The following Fedora EPEL 10.1 Security updates need testing:
 Age  URL
   4  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-5aefff4853   fluidsynth-2.4.8-2.el10_1
   2  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-a67eb81816   openbao-2.4.3-1.el10_1


The following builds have been pushed to Fedora EPEL 10.1 updates-testing

    nextcloud-32.0.1-1.el10_1
    rust-ambient-id-0.0.5-1.el10_1
    rust-astral-tokio-tar-0.5.6-1.el10_1
    rust-backon-1.6.0-1.el10_1
    rust-dlv-list-0.5.2-2.el10_1
    rust-dotenv-0.15.0-16.el10_1
    rust-half-2.7.1-2.el10_1
    rust-macro_rules_attribute-0.2.2-2.el10_1
    rust-macro_rules_attribute-proc_macro-0.2.2-2.el10_1
    rust-ordered-multimap-0.7.3-2.el10_1
    rust-reqsign-0.17.0-1.el10_1
    rust-reqsign-aws-v4-1.0.0-1.el10_1
    rust-reqsign-command-execute-tokio-1.0.0-1.el10_1
    rust-reqsign-core-1.0.0-1.el10_1
    rust-reqsign-file-read-tokio-1.0.0-1.el10_1
    rust-reqsign-http-send-reqwest-1.0.0-1.el10_1
    rust-rust-ini-0.21.3-1.el10_1
    rust-secrecy-0.10.3-1.el10_1
    rust-tikv-jemalloc-sys-0.6.1-1.el10_1
    rust-tikv-jemallocator-0.6.1-1.el10_1
    uv-0.8.24-2.el10_1

Details about builds:


================================================================================
 nextcloud-32.0.1-1.el10_1 (FEDORA-EPEL-2025-bf3e0e8cde)
 Private file sync and share server
--------------------------------------------------------------------------------
Update Information:

32.0.1 release RHBZ#2399899
--------------------------------------------------------------------------------
ChangeLog:

* Sat Oct 25 2025 Andrew Bauer <[email protected]> - 32.0.1-1
- 32.0.1 release RHBZ#2399899
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2399899 - nextcloud-32.0.1 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2399899
--------------------------------------------------------------------------------


================================================================================
 rust-ambient-id-0.0.5-1.el10_1 (FEDORA-EPEL-2025-e6cbc78be8)
 Detects ambient OIDC credentials in a variety of environments
--------------------------------------------------------------------------------
Update Information:

uv 0.8.24
https://github.com/astral-sh/uv/blob/0.8.24/CHANGELOG.md
Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for
CVE-2025-62518.
rust-astral-tokio-tar 0.5.6
Fixed a parser desynchronization vulnerability when reading tar archives that
  contain mismatched size information in PAX/ustar headers.
This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx
and CVE-2025-62518.
Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1.
Initial packages for a number of new dependencies for uv, and initial EPEL10
packages for a few of their dependencies.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep 26 2025 Benjamin A. Beasley <[email protected]> - 0.0.5-1
- Initial package (close RHBZ#2396331)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2405468 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405468
  [ 2 ] Bug #2405469 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405469
--------------------------------------------------------------------------------


================================================================================
 rust-astral-tokio-tar-0.5.6-1.el10_1 (FEDORA-EPEL-2025-e6cbc78be8)
 Rust implementation of an async TAR file reader and writer
--------------------------------------------------------------------------------
Update Information:

uv 0.8.24
https://github.com/astral-sh/uv/blob/0.8.24/CHANGELOG.md
Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for
CVE-2025-62518.
rust-astral-tokio-tar 0.5.6
Fixed a parser desynchronization vulnerability when reading tar archives that
  contain mismatched size information in PAX/ustar headers.
This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx
and CVE-2025-62518.
Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1.
Initial packages for a number of new dependencies for uv, and initial EPEL10
packages for a few of their dependencies.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Oct 21 2025 Benjamin A. Beasley <[email protected]> - 0.5.6-1
- Update to version 0.5.6; Fixes RHBZ#2405351
- Security fix for CVE-2025-62518
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2405468 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405468
  [ 2 ] Bug #2405469 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405469
--------------------------------------------------------------------------------


================================================================================
 rust-backon-1.6.0-1.el10_1 (FEDORA-EPEL-2025-e6cbc78be8)
 Make retry like a built-in feature provided by Rust
--------------------------------------------------------------------------------
Update Information:

uv 0.8.24
https://github.com/astral-sh/uv/blob/0.8.24/CHANGELOG.md
Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for
CVE-2025-62518.
rust-astral-tokio-tar 0.5.6
Fixed a parser desynchronization vulnerability when reading tar archives that
  contain mismatched size information in PAX/ustar headers.
This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx
and CVE-2025-62518.
Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1.
Initial packages for a number of new dependencies for uv, and initial EPEL10
packages for a few of their dependencies.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Oct 20 2025 Benjamin A. Beasley <[email protected]> - 1.6.0-1
- Update to version 1.6.0; Fixes RHBZ#2404917
* Thu Aug 21 2025 Benjamin A. Beasley <[email protected]> - 1.5.2-2
- Drop unnecessary sqlx dev-dependency
* Wed Jul 30 2025 Fabio Valentini <[email protected]> - 1.5.2-1
- Update to version 1.5.2; Fixes RHBZ#2384769
* Fri Jul 25 2025 Fedora Release Engineering <[email protected]> - 1.5.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Thu Jun 19 2025 Fabio Valentini <[email protected]> - 1.5.1-1
- Update to version 1.5.1
* Wed Apr 23 2025 Fabio Valentini <[email protected]> - 1.5.0-3
- Drop WASM-specific features
* Tue Apr 22 2025 Fabio Valentini <[email protected]> - 1.5.0-2
- Fix invalid rust2rpm.toml, regenerate spec, relax spin dependency
* Sun Apr 20 2025 Andreas Schneider <[email protected]> - 1.5.0-1
- New package version 1.5.0
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2405468 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405468
  [ 2 ] Bug #2405469 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405469
--------------------------------------------------------------------------------


================================================================================
 rust-dlv-list-0.5.2-2.el10_1 (FEDORA-EPEL-2025-e6cbc78be8)
 Semi-doubly linked list implemented using a vector
--------------------------------------------------------------------------------
Update Information:

uv 0.8.24
https://github.com/astral-sh/uv/blob/0.8.24/CHANGELOG.md
Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for
CVE-2025-62518.
rust-astral-tokio-tar 0.5.6
Fixed a parser desynchronization vulnerability when reading tar archives that
  contain mismatched size information in PAX/ustar headers.
This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx
and CVE-2025-62518.
Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1.
Initial packages for a number of new dependencies for uv, and initial EPEL10
packages for a few of their dependencies.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 25 2025 Fedora Release Engineering <[email protected]> - 0.5.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Fri May  2 2025 Cristian Le <[email protected]> - 0.5.2-1
- Update to version 0.5.2; Fixes RHBZ#1989392
* Sun Jan 19 2025 Fedora Release Engineering <[email protected]> - 0.3.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Fri Jul 19 2024 Fedora Release Engineering <[email protected]> - 0.3.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Fri Jan 26 2024 Fedora Release Engineering <[email protected]> - 0.3.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2405468 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405468
  [ 2 ] Bug #2405469 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405469
--------------------------------------------------------------------------------


================================================================================
 rust-dotenv-0.15.0-16.el10_1 (FEDORA-EPEL-2025-e6cbc78be8)
 Dotenv implementation for Rust
--------------------------------------------------------------------------------
Update Information:

uv 0.8.24
https://github.com/astral-sh/uv/blob/0.8.24/CHANGELOG.md
Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for
CVE-2025-62518.
rust-astral-tokio-tar 0.5.6
Fixed a parser desynchronization vulnerability when reading tar archives that
  contain mismatched size information in PAX/ustar headers.
This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx
and CVE-2025-62518.
Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1.
Initial packages for a number of new dependencies for uv, and initial EPEL10
packages for a few of their dependencies.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 25 2025 Fedora Release Engineering <[email protected]> - 0.15.0-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Sun Jan 19 2025 Fedora Release Engineering <[email protected]> - 0.15.0-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Fri Sep 13 2024 Fabio Valentini <[email protected]> - 0.15.0-14
- Remove reference to readme file that is not included in published crates
* Fri Jul 19 2024 Fedora Release Engineering <[email protected]> - 0.15.0-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Fri Jan 26 2024 Fedora Release Engineering <[email protected]> - 0.15.0-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2405468 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405468
  [ 2 ] Bug #2405469 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405469
--------------------------------------------------------------------------------


================================================================================
 rust-half-2.7.1-2.el10_1 (FEDORA-EPEL-2025-8f085cabaf)
 Half-precision floating point f16 and bf16 types for Rust
--------------------------------------------------------------------------------
Update Information:

2.7.1 - 2025-10-13
Fixed
- loongarch64 lsx hardware intrinsics for f16 conversions now enabled only under
  nightly cargo feature, fixing compile errors on stable Rust.

2.7.0 - 2025-10-08
Changed
- zerocopy is now a required dependency. The optional zerocopy crate feature is
  deprecated. This change is to ensure better code safety and prevent potential
  unsound behavior.
- Git repository URL has changed due to GitHub user name change. Old URL is
  redirected.
Added
- New num-traits implementations: Signed for f16 and bf16.
- loongarch64 lsx hardware intrinsic support for f16 conversions.
- Implemented Weight trait from rand crate for f16 and bf16 with rand optional
  cargo feature.
Fixed
- min and max incorrectly propagate NaN values when self is NaN.
- Suppressed warnings from new unnecessary_transmutes lint.
Removed
- doc_auto_cfg feature has been removed from docs.rs documentation due to
  removal of rust feature.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Oct 24 2025 Benjamin A. Beasley <[email protected]> - 2.7.1-2
- Fix some CRLF-terminated files using dos2unix
* Fri Oct 24 2025 Benjamin A. Beasley <[email protected]> - 2.7.1-1
- Update to version 2.7.1; Fixes RHBZ#2402613
* Fri Jul 25 2025 Fedora Release Engineering <[email protected]> - 2.6.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
--------------------------------------------------------------------------------


================================================================================
 rust-macro_rules_attribute-0.2.2-2.el10_1 (FEDORA-EPEL-2025-e6cbc78be8)
 Use declarative macros in attribute or derive position
--------------------------------------------------------------------------------
Update Information:

uv 0.8.24
https://github.com/astral-sh/uv/blob/0.8.24/CHANGELOG.md
Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for
CVE-2025-62518.
rust-astral-tokio-tar 0.5.6
Fixed a parser desynchronization vulnerability when reading tar archives that
  contain mismatched size information in PAX/ustar headers.
This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx
and CVE-2025-62518.
Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1.
Initial packages for a number of new dependencies for uv, and initial EPEL10
packages for a few of their dependencies.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 25 2025 Fedora Release Engineering <[email protected]> - 0.2.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Tue Jun 10 2025 Alexander F. Lent <[email protected]> - 0.2.2-1
- Initial Import (rhbz#2358542).
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2405468 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405468
  [ 2 ] Bug #2405469 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405469
--------------------------------------------------------------------------------


================================================================================
 rust-macro_rules_attribute-proc_macro-0.2.2-2.el10_1 (FEDORA-EPEL-2025-e6cbc78be8)
 Use declarative macros as proc_macro attributes or derives
--------------------------------------------------------------------------------
Update Information:

uv 0.8.24
https://github.com/astral-sh/uv/blob/0.8.24/CHANGELOG.md
Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for
CVE-2025-62518.
rust-astral-tokio-tar 0.5.6
Fixed a parser desynchronization vulnerability when reading tar archives that
  contain mismatched size information in PAX/ustar headers.
This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx
and CVE-2025-62518.
Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1.
Initial packages for a number of new dependencies for uv, and initial EPEL10
packages for a few of their dependencies.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 25 2025 Fedora Release Engineering <[email protected]> - 0.2.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Tue Jun  3 2025 Alexander F. Lent <[email protected]> - 0.2.2-1
- Update macro_rules_attribute-proc_macro to 0.2.2
* Tue Jun  3 2025 Alexander F. Lent <[email protected]> - 0.2.0-1
- Initial Import (rhbz#2358541).
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2405468 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405468
  [ 2 ] Bug #2405469 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405469
--------------------------------------------------------------------------------


================================================================================
 rust-ordered-multimap-0.7.3-2.el10_1 (FEDORA-EPEL-2025-e6cbc78be8)
 Insertion ordered multimap
--------------------------------------------------------------------------------
Update Information:

uv 0.8.24
https://github.com/astral-sh/uv/blob/0.8.24/CHANGELOG.md
Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for
CVE-2025-62518.
rust-astral-tokio-tar 0.5.6
Fixed a parser desynchronization vulnerability when reading tar archives that
  contain mismatched size information in PAX/ustar headers.
This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx
and CVE-2025-62518.
Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1.
Initial packages for a number of new dependencies for uv, and initial EPEL10
packages for a few of their dependencies.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 25 2025 Fedora Release Engineering <[email protected]> - 0.7.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Thu May  1 2025 Cristian Le <[email protected]> - 0.7.3-1
- Update to version 0.7.3; Fixes RHBZ#1976416
* Sun Jan 19 2025 Fedora Release Engineering <[email protected]> - 0.4.3-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Sat Jul 20 2024 Fedora Release Engineering <[email protected]> - 0.4.3-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Fri Jan 26 2024 Fedora Release Engineering <[email protected]> - 0.4.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2405468 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405468
  [ 2 ] Bug #2405469 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405469
--------------------------------------------------------------------------------


================================================================================
 rust-reqsign-0.17.0-1.el10_1 (FEDORA-EPEL-2025-e6cbc78be8)
 Signing HTTP requests for popular cloud services
--------------------------------------------------------------------------------
Update Information:

uv 0.8.24
https://github.com/astral-sh/uv/blob/0.8.24/CHANGELOG.md
Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for
CVE-2025-62518.
rust-astral-tokio-tar 0.5.6
Fixed a parser desynchronization vulnerability when reading tar archives that
  contain mismatched size information in PAX/ustar headers.
This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx
and CVE-2025-62518.
Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1.
Initial packages for a number of new dependencies for uv, and initial EPEL10
packages for a few of their dependencies.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 22 2025 Benjamin A. Beasley <[email protected]> - 0.17.0-1
- Initial package (close RHBZ#2400218)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2405468 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405468
  [ 2 ] Bug #2405469 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405469
--------------------------------------------------------------------------------


================================================================================
 rust-reqsign-aws-v4-1.0.0-1.el10_1 (FEDORA-EPEL-2025-e6cbc78be8)
 Signing API requests without effort
--------------------------------------------------------------------------------
Update Information:

uv 0.8.24
https://github.com/astral-sh/uv/blob/0.8.24/CHANGELOG.md
Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for
CVE-2025-62518.
rust-astral-tokio-tar 0.5.6
Fixed a parser desynchronization vulnerability when reading tar archives that
  contain mismatched size information in PAX/ustar headers.
This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx
and CVE-2025-62518.
Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1.
Initial packages for a number of new dependencies for uv, and initial EPEL10
packages for a few of their dependencies.
--------------------------------------------------------------------------------
ChangeLog:

* Sat Oct 11 2025 Benjamin A. Beasley <[email protected]> - 1.0.0-1
- Initial package (close RHBZ#2400195)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2405468 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405468
  [ 2 ] Bug #2405469 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405469
--------------------------------------------------------------------------------


================================================================================
 rust-reqsign-command-execute-tokio-1.0.0-1.el10_1 (FEDORA-EPEL-2025-e6cbc78be8)
 Tokio-based command execution implementation for reqsign
--------------------------------------------------------------------------------
Update Information:

uv 0.8.24
https://github.com/astral-sh/uv/blob/0.8.24/CHANGELOG.md
Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for
CVE-2025-62518.
rust-astral-tokio-tar 0.5.6
Fixed a parser desynchronization vulnerability when reading tar archives that
  contain mismatched size information in PAX/ustar headers.
This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx
and CVE-2025-62518.
Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1.
Initial packages for a number of new dependencies for uv, and initial EPEL10
packages for a few of their dependencies.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Oct  2 2025 Benjamin A. Beasley <[email protected]> - 1.0.0-1
- Initial package (close RHBZ#2400111)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2405468 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405468
  [ 2 ] Bug #2405469 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405469
--------------------------------------------------------------------------------


================================================================================
 rust-reqsign-core-1.0.0-1.el10_1 (FEDORA-EPEL-2025-e6cbc78be8)
 Signing API requests without effort
--------------------------------------------------------------------------------
Update Information:

uv 0.8.24
https://github.com/astral-sh/uv/blob/0.8.24/CHANGELOG.md
Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for
CVE-2025-62518.
rust-astral-tokio-tar 0.5.6
Fixed a parser desynchronization vulnerability when reading tar archives that
  contain mismatched size information in PAX/ustar headers.
This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx
and CVE-2025-62518.
Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1.
Initial packages for a number of new dependencies for uv, and initial EPEL10
packages for a few of their dependencies.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 30 2025 Benjamin A. Beasley <[email protected]> - 1.0.0-1
- Initial package (close RHBZ#2400096)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2405468 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405468
  [ 2 ] Bug #2405469 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405469
--------------------------------------------------------------------------------


================================================================================
 rust-reqsign-file-read-tokio-1.0.0-1.el10_1 (FEDORA-EPEL-2025-e6cbc78be8)
 Signing API requests without effort
--------------------------------------------------------------------------------
Update Information:

uv 0.8.24
https://github.com/astral-sh/uv/blob/0.8.24/CHANGELOG.md
Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for
CVE-2025-62518.
rust-astral-tokio-tar 0.5.6
Fixed a parser desynchronization vulnerability when reading tar archives that
  contain mismatched size information in PAX/ustar headers.
This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx
and CVE-2025-62518.
Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1.
Initial packages for a number of new dependencies for uv, and initial EPEL10
packages for a few of their dependencies.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct  8 2025 Benjamin A. Beasley <[email protected]> - 1.0.0-1
- Initial package (close RHBZ#2400101)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2405468 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405468
  [ 2 ] Bug #2405469 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405469
--------------------------------------------------------------------------------


================================================================================
 rust-reqsign-http-send-reqwest-1.0.0-1.el10_1 (FEDORA-EPEL-2025-e6cbc78be8)
 Signing API requests without effort
--------------------------------------------------------------------------------
Update Information:

uv 0.8.24
https://github.com/astral-sh/uv/blob/0.8.24/CHANGELOG.md
Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for
CVE-2025-62518.
rust-astral-tokio-tar 0.5.6
Fixed a parser desynchronization vulnerability when reading tar archives that
  contain mismatched size information in PAX/ustar headers.
This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx
and CVE-2025-62518.
Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1.
Initial packages for a number of new dependencies for uv, and initial EPEL10
packages for a few of their dependencies.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Oct  2 2025 Benjamin A. Beasley <[email protected]> - 1.0.0-1
- Initial package (close RHBZ#2400100)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2405468 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405468
  [ 2 ] Bug #2405469 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405469
--------------------------------------------------------------------------------


================================================================================
 rust-rust-ini-0.21.3-1.el10_1 (FEDORA-EPEL-2025-e6cbc78be8)
 Ini configuration file parsing library in Rust
--------------------------------------------------------------------------------
Update Information:

uv 0.8.24
https://github.com/astral-sh/uv/blob/0.8.24/CHANGELOG.md
Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for
CVE-2025-62518.
rust-astral-tokio-tar 0.5.6
Fixed a parser desynchronization vulnerability when reading tar archives that
  contain mismatched size information in PAX/ustar headers.
This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx
and CVE-2025-62518.
Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1.
Initial packages for a number of new dependencies for uv, and initial EPEL10
packages for a few of their dependencies.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 22 2025 Fabio Valentini <[email protected]> - 0.21.3-1
- Update to version 0.21.3; Fixes RHBZ#2392154
* Fri Jul 25 2025 Fedora Release Engineering <[email protected]> - 0.21.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Tue Jul  8 2025 Fabio Valentini <[email protected]> - 0.21.2-1
- Update to version 0.21.2; Fixes RHBZ#2375939
* Thu May  1 2025 Cristian Le <[email protected]> - 0.21.1-1
- Update to version 0.21.1; Fixes RHBZ#2193253
* Sun Jan 19 2025 Fedora Release Engineering <[email protected]> - 0.18.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Sat Jul 20 2024 Fedora Release Engineering <[email protected]> - 0.18.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Fri Jan 26 2024 Fedora Release Engineering <[email protected]> - 0.18.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2405468 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405468
  [ 2 ] Bug #2405469 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405469
--------------------------------------------------------------------------------


================================================================================
 rust-secrecy-0.10.3-1.el10_1 (FEDORA-EPEL-2025-e6cbc78be8)
 Wrapper types and traits for secret management
--------------------------------------------------------------------------------
Update Information:

uv 0.8.24
https://github.com/astral-sh/uv/blob/0.8.24/CHANGELOG.md
Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for
CVE-2025-62518.
rust-astral-tokio-tar 0.5.6
Fixed a parser desynchronization vulnerability when reading tar archives that
  contain mismatched size information in PAX/ustar headers.
This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx
and CVE-2025-62518.
Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1.
Initial packages for a number of new dependencies for uv, and initial EPEL10
packages for a few of their dependencies.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Sep 18 2025 Benjamin A. Beasley <[email protected]> - 0.10.3-1
- Update to version 0.10.3; Fixes RHBZ#2313021
* Fri Jul 25 2025 Fedora Release Engineering <[email protected]> - 0.8.0-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Sun Jan 19 2025 Fedora Release Engineering <[email protected]> - 0.8.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Sat Jul 20 2024 Fedora Release Engineering <[email protected]> - 0.8.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Fri Jan 26 2024 Fedora Release Engineering <[email protected]> - 0.8.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2405468 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405468
  [ 2 ] Bug #2405469 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405469
--------------------------------------------------------------------------------


================================================================================
 rust-tikv-jemalloc-sys-0.6.1-1.el10_1 (FEDORA-EPEL-2025-e6cbc78be8)
 Rust FFI bindings to jemalloc
--------------------------------------------------------------------------------
Update Information:

uv 0.8.24
https://github.com/astral-sh/uv/blob/0.8.24/CHANGELOG.md
Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for
CVE-2025-62518.
rust-astral-tokio-tar 0.5.6
Fixed a parser desynchronization vulnerability when reading tar archives that
  contain mismatched size information in PAX/ustar headers.
This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx
and CVE-2025-62518.
Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1.
Initial packages for a number of new dependencies for uv, and initial EPEL10
packages for a few of their dependencies.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Oct 16 2025 Benjamin A. Beasley <[email protected]> - 0.6.1-1
- Update to version 0.6.1
* Fri Jul 25 2025 Fedora Release Engineering <[email protected]> - 0.6.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2405468 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405468
  [ 2 ] Bug #2405469 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405469
--------------------------------------------------------------------------------


================================================================================
 rust-tikv-jemallocator-0.6.1-1.el10_1 (FEDORA-EPEL-2025-e6cbc78be8)
 Rust allocator backed by jemalloc
--------------------------------------------------------------------------------
Update Information:

uv 0.8.24
https://github.com/astral-sh/uv/blob/0.8.24/CHANGELOG.md
Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for
CVE-2025-62518.
rust-astral-tokio-tar 0.5.6
Fixed a parser desynchronization vulnerability when reading tar archives that
  contain mismatched size information in PAX/ustar headers.
This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx
and CVE-2025-62518.
Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1.
Initial packages for a number of new dependencies for uv, and initial EPEL10
packages for a few of their dependencies.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Oct 16 2025 Benjamin A. Beasley <[email protected]> - 0.6.1-1
- Update to version 0.6.1; Fixes RHBZ#2404523
* Fri Jul 25 2025 Fedora Release Engineering <[email protected]> - 0.6.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2405468 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405468
  [ 2 ] Bug #2405469 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405469
--------------------------------------------------------------------------------


================================================================================
 uv-0.8.24-2.el10_1 (FEDORA-EPEL-2025-e6cbc78be8)
 An extremely fast Python package installer and resolver, written in Rust
--------------------------------------------------------------------------------
Update Information:

uv 0.8.24
https://github.com/astral-sh/uv/blob/0.8.24/CHANGELOG.md
Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for
CVE-2025-62518.
rust-astral-tokio-tar 0.5.6
Fixed a parser desynchronization vulnerability when reading tar archives that
  contain mismatched size information in PAX/ustar headers.
This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx
and CVE-2025-62518.
Update rust-tikv-jemallocator and rust-tikv-jemalloc-sys to 0.6.1.
Initial packages for a number of new dependencies for uv, and initial EPEL10
packages for a few of their dependencies.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Oct 23 2025 Benjamin A. Beasley <[email protected]> - 0.8.24-2
- Allow hashbrown 0.15 (for EPEL10.1)
* Wed Oct 22 2025 Benjamin A. Beasley <[email protected]> - 0.8.24-1
- Update to 0.8.24
* Wed Oct 22 2025 Benjamin A. Beasley <[email protected]> - 0.8.23-1
- Update to 0.8.23
* Wed Oct 22 2025 Benjamin A. Beasley <[email protected]> - 0.8.22-1
- Update to 0.8.22
* Wed Oct 22 2025 Benjamin A. Beasley <[email protected]> - 0.8.21-1
- Update to 0.8.21
* Thu Oct 16 2025 Gordon Messmer <[email protected]> - 0.8.20-2
- Use rpm's native resource tunable to limit parallelism.
* Mon Sep 29 2025 Benjamin A. Beasley <[email protected]> - 0.8.20-1
- Update to 0.8.20 (close RHBZ#2389326)
* Mon Sep 29 2025 Benjamin A. Beasley <[email protected]> - 0.8.19-1
- Update to 0.8.19
* Mon Sep 29 2025 Benjamin A. Beasley <[email protected]> - 0.8.18-1
- Update to 0.8.18
* Sun Sep 28 2025 Benjamin A. Beasley <[email protected]> - 0.8.17-1
- Update to 0.8.17
* Sun Sep 28 2025 Benjamin A. Beasley <[email protected]> - 0.8.16-1
- Update to 0.8.16
* Sun Sep 28 2025 Benjamin A. Beasley <[email protected]> - 0.8.15-1
- Update to 0.8.15
* Sun Sep 28 2025 Benjamin A. Beasley <[email protected]> - 0.8.14-1
- Update to 0.8.14
* Sun Sep 28 2025 Benjamin A. Beasley <[email protected]> - 0.8.13-1
- Update to 0.8.13
* Sun Sep 28 2025 Benjamin A. Beasley <[email protected]> - 0.8.12-1
- Update to 0.8.12
* Sun Sep 28 2025 Benjamin A. Beasley <[email protected]> - 0.8.11-5
- Use the bundled reqwest-middleware, too
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2405468 - CVE-2025-62518 rust-astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405468
  [ 2 ] Bug #2405469 - CVE-2025-62518 uv: astral-tokio-tar Vulnerable to PAX Header Desynchronization [epel-10]
        https://bugzilla.redhat.com/show_bug.cgi?id=2405469
--------------------------------------------------------------------------------


-- 
_______________________________________________
epel-devel mailing list -- [email protected]