Hi all,

A number of security issues in two "widely-used" Rust crates have been published recently:

- openssl (Rust bindings for OpenSSL): CVE-2026-41676, CVE-2026-41677, CVE-2026-41678, CVE-2026-41681, CVE-2026-41898, CVE-2026-42327, CVE-2026-44662
- sequoia-openpgp (our favourite OpenPGP implementation): CVE-2026-42783, CVE-2026-42784, and CVE-requested-but-not-assigned-yet

I am currently processing the package rebuilds that are necessary for applications to pick up these fixes (yay, static linking).

The rebuilds for sequoia-openpgp 2.3.0 are done:
https://bodhi.fedoraproject.org/updates/?search=rust-sequoia-openpgp-2.3.0

These were also built against the latest version of the "openssl" crate. The rebuilds for fixes included in "openssl" 0.10.78 / 0.10.79 are still running and I will submit them to bodhi as they finish.

I am handling rebuilds of all packages that I maintain, co-maintain, or where the Rust SIG is co-maintainer. Maintainers of packages in none of these three categories will need to check whether their packages are affected and rebuild them themselves. This includes:

- aw-server-rust
- awatcher
- clevis-pin-tpm2
- clevis-pin-trustee
- envision
- fido-device-onboard
- keyring-ima-signer
- krun-awsnitro-eif-ctl
- python-cryptography
- s390utils
- trustee
- trustee-guest-components
- virt-firmware-rs

I am also unable to address this issue in (almost all) packages that vendor their Rust dependencies:

- 389-ds-base
- arapuca
- bcvk
- bootc
- bpfman
- chunkah
- cosmic-settings-daemon
- fractal
- goose
- rpm-ostree
- rust-bootupd
- rust-zincati
- trunk
- vaultwarden

Fabio

---

Advisories for the "openssl" crate:

- CVE-2026-41676: https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-pqf5-4pqq-29f5
- CVE-2026-41677: https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xmgf-hq76-4vx2
- CVE-2026-41678: https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-8c75-8mhr-p7r9
- CVE-2026-41681: https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-ghm9-cr32-g9qj
- CVE-2026-41898: https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-hppc-g8h3-xhp3
- CVE-2026-42327: https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xp3w-r5p5-63rr
- CVE-2026-44662: https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xv59-967r-8726

NEWS for version 2.3.0 of the "sequoia-openpgp" crate:
https://gitlab.com/sequoia-pgp/sequoia/-/raw/openpgp/v2.3.0/openpgp/NEWS
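One way to do the check the message asks of maintainers, as an added example that is not part of the original email or of any Fedora tooling: scan a package's Cargo.lock (including a vendored one) for the two crates and report entries locked below the releases named above. The cut-off versions (openssl 0.10.79, sequoia-openpgp 2.3.0) and the sample lock file are this example's assumptions.

```python
import re
# Releases the announcement names as carrying the fixes: openssl 0.10.78/0.10.79
# and sequoia-openpgp 2.3.0. Flagging anything below the newest named release
# is this example's assumption, not a statement taken from the advisories.
FIXED_MINIMUM = {"openssl": "0.10.79", "sequoia-openpgp": "2.3.0"}

def parse_version(v):
    """'0.10.78' -> (0, 10, 78); pre-release/build suffixes are ignored."""
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    return tuple(int(p) for p in core.split("."))

def parse_cargo_lock(text):
    """Yield (name, version) for each [[package]] table in a Cargo.lock.
    Only name/version are needed, so a line scanner replaces a TOML parser."""
    entry = {}
    for line in text.splitlines():
        line = line.strip()
        if line == "[[package]]":          # header closes the previous entry
            if "name" in entry and "version" in entry:
                yield entry["name"], entry["version"]
            entry = {}
            continue
        m = re.match(r'^(name|version)\s*=\s*"([^"]+)"$', line)
        if m:
            entry[m.group(1)] = m.group(2)
    if "name" in entry and "version" in entry:
        yield entry["name"], entry["version"]

def affected_packages(lock_text, minimums=FIXED_MINIMUM):
    """Return [(crate, locked_version, fixed_version)] for crates below the fix."""
    return [(n, v, minimums[n]) for n, v in parse_cargo_lock(lock_text)
            if n in minimums and parse_version(v) < parse_version(minimums[n])]

# Constructed sample lock file (not taken from any real package); openssl-sys
# shares a prefix with openssl but is a different crate and must not be flagged.
SAMPLE_LOCK = """\
[[package]]
name = "openssl"
version = "0.10.73"
[[package]]
name = "openssl-sys"
version = "0.9.100"
[[package]]
name = "sequoia-openpgp"
version = "2.2.0"
"""

if __name__ == "__main__":
    for crate, locked, fixed in affected_packages(SAMPLE_LOCK):
        print(f"{crate} {locked} < {fixed}: rebuild needed after updating the crate")
```

Point it at the real Cargo.lock of a package (or its vendored copy) instead of SAMPLE_LOCK; an empty result means neither crate is locked below the named releases, not that the build has been redone.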
