
Fedora updates have been released for several packages, including git-lfs-3.7.1 and chromium-141.0.7390.122, to fix security vulnerabilities, such as CVE-2025-12036 in Chromium and multiple CVEs in Git LFS. The updates include fixes for issues like CrossOriginProtection bypass, unexpected paths returned from LookPath, and arbitrary file writing via crafted symlinks.

Fedora 42 Update: git-lfs-3.7.1-1.fc42
Fedora 43 Update: git-lfs-3.7.1-1.fc43
Fedora 41 Update: chromium-141.0.7390.122-1.fc41
Fedora 41 Update: git-lfs-3.7.1-1.fc41




[SECURITY] Fedora 42 Update: git-lfs-3.7.1-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-f8d1e1df04
2025-10-29 01:45:52.929013+00:00
--------------------------------------------------------------------------------

Name : git-lfs
Product : Fedora 42
Version : 3.7.1
Release : 1.fc42
URL : https://git-lfs.github.io/
Summary : Git extension for versioning large files
Description :
Git Large File Storage (LFS) replaces large files such as audio samples,
videos, datasets, and graphics with text pointers inside Git, while
storing the file contents on a remote server.

--------------------------------------------------------------------------------
Update Information:

Update to latest version (#2404637)
Fix CVE-2025-47910, CVE-2025-47906, CVE-2025-26625
--------------------------------------------------------------------------------
ChangeLog:

* Mon Oct 20 2025 Elliott Sales de Andrade [quantum.analyst@gmail.com] - 3.7.1-1
- Update to latest version (#2404637)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2398691 - CVE-2025-47910 git-lfs: CrossOriginProtection bypass in net/http [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2398691
[ 2 ] Bug #2399372 - CVE-2025-47906 git-lfs: Unexpected paths returned from LookPath in os/exec [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2399372
[ 3 ] Bug #2404637 - git-lfs-3.7.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2404637
[ 4 ] Bug #2404744 - CVE-2025-26625 git-lfs: Git LFS may write to arbitrary files via crafted symlinks [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2404744
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-f8d1e1df04' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------




[SECURITY] Fedora 43 Update: git-lfs-3.7.1-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-7dfe24dbaa
2025-10-29 01:23:01.616161+00:00
--------------------------------------------------------------------------------

Name : git-lfs
Product : Fedora 43
Version : 3.7.1
Release : 1.fc43
URL : https://git-lfs.github.io/
Summary : Git extension for versioning large files
Description :
Git Large File Storage (LFS) replaces large files such as audio samples,
videos, datasets, and graphics with text pointers inside Git, while
storing the file contents on a remote server.

--------------------------------------------------------------------------------
Update Information:

Update to latest version (#2404637)
Fix CVE-2025-26625
--------------------------------------------------------------------------------
ChangeLog:

* Mon Oct 20 2025 Elliott Sales de Andrade [quantum.analyst@gmail.com] - 3.7.1-1
- Update to latest version (#2404637)
* Fri Oct 10 2025 Alejandro Sáez [asm@redhat.com] - 3.7.0-2
- rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2404637 - git-lfs-3.7.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2404637
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-7dfe24dbaa' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------



[SECURITY] Fedora 41 Update: chromium-141.0.7390.122-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-6728ac0fca
2025-10-29 01:08:25.691460+00:00
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 41
Version : 141.0.7390.122
Release : 1.fc41
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

Update to 141.0.7390.122
High CVE-2025-12036 chromium: Inappropriate implementation in V8
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 22 2025 Than Ngo [than@redhat.com] - 141.0.7390.122-1
- Update to 141.0.7390.122
* High CVE-2025-12036 chromium: Inappropriate implementation in V8
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-6728ac0fca' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------




[SECURITY] Fedora 41 Update: git-lfs-3.7.1-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-5872b9ec46
2025-10-29 01:08:25.691374+00:00
--------------------------------------------------------------------------------

Name : git-lfs
Product : Fedora 41
Version : 3.7.1
Release : 1.fc41
URL : https://git-lfs.github.io/
Summary : Git extension for versioning large files
Description :
Git Large File Storage (LFS) replaces large files such as audio samples,
videos, datasets, and graphics with text pointers inside Git, while
storing the file contents on a remote server.

--------------------------------------------------------------------------------
Update Information:

Update to latest version (#2404637)
Fix CVE-2025-22870, CVE-2025-47910, CVE-2025-47906, CVE-2025-26625
--------------------------------------------------------------------------------
ChangeLog:

* Mon Oct 20 2025 Elliott Sales de Andrade [quantum.analyst@gmail.com] - 3.7.1-1
- Update to latest version (#2404637)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2352168 - CVE-2025-22870 git-lfs: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2352168
[ 2 ] Bug #2398435 - CVE-2025-47910 git-lfs: CrossOriginProtection bypass in net/http [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2398435
[ 3 ] Bug #2399097 - CVE-2025-47906 git-lfs: Unexpected paths returned from LookPath in os/exec [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2399097
[ 4 ] Bug #2404637 - git-lfs-3.7.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2404637
[ 5 ] Bug #2404743 - CVE-2025-26625 git-lfs: Git LFS may write to arbitrary files via crafted symlinks [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2404743
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-5872b9ec46' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------
