Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT. https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
It’s unfortunate that neither https://www.cve.org/CVERecord?id=CVE-2025-64181 nor https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3h9h-qfvw-98hq points out the precise fix. Still, it’s basically https://github.com/AcademySoftwareFoundation/openexr/compare/v3.4.2..v3.4.3 that needs to be backported to fix this and related issues. Some, but not all, of the affected code appears to be present in OpenUSD. I will attempt to craft a patch backporting the relevant changes.
https://src.fedoraproject.org/rpms/usd/pull-request/37 Waiting for https://bodhi.fedoraproject.org/updates/FEDORA-2025-0cc929ff17 to go stable first.
FEDORA-2025-4924a5bc8b (usd-25.08-12.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2025-4924a5bc8b
FEDORA-2025-4924a5bc8b has been pushed to the Fedora 43 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-4924a5bc8b` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-4924a5bc8b See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-4924a5bc8b (usd-25.08-12.fc43) has been pushed to the Fedora 43 stable repository. If problem still persists, please make note of it in this bug report.