Comments

249 Comments

The upstream release notes for the packaged version claim it fixes the mentioned CVEs, and the command-line tool passed a quick “smoke test” in a mock chroot.

BZ#2327536 CVE-2024-48990 needrestart: arbitrary code execution via PYTHONPATH environment variable [fedora-41]
BZ#2327541 CVE-2024-11003 needrestart: local privilege escalation via unsanitized input [fedora-41]
BZ#2327546 CVE-2024-48992 needrestart: arbitrary code execution via RUBYLIB environment variable [fedora-41]
BZ#2327553 CVE-2024-48991 needrestart: arbitrary code execution via race condition [fedora-41]

It seems like https://bugzilla.redhat.com/show_bug.cgi?id=2327553 should be associated with this update, too.
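As an added illustration of the vulnerability class named in the bug titles above (this is example code written for this page, not needrestart's source and not part of the commenter's test): a privileged helper that launches an interpreter with an environment it did not control will execute attacker-supplied code through PYTHONPATH, because any directory on that path may supply a `sitecustomize` module that the interpreter imports at startup. RUBYLIB plays the same role for ruby. The fix shown is to run the interpreter in isolated mode (`python3 -I`, which ignores PYTHON* variables) and to scrub the inherited environment. The `sitecustomize.py` payload, the marker file and the `helper_is_hijacked` function are constructed for the demonstration.

```python
"""Constructed demo of interpreter hijack via an untrusted PYTHONPATH.

Not needrestart's code: it models a privileged helper that starts an
interpreter using an environment copied from another (attacker-controlled)
process, and the hardened form of the same helper.
"""
import os
import subprocess
import sys
import tempfile


def plant_sitecustomize(directory: str, marker: str) -> None:
    """Constructed attacker payload: a sitecustomize module that records
    that it ran. The interpreter imports sitecustomize from sys.path
    (which PYTHONPATH feeds) before any -c / script code executes."""
    with open(os.path.join(directory, "sitecustomize.py"), "w") as f:
        f.write(f"open({marker!r}, 'w').write('executed')\n")


def scrub_env(env: dict) -> dict:
    """Drop every PYTHON* variable (PYTHONPATH, PYTHONSTARTUP, ...)."""
    return {k: v for k, v in env.items() if not k.startswith("PYTHON")}


def helper_is_hijacked(isolated: bool) -> bool:
    """Run the helper once and report whether the payload executed.

    isolated=False: vulnerable helper, inherits the environment verbatim.
    isolated=True:  hardened helper, scrubbed environment plus -I, which
                    implies -E (ignore PYTHON* vars) and -s (no user site).
    """
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "marker")
        plant_sitecustomize(tmp, marker)
        # Environment as the inspected process would present it:
        untrusted_env = dict(os.environ, PYTHONPATH=tmp)
        if isolated:
            cmd = [sys.executable, "-I", "-c", "pass"]
            env = scrub_env(untrusted_env)
        else:
            cmd = [sys.executable, "-c", "pass"]
            env = untrusted_env
        # The helper's real work is irrelevant; "pass" is enough to show
        # that code ran before it.
        subprocess.run(cmd, env=env, check=True)
        return os.path.exists(marker)


if __name__ == "__main__":
    print("vulnerable helper hijacked:", helper_is_hijacked(isolated=False))
    print("hardened helper hijacked:  ", helper_is_hijacked(isolated=True))
```

Either half of the fix (the scrubbed environment or `-I`) is sufficient on its own for PYTHONPATH; both are used so that a variable the scrub list misses is still neutralised by isolated mode. The same pattern applies to any interpreter a privileged tool spawns: never let the inspected process's environment reach the interpreter.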


The upstream release notes for the packaged version claim it fixes the mentioned CVEs, and the command-line tool passed a quick “smoke test” in a mock chroot.

BZ#2327531 CVE-2024-48990 needrestart: arbitrary code execution via PYTHONPATH environment variable [epel-8]
BZ#2327537 CVE-2024-11003 needrestart: local privilege escalation via unsanitized input [epel-8]
BZ#2327542 CVE-2024-48992 needrestart: arbitrary code execution via RUBYLIB environment variable [epel-8]
BZ#2327549 CVE-2024-48991 needrestart: arbitrary code execution via race condition [epel-8]

The upstream release notes for the packaged version claim it fixes the mentioned CVEs, and the command-line tool passed a quick “smoke test” in a mock chroot.

BZ#2124940 Build needrestart for EPEL9
BZ#2327532 CVE-2024-48990 needrestart: arbitrary code execution via PYTHONPATH environment variable [epel-9]
BZ#2327538 CVE-2024-11003 needrestart: local privilege escalation via unsanitized input [epel-9]
BZ#2327543 CVE-2024-48992 needrestart: arbitrary code execution via RUBYLIB environment variable [epel-9]
BZ#2327550 CVE-2024-48991 needrestart: arbitrary code execution via race condition [epel-9]

The upstream release notes for the packaged version claim it fixes the mentioned CVEs, and the command-line tool passed a quick “smoke test” in a mock chroot.

BZ#2327534 CVE-2024-48990 needrestart: arbitrary code execution via PYTHONPATH environment variable [fedora-40]
BZ#2327540 CVE-2024-11003 needrestart: local privilege escalation via unsanitized input [fedora-40]
BZ#2327545 CVE-2024-48992 needrestart: arbitrary code execution via RUBYLIB environment variable [fedora-40]
BZ#2327552 CVE-2024-48991 needrestart: arbitrary code execution via race condition [fedora-40]

The upstream release notes for the packaged version claim it fixes the mentioned CVEs, and the command-line tool passed a quick “smoke test” in a mock chroot.

BZ#2327533 CVE-2024-48990 needrestart: arbitrary code execution via PYTHONPATH environment variable [fedora-39]
BZ#2327539 CVE-2024-11003 needrestart: local privilege escalation via unsanitized input [fedora-39]
BZ#2327544 CVE-2024-48992 needrestart: arbitrary code execution via RUBYLIB environment variable [fedora-39]
BZ#2327551 CVE-2024-48991 needrestart: arbitrary code execution via race condition [fedora-39]

This update has been unpushed.

Unpushing this update in order to tag the build into a Pydantic 3.10 update similar to FEDORA-2024-064d418de8.

All the nu crate library packages appear to be installable (mock -r fedora-41-x86_64 --enablerepo=updates-testing -i 'rust-nu*' succeeds).

The nu shell appears to work.

The uv-0.4.30-2.fc40 package in this update was built with rust-jiff-0.1.14-1.fc40, from FEDORA-2024-a8a682f03e, and rust-goblin-0.9.2-1.fc40, from FEDORA-2024-d995ad4e76.

The uv-0.4.30-2.fc41 package in this update was built with rust-jiff-0.1.14-1.fc41, from FEDORA-2024-cad1407d4e, and rust-goblin-0.9.2-1.fc41, from FEDORA-2024-dc111cf987.

This update has been unpushed.

This update has been unpushed.

We can’t add a build to a non-side-tag update, but we can unpush the update, tag the build into a side tag, and re-use it for a new update based on the side tag, without having to rebuild python-nibabel again.

I’m still doing local rebuilds to verify that everything else is OK. The things that depend on this have some seriously heavy tests.


It turns out that this breaks python-nifti-mrs. That’s fixed in python-nifti-mrs-1.3.1, so one possibility is that this update could be unpushed and the build could be tagged into a side tag with python-nifti-mrs-1.3.1, and that side tag could be used to create a new update.

However, I wonder if anything else is affected. I’ll spend a little time doing test builds and follow up.

BZ#2317731 python-nibabel-5.3.0 is available

It turns out that this breaks python-nifti-mrs. That’s fixed in python-nifti-mrs-1.3.1, so one possibility is that this update could be unpushed and the build could be tagged into a side tag with python-nifti-mrs-1.3.1, and that side tag could be used to create a new update.

However, I wonder if anything else is affected. I’ll spend a little time doing test builds and follow up.

BZ#2317731 python-nibabel-5.3.0 is available

While rpminspect claims “New package python3-tox-uv-1.15.0-1.fc41.noarch.rpm is empty (no payloads),” manual inspection of python3-tox-uv-1.15.0-1.fc41.noarch.rpm indicates that this diagnostic is (weirdly) spurious.

The update looks reasonable, installs correctly, and appears to resolve https://bugzilla.redhat.com/show_bug.cgi?id=2319202.

BZ#2319202 rust-ratatui and rust-ratatui0.26 ship the same version (0.26.3)