Fedora 43 : fastapi-cli / fastapi-cloud-cli / gherkin / maturin / etc (2025-4154ea83d0)

high Nessus Plugin ID 272299

Synopsis

The remote Fedora host is missing one or more security updates.

Description

The remote Fedora 43 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2025-4154ea83d0 advisory.

## uv / python-uv-build 0.9.5

https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md

----

## ruff 0.14.2

https://github.com/astral-sh/ruff/blob/0.14.2/CHANGELOG.md

----

## Pydantic 2.12.3

[Blog post](https://pydantic.dev/articles/pydantic-v2-12-release)

----

## maturin 1.9.6

https://github.com/PyO3/maturin/blob/v1.9.6/Changelog.md

----

## python-typing-inspection 0.4.2 (2025-10-01)

- Add `typing_objects.is_noextraitems()`

----

## python-jiter 0.11.0

https://github.com/pydantic/jiter/releases/tag/v0.11.0

----

## python-pydantic-extra-types 2.10.6

https://github.com/pydantic/pydantic-extra-types/releases/tag/v2.10.6

----

# Typer

## 0.20.0

### Features

* Enable command suggestions on typo by default.

### Upgrades

* Add (official) support for Python 3.14.

### Internal

Assorted small enhancements.

----

# FastAPI

## 0.120.1

### Upgrades

* Bump Starlette to <`0.50.0`.

### Internal

* Add `license` and `license-files` to `pyproject.toml`, remove `License` from `classifiers`.

## 0.120.0

There are no major or breaking changes in this release.

The internal reference documentation now uses `annotated_doc.Doc` instead of `typing_extensions.Doc`; this adds a new (very small) dependency on [`annotated-doc`](https://github.com/fastapi/annotated-doc), a package made just to provide that `Doc` documentation utility class.

I would expect `typing_extensions.Doc` to be deprecated and then removed at some point from `typing_extensions`; for that reason there's the new `annotated-doc` micro-package. If you are curious about this, you can read more in the repo for [`annotated-doc`](https://github.com/fastapi/annotated-doc).

This new version `0.120.0` only contains that transition to the new home package for that utility class `Doc`.

### Translations, Internal

Assorted improvements.

## 0.119.1

### Fixes

* Fix internal Pydantic v1 compatibility (warnings) for Python 3.14 and Pydantic 2.12.1.

### Docs, Internal

Assorted improvements.

## 0.119.0

FastAPI now (temporarily) supports both Pydantic v2 models and `pydantic.v1` models at the same time in the same app, to make it easier for any FastAPI apps still using Pydantic v1 to gradually but quickly **migrate to Pydantic v2**.

### Features

* Add support for `from pydantic.v1 import BaseModel`, mixed Pydantic v1 and v2 models in the same app.

## 0.118.3

### Upgrades

- Add (official) support for Python 3.14.

## 0.118.2

### Fixes

* Fix tagged discriminated union not recognized as body field.

## 0.118.1

### Upgrades

* Ensure compatibility with Pydantic 2.12.0.

### Docs, Translations, Internal

Assorted bugfixes and enhancements.

## 0.118.0

### Fixes

* Fix support for `StreamingResponse`s with dependencies with `yield` or `UploadFile`s, close after the response is done.

Before FastAPI 0.118.0, if you used a dependency with `yield`, the exit code (the code after `yield`) ran after the *path operation function* returned but right before the response was sent.

This also meant that if you returned a `StreamingResponse`, the exit code of the dependency with `yield` would already have been run by the time the response started streaming.

For example, if you had a database session in a dependency with `yield`, the `StreamingResponse` would not be able to use that session while streaming data, because the session would already have been closed in the exit code after `yield`.

This behavior was reverted in 0.118.0, so that the exit code after `yield` is executed after the response is sent.

You can read more about it in the docs for [Advanced Dependencies - Dependencies with `yield`, `HTTPException`, `except` and Background Tasks](https://fastapi.tiangolo.com/advanced/advanced-dependencies#dependencies-with-yield-httpexception-except-and-background-tasks), including what you can do if you want to close a database session earlier, before returning the response to the client.

### Docs, Translations, Internal

Assorted bugfixes and enhancements.

----

# Starlette

## 0.49.1 (October 28, 2025)

This release fixes a security vulnerability in the parsing logic of the `Range` header in `FileResponse`.

You can view the full security advisory: [GHSA-7f5h-v6xp-fcq8](https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8)

#### Fixed

* Optimize the HTTP ranges parsing logic.

## 0.49.0 (October 28, 2025)

#### Added

* Add `encoding` parameter to `Config` class.
* Support multiple cookie headers in `Request.cookies`.
* Use `Literal` type for `WebSocketEndpoint` encoding values.

#### Changed

* Do not pollute exception context in `Middleware` when using `BaseHTTPMiddleware`.

----

# FastAPI CLI

## 0.0.14

### Upgrades

* Add support for Python 3.13 and 3.14.

----

# FastAPI Cloud CLI

## 0.3.1

### Fixes

* Fix login URL not being linked correctly.

### Refactors

* Refactor env vars creation.
* Remove env vars from deploy workflow.

### Internal

* Log files added to archive in debug mode.
* Add test to make sure .fastapicloudignore can override .gitignore.

## 0.3.0

### Features

- Add support for `.fastapicloudignore` file.

## 0.2.1

### Features

* Add support for verification statuses.

----

## `python-rignore`

### 0.7.1

- Add support for overrides

### 0.7.0

- Update PyO3 to 0.26

----

# python-inline-snapshot

## 0.30.1 2025-10-20

Fixed
-----

- Disable `ensure_ascii` in `json.dump` to support non-ASCII characters in external files

## 0.30.0 2025-10-15

Added
-----

- The `test-dir` config option can now also be a list of paths
- Added (official) Python 3.14 support

## 0.29.4 2025-10-13

Changed
-------

- `External.run_inline()` now uses the same logic as `External.run_pytest`.

Fixed
-----

- inline-snapshot now supports different Python file encodings and recognizes encoding comments such as `# -*- coding: windows-1251 -*-`

## 0.29.3 2025-10-04

Fixed
-----

- xdist is now detected properly.

## 0.29.2 2025-10-01

Fixed
-----

- Fixed string formatting with Black which caused invalid snapshots

----

## rust-regex 1.11.3 (2025-09-25)

This is a small patch release with an improvement in memory usage in some cases.

**Improvements:**

* Improve memory usage by trimming excess memory capacity in some spots.

----

## rust-speedate 0.17.0

- Add a new from-float-with-config constructor function
- Derive `Copy` on `Date`, `Time` and `DateTime`

----

## rust-astral-tokio-tar 0.5.6

* Fixed a parser desynchronization vulnerability when reading tar archives that contain mismatched size information in PAX/ustar headers.

This vulnerability is being tracked as [GHSA-j5gw-2vrg-8fgx](https://github.com/advisories/GHSA-j5gw-2vrg-8fgx) and CVE-2025-62518.

----

- Update `rust-regex-automata` to 0.4.11
- Update `rust-serde_json` to 1.0.145
- Update `rust-tikv-jemallocator` and `rust-tikv-jemalloc-sys` to 0.6.1
- Update `python-pydantic-core` to 2.41.4
- Update `openapi-python-client` to 0.26.2 and patch it to allow `ruff` 0.14 and `typer` 0.20
- Initial package for `python-cron-converter`
- Initial packages for a number of new Rust library dependencies for `ruff` and `uv`
Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2025-4154ea83d0

Plugin Details

Severity: High

ID: 272299

File Name: fedora_2025-4154ea83d0.nasl

Version: 1.1

Type: local

Agent: unix

Published: 11/5/2025

Updated: 11/5/2025

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.7

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2025-62518

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:rust-jiter, p-cpe:/a:fedoraproject:fedora:rust-collection_literals, p-cpe:/a:fedoraproject:fedora:rust-reqsign-file-read-tokio, p-cpe:/a:fedoraproject:fedora:python-openapi-core, p-cpe:/a:fedoraproject:fedora:rust-interpolator, p-cpe:/a:fedoraproject:fedora:rust-reqsign-aws-v4, p-cpe:/a:fedoraproject:fedora:rust-reqsign, p-cpe:/a:fedoraproject:fedora:maturin, p-cpe:/a:fedoraproject:fedora:rust-get-size2, p-cpe:/a:fedoraproject:fedora:rust-quote-use, p-cpe:/a:fedoraproject:fedora:python-jiter, p-cpe:/a:fedoraproject:fedora:python-pydantic-extra-types, p-cpe:/a:fedoraproject:fedora:python-typer, p-cpe:/a:fedoraproject:fedora:uv, p-cpe:/a:fedoraproject:fedora:rust-attribute-derive-macro, p-cpe:/a:fedoraproject:fedora:rust-speedate, p-cpe:/a:fedoraproject:fedora:python-pydantic-core, p-cpe:/a:fedoraproject:fedora:rust-reqsign-core, p-cpe:/a:fedoraproject:fedora:rust-tikv-jemallocator, p-cpe:/a:fedoraproject:fedora:rust-proc-macro-utils, p-cpe:/a:fedoraproject:fedora:rust-attribute-derive, p-cpe:/a:fedoraproject:fedora:python-fastapi, p-cpe:/a:fedoraproject:fedora:rust-reqsign-http-send-reqwest, p-cpe:/a:fedoraproject:fedora:python-annotated-doc, p-cpe:/a:fedoraproject:fedora:python-pydantic, p-cpe:/a:fedoraproject:fedora:python-inline-snapshot, p-cpe:/a:fedoraproject:fedora:python-typing-inspection, p-cpe:/a:fedoraproject:fedora:fastapi-cli, p-cpe:/a:fedoraproject:fedora:rust-reqsign-command-execute-tokio, p-cpe:/a:fedoraproject:fedora:rust-quote-use-macros, p-cpe:/a:fedoraproject:fedora:python-starlette, p-cpe:/a:fedoraproject:fedora:rust-tikv-jemalloc-sys, p-cpe:/a:fedoraproject:fedora:fastapi-cloud-cli, p-cpe:/a:fedoraproject:fedora:python-platformio, p-cpe:/a:fedoraproject:fedora:python-uv-build, p-cpe:/a:fedoraproject:fedora:rust-astral-tokio-tar, p-cpe:/a:fedoraproject:fedora:python-rignore, p-cpe:/a:fedoraproject:fedora:rust-get-size-derive2, p-cpe:/a:fedoraproject:fedora:gherkin, p-cpe:/a:fedoraproject:fedora:rust-serde_json, p-cpe:/a:fedoraproject:fedora:rust-regex, p-cpe:/a:fedoraproject:fedora:rust-manyhow, p-cpe:/a:fedoraproject:fedora:rust-manyhow-macros, p-cpe:/a:fedoraproject:fedora:ruff, p-cpe:/a:fedoraproject:fedora:openapi-python-client, cpe:/o:fedoraproject:fedora:43, p-cpe:/a:fedoraproject:fedora:python-cron-converter, p-cpe:/a:fedoraproject:fedora:rust-regex-automata

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/8/2025

Vulnerability Publication Date: 10/11/2025

Reference Information

CVE: CVE-2025-62518, CVE-2025-62727