Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found 14 articles for you...
89
security advisoryfedoracriticalFedora 43: rust-astral-tokio-tar Critical CVE-2025-62518 Parser Issue
uv / python-uv-build 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md ruff 0.14.2 https://github.com/astral-sh/ruff/blob/0.14.2/CHANGELOG.md Pydantic 2.12.3. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-4154ea83d0 2025-11-05 02:09:57.817569+00:00 -------------------------------------------------------------------------------- Name : rust-astral-tokio-tar Product : Fedora 43 Version : 0.5.6 Release : 1.fc43 URL : https://crates.io/crates/astral-tokio-tar Summary : Rust implementation of an async TAR file reader and writer Description : A Rust implementation of an async TAR file reader and writer. This library does not currently handle compression, but it is abstract over all I/O readers and writers. Additionally, great lengths are taken to ensure that the entire contents are never required to be entirely resident in memory all at once. -------------------------------------------------------------------------------- Update Information: uv / python-uv-build 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md ruff 0.14.2 https://github.com/astral-sh/ruff/blob/0.14.2/CHANGELOG.md Pydantic 2.12.3 Blog post maturin 1.9.6 https://github.com/PyO3/maturin/blob/v1.9.6/Changelog.md python-typing-inspection 0.4.2 (2025-10-01) Add typing_objects.is_noextraitems() python-jiter 0.11.0 https://github.com/pydantic/jiter/releases/tag/v0.11.0 python-pydantic-extra-types 2.10.6 https://github.com/pydantic/pydantic-extra-types/releases/tag/v2.10.6 Typer 0.20.0 Features \u2728 Enable command suggestions on typo by default. Upgrades \u2b06\ufe0f Add (official) support for Python 3.14. Internal Assorted small enhancements. FastAPI 0.120.1 Upgrades \u2b06\ufe0f Bump Starlette to
Nov 05, 2025
•Critical
Fedora
89
security advisoryfedorasecurity fixFedora 42: uv 0.9.5 Important Security Fix CVE-2025-62518
uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for CVE-2025-62518. ruff 0.14.2. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-a77c1f005b 2025-11-03 01:05:58.219415+00:00 -------------------------------------------------------------------------------- Name : uv Product : Fedora 42 Version : 0.9.5 Release : 1.fc42 URL : https://github.com/astral-sh/uv Summary : An extremely fast Python package installer and resolver, written in Rust Description : An extremely fast Python package installer and resolver, written in Rust. Designed as a drop-in replacement for common pip and pip-tools workflows. Highlights: \u2022 \u2696\ufe0f Drop-in replacement for common pip, pip-tools, and virtualenv commands. \u2022 \u26a1\ufe0f 10-100x faster than pip and pip-tools (pip-compile and pip-sync). \u2022 \U0001f4be Disk-space efficient, with a global cache for dependency deduplication. \u2022 \U0001f40d Installable via curl, pip, pipx, etc. uv is a static binary that can be installed without Rust or Python. \u2022 \U0001f9ea Tested at-scale against the top 10,000 PyPI packages. \u2022 \U0001f5a5\ufe0f Support for macOS, Linux, and Windows. \u2022 \U0001f9f0 Advanced features such as dependency version overrides and alternative resolution strategies. \u2022 \u2049\ufe0f Best-in-class error messages with a conflict-tracking resolver. \u2022 \U0001f91d Support for a wide range of advanced pip features, including editable installs, Git dependencies, direct URL dependencies, local dependencies, constraints, source distributions, HTML and JSON indexes, and more. -------------------------------------------------------------------------------- Update Information: uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fixfor CVE-2025-62518. ruff 0.14.2 https://github.com/astral-sh/ruff/blob/0.14.2/CHANGELOG.md rust-astral-tokio-tar 0.5.6 Fixed a parser desynchronization vulnerability when reading tar archives that contain mismatched size information in PAX/ustar headers. This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx and CVE-2025-62518. Initial package for python-uv-build in Fedora 42 Initial packages for a number of new dependencies for ruff and uv Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1 Update openapi-python-client to 0.26.2 and patch it to allow ruff 0.14 -------------------------------------------------------------------------------- ChangeLog: * Fri Oct 24 2025 Benjamin A. Beasley - 0.9.5-1 - Update to 0.9.5 (close RHBZ#2402923) * Fri Oct 24 2025 Benjamin A. Beasley - 0.9.4-1 - Update to 0.9.4 * Fri Oct 24 2025 Benjamin A. Beasley - 0.9.3-1 - Update to 0.9.3 * Fri Oct 24 2025 Benjamin A. Beasley - 0.9.2-1 - Update to 0.9.2 * Fri Oct 24 2025 Benjamin A. Beasley - 0.9.1-1 - Update to 0.9.1 * Fri Oct 24 2025 Benjamin A. Beasley - 0.9.0-1 - Update to 0.9.0 * Thu Oct 23 2025 Benjamin A. Beasley - 0.8.24-4 - Try to work around \u201ctoo many open files\u201d on 192-core builders * Thu Oct 23 2025 Benjamin A. Beasley - 0.8.24-3 - Revert "Allow hashbrown 0.15 (for EPEL10.1)" * Thu Oct 23 2025 Benjamin A. Beasley - 0.8.24-2 - Allow hashbrown 0.15 (for EPEL10.1) * Wed Oct 22 2025 Benjamin A. Beasley - 0.8.24-1 - Update to 0.8.24 * Wed Oct 22 2025 Benjamin A. Beasley - 0.8.23-1 - Update to 0.8.23 * Wed Oct 22 2025 Benjamin A. Beasley - 0.8.22-1 - Update to 0.8.22 * Wed Oct 22 2025 Benjamin A. Beasley - 0.8.21-1 - Update to 0.8.21 * Thu Oct 16 2025 Gordon Messmer - 0.8.20-2 - Use rpm's native resource tunable to limit parallelism. * Mon Sep 29 2025 Benjamin A. Beasley - 0.8.20-1 - Update to 0.8.20 (close RHBZ#2389326) * Mon Sep 29 2025 Benjamin A. Beasley - 0.8.19-1 - Update to 0.8.19 * Mon Sep 29 2025 Benjamin A. Beasley - 0.8.18-1 - Update to 0.8.18 * Sun Sep28 2025 Benjamin A. Beasley - 0.8.17-1 - Update to 0.8.17 * Sun Sep 28 2025 Benjamin A. Beasley - 0.8.16-1 - Update to 0.8.16 * Sun Sep 28 2025 Benjamin A. Beasley - 0.8.15-1 - Update to 0.8.15 * Sun Sep 28 2025 Benjamin A. Beasley - 0.8.14-1 - Update to 0.8.14 * Sun Sep 28 2025 Benjamin A. Beasley - 0.8.13-1 - Update to 0.8.13 * Sun Sep 28 2025 Benjamin A. Beasley - 0.8.12-1 - Update to 0.8.12 * Sun Sep 28 2025 Benjamin A. Beasley - 0.8.11-5 - Use the bundled reqwest-middleware, too -------------------------------------------------------------------------------- References: [ 1 ] Bug #2360699 - ruff-0.14.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2360699 [ 2 ] Bug #2402441 - rust-reqsign-core-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402441 [ 3 ] Bug #2402442 - rust-reqsign-command-execute-tokio-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402442 [ 4 ] Bug #2402443 - rust-reqsign-http-send-reqwest-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402443 [ 5 ] Bug #2402881 - python-uv-build-0.9.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402881 [ 6 ] Bug #2402923 - uv-0.9.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402923 [ 7 ] Bug #2405474 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2405474 [ 8 ] Bug #2405476 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2405476 [ 9 ] Bug #2406135 - ruff-0.14.2 is available https://bugzilla.redhat.com/show_bug.cgi?id=2406135 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-a77c1f005b' at the command line. For more information, refer tothe dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Addressing CVE-2025-62518, this advisory covers a critical security fix for Fedora 42's uv package.. Fedora Update, security fix, UV package, CVE-2025-62518, important advisory. . Severity: Important. LinuxSecurity.com Team
Nov 03, 2025
•Important
Fedora
89
security advisoryfedoraparser desynchronizationFedora 42: rust-tikv-jemallocator Critical CVE-2025-62518 Parser Issue
uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for CVE-2025-62518. ruff 0.14.2. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-a77c1f005b 2025-11-03 01:05:58.219415+00:00 -------------------------------------------------------------------------------- Name : rust-tikv-jemallocator Product : Fedora 42 Version : 0.6.1 Release : 1.fc42 URL : https://crates.io/crates/tikv-jemallocator Summary : Rust allocator backed by jemalloc Description : A Rust allocator backed by jemalloc. -------------------------------------------------------------------------------- Update Information: uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for CVE-2025-62518. ruff 0.14.2 https://github.com/astral-sh/ruff/blob/0.14.2/CHANGELOG.md rust-astral-tokio-tar 0.5.6 Fixed a parser desynchronization vulnerability when reading tar archives that contain mismatched size information in PAX/ustar headers. This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx and CVE-2025-62518. Initial package for python-uv-build in Fedora 42 Initial packages for a number of new dependencies for ruff and uv Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1 Update openapi-python-client to 0.26.2 and patch it to allow ruff 0.14 -------------------------------------------------------------------------------- ChangeLog: * Thu Oct 16 2025 Benjamin A. Beasley - 0.6.1-1 - Update to version 0.6.1; Fixes RHBZ#2404523 * Fri Jul 25 2025 Fedora Release Engineering - 0.6.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild -------------------------------------------------------------------------------- References: [ 1 ] Bug #2360699 - ruff-0.14.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2360699 [ 2 ] Bug #2402441 - rust-reqsign-core-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402441 [ 3 ] Bug #2402442 - rust-reqsign-command-execute-tokio-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402442 [ 4 ] Bug #2402443 - rust-reqsign-http-send-reqwest-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402443 [ 5 ] Bug #2402881 - python-uv-build-0.9.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402881 [ 6 ] Bug #2402923 - uv-0.9.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402923 [ 7 ] Bug #2405474 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2405474 [ 8 ] Bug #2405476 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2405476 [ 9 ] Bug #2406135 - ruff-0.14.2 is available https://bugzilla.redhat.com/show_bug.cgi?id=2406135 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-a77c1f005b' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Nov 03, 2025
•Critical
Fedora
89
security advisoryfedoraimportantFedora 42: Critical Fix for rust-get-size-derive2 PAX Header Sync Issue
uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for CVE-2025-62518. ruff 0.14.2. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-a77c1f005b 2025-11-03 01:05:58.219415+00:00 -------------------------------------------------------------------------------- Name : rust-get-size-derive2 Product : Fedora 42 Version : 0.7.0 Release : 1.fc42 URL : https://crates.io/crates/get-size-derive2 Summary : Derives the GetSize trait Description : Derives the GetSize trait. -------------------------------------------------------------------------------- Update Information: uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for CVE-2025-62518. ruff 0.14.2 https://github.com/astral-sh/ruff/blob/0.14.2/CHANGELOG.md rust-astral-tokio-tar 0.5.6 Fixed a parser desynchronization vulnerability when reading tar archives that contain mismatched size information in PAX/ustar headers. This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx and CVE-2025-62518. Initial package for python-uv-build in Fedora 42 Initial packages for a number of new dependencies for ruff and uv Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1 Update openapi-python-client to 0.26.2 and patch it to allow ruff 0.14 -------------------------------------------------------------------------------- ChangeLog: * Mon Oct 20 2025 Benjamin A. Beasley - 0.7.0-1 - Initial package (close RHBZ#2398141) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2360699 - ruff-0.14.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2360699 [ 2 ] Bug #2402441 - rust-reqsign-core-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402441 [ 3 ] Bug#2402442 - rust-reqsign-command-execute-tokio-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402442 [ 4 ] Bug #2402443 - rust-reqsign-http-send-reqwest-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402443 [ 5 ] Bug #2402881 - python-uv-build-0.9.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402881 [ 6 ] Bug #2402923 - uv-0.9.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402923 [ 7 ] Bug #2405474 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2405474 [ 8 ] Bug #2405476 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2405476 [ 9 ] Bug #2406135 - ruff-0.14.2 is available https://bugzilla.redhat.com/show_bug.cgi?id=2406135 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-a77c1f005b' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Nov 03, 2025
•Important
Fedora
89
security advisoryfedoracriticalFedora 42: Important Advisory on CVE-2025-62518 for rust-reqsign Command
uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for CVE-2025-62518. ruff 0.14.2. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-a77c1f005b 2025-11-03 01:05:58.219415+00:00 -------------------------------------------------------------------------------- Name : rust-reqsign-command-execute-tokio Product : Fedora 42 Version : 2.0.0 Release : 1.fc42 URL : https://crates.io/crates/reqsign-command-execute-tokio Summary : Tokio-based command execution implementation for reqsign Description : Tokio-based command execution implementation for reqsign. -------------------------------------------------------------------------------- Update Information: uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for CVE-2025-62518. ruff 0.14.2 https://github.com/astral-sh/ruff/blob/0.14.2/CHANGELOG.md rust-astral-tokio-tar 0.5.6 Fixed a parser desynchronization vulnerability when reading tar archives that contain mismatched size information in PAX/ustar headers. This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx and CVE-2025-62518. Initial package for python-uv-build in Fedora 42 Initial packages for a number of new dependencies for ruff and uv Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1 Update openapi-python-client to 0.26.2 and patch it to allow ruff 0.14 -------------------------------------------------------------------------------- ChangeLog: * Thu Oct 23 2025 Benjamin A. Beasley - 2.0.0-1 - Update to version 2.0.0; Fixes RHBZ#2402442 * Thu Oct 2 2025 Benjamin A. Beasley - 1.0.0-1 - Initial package (close RHBZ#2400111) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2360699 - ruff-0.14.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2360699 [ 2 ] Bug #2402441 - rust-reqsign-core-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402441 [ 3 ] Bug #2402442 - rust-reqsign-command-execute-tokio-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402442 [ 4 ] Bug #2402443 - rust-reqsign-http-send-reqwest-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402443 [ 5 ] Bug #2402881 - python-uv-build-0.9.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402881 [ 6 ] Bug #2402923 - uv-0.9.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402923 [ 7 ] Bug #2405474 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2405474 [ 8 ] Bug #2405476 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2405476 [ 9 ] Bug #2406135 - ruff-0.14.2 is available https://bugzilla.redhat.com/show_bug.cgi?id=2406135 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-a77c1f005b' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Nov 03, 2025
•Critical
Fedora
89
security advisoryfedoraimportantFedora 42: rust-quote-use CVE-2025-62518 Parser Desync Fix Released
uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for CVE-2025-62518. ruff 0.14.2. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-a77c1f005b 2025-11-03 01:05:58.219415+00:00 -------------------------------------------------------------------------------- Name : rust-quote-use Product : Fedora 42 Version : 0.8.4 Release : 2.fc42 URL : https://crates.io/crates/quote-use Summary : Support use in procmacros hygienically Description : Support `use` in procmacros hygienically. -------------------------------------------------------------------------------- Update Information: uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for CVE-2025-62518. ruff 0.14.2 https://github.com/astral-sh/ruff/blob/0.14.2/CHANGELOG.md rust-astral-tokio-tar 0.5.6 Fixed a parser desynchronization vulnerability when reading tar archives that contain mismatched size information in PAX/ustar headers. This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx and CVE-2025-62518. Initial package for python-uv-build in Fedora 42 Initial packages for a number of new dependencies for ruff and uv Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1 Update openapi-python-client to 0.26.2 and patch it to allow ruff 0.14 -------------------------------------------------------------------------------- ChangeLog: * Tue Oct 7 2025 Benjamin A. Beasley - 0.8.4-2 - Omit several unused dev-dependencies * Sat Oct 4 2025 Benjamin A. Beasley - 0.8.4-1 - Initial package (close RHBZ#2398057) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2360699 - ruff-0.14.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2360699 [ 2 ] Bug #2402441 -rust-reqsign-core-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402441 [ 3 ] Bug #2402442 - rust-reqsign-command-execute-tokio-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402442 [ 4 ] Bug #2402443 - rust-reqsign-http-send-reqwest-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402443 [ 5 ] Bug #2402881 - python-uv-build-0.9.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402881 [ 6 ] Bug #2402923 - uv-0.9.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402923 [ 7 ] Bug #2405474 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2405474 [ 8 ] Bug #2405476 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2405476 [ 9 ] Bug #2406135 - ruff-0.14.2 is available https://bugzilla.redhat.com/show_bug.cgi?id=2406135 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-a77c1f005b' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Nov 03, 2025
•Important
Fedora
89
security advisoryfedorasecurity fixFedora 42: rust-interpolator Security Fix CVE-2025-62518 Advisory
uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for CVE-2025-62518. ruff 0.14.2. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-a77c1f005b 2025-11-03 01:05:58.219415+00:00 -------------------------------------------------------------------------------- Name : rust-interpolator Product : Fedora 42 Version : 0.5.0 Release : 3.fc42 URL : https://crates.io/crates/interpolator Summary : Runtime format strings, fully compatible with std's macros Description : Runtime format strings, fully compatible with std's macros. -------------------------------------------------------------------------------- Update Information: uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for CVE-2025-62518. ruff 0.14.2 https://github.com/astral-sh/ruff/blob/0.14.2/CHANGELOG.md rust-astral-tokio-tar 0.5.6 Fixed a parser desynchronization vulnerability when reading tar archives that contain mismatched size information in PAX/ustar headers. This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx and CVE-2025-62518. Initial package for python-uv-build in Fedora 42 Initial packages for a number of new dependencies for ruff and uv Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1 Update openapi-python-client to 0.26.2 and patch it to allow ruff 0.14 -------------------------------------------------------------------------------- ChangeLog: * Sat Oct 4 2025 Benjamin A. Beasley - 0.5.0-3 - Omit some unnecessary dev-dependencies * Sat Oct 4 2025 Benjamin A. Beasley - 0.5.0-2 - No longer allow proptest-derive 0.5 * Thu Oct 2 2025 Benjamin A. Beasley - 0.5.0-1 - Initial package (close RHBZ#2398112) -------------------------------------------------------------------------------- References: [ 1 ]Bug #2360699 - ruff-0.14.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2360699 [ 2 ] Bug #2402441 - rust-reqsign-core-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402441 [ 3 ] Bug #2402442 - rust-reqsign-command-execute-tokio-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402442 [ 4 ] Bug #2402443 - rust-reqsign-http-send-reqwest-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402443 [ 5 ] Bug #2402881 - python-uv-build-0.9.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402881 [ 6 ] Bug #2402923 - uv-0.9.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402923 [ 7 ] Bug #2405474 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2405474 [ 8 ] Bug #2405476 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2405476 [ 9 ] Bug #2406135 - ruff-0.14.2 is available https://bugzilla.redhat.com/show_bug.cgi?id=2406135 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-a77c1f005b' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Nov 03, 2025
•Important
Fedora
89
security advisoryfedoracriticalFedora 42: rust-manyhow-macros Critical Parser Desync CVE-2025-62518
uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for CVE-2025-62518. ruff 0.14.2. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-a77c1f005b 2025-11-03 01:05:58.219415+00:00 -------------------------------------------------------------------------------- Name : rust-manyhow-macros Product : Fedora 42 Version : 0.11.4 Release : 1.fc42 URL : https://crates.io/crates/manyhow-macros Summary : Macro for manyhow Description : Macro for manyhow. -------------------------------------------------------------------------------- Update Information: uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for CVE-2025-62518. ruff 0.14.2 https://github.com/astral-sh/ruff/blob/0.14.2/CHANGELOG.md rust-astral-tokio-tar 0.5.6 Fixed a parser desynchronization vulnerability when reading tar archives that contain mismatched size information in PAX/ustar headers. This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx and CVE-2025-62518. Initial package for python-uv-build in Fedora 42 Initial packages for a number of new dependencies for ruff and uv Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1 Update openapi-python-client to 0.26.2 and patch it to allow ruff 0.14 -------------------------------------------------------------------------------- ChangeLog: * Thu Oct 2 2025 Benjamin A. Beasley - 0.11.4-1 - Initial package (close RHBZ#2398059) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2360699 - ruff-0.14.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2360699 [ 2 ] Bug #2402441 - rust-reqsign-core-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402441 [ 3 ] Bug #2402442 -rust-reqsign-command-execute-tokio-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402442 [ 4 ] Bug #2402443 - rust-reqsign-http-send-reqwest-2.0.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402443 [ 5 ] Bug #2402881 - python-uv-build-0.9.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402881 [ 6 ] Bug #2402923 - uv-0.9.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2402923 [ 7 ] Bug #2405474 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2405474 [ 8 ] Bug #2405476 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2405476 [ 9 ] Bug #2406135 - ruff-0.14.2 is available https://bugzilla.redhat.com/show_bug.cgi?id=2406135 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-a77c1f005b' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Nov 03, 2025
•Critical
Fedora
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!