Fedora 40 update for clevis-pin-tpm2, envision, fido-device-onboard, gotify-desktop, keylime-agent-rust, keyring-ima-signer, libkrun, rust-afterburn, rust-cargo-vendor-filterer, rust-coreos-installer, rust-eif_build, rust-gst-plugin-reqwest, rust-nu, rust

Published: 2025-04-29

Risk	Medium
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2025-0977
CWE-ID	CWE-125
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Fedora Operating systems & Components / Operating system s390utils Operating systems & Components / Operating system package or component rustup Operating systems & Components / Operating system package or component rust-tealdeer Operating systems & Components / Operating system package or component rust-snphost Operating systems & Components / Operating system package or component rust-sevctl Operating systems & Components / Operating system package or component rust-sequoia-sqv Operating systems & Components / Operating system package or component rust-sequoia-sq Operating systems & Components / Operating system package or component rust-sequoia-sop Operating systems & Components / Operating system package or component rust-sequoia-policy-config Operating systems & Components / Operating system package or component rust-sequoia-octopus-librnp Operating systems & Components / Operating system package or component rust-sequoia-keyring-linter Operating systems & Components / Operating system package or component rust-rpm-sequoia Operating systems & Components / Operating system package or component rust-pore Operating systems & Components / Operating system package or component rust-openssl-sys Operating systems & Components / Operating system package or component rust-openssl Operating systems & Components / Operating system package or component rust-nu Operating systems & Components / Operating system package or component rust-gst-plugin-reqwest Operating systems & Components / Operating system package or component rust-eif_build Operating systems & Components / Operating system package or component rust-coreos-installer Operating systems & Components / Operating system package or component rust-cargo-vendor-filterer Operating systems & Components / Operating system package or component rust-afterburn Operating systems & Components / Operating system package or component libkrun Operating systems & Components / Operating system package or component keyring-ima-signer Operating systems & Components / Operating system package or component keylime-agent-rust Operating systems & Components / Operating system package or component gotify-desktop Operating systems & Components / Operating system package or component fido-device-onboard Operating systems & Components / Operating system package or component envision Operating systems & Components / Operating system package or component clevis-pin-tpm2 Operating systems & Components / Operating system package or component
Vendor	Fedoraproject

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Out-of-bounds read

EUVDB-ID: #VU108061

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-0977

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in ssl::select_next_proto. A remote attacker can initiate connection with the server, trigger an out-of-bounds read error and read contents of memory on the system or perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 40

s390utils: before 2.33.1-4.fc40

rustup: before 1.27.1-6.fc40

rust-tealdeer: before 1.7.1-3.fc40

rust-snphost: before 0.5.0-3.fc40

rust-sevctl: before 0.6.0-4.fc40

rust-sequoia-sqv: before 1.2.1-6.fc40

rust-sequoia-sq: before 1.1.0-4.fc40

rust-sequoia-sop: before 0.36.0-3.fc40

rust-sequoia-policy-config: before 0.7.0-3.fc40

rust-sequoia-octopus-librnp: before 1.10.0-6.fc40

rust-sequoia-keyring-linter: before 1.0.1-10.fc40

rust-rpm-sequoia: before 1.7.0-5.fc40

rust-pore: before 0.1.17-5.fc40

rust-openssl-sys: before 0.9.105-1.fc40

rust-openssl: before 0.10.70-1.fc40

rust-nu: before 0.99.1-7.fc40

rust-gst-plugin-reqwest: before 0.13.3-3.fc40

rust-eif_build: before 0.2.1-3.fc40

rust-coreos-installer: before 0.23.0-2.fc40

rust-cargo-vendor-filterer: before 0.5.17-2.fc40

rust-afterburn: before 5.7.0-3.fc40

libkrun: before 1.10.1-2.fc40

keyring-ima-signer: before 0.1.0-17.fc40

keylime-agent-rust: before 0.2.7-4.fc40

gotify-desktop: before 1.3.7-4.fc40

fido-device-onboard: before 0.5.0-2.fc40

envision: before 2.0.0-4.20241209git2.0.0.fc40

clevis-pin-tpm2: before 0.5.3-9.fc40

CPE2.3

External links

https://bodhi.fedoraproject.org/updates/FEDORA-2025-6f07616b52

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.