The following Fedora EPEL 10.1 Security updates need testing:
Age URL
2 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-39f8ab7cb7
nextcloud-31.0.9-1.el10_1
1 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-829b789d0e
python-nh3-0.2.21-2.el10_1 rust-ammonia-4.0.1-1.el10_1
1 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-569bc4dd06
bird-3.1.4-1.el10_1
The following builds have been pushed to Fedora EPEL 10.1 updates-testing
hatch-1.14.2-1.el10_1
ruff-0.11.13-3.el10_1
rust-astral-tokio-tar-0.5.5-1.el10_1
uv-0.8.11-4.el10_1
Details about builds:
================================================================================
hatch-1.14.2-1.el10_1 (FEDORA-EPEL-2025-ebe0dbd8e4)
A modern project, package, and virtual env manager
--------------------------------------------------------------------------------
Update Information:
1.14.2 - 2025-09-24
Fixed:
Fix compatibility with recent versions of Click
--------------------------------------------------------------------------------
ChangeLog:
* Wed Sep 24 2025 Benjamin A. Beasley <[email protected]> - 1.14.2-1
- Update to 1.14.2 (close RHBZ#2397757)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2397757 - hatch-1.14.2 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2397757
--------------------------------------------------------------------------------
================================================================================
ruff-0.11.13-3.el10_1 (FEDORA-EPEL-2025-c1a61d7d24)
Extremely fast Python linter and code formatter
--------------------------------------------------------------------------------
Update Information:
Update to 0.11.13
https://github.com/astral-sh/ruff/releases/tag/0.11.13
https://github.com/astral-sh/ruff/releases/tag/0.11.12
https://github.com/astral-sh/ruff/releases/tag/0.11.11
https://github.com/astral-sh/ruff/releases/tag/0.11.10
https://github.com/astral-sh/ruff/releases/tag/0.11.9
https://github.com/astral-sh/ruff/releases/tag/0.11.8
https://github.com/astral-sh/ruff/releases/tag/0.11.7
https://github.com/astral-sh/ruff/releases/tag/0.11.6
--------------------------------------------------------------------------------
ChangeLog:
* Wed Sep 24 2025 Benjamin A. Beasley <[email protected]> - 0.11.13-3
- Patch `find_ruff_bin()` to find the system-wide ruff executable
* Wed Sep 24 2025 Benjamin A. Beasley <[email protected]> - 0.11.13-2
- Flaky salsa tests are flaky on ppc64le, too
* Sat Sep 20 2025 Benjamin A. Beasley <[email protected]> - 0.11.13-1
- Update to 0.11.13
* Sat Sep 20 2025 Benjamin A. Beasley <[email protected]> - 0.11.12-1
- Update to 0.11.12
* Sat Sep 20 2025 Benjamin A. Beasley <[email protected]> - 0.11.11-1
- Update to 0.11.11
* Sat Sep 20 2025 Benjamin A. Beasley <[email protected]> - 0.11.10-1
- Update to 0.11.10
* Sat Sep 20 2025 Benjamin A. Beasley <[email protected]> - 0.11.9-5
- Skip additional related flaky tests in salsa on s390x
* Sat Sep 20 2025 Benjamin A. Beasley <[email protected]> - 0.11.9-4
- Remove bundled, pre-compiled mermaid.js to prove it is unused
* Sat Sep 20 2025 Benjamin A. Beasley <[email protected]> - 0.11.9-3
- Validate hashes/versions in %prep so that mismatches are detected quickly
* Sat Sep 20 2025 Benjamin A. Beasley <[email protected]> - 0.11.9-2
- Validate salsa version against source
* Sat Sep 20 2025 Benjamin A. Beasley <[email protected]> - 0.11.9-1
- Update to 0.11.9
* Sat Sep 20 2025 Benjamin A. Beasley <[email protected]> - 0.11.8-3
- No longer limit the number of test threads
* Sat Sep 20 2025 Benjamin A. Beasley <[email protected]> - 0.11.8-2
- No longer need to skip
generate_cli_help::tests::test_generate_json_schema
* Sat Sep 20 2025 Benjamin A. Beasley <[email protected]> - 0.11.8-1
- Update to 0.11.8
* Sat Sep 20 2025 Benjamin A. Beasley <[email protected]> - 0.11.7-1
- Update to 0.11.7
* Sat Sep 20 2025 Benjamin A. Beasley <[email protected]> - 0.11.6-1
- Update to 0.11.6
* Sat Sep 20 2025 Benjamin A. Beasley <[email protected]> - 0.11.5-9
- Update packaging style to parallel that of uv
- Package CHANGELOG.md as documentation; do not package CODE_OF_CONDUCT.md
or CONTRIBUTING.md since they pertain to upstream development
- Split out the importable Python module into a separate python3-ruff
subpackage
- Follow upstream in using the jemalloc allocator
* Fri Sep 19 2025 Python Maint <[email protected]> - 0.11.5-8
- Rebuilt for Python 3.14.0rc3 bytecode
* Tue Sep 2 2025 Fabio Valentini <[email protected]> - 0.11.5-7
- Rebuild with tracing-subscriber v0.3.20 for CVE-2025-58160
* Fri Aug 15 2025 Python Maint <[email protected]> - 0.11.5-6
- Rebuilt for Python 3.14.0rc2 bytecode
--------------------------------------------------------------------------------
================================================================================
rust-astral-tokio-tar-0.5.5-1.el10_1 (FEDORA-EPEL-2025-9b9bfff5fa)
Rust implementation of an async TAR file reader and writer
--------------------------------------------------------------------------------
Update Information:
Security update for path traversal CVE-2025-59825 / GHSA-3wgq-wrwc-vqmv.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Sep 24 2025 Benjamin A. Beasley <[email protected]> - 0.5.5-1
- Update to version 0.5.5; fixes RHBZ#2397644
- Security fix for CVE-2025-59825 / GHSA-3wgq-wrwc-vqmv
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2397714 - CVE-2025-59825 rust-astral-tokio-tar: astral-tokio-tar
path traversal [epel-10]
https://bugzilla.redhat.com/show_bug.cgi?id=2397714
[ 2 ] Bug #2397715 - CVE-2025-59825 uv: astral-tokio-tar path traversal
[epel-10]
https://bugzilla.redhat.com/show_bug.cgi?id=2397715
--------------------------------------------------------------------------------
================================================================================
uv-0.8.11-4.el10_1 (FEDORA-EPEL-2025-9b9bfff5fa)
An extremely fast Python package installer and resolver, written in Rust
--------------------------------------------------------------------------------
Update Information:
Security update for path traversal CVE-2025-59825 / GHSA-3wgq-wrwc-vqmv.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Sep 24 2025 Benjamin A. Beasley <[email protected]> - 0.8.11-4
- Rebuilt with astral-tokio-tar version 0.5.5
- Security fix for path traversal CVE-2025-59825 / GHSA-3wgq-wrwc-vqmv
* Fri Sep 19 2025 Python Maint <[email protected]> - 0.8.11-3
- Rebuilt for Python 3.14.0rc3 bytecode
* Tue Sep 2 2025 Benjamin A. Beasley <[email protected]> - 0.8.11-2
- Rebuilt with rust-tracing-subscriber-0.3.20
- Fixes CVE-2025-58160: fixes RHBZ#2392055, fixes RHBZ#2392012, fixes
RHBZ#2391975
* Sat Aug 16 2025 Benjamin A. Beasley <[email protected]> - 0.8.11-1
- Update to 0.8.11 (close RHBZ#2388413)
* Sat Aug 16 2025 Benjamin A. Beasley <[email protected]> - 0.8.10-1
- Update to 0.8.10
* Fri Aug 15 2025 Python Maint <[email protected]> - 0.8.9-2
- Rebuilt for Python 3.14.0rc2 bytecode
* Wed Aug 13 2025 Benjamin A. Beasley <[email protected]> - 0.8.9-1
- Update to 0.8.9 (close RHBZ#2387762)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2397714 - CVE-2025-59825 rust-astral-tokio-tar: astral-tokio-tar
path traversal [epel-10]
https://bugzilla.redhat.com/show_bug.cgi?id=2397714
[ 2 ] Bug #2397715 - CVE-2025-59825 uv: astral-tokio-tar path traversal
[epel-10]
https://bugzilla.redhat.com/show_bug.cgi?id=2397715
--------------------------------------------------------------------------------
--
_______________________________________________
epel-devel mailing list -- [email protected]