On 26-05-12 01:22, Fabio Valentini wrote:
Hi all,

A number of security issues in two "widely-used" Rust crates have been
published recently:

- openssl (Rust bindings for OpenSSL): CVE-2026-41676, CVE-2026-41677,
CVE-2026-41678, CVE-2026-41681, CVE-2026-41898, CVE-2026-42327,
CVE-2026-44662
- sequoia-openpgp (our favourite OpenPGP implementation):
CVE-2026-42783, CVE-2026-42784, and CVE-requested-but-not-assigned-yet

I am currently processing the package rebuilds that are necessary for
applications to pick up these fixes (yay, static linking).

The rebuilds for sequoia-openpgp 2.3.0 are done:
https://bodhi.fedoraproject.org/updates/?search=rust-sequoia-openpgp-2.3.0
These were also built against the latest version of the "openssl" crate.

The rebuilds for fixes included in "openssl" 0.10.78 / 0.10.79 are
still running and I will submit them to bodhi as they finish.

I am handling rebuilds of all packages that I maintain, co-maintain,
or where the Rust SIG is co-maintainer. Maintainers of packages in
none of these three categories will need to check whether their
packages are affected and rebuild them themselves. This includes:

- aw-server-rust
- awatcher
- clevis-pin-tpm2
- clevis-pin-trustee
- envision
- fido-device-onboard
- keyring-ima-signer
- krun-awsnitro-eif-ctl
- python-cryptography
- s390utils
- trustee
- trustee-guest-components
- virt-firmware-rs

Hi,
thanks for notifying. The updates for aw-server-rust and awatcher are
pending now.
--
Łukasz