Thank you, Fabio! We should update goose in a few days from now with other changes we have prepared. I will make sure to include the fixes for the openssl crate.
On Mon, May 11, 2026 at 8:24 PM Fabio Valentini <[email protected]> wrote:

> Hi all,
>
> A number of security issues in two "widely-used" Rust crates have been
> published recently:
>
> - openssl (Rust bindings for OpenSSL): CVE-2026-41676, CVE-2026-41677,
>   CVE-2026-41678, CVE-2026-41681, CVE-2026-41898, CVE-2026-42327,
>   CVE-2026-44662
> - sequoia-openpgp (our favourite OpenPGP implementation):
>   CVE-2026-42783, CVE-2026-42784, and CVE-requested-but-not-assigned-yet
>
> I am currently processing the package rebuilds that are necessary for
> applications to pick up these fixes (yay, static linking).
>
> The rebuilds for sequoia-openpgp 2.3.0 are done:
> https://bodhi.fedoraproject.org/updates/?search=rust-sequoia-openpgp-2.3.0
> These were also built against the latest version of the "openssl" crate.
>
> The rebuilds for fixes included in "openssl" 0.10.78 / 0.10.79 are
> still running and I will submit them to bodhi as they finish.
>
> I am handling rebuilds of all packages that I maintain, co-maintain,
> or where the Rust SIG is co-maintainer. Maintainers of packages in
> none of these three categories will need to check whether their
> packages are affected and rebuild them themselves.
>
> This includes:
>
> - aw-server-rust
> - awatcher
> - clevis-pin-tpm2
> - clevis-pin-trustee
> - envision
> - fido-device-onboard
> - keyring-ima-signer
> - krun-awsnitro-eif-ctl
> - python-cryptography
> - s390utils
> - trustee
> - trustee-guest-components
> - virt-firmware-rs
>
> I am also unable to address this issue in (almost all) packages that
> vendor their Rust dependencies:
>
> - 389-ds-base
> - arapuca
> - bcvk
> - bootc
> - bpfman
> - chunkah
> - cosmic-settings-daemon
> - fractal
> - goose
> - rpm-ostree
> - rust-bootupd
> - rust-zincati
> - trunk
> - vaultwarden
>
> Fabio
>
> ---
>
> Advisories for the "openssl" crate:
>
> - CVE-2026-41676:
>   https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-pqf5-4pqq-29f5
> - CVE-2026-41677:
>   https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xmgf-hq76-4vx2
> - CVE-2026-41678:
>   https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-8c75-8mhr-p7r9
> - CVE-2026-41681:
>   https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-ghm9-cr32-g9qj
> - CVE-2026-41898:
>   https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-hppc-g8h3-xhp3
> - CVE-2026-42327:
>   https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xp3w-r5p5-63rr
> - CVE-2026-44662:
>   https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xv59-967r-8726
>
> NEWS for version 2.3.0 of the "sequoia-openpgp" crate:
> https://gitlab.com/sequoia-pgp/sequoia/-/raw/openpgp/v2.3.0/openpgp/NEWS
> --
> _______________________________________________
> devel mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://forge.fedoraproject.org/infra/tickets/issues/new

--
Rodolfo Olivieri
He/Him
Principal Software Engineer, RHEL Lightspeed
Red Hat <https://www.redhat.com>
[email protected]
@redhatbr <https://twitter.com/redhatbr>
@red-hat <https://www.linkedin.com/company/red-hat>
@redhatbrasil <https://www.facebook.com/redhatbrasil>
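The quoted message asks maintainers outside the three categories to check whether their own packages are affected, and notes that statically linked Rust binaries only pick up the fixes on rebuild. The following is an added example, not code from the thread or from Fedora's tooling: it reads a Cargo.lock (whether the crates are vendored or fetched, they are all pinned there), and flags `openssl` below 0.10.79 and `sequoia-openpgp` below 2.3.0, the fixed releases named in the message. The version floors, the sample lockfile and the minimal line-based lockfile parser are assumptions made here for illustration; real lockfiles should be checked with the advisories linked above, and a pre-release suffix (e.g. `2.3.0-rc1`) is treated as older than the matching release.

```python
"""Flag Cargo.lock entries pinned below the fixed crate releases named in the thread.

Added example. FIXED_VERSIONS and SAMPLE_LOCK are assumptions/constructed data,
not taken from any Fedora package.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

# Assumption: the first releases carrying all fixes discussed in the message are
# openssl 0.10.79 (fixes landed in 0.10.78 / 0.10.79) and sequoia-openpgp 2.3.0.
FIXED_VERSIONS: Dict[str, Tuple[int, int, int]] = {
    "openssl": (0, 10, 79),
    "sequoia-openpgp": (2, 3, 0),
}

# Constructed Cargo.lock excerpt; checksums and versions are illustrative only.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "openssl"
version = "0.10.73"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"
dependencies = [
 "bitflags",
 "openssl-sys",
]

[[package]]
name = "openssl-sys"
version = "0.9.109"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "sequoia-openpgp"
version = "2.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "bitflags"
version = "2.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[metadata]
"""

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?$")
_KV_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, is_release).

    is_release is 0 for a pre-release such as 2.3.0-rc1 and 1 for a final
    release, so tuple comparison orders 2.3.0-rc1 below 2.3.0. Build metadata
    (+...) is ignored, as semver requires.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable crate version: {text!r}")
    major, minor, patch, pre, _build = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def parse_cargo_lock(text: str) -> List[Dict[str, str]]:
    """Minimal parser for the [[package]] tables of a Cargo.lock.

    Only `key = "string"` fields are kept; the dependencies array and the
    [metadata] table are skipped. Enough for name/version/source lookups.
    """
    packages: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif line.startswith("["):
            current = None  # some other table, e.g. [metadata]
        elif current is not None:
            m = _KV_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return packages


def affected_packages(lock_text: str) -> List[Tuple[str, str, str]]:
    """Return (crate, pinned_version, first_fixed_version) for every locked
    crate in FIXED_VERSIONS whose pinned version is below the fixed release."""
    findings: List[Tuple[str, str, str]] = []
    for pkg in parse_cargo_lock(lock_text):
        name, version = pkg.get("name"), pkg.get("version")
        if name not in FIXED_VERSIONS or not version:
            continue
        fixed = FIXED_VERSIONS[name]
        if parse_version(version) < fixed + (1,):
            findings.append((name, version, ".".join(map(str, fixed))))
    return findings


if __name__ == "__main__":
    # Usage: python check_lock.py path/to/Cargo.lock [...]; no args runs the sample.
    texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE_LOCK]
    for text in texts:
        for crate, pinned, fixed in affected_packages(text):
            print(f"{crate} {pinned} < {fixed}: rebuild against the fixed crate")
```

Matching is on the exact crate name, so `openssl-sys` is deliberately not flagged: the advisories in the message are for the `openssl` crate. A clean result from this check says nothing about the OpenSSL C library the binary links against; that is tracked by the `openssl-libs` package update, not by a Rust rebuild.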
