Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-uv for openSUSE:Factory checked in at 2025-10-22 12:17:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-uv (Old) and /work/SRC/openSUSE:Factory/.python-uv.new.18484 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-uv" Wed Oct 22 12:17:37 2025 rev:58 rq:1313007 version:0.9.5 Changes: -------- --- /work/SRC/openSUSE:Factory/python-uv/python-uv.changes 2025-10-21 11:16:15.694392492 +0200 +++ /work/SRC/openSUSE:Factory/.python-uv.new.18484/python-uv.changes 2025-10-22 12:23:24.129463092 +0200 
@@ -1,0 +2,36 @@ +Wed Oct 22 05:48:12 UTC 2025 - Daniel Garcia <[email protected]> + +- update to 0.9.5 (bsc#1252399, CVE-2025-62518) + This release contains an upgrade to astral-tokio-tar, which addresses + a vulnerability in tar extraction on malformed archives with + mismatching size information between the ustar header and PAX + extensions. While the astral-tokio-tar advisory has been graded as + "high" due its potential broader impact, the specific impact to uv is + low due to a lack of novel attacker capability. Specifically, uv only + processes tar archives from source distributions, which already + possess the capability for full arbitrary code execution by design, + meaning that an attacker gains no additional capabilities through + astral-tokio-tar. + + Regardless, we take the hypothetical risk of parser differentials very + seriously. Out of an abundance of caution, we have assigned this + upgrade an advisory: + https://github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9 + + * Security + * Upgrade astral-tokio-tar to 0.5.6 to address a parsing + differential (#16387) + * Enhancements + * Add required environment marker example to hint (#16244) + * Fix typo in MissingTopLevel warning (#16351) + * Improve 403 Forbidden error message to indicate package may not + exist (#16353) + * Add a hint on uv pip install failure if the --system flag is + used to select an externally managed interpreter (#16318) + * Bug fixes + * Fix backtick escaping for PowerShell (#16307) + * Documentation + * Document metadata consistency expectation (#15683) + * Remove outdated aarch64 musl note (#16385) + +------------------------------------------------------------------- Old: ---- python-uv-0.9.4.tar.gz New: ---- python-uv-0.9.5.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-uv.spec ++++++ --- /var/tmp/diff_new_pack.IyOSA7/_old 2025-10-22 12:23:27.637610908 +0200 +++ 
/var/tmp/diff_new_pack.IyOSA7/_new 2025-10-22 12:23:27.637610908 +0200 @@ -1,7 +1,6 @@ # # spec file for package python-uv # -# Copyright (c) 2025 SUSE LLC # Copyright (c) 2025 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties @@ -34,7 +33,7 @@ %bcond_without libalternatives %{?sle15_python_module_pythons} Name: python-uv -Version: 0.9.4 +Version: 0.9.5 Release: 0 Summary: A Python package installer and resolver, written in Rust License: Apache-2.0 OR MIT ++++++ python-uv-0.9.4.tar.gz -> python-uv-0.9.5.tar.gz ++++++ ++++ 2248 lines of diff (skipped) ++++++ vendor.tar.zst ++++++ /work/SRC/openSUSE:Factory/python-uv/vendor.tar.zst /work/SRC/openSUSE:Factory/.python-uv.new.18484/vendor.tar.zst differ: char 7, line 1
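Review bot: in the python-uv.changes hunk (@@ -1,0 +2,36 @@), the stated fix for CVE-2025-62518 is an upgrade of astral-tokio-tar to 0.5.6, but that crate lives in vendor.tar.zst, which this submission only reports as "differ: char 7, line 1"; nothing in the spec diff pins or checks the dependency version. Before accepting, confirm that the Cargo.lock inside the new vendor tarball pins astral-tokio-tar at 0.5.6 (and that no second copy of the crate remains at an older version), since the changelog claim is otherwise unverifiable from this diff. The entry's own risk framing is consistent with the upstream advisory text it links (sdists already execute arbitrary code, so the parser differential adds no new capability for uv); that is worth keeping as-is because it explains why the package update is routine rather than urgent.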
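Review bot: the @@ -1,7 +1,6 @@ spec hunk removes the duplicate "# Copyright (c) 2025 SUSE LLC" header line, which is an unrelated cleanup that the python-uv.changes entry does not mention. Either add a short line to the changelog ("- Drop duplicated copyright header line") or keep the security update minimal and leave the cleanup for a separate submission, so the bsc#1252399 / CVE-2025-62518 change set stays easy to audit.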
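Review bot: the @@ -34,7 +33,7 @@ hunk bumps Version from 0.9.4 to 0.9.5 with Release: 0, which matches the tarball rename python-uv-0.9.4.tar.gz -> python-uv-0.9.5.tar.gz listed under Old/New; that is the expected shape for an upstream bump. Note that the 2248 skipped lines of upstream diff are not reviewed here, so the only evidence that tar extraction behaviour changed is the changelog text; a reviewer relying on this mail alone should at least spot-check the skipped diff for the astral-tokio-tar bump in the upstream Cargo.toml/Cargo.lock rather than trusting the summary.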
