#2834 Updates policy exception for python-ujson in F35
Closed: Accepted 2 years ago by decathorpe. Opened 2 years ago by music.

I would like to update python-ujson in Fedora 35 from 3.0.0 to 5.4.0.

The 5.4.0 release contains fixes for CVE-2022-31117 and CVE-2022-31116. The latter is fixed by a series of commits that are not trivial to safely backport. Furthermore, updating past 5.1.0 also fixes CVE-2021-45958, and updating past 5.3.0 fixes some memory safety issues that don’t seem to be associated with CVEs but could potentially have security implications.

While updating by two major versions would seem disruptive, a review of the upstream changelogs shows that each time the major version was bumped, the breaking change was the removal of support for an old Python version. From the perspective of Fedora, such a change is not incompatible. Furthermore, I used COPR to verify that the update introduces no regressions to dependent packages.

Overall, I have no reason to believe that this update contains any incompatible or disruptive changes in practice. Still, given the large apparent difference in the version number, I’ve chosen to request a formal exception before proceeding.


Metadata Update from @music:
- Issue tagged with: updates policy exception

2 years ago

Let's fasttrack this. No need to wait a full week. @music, @mhayden, @sgallagh, @dcantrell, please vote.

Metadata Update from @zbyszek:
- Issue tagged with: fast track

2 years ago

For my own request:

+1

This hasn't reached the required +7 for fast-track approval, but it has been a week and this is APPROVED (+6,0,-0).

Metadata Update from @churchyard:
- Issue tagged with: pending announcement

2 years ago

Metadata Update from @decathorpe:
- Issue untagged with: fast track, pending announcement
- Issue close_status updated to: Accepted
- Issue status updated to: Closed (was: Open)

2 years ago