
Several security updates have been released for Fedora Linux. The golang packages golang-github-evanw-esbuild, golang-github-alecthomas-chroma-2, and golang-github-jwt-5 have been rebuilt for both Fedora 42 and Fedora 43, and opentofu has been updated for Fedora 43. FluidSynth has also received an update for Fedora 42.

Fedora 42 Update: golang-github-evanw-esbuild-0.24.2-4.fc42
Fedora 42 Update: golang-github-alecthomas-chroma-2-2.14.0-4.fc42
Fedora 42 Update: golang-github-jwt-5-5.2.1-4.fc42
Fedora 43 Update: golang-github-evanw-esbuild-0.24.2-6.fc43
Fedora 43 Update: golang-github-jwt-5-5.2.1-6.fc43
Fedora 43 Update: golang-github-alecthomas-chroma-2-2.14.0-6.fc43
Fedora 43 Update: opentofu-1.11.2-1.fc43
Fedora 42 Update: fluidsynth-2.5.2-1.fc42




[SECURITY] Fedora 42 Update: golang-github-evanw-esbuild-0.24.2-4.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-be54db24e3
2025-12-30 01:14:05.828904+00:00
--------------------------------------------------------------------------------

Name : golang-github-evanw-esbuild
Product : Fedora 42
Version : 0.24.2
Release : 4.fc42
URL : https://github.com/evanw/esbuild
Summary : Fast JavaScript bundler and minifier
Description :
This is a JavaScript bundler and minifier. It packages up JavaScript and
TypeScript code for distribution on the web.

--------------------------------------------------------------------------------
Update Information:

Rebuild for CVEs
--------------------------------------------------------------------------------
ChangeLog:

* Sun Dec 21 2025 W. Michael Petullo [mike@flyn.org] - 0.24.2-4
- Rebuild for CVEs
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2398272 - CVE-2025-56648 golang-github-evanw-esbuild: Parcel Origin Validation Error [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2398272
[ 2 ] Bug #2398722 - CVE-2025-47910 golang-github-evanw-esbuild: CrossOriginProtection bypass in net/http [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2398722
[ 3 ] Bug #2407928 - CVE-2025-58189 golang-github-evanw-esbuild: go crypto/tls ALPN negotiation error contains attacker controlled information [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2407928
[ 4 ] Bug #2409398 - CVE-2025-61723 golang-github-evanw-esbuild: Quadratic complexity when parsing some invalid inputs in encoding/pem [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2409398
[ 5 ] Bug #2410348 - CVE-2025-58185 golang-github-evanw-esbuild: Parsing DER payload can cause memory exhaustion in encoding/asn1 [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2410348
[ 6 ] Bug #2411249 - CVE-2025-58188 golang-github-evanw-esbuild: Panic when validating certificates with DSA public keys in crypto/x509 [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2411249
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-be54db24e3' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 42 Update: golang-github-alecthomas-chroma-2-2.14.0-4.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-570618af7e
2025-12-30 01:14:05.828901+00:00
--------------------------------------------------------------------------------

Name : golang-github-alecthomas-chroma-2
Product : Fedora 42
Version : 2.14.0
Release : 4.fc42
URL : https://github.com/alecthomas/chroma
Summary : A general purpose syntax highlighter in pure Go
Description :
A general purpose syntax highlighter in pure Go.

--------------------------------------------------------------------------------
Update Information:

Rebuilt for CVE-2025-58185
--------------------------------------------------------------------------------
ChangeLog:

* Sun Dec 21 2025 W. Michael Petullo [mike@flyn.org] - 2.14.0-4
- Rebuilt for CVE-2025-58185
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2410326 - CVE-2025-58185 golang-github-alecthomas-chroma-2: Parsing DER payload can cause memory exhaustion in encoding/asn1 [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2410326
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-570618af7e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 42 Update: golang-github-jwt-5-5.2.1-4.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-17f9c28389
2025-12-30 01:14:05.828899+00:00
--------------------------------------------------------------------------------

Name : golang-github-jwt-5
Product : Fedora 42
Version : 5.2.1
Release : 4.fc42
URL : https://github.com/golang-jwt/jwt
Summary : A Go implementation of JSON Web Tokens
Description :
A Go implementation of JSON Web Tokens.

--------------------------------------------------------------------------------
Update Information:

Rebuilt for CVE-2025-61723
--------------------------------------------------------------------------------
ChangeLog:

* Sun Dec 21 2025 W. Michael Petullo [mike@flyn.org] - 5.2.1-4
- Rebuilt for CVE-2025-61723
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-17f9c28389' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 43 Update: golang-github-evanw-esbuild-0.24.2-6.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-4068748872
2025-12-30 00:38:13.645663+00:00
--------------------------------------------------------------------------------

Name : golang-github-evanw-esbuild
Product : Fedora 43
Version : 0.24.2
Release : 6.fc43
URL : https://github.com/evanw/esbuild
Summary : Fast JavaScript bundler and minifier
Description :
This is a JavaScript bundler and minifier. It packages up JavaScript and
TypeScript code for distribution on the web.

--------------------------------------------------------------------------------
Update Information:

Rebuild for CVEs
--------------------------------------------------------------------------------
ChangeLog:

* Sun Dec 21 2025 W. Michael Petullo [mike@flyn.org] - 0.24.2-6
- Rebuild for CVEs
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2408203 - CVE-2025-58189 golang-github-evanw-esbuild: go crypto/tls ALPN negotiation error contains attacker controlled information [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2408203
[ 2 ] Bug #2409673 - CVE-2025-61723 golang-github-evanw-esbuild: Quadratic complexity when parsing some invalid inputs in encoding/pem [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2409673
[ 3 ] Bug #2410625 - CVE-2025-58185 golang-github-evanw-esbuild: Parsing DER payload can cause memory exhaustion in encoding/asn1 [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2410625
[ 4 ] Bug #2411522 - CVE-2025-58188 golang-github-evanw-esbuild: Panic when validating certificates with DSA public keys in crypto/x509 [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2411522
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-4068748872' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 43 Update: golang-github-jwt-5-5.2.1-6.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-12b00d8e2c
2025-12-30 00:38:13.645657+00:00
--------------------------------------------------------------------------------

Name : golang-github-jwt-5
Product : Fedora 43
Version : 5.2.1
Release : 6.fc43
URL : https://github.com/golang-jwt/jwt
Summary : A Go implementation of JSON Web Tokens
Description :
A Go implementation of JSON Web Tokens.

--------------------------------------------------------------------------------
Update Information:

Rebuilt for CVE-2025-61723
--------------------------------------------------------------------------------
ChangeLog:

* Sun Dec 21 2025 W. Michael Petullo [mike@flyn.org] - 5.2.1-6
- Rebuilt for CVE-2025-61723
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2410650 - CVE-2025-58185 golang-github-jwt-5: Parsing DER payload can cause memory exhaustion in encoding/asn1 [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2410650
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-12b00d8e2c' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 43 Update: golang-github-alecthomas-chroma-2-2.14.0-6.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-cfdd59f20f
2025-12-30 00:38:13.645660+00:00
--------------------------------------------------------------------------------

Name : golang-github-alecthomas-chroma-2
Product : Fedora 43
Version : 2.14.0
Release : 6.fc43
URL : https://github.com/alecthomas/chroma
Summary : A general purpose syntax highlighter in pure Go
Description :
A general purpose syntax highlighter in pure Go.

--------------------------------------------------------------------------------
Update Information:

Rebuilt for CVE-2025-58185
--------------------------------------------------------------------------------
ChangeLog:

* Sun Dec 21 2025 W. Michael Petullo [mike@flyn.org] - 2.14.0-6
- Rebuilt for CVE-2025-58185
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2408184 - CVE-2025-58189 golang-github-alecthomas-chroma-2: go crypto/tls ALPN negotiation error contains attacker controlled information [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2408184
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-cfdd59f20f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 43 Update: opentofu-1.11.2-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-6968ab200a
2025-12-29 17:24:00.361574+00:00
--------------------------------------------------------------------------------

Name : opentofu
Product : Fedora 43
Version : 1.11.2
Release : 1.fc43
URL : https://github.com/opentofu/opentofu
Summary : OpenTofu lets you declaratively manage your cloud infrastructure
Description :
OpenTofu lets you declaratively manage your cloud infrastructure.

--------------------------------------------------------------------------------
Update Information:

Update to 1.11.2
--------------------------------------------------------------------------------
ChangeLog:

* Fri Dec 19 2025 Mikel Olasagasti Uranga [mikel@olasagasti.info] - 1.11.2-1
- Update to 1.11.2 - Closes rhbz#2420199
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2408335 - CVE-2025-58189 opentofu: go crypto/tls ALPN negotiation error contains attacker controlled information [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2408335
[ 2 ] Bug #2408738 - CVE-2025-61725 opentofu: Excessive CPU consumption in ParseAddress in net/mail [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2408738
[ 3 ] Bug #2409808 - CVE-2025-61723 opentofu: Quadratic complexity when parsing some invalid inputs in encoding/pem [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2409808
[ 4 ] Bug #2410758 - CVE-2025-58185 opentofu: Parsing DER payload can cause memory exhaustion in encoding/asn1 [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2410758
[ 5 ] Bug #2411654 - CVE-2025-58188 opentofu: Panic when validating certificates with DSA public keys in crypto/x509 [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2411654
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-6968ab200a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 42 Update: fluidsynth-2.5.2-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-202d079b40
2025-12-29 17:23:59.716712+00:00
--------------------------------------------------------------------------------

Name : fluidsynth
Product : Fedora 42
Version : 2.5.2
Release : 1.fc42
URL : http://www.fluidsynth.org/
Summary : Real-time software synthesizer
Description :
FluidSynth is a real-time software synthesizer based on the SoundFont 2
specifications. It is a "software synthesizer". FluidSynth can read MIDI events
from the MIDI input device and render them to the audio device. It features
real-time effect modulation using SoundFont 2.01 modulators, and a built-in
command line shell. It can also play MIDI files (note: FluidSynth was previously
called IIWU Synth).

--------------------------------------------------------------------------------
Update Information:

Update to 2.5.2
Fix for CVE-2025-68617
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 24 2025 Christoph Karl - 2.5.2-1
- Update to 2.5.2
- Fix for CVE-2025-68617
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2424828 - CVE-2025-68617 fluidsynth: FluidSynth: Race Condition in DLS Unloading Allows Code Execution and Privilege Escalation [epel-10]
https://bugzilla.redhat.com/show_bug.cgi?id=2424828
[ 2 ] Bug #2424831 - CVE-2025-68617 fluidsynth: FluidSynth: Race Condition in DLS Unloading Allows Code Execution and Privilege Escalation [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2424831
[ 3 ] Bug #2424833 - CVE-2025-68617 fluidsynth: FluidSynth: Race Condition in DLS Unloading Allows Code Execution and Privilege Escalation [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2424833
[ 4 ] Bug #2424835 - CVE-2025-68617 fluidsynth: FluidSynth: Race Condition in DLS Unloading Allows Code Execution and Privilege Escalation [epel-9]
https://bugzilla.redhat.com/show_bug.cgi?id=2424835
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-202d079b40' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--