--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f400579a21
2026-02-10 01:31:32.937525+00:00
--------------------------------------------------------------------------------

Name        : uv
Product     : Fedora 43
Version     : 0.9.30
Release     : 2.fc43
URL         : https://github.com/astral-sh/uv
Summary     : An extremely fast Python package installer and resolver, written in Rust
Description :
An extremely fast Python package and project manager, written in Rust.

Highlights:

  • A single tool to replace pip, pip-tools, pipx, poetry, pyenv, twine,
    virtualenv, and more.
  • 10-100x faster than pip.
  • Provides comprehensive project management, with a universal lockfile.
  • Runs scripts, with support for inline dependency metadata.
  • Installs and manages Python versions.
  • Runs and installs tools published as Python packages.
  • Includes a pip-compatible interface for a performance boost with a familiar
    CLI.
  • Supports Cargo-style workspaces for scalable projects.
  • Disk-space efficient, with a global cache for dependency deduplication.

--------------------------------------------------------------------------------
Update Information:

Update the time crate to version 0.3.47.
Update the time-macros crate to version 0.2.27.
Update the time-core crate to version 0.1.8.
Update the num-conv crate to version 0.2.0.
Update the git2 crate to version 0.20.4.
Update the bytes crate to version 1.11.1.
Additionally, this update contains rebuilds of applications affected by security
advisories:
bytes: RUSTSEC-2026-0007
git2: RUSTSEC-2026-0008
jsonwebtoken: CVE-2026-25537
time: RUSTSEC-2026-0009
All applications that statically link libgit2 via the git2 Rust bindings were
also rebuilt against the latest version of the git2 / libgit2-sys crates to pull
in fixes included in libgit2 between v1.8.1 and v1.9.2.
--------------------------------------------------------------------------------
ChangeLog:

* Sun Feb  8 2026 Benjamin A. Beasley <[email protected]> - 0.9.30-2
- Rebuilt with jsonwebtoken patched for CVE-2026-25537
- Fixes RHBZ#2437472; fixes RHBZ#2437467; fixes RHBZ#2437461
* Thu Feb  5 2026 Benjamin A. Beasley <[email protected]> - 0.9.30-1
- Update to 0.9.30 (close RHBZ#2437002)
* Wed Feb  4 2026 Benjamin A. Beasley <[email protected]> - 0.9.29-1
- Update to 0.9.29 (close RHBZ#2436550)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2437470 - CVE-2026-25537 rust-jsonwebtoken: jsonwebtoken has Type Confusion that leads to potential authorization bypass [fedora-43]
        https://bugzilla.redhat.com/show_bug.cgi?id=2437470
  [ 2 ] Bug #2437472 - CVE-2026-25537 uv: jsonwebtoken has Type Confusion that leads to potential authorization bypass [fedora-43]
        https://bugzilla.redhat.com/show_bug.cgi?id=2437472
  [ 3 ] Bug #2438104 - CVE-2026-25727 atuin: time affected by a stack exhaustion denial of service attack [fedora-43]
        https://bugzilla.redhat.com/show_bug.cgi?id=2438104
  [ 4 ] Bug #2438135 - CVE-2026-25727 keylime-agent-rust: time affected by a stack exhaustion denial of service attack [fedora-43]
        https://bugzilla.redhat.com/show_bug.cgi?id=2438135
  [ 5 ] Bug #2438138 - CVE-2026-25727 maturin: time affected by a stack exhaustion denial of service attack [fedora-43]
        https://bugzilla.redhat.com/show_bug.cgi?id=2438138
  [ 6 ] Bug #2438149 - CVE-2026-25727 rustup: time affected by a stack exhaustion denial of service attack [fedora-43]
        https://bugzilla.redhat.com/show_bug.cgi?id=2438149
  [ 7 ] Bug #2438158 - CVE-2026-25727 tbtools: time affected by a stack exhaustion denial of service attack [fedora-43]
        https://bugzilla.redhat.com/show_bug.cgi?id=2438158
  [ 8 ] Bug #2438164 - CVE-2026-25727 tuigreet: time affected by a stack exhaustion denial of service attack [fedora-43]
        https://bugzilla.redhat.com/show_bug.cgi?id=2438164
  [ 9 ] Bug #2438165 - CVE-2026-25727 uv: time affected by a stack exhaustion denial of service attack [fedora-43]
        https://bugzilla.redhat.com/show_bug.cgi?id=2438165
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f400579a21' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

-- 
_______________________________________________
package-announce mailing list -- [email protected]