Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
I have addressed this to the degree I can. Updates for the "openssl" crate that fix this issue (and two more CVEs that no bugs have been filed yet): https://bodhi.fedoraproject.org/updates/?search=rust-openssl-0.10.79 However, there's two groups of packages that have, effectively, opted-out of being covered by rebuilds for security issues in Rust crates. 1) Packages not co-maintained by the Rust SIG: - aw-server-rust - awatcher - clevis-pin-tpm2 - clevis-pin-trustee - envision - fido-device-onboard - keyring-ima-signer - krun-awsnitro-eif-ctl - python-cryptography - s390utils - trustee - trustee-guest-components - virt-firmware-rs 2) Packages that vendor their Rust dependencies: - 389-ds-base - arapuca - bcvk - bootc - bpfman - chunkah - cosmic-settings-daemon - fractal - goose - rpm-ostree - rust-bootupd - rust-zincati - trunk - vaultwarden Maintainers of these packages will need to check whether they're affected (and rebuild, if necessary) themselves.