
The Fedora project has released security updates for Fedora 41 and Fedora 42 to address several vulnerabilities. The yq package, a portable command-line YAML, JSON, XML, CSV, TOML, and properties processor, has been updated on both Fedora 41 and Fedora 42; the update adds shell completions and fixes bugs, and the changes are the same on both releases. The Kea package, a DHCPv4, DHCPv6, and DDNS server from ISC, has been updated on Fedora 42 to the new version 3.0.1, which fixes CVE-2025-40779.

Fedora 41 Update: yq-4.47.1-2.fc41
Fedora 42 Update: yq-4.47.1-2.fc42
Fedora 42 Update: kea-3.0.1-1.fc42




[SECURITY] Fedora 41 Update: yq-4.47.1-2.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-d8a379a267
2025-09-07 01:12:58.236453+00:00
--------------------------------------------------------------------------------

Name : yq
Product : Fedora 41
Version : 4.47.1
Release : 2.fc41
URL : https://github.com/mikefarah/yq
Summary : Yq is a portable command-line YAML, JSON, XML, CSV, TOML and properties processor
Description :
Yq is a portable command-line YAML, JSON, XML, CSV, TOML and properties
processor.

--------------------------------------------------------------------------------
Update Information:

Add shell-completions
Update to 4.47.1 and adopt go-vendor-tools
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug 29 2025 Mikel Olasagasti Uranga [mikel@olasagasti.info] - 4.47.1-2
- Add shell completions
* Thu Aug 21 2025 Romain Geissler [romain.geissler@amadeus.com] - 4.47.1-1
- Upgrade to upstream version 4.47.1 and use vendoring (rhbz#2282002).
* Fri Aug 15 2025 Maxwell G [maxwell@gtmx.me] - 4.43.1-7
- Rebuild for golang-1.25.0
* Fri Jul 25 2025 Fedora Release Engineering [releng@fedoraproject.org] - 4.43.1-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2352349 - CVE-2025-22870 yq: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2352349
[ 2 ] Bug #2360619 - CVE-2025-22872 yq: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2360619
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-d8a379a267' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--



[SECURITY] Fedora 42 Update: yq-4.47.1-2.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-99309ef35f
2025-09-07 00:51:16.113251+00:00
--------------------------------------------------------------------------------

Name : yq
Product : Fedora 42
Version : 4.47.1
Release : 2.fc42
URL : https://github.com/mikefarah/yq
Summary : Yq is a portable command-line YAML, JSON, XML, CSV, TOML and properties processor
Description :
Yq is a portable command-line YAML, JSON, XML, CSV, TOML and properties
processor.

--------------------------------------------------------------------------------
Update Information:

Add shell-completions
Update to 4.47.1 and adopt go-vendor-tools
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug 29 2025 Mikel Olasagasti Uranga [mikel@olasagasti.info] - 4.47.1-2
- Add shell completions
* Thu Aug 21 2025 Romain Geissler [romain.geissler@amadeus.com] - 4.47.1-1
- Upgrade to upstream version 4.47.1 and use vendoring (rhbz#2282002).
* Fri Aug 15 2025 Maxwell G [maxwell@gtmx.me] - 4.43.1-7
- Rebuild for golang-1.25.0
* Fri Jul 25 2025 Fedora Release Engineering [releng@fedoraproject.org] - 4.43.1-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2282002 - v4.44.1 of yq was released
https://bugzilla.redhat.com/show_bug.cgi?id=2282002
[ 2 ] Bug #2360655 - CVE-2025-22872 yq: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2360655
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-99309ef35f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--



[SECURITY] Fedora 42 Update: kea-3.0.1-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-92b4ae7199
2025-09-07 00:51:16.113246+00:00
--------------------------------------------------------------------------------

Name : kea
Product : Fedora 42
Version : 3.0.1
Release : 1.fc42
URL : http://kea.isc.org
Summary : DHCPv4, DHCPv6 and DDNS server from ISC
Description :
DHCP implementation from Internet Systems Consortium, Inc. that features fully
functional DHCPv4, DHCPv6 and Dynamic DNS servers.
Both DHCP servers fully support server discovery, address assignment, renewal,
rebinding and release. The DHCPv6 server supports prefix delegation. Both
servers support DNS Update mechanism, using stand-alone DDNS daemon.

--------------------------------------------------------------------------------
Update Information:

New version 3.0.1 (rhbz#2391289)
Fixes CVE-2025-40779 (rhbz#2391373)
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug 29 2025 Martin Osvald [mosvald@redhat.com] - 3.0.1-1
- New version 3.0.1 (rhbz#2391289)
- Fixes CVE-2025-40779 (rhbz#2391373)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2391373 - CVE-2025-40779 kea: Kea crash upon interaction between specific client options and subnet selection
https://bugzilla.redhat.com/show_bug.cgi?id=2391373
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-92b4ae7199' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------

--