Aggregator

FEDORA-2025-7f360be18f Packages in this update:

• libpng-1.6.53-1.fc43

Update description:

• Fixed CVE-2025-66293 (high severity): Out-of-bounds read in png_image_read_composite.
• Fixed the Paeth filter handling in the RISC-V RVV implementation.
• Improved the performance of the RISC-V RVV implementation.

FEDORA-2025-d93200cf16 Packages in this update:

• brotli-1.2.0-1.fc43
• perl-Alien-Brotli-0.2.2-11.fc43
• python-urllib3-2.6.1-1.fc43

Update description:

Update brotli to 1.2.0 and python-urllib3 to 2.6.1.

In python-urllib3:

• Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471 / `GHSA-2xpw-w6gg-jr37)
• Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418 / `GHSA-gm62-xv2j-4w53)

FEDORA-EPEL-2025-b479f3bb28 Packages in this update:

• checkpointctl-1.4.1-1.el9

Update description:

Update checkpointctl to 1.4.1

FEDORA-2025-db05be2555 Packages in this update:

• containernetworking-plugins-1.9.0-1.fc41

Update description:

Update to release v1.9.0

FEDORA-2025-3a607d134b Packages in this update:

• checkpointctl-1.4.1-1.fc41

Update description:

Update checkpointctl to 1.4.1

FEDORA-2025-909f303a85 Packages in this update:

• checkpointctl-1.4.1-1.fc42

Update description:

Update checkpointctl to 1.4.1 (CVE-2025-47906)

FEDORA-2025-ebfdef0115 Packages in this update:

• checkpointctl-1.4.1-1.fc43

Update description:

Update checkpointctl to 1.4.1

FEDORA-2025-bab8cb971e Packages in this update:

• containernetworking-plugins-1.9.0-1.fc42

Update description:

Update to release v1.9.0

FEDORA-2025-294d534170 Packages in this update:

• containernetworking-plugins-1.9.0-1.fc43

Update description:

Update to release v1.9.0

FEDORA-2025-c67591d0a2 Packages in this update:

• containernetworking-plugins-1.9.0-1.fc44

Update description:

Automatic update for containernetworking-plugins-1.9.0-1.fc44.

Changelog * Tue Dec 9 2025 Bradley G Smith <bradley.g.smith@gmail.com> - 1.9.0-1 - Update to release v1.9.0 - Resolves: rhbz#2420515 - Resolves CVE-2025-58188: rhbz#2411454, rhbz#2411189, rhbz#2410923 - Resolves CVE-2025-58185: rhbz#2410556, rhbz#2410277, rhbz#2409991 - Resolves CVE-2025-61723: rhbz#2409605, rhbz#2409325, rhbz#2409043 - Resolves CVE-2025-58189: rhbz#2408135, rhbz#2407858, rhbz#2407588 - Fixes CVE-2025-67499, a bug in the nftables backend for the portmap plugin - Additional changes

It was discovered that GNU binutils' dump_dwarf_section function could be manipulated to perform an out-of-bounds read. A local attacker could possibly use this issue to cause GNU binutils to crash, resulting in a denial of service. This issue only affected Ubuntu 25.10. (CVE-2025-11081) It was discovered that GNU binutils incorrectly handled certain files. A local attacker could possibly use this issue to cause a crash or execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 25.10. (CVE-2025-11082) It was discovered that GNU binutils incorrectly handled certain inputs. A local attacker could possibly use this issue to cause a crash or execute arbitrary code. This issue was only fixed in Ubuntu 25.10. (CVE-2025-11083) It was discovered that certain GNU binutils functions could be manipulated to perform out-of-bounds reads. A local attacker could possibly use this issue to cause GNU binutils to crash, resulting in a denial of service. (CVE-2025-11412, CVE-2025-11413, CVE-2025-11414) It was discovered that GNU binutils' _bfd_x86_elf_late_size_sections function could be manipulated to perform an out-of-bounds read. A local attacker could possibly use this issue to cause GNU binutils to crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.04, and Ubuntu 25.10. (CVE-2025-11494) It was discovered that GNU binutils' elf_x86_64_relocate_section function could be manipulated to cause a heap-based buffer overflow. A local attacker could possibly use this issue to cause GNU binutils to crash, resulting in a denial of service. This issue was only fixed in Ubuntu 25.04 and Ubuntu 25.10. (CVE-2025-11495)

Version:next-20251210 (linux-next) Released:2025-12-10

Jeppe Bonde Weikop discovered that Netty incorrectly parsed HTTP messages. When Netty is used with certain reverse proxies, a remote attacker could possibly use this issue to perform HTTP request smuggling attacks. (CVE-2025-58056) Jonas Konrad discovered that Netty did not properly manage memory when decoding compressed data. A remote attacker could possibly use this issue to cause Netty to consume excessive memory, resulting in a denial of service. This issue was only addressed in Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.04, and Ubuntu 25.10. (CVE-2025-58057)

FEDORA-2025-b1379d950d Packages in this update:

• python-django4.2-4.2.27-1.fc42

Update description:

• Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
• Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
• Fixes CVE-2025-64459: Potential SQL injection via _connector keyword argument (4.2.26)
• Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (4.2.25)
• Fixes CVE-2025-59682: Potential partial directory-traversal via archive.extract() (4.2.25)
• Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases (4.2.24)

FEDORA-2025-c08e0795c0 Packages in this update:

• python-django4.2-4.2.27-1.fc41

Update description:

• Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
• Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
• Fixes CVE-2025-64459: Potential SQL injection via _connector keyword argument (4.2.26)
• Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (4.2.25)
• Fixes CVE-2025-59682: Potential partial directory-traversal via archive.extract() (4.2.25)
• Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases (4.2.24)

FEDORA-EPEL-2025-f43c018f46 Packages in this update:

• python-django4.2-4.2.27-1.el9

Update description:

• Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
• Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
• Fixes CVE-2025-64459: Potential SQL injection via _connector keyword argument (4.2.26)
• Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (4.2.25)
• Fixes CVE-2025-59682: Potential partial directory-traversal via archive.extract() (4.2.25)
• Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases (4.2.24)

FEDORA-2025-24dfd3b072 Packages in this update:

• python-django5-5.2.9-1.fc43

Update description:

• Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
• Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
• Fixes CVE-2025-64459: Potential SQL injection via _connector keyword argument (5.2.8)
• Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (5.2.7)
• Fixes CVE-2025-59682: Potential partial directory-traversal via archive.extract() (5.2.7)
• Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases (5.2.6)