cf. https://rustsec.org/advisories/RUSTSEC-2023-0042.html
The ouroboros crate is affected by soundness issues, which could result in invalid code being generated in future versions of Rust. The upstream project recommends migrating to the self_cell crate: https://github.com/joshua-maros/ouroboros/issues/88
Affected packages in Fedora:
- mercurial
- python-cryptography
- rust-zoxide
Upstream PyCA cryptography switched to self_cell two hours ago: https://github.com/pyca/cryptography/pull/8800
The RUSTSEC advisory for ouroboros was updated: Upstream project has continued development, and recent versions (>= 0.16) should no longer suffer from soundness issues. I've updated the bug title accordingly (since ouroboros in Fedora is stuck at a version that's still affected). However, mercurial has since switched to self_cell, so it is no longer affected. That only leaves zoxide and python-cryptography (looks like the migration to self_cell was only merged to main / future version 42, but not the 41.0.x branch, and Fedora is stuck on the v40 branch anyway).
ouroboros 0.17.2 is now available in Rawhide. I have patched python-cryptography 41.0.3 to use ouroboros 0.17. The code builds and all tests are passing. The ouroboros update also unblocks update of zoxide to latest version 0.9.2.
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle. Changing version to 39.