diff --git a/python-uv-0.9.4.tar.gz b/python-uv-0.9.4.tar.gz deleted file mode 100644 index 3b3c3f7..0000000 --- a/python-uv-0.9.4.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ceb34b1fe1dff6802b966c283e8bcba48d57f15adf60baf630c4c556f8d3d7bb -size 4749319 diff --git a/python-uv-0.9.5.tar.gz b/python-uv-0.9.5.tar.gz new file mode 100644 index 0000000..af26706 --- /dev/null +++ b/python-uv-0.9.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9fd1dd030b37b51dcf79b582ea77a911eeb4015a00669bd3047d3b6adea37ba8 +size 4752059 diff --git a/python-uv.changes b/python-uv.changes index 641c96d..8a9634d 100644 --- a/python-uv.changes +++ b/python-uv.changes 
@@ -1,3 +1,39 @@ +------------------------------------------------------------------- +Wed Oct 22 05:48:12 UTC 2025 - Daniel Garcia + +- update to 0.9.5 (bsc#1252399, CVE-2025-62518) + This release contains an upgrade to astral-tokio-tar, which addresses + a vulnerability in tar extraction on malformed archives with + mismatching size information between the ustar header and PAX + extensions. While the astral-tokio-tar advisory has been graded as + "high" due its potential broader impact, the specific impact to uv is + low due to a lack of novel attacker capability. Specifically, uv only + processes tar archives from source distributions, which already + possess the capability for full arbitrary code execution by design, + meaning that an attacker gains no additional capabilities through + astral-tokio-tar. + + Regardless, we take the hypothetical risk of parser differentials very + seriously. Out of an abundance of caution, we have assigned this + upgrade an advisory: + https://github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9 + + * Security + * Upgrade astral-tokio-tar to 0.5.6 to address a parsing + differential (#16387) + * Enhancements + * Add required environment marker example to hint (#16244) + * Fix typo in MissingTopLevel warning (#16351) + * Improve 403 Forbidden error message to indicate package may not + exist (#16353) + * Add a hint on uv pip install failure if the --system flag is + used to select an externally managed interpreter (#16318) + * Bug fixes + * Fix backtick escaping for PowerShell (#16307) + * Documentation + * Document metadata consistency expectation (#15683) + * Remove outdated aarch64 musl note (#16385) + ------------------------------------------------------------------- Sun Oct 19 22:01:08 UTC 2025 - Ondřej Súkup diff --git a/python-uv.spec b/python-uv.spec index 0276f5a..d610156 100644 --- a/python-uv.spec +++ b/python-uv.spec 
@@ -1,7 +1,6 @@ # # spec file for package python-uv # -# Copyright (c) 2025 SUSE LLC # Copyright (c) 2025 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties @@ -34,7 +33,7 @@ %bcond_without libalternatives %{?sle15_python_module_pythons} Name: python-uv -Version: 0.9.4 +Version: 0.9.5 Release: 0 Summary: A Python package installer and resolver, written in Rust License: Apache-2.0 OR MIT diff --git a/vendor.tar.zst b/vendor.tar.zst index f6de1ee..254efce 100644 --- a/vendor.tar.zst +++ b/vendor.tar.zst @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:95c1d3d5085d266f7c4fe79e3c0901243f69042ac9beb4b56547feea56477ef7 -size 66216742 +oid sha256:e7450717b1b2bd0f0918060ed77a8d654a6da002f3d0e066b1c971f0c7a13366 +size 65628991
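Review bot: the python-uv-0.9.5.tar.gz hunk swaps the 0.9.4 LFS pointer for a new one (oid sha256:9fd1dd03…, size 4752059), but nothing in the change records how that tarball was checked against upstream. Since this bump is the fix for CVE-2025-62518, please state in the changes entry or the commit that the sha256 matches the published uv 0.9.5 release checksum, so the source-verification step is auditable later.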
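Review bot: typo in the new python-uv.changes entry: 'graded as "high" due its potential broader impact' should read 'due to its'. The entry also says astral-tokio-tar is upgraded to 0.5.6 but never mentions that vendor.tar.zst was regenerated to carry it; one line such as '- Refresh vendor.tar.zst (astral-tokio-tar 0.5.6)' makes the link between the advisory text and the vendored crate explicit for anyone auditing the CVE fix.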
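Review bot: the first python-uv.spec hunk removes the duplicated '# Copyright (c) 2025 SUSE LLC' header line, which is an unrelated cleanup folded into a security bump; either mention it in the changes entry or keep it out of this change so the CVE-2025-62518 update stays minimal and easy to review.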
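Review bot: the vendor.tar.zst hunk only swaps the LFS oid and size (66216742 to 65628991), so the diff itself gives no evidence that the vendored astral-tokio-tar is actually at 0.5.6 as the changelog claims. Before merging, confirm the version inside the regenerated vendor archive (the crate's Cargo.toml under vendor/ or the corresponding lockfile entry) and record that check in the commit, because the whole security value of this update rests on that crate version.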