-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-d3dee9f37d 2025-07-05 01:45:24.506251+00:00 -------------------------------------------------------------------------------- Name : yarnpkg Product : Fedora 41 Version : 1.22.22 Release : 9.fc41 URL : https://github.com/yarnpkg/yarn Summary : Fast, reliable, and secure dependency management. Description : Fast, reliable, and secure dependency management. -------------------------------------------------------------------------------- Update Information: Update bundled pbkdf2 library. -------------------------------------------------------------------------------- ChangeLog: * Tue Jun 24 2025 Sandro Mani <manisandro@xxxxxxxxx> - 1.22.22-9 - Add CVE-2025-6545_6547.prebundle.patch and regenerate bundle. Fixes CVE-2025-6545 and CVE-2025-6547. -------------------------------------------------------------------------------- References: [ 1 ] Bug #2374429 - CVE-2025-6547 yarnpkg: pbkdf2 silently returns static keys [epel-8] https://bugzilla.redhat.com/show_bug.cgi?id=2374429 [ 2 ] Bug #2374433 - CVE-2025-6545 yarnpkg: pbkdf2 silently returns predictable key material [epel-8] https://bugzilla.redhat.com/show_bug.cgi?id=2374433 [ 3 ] Bug #2374438 - CVE-2025-6547 yarnpkg: pbkdf2 silently returns static keys [epel-9] https://bugzilla.redhat.com/show_bug.cgi?id=2374438 [ 4 ] Bug #2374443 - CVE-2025-6545 yarnpkg: pbkdf2 silently returns predictable key material [epel-9] https://bugzilla.redhat.com/show_bug.cgi?id=2374443 [ 5 ] Bug #2374450 - CVE-2025-6547 yarnpkg: pbkdf2 silently returns static keys [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2374450 [ 6 ] Bug #2374455 - CVE-2025-6545 yarnpkg: pbkdf2 silently returns predictable key material [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2374455 [ 7 ] Bug #2374462 - CVE-2025-6547 yarnpkg: pbkdf2 silently returns static keys [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2374462 [ 8 ] Bug #2374465 - CVE-2025-6545 yarnpkg: pbkdf2 silently returns predictable key material [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2374465 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-d3dee9f37d' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list -- package-announce@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to package-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-announce@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
