Updated yarnpkg packages fix security vulnerabilities
Publication date: 25 Jun 2025
Modification date: 25 Jun 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2020-7677, CVE-2021-43138, CVE-2022-3517, CVE-2024-37890, CVE-2024-48949, CVE-2022-37599, CVE-2023-26136, CVE-2023-46234, CVE-2024-12905, CVE-2024-4067, CVE-2025-48387
Description
- CVE-2024-37890 yarnpkg: denial of service when handling a request with many HTTP headers.
- CVE-2024-48949 yarnpkg: missing validation in Elliptic's EdDSA signature verification.
- CVE-2024-12905 yarnpkg: link following and path traversal via a maliciously crafted tar file.
Other vulnerabilities in yarn's bundled Node.js components are fixed too; see the references.
References
- https://bugs.mageia.org/show_bug.cgi?id=33674
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UGLXZO6VIHGIITQTEUY5Q5YCAP2A4ZP/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VEDIJM7VQF4Q2L2KKQ6KJ2WZNR7AXYQD/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7677
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43138
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37890
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-48949
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37599
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26136
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46234
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12905
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4067
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48387
SRPMS
9/core
- yarnpkg-1.22.22-0.10.9.2.1.mga9