Bug 33674 - yarnpkg new security issues CVE-2024-37890, CVE-2024-48949 and CVE-2024-12905
Summary: yarnpkg new security issues CVE-2024-37890, CVE-2024-48949 and CVE-2024-12905
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on: 34384
Blocks:
Reported: 2024-10-25 11:35 CEST by Nicolas Salguero
Modified: 2025-06-25 07:33 CEST (History)

See Also:
Source RPM: yarnpkg-1.22.22-0.10.8.2.1.mga9.src.rpm
CVE: CVE-2020-7677, CVE-2021-43138, CVE-2022-3517, CVE-2024-37890, CVE-2024-48949, CVE-2022-37599, CVE-2023-26136, CVE-2023-46234, CVE-2024-12905, CVE-2024-4067, CVE-2025-48387
Status comment:



Nicolas Salguero 2024-10-25 11:36:41 CEST

CVE: (none) => CVE-2024-37890, CVE-2024-48949
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => yarnpkg-1.22.22-0.10.8.2.2.mga10.src.rpm, yarnpkg-1.22.22-0.10.8.2.1.mga9.src.rpm

Comment 1 Marja Van Waes 2024-10-25 16:04:22 CEST
No registered maintainer, assigning to all.

CC'ing daviddavid who was the last one to touch it.

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, marja11

Comment 2 Nicolas Salguero 2025-04-22 13:39:08 CEST
Fedora has issued an advisory on April 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UGLXZO6VIHGIITQTEUY5Q5YCAP2A4ZP/

Summary: yarnpkg new security issues CVE-2024-37890 and CVE-2024-48949 => yarnpkg new security issues CVE-2024-37890, CVE-2024-48949 and CVE-2024-12905

Nicolas Salguero 2025-04-22 13:39:19 CEST

CVE: CVE-2024-37890, CVE-2024-48949 => CVE-2024-37890, CVE-2024-48949, CVE-2024-12905

katnatek 2025-06-02 03:30:14 CEST

Assignee: pkg-bugs => j.alberto.vc

Comment 3 katnatek 2025-06-02 04:09:34 CEST
I thought this would be a bit simpler, but one of Fedora's patches fails for me.

Assignee: j.alberto.vc => pkg-bugs

Comment 4 katnatek 2025-06-19 02:38:49 CEST
I rebased our spec & sources on Fedora's; I'm making a build test before sending to Mageia.

katnatek 2025-06-19 05:15:38 CEST

CVE: CVE-2024-37890, CVE-2024-48949, CVE-2024-12905 => CVE-2020-7677, CVE-2021-43138, CVE-2022-3517, CVE-2024-37890, CVE-2024-48949, CVE-2022-37599, CVE-2023-26136, CVE-2023-46234, CVE-2024-12905, CVE-2024-4067, CVE-2025-48387

katnatek 2025-06-19 19:00:40 CEST

Depends on: (none) => 34384

Comment 5 katnatek 2025-06-20 01:01:04 CEST
Fixed in cauldron

Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Source RPM: yarnpkg-1.22.22-0.10.8.2.2.mga10.src.rpm, yarnpkg-1.22.22-0.10.8.2.1.mga9.src.rpm => yarnpkg-1.22.22-0.10.8.2.1.mga9.src.rpm

Comment 6 katnatek 2025-06-24 07:00:20 CEST
RPM:
yarnpkg-1.22.22-0.10.9.2.1.mga9

SRPM:
yarnpkg-1.22.22-0.10.9.2.1.mga9

Assignee: pkg-bugs => qa-bugs

Comment 7 Herman Viaene 2025-06-24 10:41:07 CEST
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
No previous tests found, so tried some commands taken from https://classic.yarnpkg.com/lang/en/docs/getting-started/
$ yarn
yarn install v1.22.22
info No lockfile found.
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
Done in 4.34s.

$ yarn --version
1.22.22

$ yarn init
yarn init v1.22.22
question name (tester9): 
question version (1.0.0): 
question description: azerty
question entry point (index.js): 1
question repository url: 
question author: 
question license (MIT): 
question private: 
success Saved package.json
Done in 35.92s.
Found the package.json file in my home directory.
That's as far as I go.
If that's sufficient, let it go.

CC: (none) => herman.viaene

katnatek 2025-06-24 20:01:44 CEST

Keywords: (none) => advisory

Comment 8 katnatek 2025-06-24 20:45:57 CEST
RH x86_64

installing yarnpkg-1.22.22-0.10.9.2.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: yarnpkg               ##################################################################################################
      1/1: removing yarnpkg-1.22.22-0.10.8.2.1.mga9.x86_64
                                 ##################################################################################################

Used it in the process of building an Electron application; looks good to me too.

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK

Comment 9 Thomas Andrews 2025-06-25 00:54:15 CEST
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 10 Mageia Robot 2025-06-25 07:33:00 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0194.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

