Fedora 40 uv Security Advisory: Update for CVE-2024-53899 Released
Summary
An extremely fast Python package installer and resolver, written in Rust.
Designed as a drop-in replacement for common pip and pip-tools workflows.
Highlights:
• Drop-in replacement for common pip, pip-tools, and virtualenv commands.
• 10-100x faster than pip and pip-tools (pip-compile and pip-sync).
• Disk-space efficient, with a global cache for dependency deduplication.
• Installable via curl, pip, pipx, etc. uv is a static binary that can be installed without Rust or Python.
• Tested at-scale against the top 10,000 PyPI packages.
• Support for macOS, Linux, and Windows.
• Advanced features such as dependency version overrides and alternative resolution strategies.
• Best-in-class error messages with a conflict-tracking resolver.
• Support for a wide range of advanced pip features, including editable installs, Git dependencies, direct URL dependencies, local dependencies, constraints, source distributions, HTML and JSON indexes, and more.
Update Information:
Update uv from 0.4.30 to 0.5.5. This is a significant update. Please see the following notes.

By updating to a current release of uv, this update fixes CVE-2024-53899, which was originally reported against virtualenv but which was also reproducible on uv 0.5.2 and earlier. See upstream issue #9424 for more details.

This update adds a default system-wide configuration file /etc/uv/uv.toml with settings specific to Fedora. The RPM-packaged uv now deviates from the default configuration in two ways.

First, we set "python-downloads" to "manual" in order to avoid unintended Python downloads. We suggest using RPM-packaged (system) Pythons that benefit from distribution maintenance and integration. Use "uv python install" to manually install managed Pythons.

Second, we set "python-preference" to "system" instead of "managed". Otherwise, any managed Python would be used for uv operations where no particular Python is specified, even if the only available managed Python were much older than th...
Change Log
* Thu Nov 28 2024 Benjamin A. Beasley - 0.5.5-2
- Revert "Backport a path-escaping fix for the batch activation script"
* Wed Nov 27 2024 Benjamin A. Beasley - 0.5.5-1
- Update to 0.5.5 (close RHBZ#2329188)
* Wed Nov 27 2024 Benjamin A. Beasley - 0.5.4-2
- Backport a path-escaping fix for the batch activation script
* Thu Nov 21 2024 Benjamin A. Beasley - 0.5.4-1
- Update to 0.5.4 (close RHBZ#2327512)
* Thu Nov 21 2024 Benjamin A. Beasley - 0.5.3-1
- Update to 0.5.3
* Tue Nov 19 2024 Benjamin A. Beasley - 0.5.2-2
- Stop loosening the mailparse dependency version bound
* Mon Nov 18 2024 Benjamin A. Beasley - 0.5.2-1
- Update to 0.5.2 (close RHBZ#2323792)
* Sat Nov 16 2024 Benjamin A. Beasley - 0.5.1-1
- Update to 0.5.1
* Sat Nov 16 2024 Benjamin A. Beasley - 0.5.0-1
- Update to 0.5.0
* Thu Nov 14 2024 Benjamin A. Beasley - 0.4.30-4
- Also configure python-preference = "system"
* Thu Nov 14 2024 Benjamin A. Beasley - 0.4.30-3
- Install a default system-wide uv.toml
- Configure python-downloads = "manual"
References
[ 1 ] Bug #2327512 - uv-0.5.4 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2327512
[ 2 ] Bug #2328745 - CVE-2024-53899 uv: potential command injection via virtual environment activation scripts [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2328745
[ 3 ] Bug #2329188 - uv-0.5.5 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2329188
Update Instructions
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2024-075f626765' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
Name: uv