Mageia 9: MGASA-2025-0194 important: yarnpkg denial of service

Mageia, June 25, 2025
Mageia has issued an update for yarnpkg that addresses several security vulnerabilities, including a denial of service, missing validation in EdDSA signature verification, and link following and path traversal during tar extraction.

Summary

The update fixes the following vulnerabilities in yarnpkg:

- CVE-2024-37890: denial of service when handling a request with many HTTP headers.

- CVE-2024-48949: missing validation in Elliptic's EdDSA signature verification.

- CVE-2024-12905: link following and path traversal via a maliciously crafted tar file.

Other vulnerabilities in Yarn's bundled Node.js components are fixed as well; see the references.

References

- https://bugs.mageia.org/show_bug.cgi?id=33674

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UGLXZO6VIHGIITQTEUY5Q5YCAP2A4ZP/

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VEDIJM7VQF4Q2L2KKQ6KJ2WZNR7AXYQD/

- https://www.cve.org/CVERecord?id=CVE-2020-7677

- https://www.cve.org/CVERecord?id=CVE-2021-43138

- https://www.cve.org/CVERecord?id=CVE-2022-3517

- https://www.cve.org/CVERecord?id=CVE-2024-37890

- https://www.cve.org/CVERecord?id=CVE-2024-48949

- https://www.cve.org/CVERecord?id=CVE-2022-37599

- https://www.cve.org/CVERecord?id=CVE-2023-26136

- https://www.cve.org/CVERecord?id=CVE-2023-46234

- https://www.cve.org/CVERecord?id=CVE-2024-12905

- https://www.cve.org/CVERecord?id=CVE-2024-4067

- https://www.cve.org/CVERecord?id=CVE-2025-48387

Resolution

SRPMS

- 9/core/yarnpkg-1.22.22-0.10.9.2.1.mga9

Severity
important

Publication date: 25 Jun 2025
URL: https://advisories.mageia.org/MGASA-2025-0194.html
Type: security
CVE: CVE-2020-7677, CVE-2021-43138, CVE-2022-3517, CVE-2024-37890, CVE-2024-48949, CVE-2022-37599, CVE-2023-26136, CVE-2023-46234, CVE-2024-12905, CVE-2024-4067, CVE-2025-48387
