Fix Fedora's uv tar vuln with DNF, then go further. Automation script, firewalld rules, and the books that turn patching into binary analysis mastery. Subscribe now.
On May 18, 2026, Fedora 42 shipped uv 0.11.11 to resolve two tar‑handling weaknesses (GHSA-xx64-wwv2-hcqq and GHSA-fp55-jw48-c537). But the workflow below works for any uv update on any Fedora release, today or next year.
1. Check if You Are Vulnerable (Fedora Commands)
First, see which uv version you are running:
rpm -q uv
If the installed version is older than 0.11.11, the packaged uv is vulnerable. Note that rpm -q only sees the Fedora package: a uv installed with the standalone installer (typically ~/.local/bin/uv), with pip, or with pipx is a separate binary that DNF will never patch. Check command -v uv and uv --version for those copies as well.
To list all pending security updates:
sudo dnf check-update --security
For deeper system‑wide checks, install Lynis:
sudo dnf install lynis -y && sudo lynis audit system
Lynis scans your package manager, kernel parameters, and service configurations, then flags weaknesses that a mere version check would miss.
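The checks above leave the version comparison to the reader and only cover the RPM. The following shell script is an added example, not code from the original post: it compares each uv found on the host against the fixed version numerically (so 0.11.9 is correctly treated as older than 0.11.11) and reports the DNF package and any other uv on PATH separately. FIXED_VERSION is the value the post gives for Fedora 42 and is an assumption you should adjust per advisory; the parser also assumes that uv --version prints "uv X.Y.Z (...)" on its first line.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): decide whether each uv on the
# host is at or above the fixed version, instead of eyeballing rpm -q output.
# Assumptions: FIXED_VERSION is the value the post gives for Fedora 42 (adjust
# per advisory); `uv --version` prints "uv X.Y.Z (...)" as its first line.
FIXED_VERSION="0.11.11"

# version_ge A B: exit 0 if A >= B, comparing dot-separated numeric components
# (so 0.11.9 < 0.11.11, which a plain string comparison gets wrong).
version_ge() {
    local a="$1" b="$2" x y
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
        x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"   # drop trailing suffixes such as rc1
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# uv_status VERSION [FIXED]: prints fixed, vulnerable, or unknown (empty input)
uv_status() {
    local ver="$1" fixed="${2:-$FIXED_VERSION}"
    if [ -z "$ver" ]; then
        echo unknown
    elif version_ge "$ver" "$fixed"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# version_from_uv_output "uv 0.11.11 (hash date)" -> 0.11.11 (assumed format)
version_from_uv_output() {
    set -- $1
    printf '%s\n' "${2:-}"
}

# report_installed_uv: the DNF package and any other uv on PATH. A copy from
# the standalone installer (~/.local/bin/uv), pip or pipx is not touched by dnf.
report_installed_uv() {
    local ver path
    if command -v rpm >/dev/null 2>&1 && rpm -q uv >/dev/null 2>&1; then
        ver=$(rpm -q --qf '%{VERSION}' uv)
        printf '%-22s %-10s %s\n' "rpm:uv" "$ver" "$(uv_status "$ver")"
    else
        printf '%-22s %s\n' "rpm:uv" "not installed"
    fi
    if command -v uv >/dev/null 2>&1; then
        path=$(command -v uv)
        ver=$(version_from_uv_output "$(uv --version 2>/dev/null | head -n1)")
        printf '%-22s %-10s %s\n' "$path" "$ver" "$(uv_status "$ver")"
    fi
}

# Run the report only when asked, so the functions can be sourced or tested.
if [ "${1:-}" = "--report" ]; then
    report_installed_uv
fi
```

Run it as bash uv_check.sh --report. A line for /usr/local/bin/uv or ~/.local/bin/uv next to the rpm:uv line tells you there is a second copy that the DNF update in section 2 will not touch.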
2. Automation Script to Apply the Fix
Save this as patch_uv.sh and run it with sudo bash patch_uv.sh. It applies the update, logs the change, and verifies the new version.
#!/bin/bash
# patch_uv.sh – Evergreen uv security fix for Fedora
# Works for any future uv CVE as well
set -e

echo "[*] Checking current uv version..."
OLD_VER=$(rpm -q uv)
echo "Current: $OLD_VER"

echo "[*] Applying security update via DNF..."
# --security applies every pending security update, not only uv's; append the
# package name (dnf upgrade --refresh --security -y uv) to limit it to uv.
# -y makes the run unattended, which is what an automation script needs.
sudo dnf upgrade --refresh --security -y

echo "[*] Verifying update..."
NEW_VER=$(rpm -q uv)
if [ "$OLD_VER" != "$NEW_VER" ]; then
    echo "[✓] uv updated from $OLD_VER to $NEW_VER"
    logger -t uv-patch "uv security update applied: $OLD_VER → $NEW_VER"
else
    echo "[!] Version unchanged – no update available or already up-to-date"
fi
Why --security? It installs only patches that the repository metadata marks as security updates, leaving feature updates for later – best practice for production systems. Note that it is not limited to uv: every pending security update is applied in the same transaction, which is usually what you want, but check dnf history info last if you need to know exactly what changed.
The script above applies whatever security updates DNF has staged; it tells you nothing about the flaw it closes. To understand those flaws rather than just apply the fix, you need Practical Binary Analysis: Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly. This book teaches you to dissect binaries, instrument code, and understand vulnerabilities at the machine level.
Practical Binary Analysis (advertising) -> https://amzn.to/43hlbDF
A patch fixes the hole. But attackers don't send malformed tarballs in isolation – they deliver malware that exploits the flaw, persists, and phones home. Practical Malware Analysis: The Hands‑On Guide to Dissecting Malicious Software gives you the skills to safely analyze, debug, and disassemble real malware, turning you from a patch‑applier into a threat hunter.
Practical Malware Analysis (advertising) -> https://amzn.to/4ueGqC2
Stop chasing patches – learn to dissect the malware that exploits them.
I earn a commission if you make a purchase.
3. Alternative Mitigation if You Can't Update Now
If you cannot immediately upgrade uv (e.g., during a maintenance freeze), use these defense‑in‑depth measures.
Firewalld: Block Tainted Traffic
A rich rule rejects inbound connections from a listed source range. Be clear about what this does and does not buy you: the tar-handling flaws are reached through an archive that uv itself downloads over an allowed outbound connection, so a source-address block does not close that path. It still belongs in a hardening baseline, and while uv is unpatched you should also restrict which package indexes it talks to (a trusted internal mirror via --index-url rather than arbitrary indexes or --find-links locations). This example blocks a documentation subnet – replace 203.0.113.0/24 with ranges from your own threat feed.
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="203.0.113.0/24" reject'
sudo firewall-cmd --reload
To list active rules: sudo firewall-cmd --list-rich-rules
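Since the exploit path for a tar-handling weakness is the archive itself, the check a practitioner actually wants while uv is unpatched is a pre-screen of what an archive would write before uv unpacks it. The script below is an added example, not code from the original post, and it does not reimplement the advisory fixes (the post does not describe their exact conditions); it flags the properties that tar-handling bugs commonly mishandle: absolute entry paths, any ".." path component, and symlink or hardlink entries, which let later entries be written through a link that points outside the extraction tree. It assumes a GNU or BSD tar that supports -t and -v listings; the sample archives it builds are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post, and not a reimplementation of the
# advisory fixes, whose exact conditions the post does not describe): a
# pre-screen for the archive properties that tar-handling bugs commonly
# mishandle. Run it on a downloaded tarball before letting an unpatched uv
# unpack it. Assumes GNU or BSD tar with -t/-v listing output.

# classify_entry NAME -> "unsafe" for an absolute path or any ".." component,
# otherwise "safe". Both are the classic ways an archive escapes its
# extraction directory.
classify_entry() {
    local name="$1"
    case "$name" in
        /*) echo unsafe; return ;;
    esac
    case "/$name/" in
        */../*) echo unsafe; return ;;
    esac
    echo safe
}

# scan_tar_for_unsafe_entries ARCHIVE -> exit 0 if clean, 1 if anything was
# flagged. Link entries are recognised by the first character of the mode
# column in `tar -tvf` output: 'l' for symlinks, 'h' for hardlinks.
scan_tar_for_unsafe_entries() {
    local archive="$1" bad=0 line
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if [ "$(classify_entry "$line")" = unsafe ]; then
            printf 'UNSAFE path: %s\n' "$line" >&2; bad=1
        fi
    done <<EOF
$(tar -tf "$archive")
EOF
    while IFS= read -r line; do
        case "$line" in
            l*|h*) printf 'UNSAFE link: %s\n' "$line" >&2; bad=1 ;;
        esac
    done <<EOF
$(tar -tvf "$archive")
EOF
    return "$bad"
}

# make_sample_archives DIR: constructed demo archives. DIR/clean.tar holds one
# regular file; DIR/links.tar adds a symlink to /etc/passwd. The traversal and
# absolute-path cases are exercised through classify_entry on literal names,
# because producing such entries needs GNU-only tar flags.
make_sample_archives() {
    local dir="$1"
    mkdir -p "$dir/src"
    echo "hello" > "$dir/src/ok.txt"
    ln -sf /etc/passwd "$dir/src/link"
    tar -C "$dir/src" -cf "$dir/clean.tar" ok.txt
    tar -C "$dir/src" -cf "$dir/links.tar" ok.txt link
}

# Demo runs only when asked, so the functions can be sourced or tested.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_archives "$tmp"
    for f in "$tmp/clean.tar" "$tmp/links.tar"; do
        if scan_tar_for_unsafe_entries "$f"; then
            echo "clean:   $f"
        else
            echo "flagged: $f"
        fi
    done
    rm -rf "$tmp"
fi
```

Run bash tar_prescreen.sh --demo to see one clean and one flagged archive, or call scan_tar_for_unsafe_entries on a real sdist before uv touches it. A non-zero exit is a reason to quarantine the file, not proof of an attack: some legitimate source distributions do ship symlinks, so treat a hit as "inspect by hand" rather than "malicious".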
Kernel Hardening (sysctl)
These settings are general network hardening; they do not touch the tar-handling flaw itself, but they raise the host's baseline while uv waits for its patch:
# /etc/sysctl.d/99-security.conf
net.ipv4.conf.all.rp_filter = 1            # Strict reverse path filtering (1 = strict, 2 = loose; use 2 on asymmetrically routed hosts)
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1                # Mitigate SYN flood
net.ipv4.conf.all.accept_source_route = 0  # Disable source routing
Apply with sudo sysctl -p /etc/sysctl.d/99-security.conf
Continuous Monitoring with auditd
Track executions of the uv binary and changes to the DNF log. Add these rules to /etc/audit/rules.d/uv-monitor.rules. On releases that ship dnf5 (Fedora 41 and later) the log is /var/log/dnf5.log rather than /var/log/dnf.log; watch whichever file exists on your system:
-w /usr/bin/uv -p x -k uv_execution
-w /var/log/dnf.log -p wa -k dnf_changes
Load them with sudo auditctl -R /etc/audit/rules.d/uv-monitor.rules, or sudo augenrules --load to merge everything under rules.d and keep the rules across reboots. Review hits with sudo ausearch -k uv_execution and sudo ausearch -k dnf_changes.
Conclusion
Patching uv takes five minutes. The next CVE? And the malware that follows it? Those need a different skillset. Grab Practical Binary Analysis and Practical Malware Analysis, run the labs, and stop being a passive patch consumer. Your future self – and your infrastructure – will thank you.