Hi Fabio,

On Tue, May 12, 2026 at 1:24 AM Fabio Valentini <[email protected]> wrote:
> Hi all,
>
> A number of security issues in two "widely-used" Rust crates have been
> published recently:
>
> - openssl (Rust bindings for OpenSSL): CVE-2026-41676, CVE-2026-41677,
>   CVE-2026-41678, CVE-2026-41681, CVE-2026-41898, CVE-2026-42327,
>   CVE-2026-44662
> - sequoia-openpgp (our favourite OpenPGP implementation):
>   CVE-2026-42783, CVE-2026-42784, and CVE-requested-but-not-assigned-yet
>
> I am currently processing the package rebuilds that are necessary for
> applications to pick up these fixes (yay, static linking).
>
> The rebuilds for sequoia-openpgp 2.3.0 are done:
> https://bodhi.fedoraproject.org/updates/?search=rust-sequoia-openpgp-2.3.0
> These were also built against the latest version of the "openssl" crate.
>
> The rebuilds for fixes included in "openssl" 0.10.78 / 0.10.79 are
> still running and I will submit them to bodhi as they finish.
>
> I am handling rebuilds of all packages that I maintain, co-maintain,
> or where the Rust SIG is co-maintainer. Maintainers of packages in
> none of these three categories will need to check whether their
> packages are affected and rebuild them themselves. This includes:
>
> - aw-server-rust
> - awatcher
> - clevis-pin-tpm2
> - clevis-pin-trustee
> - envision
> - fido-device-onboard
> - keyring-ima-signer
> - krun-awsnitro-eif-ctl
> - python-cryptography
> - s390utils
> - trustee
> - trustee-guest-components
> - virt-firmware-rs
>
> I am also unable to address this issue in (almost all) packages that
> vendor their Rust dependencies:
>
> - 389-ds-base

For the record, 389-ds-base is not affected because it uses NSS as the primary crypto library. The openssl crate is used only by the pwdchan plugin for PBKDF2 password hashing. That said, we will rebuild the package to include bug fixes and bump the openssl crate version.

> - arapuca
> - bcvk
> - bootc
> - bpfman
> - chunkah
> - cosmic-settings-daemon
> - fractal
> - goose
> - rpm-ostree
> - rust-bootupd
> - rust-zincati
> - trunk
> - vaultwarden
>
> Fabio
>
> ---
>
> Advisories for the "openssl" crate:
>
> - CVE-2026-41676:
>   https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-pqf5-4pqq-29f5
> - CVE-2026-41677:
>   https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xmgf-hq76-4vx2
> - CVE-2026-41678:
>   https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-8c75-8mhr-p7r9
> - CVE-2026-41681:
>   https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-ghm9-cr32-g9qj
> - CVE-2026-41898:
>   https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-hppc-g8h3-xhp3
> - CVE-2026-42327:
>   https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xp3w-r5p5-63rr
> - CVE-2026-44662:
>   https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xv59-967r-8726
>
> NEWS for version 2.3.0 of the "sequoia-openpgp" crate:
> https://gitlab.com/sequoia-pgp/sequoia/-/raw/openpgp/v2.3.0/openpgp/NEWS
> --
> _______________________________________________
> devel mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://forge.fedoraproject.org/infra/tickets/issues/new

--
Viktor
