AnyUrl and Dsn types. This patch release also fixes an issue with the serialization of IP address types, when serialize_as_any is used. The next patch release will try to address the remaining issues with serialize as any behavior by introducing a new polymorphic serialization feature, that should be used in most cases in place of serialize as any.

https://github.com/pydantic/pydantic/releases/tag/v2.12.4

uv / python-uv-build

0.9.7

https://github.com/astral-sh/uv/releases/tag/0.9.7

0.9.6

This release contains an upgrade to Astral's fork of async_zip, which addresses potential sources of ZIP parsing differentials between uv and other Python packaging tooling. See GHSA-pqhf-p39g-3x64 for additional details.

https://github.com/astral-sh/uv/releases/tag/0.9.6

ruff 0.14.3

https://github.com/astral-sh/ruff/releases/tag/0.14.3

Update rust-get-size2/rust-get-size-derive2 to 0.7.1 (implement GetSize for RefCell).
Update rust-reqsign to 0.18.1 and rust-reqsign-* to 2.0.1.
Update rust-regex to 1.12.2 and rust-regex-automata to 0.4.13.

--------------------------------------------------------------------------------
ChangeLog:

* Sun Nov 2 2025 Benjamin A. Beasley - 0.9.7-2
- Allow spdx 0.12
* Fri Oct 31 2025 Benjamin A. Beasley - 0.9.7-1
- Update to 0.9.7 (close RHBZ#2408776)
* Thu Oct 30 2025 Benjamin A. Beasley - 0.9.6-1
- Update to 0.9.6 (close RHBZ#2407283)
* Sat Oct 25 2025 Benjamin A. Beasley - 0.9.5-6
- Remove a few more now-unnecessary test skips
* Sat Oct 25 2025 Benjamin A. Beasley - 0.9.5-5
- Consolidate ppc64le/s390x skips for the same test
* Sat Oct 25 2025 Benjamin A. Beasley - 0.9.5-4
- Remove python_list::python_list* test skips that no longer fail
* Sat Oct 25 2025 Benjamin A. Beasley - 0.9.5-3
- Skip a test that is flaky on ppc64le

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2403244 - rust-regex-1.12.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2403244
  [ 2 ] Bug #2403245 - rust-regex-automata-0.4.13 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2403245
  [ 3 ] Bug #2406419 - rust-get-size2-0.7.1 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2406419
  [ 4 ] Bug #2406420 - rust-get-size-derive2-0.7.1 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2406420
  [ 5 ] Bug #2411957 - python-cloudpickle-3.1.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2411957
  [ 6 ] Bug #2411978 - rust-reqsign-core-2.0.1 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2411978
  [ 7 ] Bug #2411979 - rust-reqsign-command-execute-tokio-2.0.1 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2411979
  [ 8 ] Bug #2411980 - rust-reqsign-aws-v4-2.0.1 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2411980
  [ 9 ] Bug #2411981 - rust-reqsign-0.18.1 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2411981
  [ 10 ] Bug #2411982 - rust-reqsign-http-send-reqwest-2.0.1 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2411982
  [ 11 ] Bug #2411983 - rust-reqsign-file-read-tokio-2.0.1 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2411983
  [ 12 ] Bug #2412643 - python-pydantic-2.12.4 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2412643

--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-312ac3e645' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys

--------------------------------------------------------------------------------

The Fedora 43 update addresses regressions in Pydantic and includes changes to the uv package for enhanced performance and security.

FedoraUpdates, Python Package Installer, Security Advisory.

LinuxSecurity.com Team

Nov 10, 2025 Fedora

Fedora 41: FEDORA-2024-8568f9cd5e critical: uv command injection issue

An extremely fast Python package installer and resolver, written in Rust. Designed as a drop-in replacement for common pip and pip-tools workflows.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-8568f9cd5e
2024-12-07 07:36:24.985993+00:00
--------------------------------------------------------------------------------

Name        : uv
Product     : Fedora 41
Version     : 0.5.5
Release     : 2.fc41
URL         : https://github.com/astral-sh/uv
Summary     : An extremely fast Python package installer and resolver, written in Rust
Description :
An extremely fast Python package installer and resolver, written in Rust.
Designed as a drop-in replacement for common pip and pip-tools workflows.

Highlights:

  • ⚖️ Drop-in replacement for common pip, pip-tools, and virtualenv commands.
  • ⚡️ 10-100x faster than pip and pip-tools (pip-compile and pip-sync).
  • 💾 Disk-space efficient, with a global cache for dependency deduplication.
  • 🐍 Installable via curl, pip, pipx, etc. uv is a static binary that can be installed without Rust or Python.
  • 🧪 Tested at-scale against the top 10,000 PyPI packages.
  • 🖥️ Support for macOS, Linux, and Windows.
  • 🧰 Advanced features such as dependency version overrides and alternative resolution strategies.
  • ⁉️ Best-in-class error messages with a conflict-tracking resolver.
  • 🤝 Support for a wide range of advanced pip features, including editable installs, Git dependencies, direct URL dependencies, local dependencies, constraints, source distributions, HTML and JSON indexes, and more.

--------------------------------------------------------------------------------
Update Information:

Update uv from 0.4.30 to 0.5.5. This is a significant update. Please see the following notes.

By updating to a current release of uv, this update fixes CVE-2024-53899, which was originally reported against virtualenv but which was also reproducible on uv 0.5.2 and earlier. See upstream issue #9424 for more details.

This update adds a default system-wide configuration file /etc/uv/uv.toml with settings specific to Fedora. The RPM-packaged uv now deviates from the default configuration in two ways.

First, we set "python-downloads" to "manual" in order to avoid unintended Python downloads. We suggest using RPM-packaged (system) Pythons that benefit from distribution maintenance and integration. Use uv python install to manually install managed Pythons.

Second, we set "python-preference" to "system" instead of "managed". Otherwise, any managed Python would be used for uv operations where no particular Python is specified, even if the only available managed Python were much older than the primary system Python.

No choices can be appropriate for all users and applications. To restore the default behavior, comment out settings in this file or override them in a configuration file with higher precedence, such as a user-level configuration file. See https://docs.astral.sh/uv/configuration/files/ for details on the interaction of project-, user-, and system-level configuration files.

With 0.5.0, uv introduced several potentially breaking changes. The developers write that these are “changes that improve correctness and user experience, but could break some workflows. This release contains those changes; many have been marked as breaking out of an abundance of caution. We expect most users to be able to upgrade without making changes.”

  - Use base executable to set virtualenv Python path
  - Use XDG (i.e. ~/.local/bin) instead of the Cargo home directory in the installer
  - Discover and respect .python-version files in parent directories
  - Error when disallowed settings are defined in uv.toml
  - Implement PEP 440-compliant local version semantics
  - Treat the base Conda environment as a system environment
  - Do not allow pre-releases when the != operator is used
  - Prefer USERPROFILE over FOLDERID_Profile when selecting a home directory on Windows
  - Improve interactions between color environment variables and CLI options
  - Make allow-insecure-host a global option
  - Only write .python-version files during uv init for workspace members if the version differs

For detailed discussion of these changes, please see https://github.com/astral-sh/uv/releases/tag/0.5.0.

For other fixes, enhancements, and changes in this update, please consult the following:

  https://github.com/astral-sh/uv/releases/tag/0.5.1
  https://github.com/astral-sh/uv/releases/tag/0.5.2
  https://github.com/astral-sh/uv/releases/tag/0.5.3
  https://github.com/astral-sh/uv/releases/tag/0.5.4
  https://github.com/astral-sh/uv/releases/tag/0.5.5

--------------------------------------------------------------------------------
ChangeLog:

* Thu Nov 28 2024 Benjamin A. Beasley - 0.5.5-2
- Revert "Backport a path-escaping fix for the batch activation script"
* Wed Nov 27 2024 Benjamin A. Beasley - 0.5.5-1
- Update to 0.5.5 (close RHBZ#2329188)
* Wed Nov 27 2024 Benjamin A. Beasley - 0.5.4-2
- Backport a path-escaping fix for the batch activation script
* Thu Nov 21 2024 Benjamin A. Beasley - 0.5.4-1
- Update to 0.5.4 (close RHBZ#2327512)
* Thu Nov 21 2024 Benjamin A. Beasley - 0.5.3-1
- Update to 0.5.3
* Tue Nov 19 2024 Benjamin A. Beasley - 0.5.2-2
- Stop loosening the mailparse dependency version bound
* Mon Nov 18 2024 Benjamin A. Beasley - 0.5.2-1
- Update to 0.5.2 (close RHBZ#2323792)
* Sat Nov 16 2024 Benjamin A. Beasley - 0.5.1-1
- Update to 0.5.1
* Sat Nov 16 2024 Benjamin A. Beasley - 0.5.0-1
- Update to 0.5.0
* Thu Nov 14 2024 Benjamin A. Beasley - 0.4.30-4
- Also configure python-preference = "system"
* Thu Nov 14 2024 Benjamin A. Beasley - 0.4.30-3
- Install a default system-wide uv.toml
- Configure python-downloads = "manual"

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2327512 - uv-0.5.4 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2327512
  [ 2 ] Bug #2328746 - CVE-2024-53899 uv: potential command injection via virtual environment activation scripts [fedora-41]
        https://bugzilla.redhat.com/show_bug.cgi?id=2328746
  [ 3 ] Bug #2329188 - uv-0.5.5 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2329188

--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-8568f9cd5e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/

--------------------------------------------------------------------------------

The latest Fedora update for the UV package installer enhances efficiency and addresses potential security risks associated with command injection vulnerabilities.

uv Package Installer, Fedora Security Update, Python Dependency Management.

Severity: Critical.

LinuxSecurity.com Team

Dec 07, 2024 Critical Fedora