Two security updates have been released for Fedora. The first update, FEDORA-2025-e1ae3d4ed9, addresses two low-severity CVEs in the exiv2 package and includes a patch to fix silent ABI breakage. The second update, FEDORA-2025-4647d515fc and FEDORA-2025-691c5cb4f4 for Fedora 41 and 42, respectively, applies a fix for CVE-2025-9300 in the libsixel package.

Fedora 41 Update: exiv2-0.28.6-2.fc41
Fedora 41 Update: libsixel-1.10.5-3.fc41
Fedora 42 Update: libsixel-1.10.5-4.fc42

[SECURITY] Fedora 41 Update: exiv2-0.28.6-2.fc41

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-e1ae3d4ed9
2025-09-04 01:28:02.523160+00:00
--------------------------------------------------------------------------------

Name : exiv2
Product : Fedora 41
Version : 0.28.6
Release : 2.fc41
URL : http://www.exiv2.org/
Summary : Exif, IPTC and XMP metadata manipulation library
Description :
A command line utility to access image metadata, allowing one to:
* print the Exif metadata of Jpeg images as summary info, interpreted values,
or the plain data for each tag
* print the Iptc metadata of Jpeg images
* print the Jpeg comment of Jpeg images
* set, add and delete Exif and Iptc metadata of Jpeg images
* adjust the Exif timestamp (that's how it all started...)
* rename Exif image files according to the Exif timestamp
* extract, insert and delete Exif metadata (including thumbnails),
Iptc metadata and Jpeg comments

--------------------------------------------------------------------------------
Update Information:

Exiv2 0.28.6 + patch to fix silent abi breakage
Exiv2 v0.28.6 (Fixes two low severity CVEs)
--------------------------------------------------------------------------------
ChangeLog:

* Sun Aug 31 2025 Steve Cossette [farchord@gmail.com] - 0.28.6-2
- Make methods non-virtual (Fix for a silent ABI change introduced in
0.28.6)
* Fri Aug 29 2025 Steve Cossette [farchord@gmail.com] - 0.28.6-1
- 0.28.6
* Wed Jul 23 2025 Fedora Release Engineering [releng@fedoraproject.org] - 0.28.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2391815 - CVE-2025-54080 exiv2: Exiv2 Segmentation Faults [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2391815
[ 2 ] Bug #2391836 - CVE-2025-55304 exiv2: Exiv2 has quadratic performance in ICC profile parsing in JpegBase::readMetadata [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2391836
[ 3 ] Bug #2391902 - exiv2-0.28.6 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2391902
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-e1ae3d4ed9' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--

[SECURITY] Fedora 41 Update: libsixel-1.10.5-3.fc41

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-4647d515fc
2025-09-04 01:28:02.523145+00:00
--------------------------------------------------------------------------------

Name : libsixel
Product : Fedora 41
Version : 1.10.5
Release : 3.fc41
URL : https://github.com/libsixel/libsixel
Summary : SIXEL encoding and decoding
Description :
An encoder/decoder implementation for DEC SIXEL graphics.

--------------------------------------------------------------------------------
Update Information:

Apply fix for CVE-2025-9300
--------------------------------------------------------------------------------
ChangeLog:

* Tue Aug 26 2025 ErrorNoInternet [errornointernet@envs.net] - 1.10.5-3
- Apply fix for CVE-2025-9300
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2390150 - CVE-2025-9300 libsixel: buffer overflow in img2sixel when processing crafted image files [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2390150
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-4647d515fc' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--

[SECURITY] Fedora 42 Update: libsixel-1.10.5-4.fc42

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-691c5cb4f4
2025-09-04 00:50:37.981059+00:00
--------------------------------------------------------------------------------

Name : libsixel
Product : Fedora 42
Version : 1.10.5
Release : 4.fc42
URL : https://github.com/libsixel/libsixel
Summary : SIXEL encoding and decoding
Description :
An encoder/decoder implementation for DEC SIXEL graphics.

--------------------------------------------------------------------------------
Update Information:

Apply fix for CVE-2025-9300
--------------------------------------------------------------------------------
ChangeLog:

* Tue Aug 26 2025 ErrorNoInternet [errornointernet@envs.net] - 1.10.5-4
- Apply fix for CVE-2025-9300
* Thu Jul 24 2025 Fedora Release Engineering [releng@fedoraproject.org] - 1.10.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2390151 - CVE-2025-9300 libsixel: buffer overflow in img2sixel when processing crafted image files [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2390151
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-691c5cb4f4' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--