python/python-uv
SHA256
15
0
Fork 0
forked from pool/python-uv
Code Pull Requests Activity

Accepting request 1313007 from devel:languages:python

Browse Source 
- update to 0.9.5 (bsc#1252399, CVE-2025-62518)
  This release contains an upgrade to astral-tokio-tar, which addresses
  a vulnerability in tar extraction on malformed archives with
  mismatching size information between the ustar header and PAX
  extensions. While the astral-tokio-tar advisory has been graded as
  "high" due its potential broader impact, the specific impact to uv is
  low due to a lack of novel attacker capability. Specifically, uv only
  processes tar archives from source distributions, which already
  possess the capability for full arbitrary code execution by design,
  meaning that an attacker gains no additional capabilities through
  astral-tokio-tar.
  Regardless, we take the hypothetical risk of parser differentials very
  seriously. Out of an abundance of caution, we have assigned this
  upgrade an advisory:
  https://github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9
  * Security
    * Upgrade astral-tokio-tar to 0.5.6 to address a parsing
      differential (#16387)
  * Enhancements
    * Add required environment marker example to hint (#16244)
    * Fix typo in MissingTopLevel warning (#16351)
    * Improve 403 Forbidden error message to indicate package may not
      exist (#16353)
    * Add a hint on uv pip install failure if the --system flag is
      used to select an externally managed interpreter (#16318)
  * Bug fixes
    * Fix backtick escaping for PowerShell (#16307)
  * Documentation
    * Document metadata consistency expectation (#15683)
    * Remove outdated aarch64 musl note (#16385)

OBS-URL: https://build.opensuse.org/request/show/1313007
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-uv?expand=0&rev=58
This commit is contained in:
Ana Guerrero
2025-10-22 10:17:37 +00:00
committed by Git OBS Bridge
parent 345d389817 bb3b270561
commit 25cb077a72
5 changed files with 42 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
python-uv-0.9.4.tar.gz LFS
View File

Binary file not shown.

BIN
python-uv-0.9.5.tar.gz LFS Normal file
View File

Binary file not shown.

36
python-uv.changes
View File

@@ -1,3 +1,39 @@
-------------------------------------------------------------------
Wed Oct 22 05:48:12 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
- update to 0.9.5 (bsc#1252399, CVE-2025-62518)
This release contains an upgrade to astral-tokio-tar, which addresses
a vulnerability in tar extraction on malformed archives with
mismatching size information between the ustar header and PAX
extensions. While the astral-tokio-tar advisory has been graded as
"high" due its potential broader impact, the specific impact to uv is
low due to a lack of novel attacker capability. Specifically, uv only
processes tar archives from source distributions, which already
possess the capability for full arbitrary code execution by design,
meaning that an attacker gains no additional capabilities through
astral-tokio-tar.
Regardless, we take the hypothetical risk of parser differentials very
seriously. Out of an abundance of caution, we have assigned this
upgrade an advisory:
https://github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9
* Security
* Upgrade astral-tokio-tar to 0.5.6 to address a parsing
differential (#16387)
* Enhancements
* Add required environment marker example to hint (#16244)
* Fix typo in MissingTopLevel warning (#16351)
* Improve 403 Forbidden error message to indicate package may not
exist (#16353)
* Add a hint on uv pip install failure if the --system flag is
used to select an externally managed interpreter (#16318)
* Bug fixes
* Fix backtick escaping for PowerShell (#16307)
* Documentation
* Document metadata consistency expectation (#15683)
* Remove outdated aarch64 musl note (#16385)
-------------------------------------------------------------------
Sun Oct 19 22:01:08 UTC 2025 - Ondřej Súkup <mimi.vx@gmail.com>

3
python-uv.spec
View File

@@ -1,7 +1,6 @@
#
# spec file for package python-uv
#
# Copyright (c) 2025 SUSE LLC
# Copyright (c) 2025 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
@@ -34,7 +33,7 @@
%bcond_without libalternatives
%{?sle15_python_module_pythons}
Name: python-uv
Version: 0.9.4
Version: 0.9.5
Release: 0
Summary: A Python package installer and resolver, written in Rust
License: Apache-2.0 OR MIT

BIN
vendor.tar.zst LFS
View File

Binary file not shown.