Aggregator

USN-7918-1: Netty vulnerabilities

Ubuntu Security Advisories
2 weeks 2 days ago
Jeppe Bonde Weikop discovered that Netty incorrectly parsed HTTP messages. When Netty is used with certain reverse proxies, a remote attacker could possibly use this issue to perform HTTP request smuggling attacks. (CVE-2025-58056) Jonas Konrad discovered that Netty did not properly manage memory when decoding compressed data. A remote attacker could possibly use this issue to cause Netty to consume excessive memory, resulting in a denial of service. This issue was only addressed in Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.04, and Ubuntu 25.10. (CVE-2025-58057)

python-django4.2-4.2.27-1.fc42

Fedora Security Advisories
2 weeks 2 days ago
FEDORA-2025-b1379d950d Packages in this update:
  • python-django4.2-4.2.27-1.fc42
Update description:
  • Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
  • Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
  • Fixes CVE-2025-64459: Potential SQL injection via _connector keyword argument (4.2.26)
  • Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (4.2.25)
  • Fixes CVE-2025-59682: Potential partial directory-traversal via archive.extract() (4.2.25)
  • Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases (4.2.24)

python-django4.2-4.2.27-1.fc41

Fedora Security Advisories
2 weeks 2 days ago
FEDORA-2025-c08e0795c0 Packages in this update:
  • python-django4.2-4.2.27-1.fc41
Update description:
  • Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
  • Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
  • Fixes CVE-2025-64459: Potential SQL injection via _connector keyword argument (4.2.26)
  • Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (4.2.25)
  • Fixes CVE-2025-59682: Potential partial directory-traversal via archive.extract() (4.2.25)
  • Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases (4.2.24)

python-django4.2-4.2.27-1.el9

Fedora Security Advisories
2 weeks 2 days ago
FEDORA-EPEL-2025-f43c018f46 Packages in this update:
  • python-django4.2-4.2.27-1.el9
Update description:
  • Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
  • Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
  • Fixes CVE-2025-64459: Potential SQL injection via _connector keyword argument (4.2.26)
  • Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (4.2.25)
  • Fixes CVE-2025-59682: Potential partial directory-traversal via archive.extract() (4.2.25)
  • Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases (4.2.24)

python-django5-5.2.9-1.fc43

Fedora Security Advisories
2 weeks 2 days ago
FEDORA-2025-24dfd3b072 Packages in this update:
  • python-django5-5.2.9-1.fc43
Update description:
  • Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
  • Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
  • Fixes CVE-2025-64459: Potential SQL injection via _connector keyword argument (5.2.8)
  • Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (5.2.7)
  • Fixes CVE-2025-59682: Potential partial directory-traversal via archive.extract() (5.2.7)
  • Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases (5.2.6)

python-django5-5.2.9-1.fc42

Fedora Security Advisories
2 weeks 2 days ago
FEDORA-2025-45ee190318 Packages in this update:
  • python-django5-5.2.9-1.fc42
Update description:
  • Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
  • Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
  • Fixes CVE-2025-64459: Potential SQL injection via _connector keyword argument (5.2.8)
  • Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (5.2.7)
  • Fixes CVE-2025-59682: Potential partial directory-traversal via archive.extract() (5.2.7)
  • Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases (5.2.6)

USN-7917-1: fontTools vulnerabilities

Ubuntu Security Advisories
2 weeks 2 days ago
It was discovered that the subsetting module of fontTools was vulnerable to an XML External Entity (XEE) attack. An unauthenticated remote attacker could possibly use this issue to include arbitrary files from the file system or make web requests from the host system. This issue only affected Ubuntu 22.04 LTS. (CVE-2023-45139) It was discovered that fontTools was vulnerable to path traversal attacks. If a user or automated system were tricked into extracting a specially crafted .designspace file, an attacker could possibly use this issue to write arbitrary files outside the target directory, resulting in remote code execution. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.04 and Ubuntu 25.10. (CVE-2025-66034)