Aggregator
DSA-6075-1 wordpress - security update
next-20251210: linux-next
Version: next-20251210 (linux-next)
Released: 2025-12-10
USN-7918-1: Netty vulnerabilities
Jeppe Bonde Weikop discovered that Netty incorrectly parsed HTTP
messages. When Netty is used with certain reverse proxies, a
remote attacker could possibly use this issue to perform HTTP request
smuggling attacks. (CVE-2025-58056)
Jonas Konrad discovered that Netty did not properly manage memory when
decoding compressed data. A remote attacker could possibly use this
issue to cause Netty to consume excessive memory, resulting in a denial
of service. This issue was only addressed in Ubuntu 18.04 LTS, Ubuntu
20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.04, and
Ubuntu 25.10. (CVE-2025-58057)
python-django4.2-4.2.27-1.fc42
FEDORA-2025-b1379d950d
Packages in this update:
- python-django4.2-4.2.27-1.fc42
- Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
- Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
- Fixes CVE-2025-64459: Potential SQL injection via _connector keyword argument (4.2.26)
- Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (4.2.25)
- Fixes CVE-2025-59682: Potential partial directory-traversal via archive.extract() (4.2.25)
- Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases (4.2.24)
python-django4.2-4.2.27-1.fc41
FEDORA-2025-c08e0795c0
Packages in this update:
- python-django4.2-4.2.27-1.fc41
- Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
- Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
- Fixes CVE-2025-64459: Potential SQL injection via _connector keyword argument (4.2.26)
- Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (4.2.25)
- Fixes CVE-2025-59682: Potential partial directory-traversal via archive.extract() (4.2.25)
- Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases (4.2.24)
python-django4.2-4.2.27-1.el9
FEDORA-EPEL-2025-f43c018f46
Packages in this update:
- python-django4.2-4.2.27-1.el9
- Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
- Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
- Fixes CVE-2025-64459: Potential SQL injection via _connector keyword argument (4.2.26)
- Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (4.2.25)
- Fixes CVE-2025-59682: Potential partial directory-traversal via archive.extract() (4.2.25)
- Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases (4.2.24)
python-django5-5.2.9-1.fc43
FEDORA-2025-24dfd3b072
Packages in this update:
- python-django5-5.2.9-1.fc43
- Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
- Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
- Fixes CVE-2025-64459: Potential SQL injection via _connector keyword argument (5.2.8)
- Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (5.2.7)
- Fixes CVE-2025-59682: Potential partial directory-traversal via archive.extract() (5.2.7)
- Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases (5.2.6)
python-django5-5.2.9-1.fc42
FEDORA-2025-45ee190318
Packages in this update:
- python-django5-5.2.9-1.fc42
- Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
- Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
- Fixes CVE-2025-64459: Potential SQL injection via _connector keyword argument (5.2.8)
- Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (5.2.7)
- Fixes CVE-2025-59682: Potential partial directory-traversal via archive.extract() (5.2.7)
- Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases (5.2.6)
USN-7917-1: fontTools vulnerabilities
It was discovered that the subsetting module of fontTools was vulnerable to
an XML External Entity (XXE) attack. An unauthenticated remote attacker
could possibly use this issue to include arbitrary files from the file
system or make web requests from the host system. This issue only affected
Ubuntu 22.04 LTS. (CVE-2023-45139)
It was discovered that fontTools was vulnerable to path traversal attacks.
If a user or automated system were tricked into extracting a specially
crafted .designspace file, an attacker could possibly use this issue to
write arbitrary files outside the target directory, resulting in remote
code execution. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.04
and Ubuntu 25.10. (CVE-2025-66034)
httpd-2.4.66-1.fc43
FEDORA-2025-9621c19da8
Packages in this update:
- httpd-2.4.66-1.fc43
- version update
- security update
httpd-2.4.66-1.fc42
FEDORA-2025-f7c75ffee2
Packages in this update:
- httpd-2.4.66-1.fc42
- version update
- security update
nebula-1.10.0-2.fc43
FEDORA-2025-bf07d21f3e
Packages in this update:
- nebula-1.10.0-2.fc43
Upstream update
firefox-146.0-2.fc43
FEDORA-2025-4fa5b6cb8e
Packages in this update:
- firefox-146.0-2.fc43
- Updated to latest upstream (146.0)
firefox-146.0-2.fc42
FEDORA-2025-d09ccba523
Packages in this update:
- firefox-146.0-2.fc42
- Updated to latest upstream (146.0)
USN-7916-1: python-apt vulnerability
Julian Andres Klode discovered that python-apt incorrectly handled
deb822 configuration files. An attacker could use this issue to cause
python-apt to crash, resulting in a denial of service.
USN-7412-3: GnuPG vulnerability
USN-7412-1 fixed a vulnerability in GnuPG. This update provides the
corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
Original advisory details:
It was discovered that GnuPG incorrectly handled importing keys with
certain crafted subkey data. If a user or automated system were tricked
into importing a specially crafted key, a remote attacker may prevent
users from importing other keys in the future.
DSA-6074-1 webkit2gtk - security update
vips-8.17.3-1.fc43
FEDORA-2025-d9707059b7
Packages in this update:
- vips-8.17.3-1.fc43
New version of vips.
vips-8.17.3-1.fc42
FEDORA-2025-107641b428
Packages in this update:
- vips-8.17.3-1.fc42
New version of vips.