
Several security updates have been released for Fedora Linux, including new versions of ov (0.50.2-1) and docker-buildkit (0.26.3-1). These updates cover two releases: Fedora 42 and Fedora 43. The chezmoi and subfinder packages have also received security updates, both for Fedora 43. Docker BuildKit was updated twice in Fedora 43, to the same version.

Fedora 42 Update: ov-0.50.2-1.fc42
Fedora 42 Update: docker-buildkit-0.26.3-1.fc42
Fedora 43 Update: ov-0.50.2-1.fc43
Fedora 43 Update: chezmoi-2.68.1-1.fc43
Fedora 43 Update: subfinder-2.10.1-1.fc43
Fedora 43 Update: docker-buildkit-0.26.3-1.fc43




[SECURITY] Fedora 42 Update: ov-0.50.2-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-9ded4c3651
2025-12-26 00:56:54.910496+00:00
--------------------------------------------------------------------------------

Name : ov
Product : Fedora 42
Version : 0.50.2
Release : 1.fc42
URL : https://github.com/noborus/ov
Summary : Feature-rich terminal-based text viewer
Description :
Feature-rich terminal-based text viewer. It is a so-called terminal pager.

--------------------------------------------------------------------------------
Update Information:

Update to 0.50.2
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 17 2025 Mikel Olasagasti Uranga [mikel@olasagasti.info] - 0.50.2-1
- Update to 0.50.2 - Closes rhbz#2397069
* Fri Oct 10 2025 Maxwell G [maxwell@gtmx.me] - 0.43.0-3
- Rebuild for golang 1.25.2
* Fri Oct 10 2025 Alejandro Sáez [asm@redhat.com] - 0.43.0-2
- rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2384165 - ov: go-viper information leak [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2384165
[ 2 ] Bug #2390879 - ov: go-viper's mapstructure May Leak Sensitive Information in Logs [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2390879
[ 3 ] Bug #2391668 - CVE-2025-58058 ov: github.com/ulikunitz/xz leaks memory [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2391668
[ 4 ] Bug #2398872 - CVE-2025-47910 ov: CrossOriginProtection bypass in net/http [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2398872
[ 5 ] Bug #2399549 - CVE-2025-47906 ov: Unexpected paths returned from LookPath in os/exec [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2399549
[ 6 ] Bug #2408082 - CVE-2025-58189 ov: go crypto/tls ALPN negotiation error contains attacker controlled information [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2408082
[ 7 ] Bug #2409552 - CVE-2025-61723 ov: Quadratic complexity when parsing some invalid inputs in encoding/pem [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2409552
[ 8 ] Bug #2410503 - CVE-2025-58185 ov: Parsing DER payload can cause memory exhaustion in encoding/asn1 [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2410503
[ 9 ] Bug #2411401 - CVE-2025-58188 ov: Panic when validating certificates with DSA public keys in crypto/x509 [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2411401
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-9ded4c3651' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 42 Update: docker-buildkit-0.26.3-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-9cf9edf688
2025-12-26 00:56:54.910477+00:00
--------------------------------------------------------------------------------

Name : docker-buildkit
Product : Fedora 42
Version : 0.26.3
Release : 1.fc42
URL : https://github.com/moby/buildkit
Summary : Concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit
Description :
Concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit.

--------------------------------------------------------------------------------
Update Information:

Update to release v0.26.3
Resolves CVE-2024-25621: rhbz#2419004, rhbz#2419033, rhbz#2419427
Upstream fix
--------------------------------------------------------------------------------
ChangeLog:

* Tue Dec 16 2025 Bradley G Smith [bradley.g.smith@gmail.com] - 0.26.3-1
- Update to release v0.26.3
- Resolves CVE-2024-25621: rhbz#2419004, rhbz#2419033, rhbz#2419427
- Upstream fix
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2419004 - CVE-2024-25621 docker-buildkit: containerd local privilege escalation [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2419004
[ 2 ] Bug #2419033 - CVE-2024-25621 docker-buildkit: containerd local privilege escalation [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2419033
[ 3 ] Bug #2419427 - CVE-2024-25621 docker-buildkit: containerd local privilege escalation [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2419427
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-9cf9edf688' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------




[SECURITY] Fedora 43 Update: ov-0.50.2-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-0d2748fa32
2025-12-26 00:43:51.117595+00:00
--------------------------------------------------------------------------------

Name : ov
Product : Fedora 43
Version : 0.50.2
Release : 1.fc43
URL : https://github.com/noborus/ov
Summary : Feature-rich terminal-based text viewer
Description :
Feature-rich terminal-based text viewer. It is a so-called terminal pager.

--------------------------------------------------------------------------------
Update Information:

Update to 0.50.2
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 17 2025 Mikel Olasagasti Uranga [mikel@olasagasti.info] - 0.50.2-1
- Update to 0.50.2 - Closes rhbz#2397069
* Fri Oct 10 2025 Maxwell G [maxwell@gtmx.me] - 0.43.0-3
- Rebuild for golang 1.25.2
* Fri Oct 10 2025 Alejandro Sáez [asm@redhat.com] - 0.43.0-2
- rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2408337 - CVE-2025-58189 ov: go crypto/tls ALPN negotiation error contains attacker controlled information [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2408337
[ 2 ] Bug #2409810 - CVE-2025-61723 ov: Quadratic complexity when parsing some invalid inputs in encoding/pem [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2409810
[ 3 ] Bug #2410760 - CVE-2025-58185 ov: Parsing DER payload can cause memory exhaustion in encoding/asn1 [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2410760
[ 4 ] Bug #2411656 - CVE-2025-58188 ov: Panic when validating certificates with DSA public keys in crypto/x509 [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2411656
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-0d2748fa32' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: chezmoi-2.68.1-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-28e625afa6
2025-12-26 00:43:51.117598+00:00
--------------------------------------------------------------------------------

Name : chezmoi
Product : Fedora 43
Version : 2.68.1
Release : 1.fc43
URL : https://github.com/twpayne/chezmoi
Summary : Manage your dotfiles across multiple diverse machines
Description :
Manage your dotfiles across multiple diverse machines, securely.

--------------------------------------------------------------------------------
Update Information:

Update to 2.68.1
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 17 2025 Mikel Olasagasti Uranga [mikel@olasagasti.info] - 2.68.1-1
- Update to 2.68.1 - Closes rhbz#2394285
* Fri Oct 10 2025 Maxwell G [maxwell@gtmx.me] - 2.63.1-2
- Rebuild for golang 1.25.2
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2408131 - CVE-2025-58189 chezmoi: go crypto/tls ALPN negotiation error contains attacker controlled information [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2408131
[ 2 ] Bug #2408695 - CVE-2025-61725 chezmoi: Excessive CPU consumption in ParseAddress in net/mail [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2408695
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-28e625afa6' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------




[SECURITY] Fedora 43 Update: subfinder-2.10.1-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-6b23a0b058
2025-12-26 00:43:51.117588+00:00
--------------------------------------------------------------------------------

Name : subfinder
Product : Fedora 43
Version : 2.10.1
Release : 1.fc43
URL : https://github.com/projectdiscovery/subfinder
Summary : Fast passive subdomain enumeration tool
Description :
Subfinder is a subdomain discovery tool that discovers valid subdomains for
websites. Designed as a passive framework to be useful for bug bounties and
safe for penetration testing.

--------------------------------------------------------------------------------
Update Information:

Update to 2.10.1
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 17 2025 Mikel Olasagasti Uranga [mikel@olasagasti.info] - 2.10.1-1
- Update to 2.10.1 - Closes rhbz#2415791
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2408353 - CVE-2025-58189 subfinder: go crypto/tls ALPN negotiation error contains attacker controlled information [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2408353
[ 2 ] Bug #2409825 - CVE-2025-61723 subfinder: Quadratic complexity when parsing some invalid inputs in encoding/pem [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2409825
[ 3 ] Bug #2410775 - CVE-2025-58185 subfinder: Parsing DER payload can cause memory exhaustion in encoding/asn1 [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2410775
[ 4 ] Bug #2411671 - CVE-2025-58188 subfinder: Panic when validating certificates with DSA public keys in crypto/x509 [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2411671
[ 5 ] Bug #2412605 - CVE-2025-58183 subfinder: Unbounded allocation when parsing GNU sparse map [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2412605
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-6b23a0b058' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------




[SECURITY] Fedora 43 Update: docker-buildkit-0.26.3-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-94f9b9b1b1
2025-12-26 00:43:51.117576+00:00
--------------------------------------------------------------------------------

Name : docker-buildkit
Product : Fedora 43
Version : 0.26.3
Release : 1.fc43
URL : https://github.com/moby/buildkit
Summary : Concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit
Description :
Concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit.

--------------------------------------------------------------------------------
Update Information:

Update to release v0.26.3
Resolves CVE-2024-25621: rhbz#2419004, rhbz#2419033, rhbz#2419427
Upstream fix
--------------------------------------------------------------------------------
ChangeLog:

* Tue Dec 16 2025 Bradley G Smith [bradley.g.smith@gmail.com] - 0.26.3-1
- Update to release v0.26.3
- Resolves CVE-2024-25621: rhbz#2419004, rhbz#2419033, rhbz#2419427
- Upstream fix
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2419004 - CVE-2024-25621 docker-buildkit: containerd local privilege escalation [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2419004
[ 2 ] Bug #2419033 - CVE-2024-25621 docker-buildkit: containerd local privilege escalation [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2419033
[ 3 ] Bug #2419427 - CVE-2024-25621 docker-buildkit: containerd local privilege escalation [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2419427
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-94f9b9b1b1' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------
