Aggregator

containernetworking-plugins-1.9.0-1.fc44

2 weeks 6 days ago
FEDORA-2025-c67591d0a2 Packages in this update:
  • containernetworking-plugins-1.9.0-1.fc44
Update description:

Automatic update for containernetworking-plugins-1.9.0-1.fc44.

Changelog:
* Tue Dec 9 2025 Bradley G Smith <bradley.g.smith@gmail.com> - 1.9.0-1
  - Update to release v1.9.0
  - Resolves: rhbz#2420515
  - Resolves CVE-2025-58188: rhbz#2411454, rhbz#2411189, rhbz#2410923
  - Resolves CVE-2025-58185: rhbz#2410556, rhbz#2410277, rhbz#2409991
  - Resolves CVE-2025-61723: rhbz#2409605, rhbz#2409325, rhbz#2409043
  - Resolves CVE-2025-58189: rhbz#2408135, rhbz#2407858, rhbz#2407588
  - Fixes CVE-2025-67499, a bug in the nftables backend for the portmap plugin
  - Additional changes

USN-7919-1: GNU binutils vulnerabilities

2 weeks 6 days ago
It was discovered that GNU binutils' dump_dwarf_section function could be manipulated to perform an out-of-bounds read. A local attacker could possibly use this issue to cause GNU binutils to crash, resulting in a denial of service. This issue only affected Ubuntu 25.10. (CVE-2025-11081)

It was discovered that GNU binutils incorrectly handled certain files. A local attacker could possibly use this issue to cause a crash or execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 25.10. (CVE-2025-11082)

It was discovered that GNU binutils incorrectly handled certain inputs. A local attacker could possibly use this issue to cause a crash or execute arbitrary code. This issue was only fixed in Ubuntu 25.10. (CVE-2025-11083)

It was discovered that certain GNU binutils functions could be manipulated to perform out-of-bounds reads. A local attacker could possibly use this issue to cause GNU binutils to crash, resulting in a denial of service. (CVE-2025-11412, CVE-2025-11413, CVE-2025-11414)

It was discovered that GNU binutils' _bfd_x86_elf_late_size_sections function could be manipulated to perform an out-of-bounds read. A local attacker could possibly use this issue to cause GNU binutils to crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.04, and Ubuntu 25.10. (CVE-2025-11494)

It was discovered that GNU binutils' elf_x86_64_relocate_section function could be manipulated to cause a heap-based buffer overflow. A local attacker could possibly use this issue to cause GNU binutils to crash, resulting in a denial of service. This issue was only fixed in Ubuntu 25.04 and Ubuntu 25.10. (CVE-2025-11495)

USN-7918-1: Netty vulnerabilities

3 weeks ago
Jeppe Bonde Weikop discovered that Netty incorrectly parsed HTTP messages. When Netty is used with certain reverse proxies, a remote attacker could possibly use this issue to perform HTTP request smuggling attacks. (CVE-2025-58056)

Jonas Konrad discovered that Netty did not properly manage memory when decoding compressed data. A remote attacker could possibly use this issue to cause Netty to consume excessive memory, resulting in a denial of service. This issue was only addressed in Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.04, and Ubuntu 25.10. (CVE-2025-58057)

python-django4.2-4.2.27-1.fc42

3 weeks ago
FEDORA-2025-b1379d950d Packages in this update:
  • python-django4.2-4.2.27-1.fc42
Update description:
  • Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
  • Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
  • Fixes CVE-2025-64459: Potential SQL injection via _connector keyword argument (4.2.26)
  • Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (4.2.25)
  • Fixes CVE-2025-59682: Potential partial directory-traversal via archive.extract() (4.2.25)
  • Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases (4.2.24)

python-django4.2-4.2.27-1.fc41

3 weeks ago
FEDORA-2025-c08e0795c0 Packages in this update:
  • python-django4.2-4.2.27-1.fc41
Update description:
  • Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
  • Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
  • Fixes CVE-2025-64459: Potential SQL injection via _connector keyword argument (4.2.26)
  • Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (4.2.25)
  • Fixes CVE-2025-59682: Potential partial directory-traversal via archive.extract() (4.2.25)
  • Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases (4.2.24)

python-django4.2-4.2.27-1.el9

3 weeks ago
FEDORA-EPEL-2025-f43c018f46 Packages in this update:
  • python-django4.2-4.2.27-1.el9
Update description:
  • Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
  • Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
  • Fixes CVE-2025-64459: Potential SQL injection via _connector keyword argument (4.2.26)
  • Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (4.2.25)
  • Fixes CVE-2025-59682: Potential partial directory-traversal via archive.extract() (4.2.25)
  • Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases (4.2.24)

python-django5-5.2.9-1.fc43

3 weeks ago
FEDORA-2025-24dfd3b072 Packages in this update:
  • python-django5-5.2.9-1.fc43
Update description:
  • Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
  • Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
  • Fixes CVE-2025-64459: Potential SQL injection via _connector keyword argument (5.2.8)
  • Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (5.2.7)
  • Fixes CVE-2025-59682: Potential partial directory-traversal via archive.extract() (5.2.7)
  • Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases (5.2.6)

python-django5-5.2.9-1.fc42

3 weeks ago
FEDORA-2025-45ee190318 Packages in this update:
  • python-django5-5.2.9-1.fc42
Update description:
  • Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
  • Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
  • Fixes CVE-2025-64459: Potential SQL injection via _connector keyword argument (5.2.8)
  • Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (5.2.7)
  • Fixes CVE-2025-59682: Potential partial directory-traversal via archive.extract() (5.2.7)
  • Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases (5.2.6)
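The Django updates above list, for each CVE, the release that first fixed it on the 4.2 and 5.2 branches. The script below is an added example, not Fedora's or Django's own code: it turns that list into a check of an installed (or given) Django version and reports which of the six CVEs it is still exposed to. It assumes that CVE-2025-13372 and CVE-2025-64460, which carry no version in the update descriptions, were fixed in the update's own release (4.2.27 and 5.2.9), and it refuses to answer for branches such as 5.1.x that the update says nothing about.

```python
"""Check a Django version against the fix versions listed in this update.

Added example, not code from Fedora or the Django project. Fix versions are
taken from the update descriptions above; CVE-2025-13372 and CVE-2025-64460
carry no version there, so they are assumed (an inference, not a statement
on the page) to be fixed in the update's own release, 4.2.27 / 5.2.9.
"""
import re
from typing import NamedTuple


class Fix(NamedTuple):
    cve: str
    summary: str
    fixed_in: dict  # "major.minor" branch -> first fixed release on that branch


# One entry per CVE named in the update descriptions.
FIXES = [
    Fix("CVE-2025-13372", "SQL injection in FilteredRelation column aliases on PostgreSQL",
        {"4.2": "4.2.27", "5.2": "5.2.9"}),   # assumed: no version given in the update text
    Fix("CVE-2025-64460", "denial of service in the XML deserializer",
        {"4.2": "4.2.27", "5.2": "5.2.9"}),   # assumed: no version given in the update text
    Fix("CVE-2025-64459", "SQL injection via _connector keyword argument",
        {"4.2": "4.2.26", "5.2": "5.2.8"}),
    Fix("CVE-2025-59681", "SQL injection in annotate(), alias(), aggregate(), extra() on MySQL/MariaDB",
        {"4.2": "4.2.25", "5.2": "5.2.7"}),
    Fix("CVE-2025-59682", "partial directory traversal via archive.extract()",
        {"4.2": "4.2.25", "5.2": "5.2.7"}),
    Fix("CVE-2025-57833", "SQL injection in FilteredRelation column aliases",
        {"4.2": "4.2.24", "5.2": "5.2.6"}),
]

# Django reports an X.Y.0 release as plain "X.Y", and pre-releases as e.g. "4.2.27rc1".
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?([a-z]+\d*)?$")


def parse_version(text: str) -> tuple:
    """Turn a Django version string into a comparable tuple.

    The last element is 1 for a final release and 0 for a pre-release, so
    4.2.27rc1 sorts below 4.2.27 and is still reported as unfixed.
    """
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Django version: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    return (major, minor, patch, 0 if m.group(4) else 1)


def unfixed_cves(version: str) -> list:
    """Return the CVEs from this update that `version` is still exposed to.

    Raises ValueError for a branch the update does not cover (for example
    5.1.x): the page makes no claim about those, so neither does this check.
    """
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    exposed = []
    for fix in FIXES:
        if branch not in fix.fixed_in:
            raise ValueError(f"Django {branch} is not covered by this update")
        if v < parse_version(fix.fixed_in[branch]):
            exposed.append(fix.cve)
    return exposed


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        installed = sys.argv[1]          # version given on the command line
    else:
        import django                    # otherwise ask the installed package
        installed = django.__version__
    for cve in unfixed_cves(installed) or ["no listed CVE outstanding"]:
        print(f"Django {installed}: {cve}")
```

Run it as `python check_django.py 4.2.24` to check a version string, or with no argument inside the environment whose Django you want checked. Pre-release tags sort below the release they precede, so a release candidate of the fixing version is still reported as exposed.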

USN-7917-1: fontTools vulnerabilities

3 weeks ago
It was discovered that the subsetting module of fontTools was vulnerable to an XML External Entity (XXE) attack. An unauthenticated remote attacker could possibly use this issue to include arbitrary files from the file system or make web requests from the host system. This issue only affected Ubuntu 22.04 LTS. (CVE-2023-45139)

It was discovered that fontTools was vulnerable to path traversal attacks. If a user or automated system were tricked into extracting a specially crafted .designspace file, an attacker could possibly use this issue to write arbitrary files outside the target directory, resulting in remote code execution. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.04 and Ubuntu 25.10. (CVE-2025-66034)
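Both the fontTools traversal above (CVE-2025-66034) and Django's archive.extract() issue in the updates above (CVE-2025-59682) belong to the same failure mode: an archive member name is joined onto the destination directory without checking where the result lands. This page does not describe the exact mechanism of either bug, so the code below is an added, generic example rather than fontTools' or Django's own code: it extracts a zip held in memory, resolves every member's destination path, and refuses any member whose resolved path is not inside the target directory. The crafted archive it runs against is constructed inline for the demonstration.

```python
"""Extract an archive while refusing members that would escape the target directory.

Added example, not code from fontTools or Django. The guard is the generic
check for the traversal class named in the advisories above; the zip it is
run against is constructed here and is not a sample from either project.
"""
import io
import os
import tempfile
import zipfile


class UnsafeMember(Exception):
    """Raised for an archive member whose destination lies outside the target."""


def safe_target(dest_dir: str, member_name: str) -> str:
    """Return the resolved destination for member_name, or raise UnsafeMember.

    The check runs on resolved absolute paths, so '../' segments, absolute
    member names and a dest_dir that is itself a symlink are all caught by the
    same commonpath comparison instead of by fragile string-prefix matching.
    """
    root = os.path.realpath(dest_dir)
    # os.path.join discards root when member_name is absolute; that is fine,
    # because the commonpath test below then rejects the member.
    target = os.path.realpath(os.path.join(root, member_name))
    if os.path.commonpath([root, target]) != root:
        raise UnsafeMember(member_name)
    return target


def extract_safely(data: bytes, dest_dir: str) -> dict:
    """Extract an in-memory zip into dest_dir, skipping unsafe members.

    Returns {"extracted": [...], "rejected": [...]} so callers can see what
    was refused; rejected members are never written anywhere.
    """
    report = {"extracted": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                target = safe_target(dest_dir, info.filename)
            except UnsafeMember:
                report["rejected"].append(info.filename)
                continue
            # A symlink member could redirect a later write outside the
            # target, so symlinks are refused for the same reason as '../'.
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                report["rejected"].append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            report["extracted"].append(info.filename)
    return report


def build_crafted_zip() -> bytes:
    """Constructed sample: one honest member plus two traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fonts/Sample.designspace", "<designspace/>")
        zf.writestr("../escaped.txt", "would land beside the target directory")
        zf.writestr("/tmp/absolute.txt", "absolute member name")
    return buf.getvalue()


def demo() -> dict:
    """Run the guard against the constructed archive inside a fresh temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "out")
        os.makedirs(dest)
        report = extract_safely(build_crafted_zip(), dest)
        # The '../' member would have landed here had the guard not fired.
        report["escaped_file_exists"] = os.path.exists(os.path.join(tmp, "escaped.txt"))
        report["honest_file_exists"] = os.path.exists(
            os.path.join(dest, "fonts", "Sample.designspace"))
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The important choice is to compare resolved paths with os.path.commonpath rather than to reject names that merely contain "..": a prefix test on unresolved strings is what lets "partial" traversals through, and a member name that looks harmless can still resolve outside the target once symlinks in the destination tree are followed.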