Aggregator

USN-8062-2: curl vulnerabilities

5 days 9 hours ago
USN-8062-1 fixed vulnerabilities in curl. This update provides the corresponding update for CVE-2025-14017, CVE-2025-15079, and CVE-2025-15224 for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.

Original advisory details:

It was discovered that curl incorrectly handled cookies when redirected from secure to insecure connections. An attacker could possibly use this issue to cause a denial of service, or obtain sensitive information. This issue only affected Ubuntu 25.10. (CVE-2025-9086)

Calvin Ruocco discovered that curl did not properly handle WebSocket communications under certain circumstances. A malicious server could possibly use this issue to poison proxy caches with malicious content. This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2025-10148)

Stanislav Fort discovered that wcurl did not properly handle URLs with certain encoded characters. If a user were tricked into processing a specially crafted URL, an attacker could possibly use this issue to write files outside the intended directory. This issue only affected Ubuntu 25.10. (CVE-2025-11563)

Stanislav Fort discovered that curl did not properly validate pinned public keys under certain circumstances. A remote attacker could possibly use this issue to perform a machine-in-the-middle attack. This issue only affected Ubuntu 25.10. (CVE-2025-13034)

Stanislav Fort discovered that curl did not properly manage TLS options when performing LDAP over TLS transfers in multi-threaded environments. Under certain circumstances, certificate verification could be unintentionally and unknowingly disabled. (CVE-2025-14017)

It was discovered that curl incorrectly handled OAuth2 bearer tokens when following redirects. A remote attacker could possibly use this issue to obtain authentication credentials. (CVE-2025-14524)

Stanislav Fort discovered that curl did not properly validate TLS certificates when reusing connections. A remote attacker could possibly use this issue to bypass expected certificate verification. This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2025-14819)

Harry Sintonen discovered that curl did not properly validate SSH host keys when performing SSH-based file transfers. This issue could lead to unintended bypass of custom known_hosts file. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2025-15079)

Harry Sintonen discovered that curl built with libssh did not properly handle authentication when performing SSH-based file transfers. This could result in unintended authentication operations. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2025-15224)

USN-7990-6: Linux kernel (Raspberry Pi) vulnerabilities

5 days 10 hours ago
Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems:
  • Cryptographic API;
  • Padata parallel execution mechanism;
  • Netfilter;
(CVE-2022-49698, CVE-2025-21726, CVE-2025-40019)

dr_libs-0^20260302.fa931f3-2.fc42

5 days 19 hours ago
FEDORA-2026-4bf819dfdb Packages in this update:
  • dr_libs-0^20260302.fa931f3-2.fc42
Update description:
dr_flac v0.13.3 - 2026-01-17
  • Fix a compiler compatibility issue with some inlined assembly.
  • Fix a compilation warning.
dr_mp3 v0.7.3 - 2026-01-17
  • Fix an error in drmp3_open_and_read_pcm_frames_s16() and family when memory allocation fails.
  • Fix some compilation warnings.
dr_wav v0.14.5 - 2026-03-03
  • Fix a crash when loading files with a malformed "smpl" chunk.
  • Fix a signed overflow bug with the MS-ADPCM decoder.
v0.14.4 - 2026-01-17
  • Fix some compilation warnings.

dr_libs-0^20260302.fa931f3-2.fc43

5 days 20 hours ago
FEDORA-2026-d1d665c9d5 Packages in this update:
  • dr_libs-0^20260302.fa931f3-2.fc43
Update description:
dr_flac v0.13.3 - 2026-01-17
  • Fix a compiler compatibility issue with some inlined assembly.
  • Fix a compilation warning.
dr_mp3 v0.7.3 - 2026-01-17
  • Fix an error in drmp3_open_and_read_pcm_frames_s16() and family when memory allocation fails.
  • Fix some compilation warnings.
dr_wav v0.14.5 - 2026-03-03
  • Fix a crash when loading files with a malformed "smpl" chunk.
  • Fix a signed overflow bug with the MS-ADPCM decoder.
v0.14.4 - 2026-01-17
  • Fix some compilation warnings.

dr_libs-0^20260302.fa931f3-2.fc44

5 days 20 hours ago
FEDORA-2026-c2889d2725 Packages in this update:
  • dr_libs-0^20260302.fa931f3-2.fc44
Update description:
dr_flac v0.13.3 - 2026-01-17
  • Fix a compiler compatibility issue with some inlined assembly.
  • Fix a compilation warning.
dr_mp3 v0.7.3 - 2026-01-17
  • Fix an error in drmp3_open_and_read_pcm_frames_s16() and family when memory allocation fails.
  • Fix some compilation warnings.
dr_wav v0.14.5 - 2026-03-03
  • Fix a crash when loading files with a malformed "smpl" chunk.
  • Fix a signed overflow bug with the MS-ADPCM decoder.
v0.14.4 - 2026-01-17
  • Fix some compilation warnings.

USN-8067-1: Mailman vulnerability

6 days 10 hours ago
It was discovered that Mailman incorrectly handled CSRF tokens. A remote list member or moderator could possibly use their own token to craft an admin request CSRF attack and set a new admin password or make other changes.

USN-5376-6: Git regression

6 days 11 hours ago
USN-5376-4 fixed a regression in Git. This update provides the corresponding update for Ubuntu 18.04 LTS. We apologize for the inconvenience.

Original advisory details:

俞晨东 discovered that Git incorrectly handled certain repository paths on platforms with multi-user support. An attacker could possibly use this issue to run arbitrary commands.

perl-Crypt-SysRandom-XS-0.011-1.fc42

6 days 16 hours ago
FEDORA-2026-c0123ede74 Packages in this update:
  • perl-Crypt-SysRandom-XS-0.011-1.fc42
Update description:

0.011 - Update data pointer on resize for rdrand; Clean up string length handling
0.010 - Disallow requesting strings with negative lengths CVE-2026-2597; Try arc4random in stdlib.h first; Correct value of PROTOTYPES keyword in XS

perl-Crypt-SysRandom-XS-0.011-1.fc43

6 days 16 hours ago
FEDORA-2026-7b9874a01f Packages in this update:
  • perl-Crypt-SysRandom-XS-0.011-1.fc43
Update description:

0.011 - Update data pointer on resize for rdrand; Clean up string length handling
0.010 - Disallow requesting strings with negative lengths CVE-2026-2597; Try arc4random in stdlib.h first; Correct value of PROTOTYPES keyword in XS

perl-Net-CIDR-0.27-1.el9

1 week ago
FEDORA-EPEL-2026-19279ff82c Packages in this update:
  • perl-Net-CIDR-0.27-1.el9
Update description:

This update fixes handling of leading zeroes.

The functions addr2cidr and cidrlookup may return leading zeros in a CIDR string, which may in turn be parsed as octal numbers by subsequent users. In some cases an attacker may be able to leverage this to bypass access controls based on IP addresses.

perl-Net-CIDR-0.27-1.el10_1

1 week ago
FEDORA-EPEL-2026-c2d409a4ce Packages in this update:
  • perl-Net-CIDR-0.27-1.el10_1
Update description:

This update fixes handling of leading zeroes.

The functions addr2cidr and cidrlookup may return leading zeros in a CIDR string, which may in turn be parsed as octal numbers by subsequent users. In some cases an attacker may be able to leverage this to bypass access controls based on IP addresses.

perl-Net-CIDR-0.27-1.el8

1 week ago
FEDORA-EPEL-2026-39c5d63f42 Packages in this update:
  • perl-Net-CIDR-0.27-1.el8
Update description:

This update fixes handling of leading zeroes.

The functions addr2cidr and cidrlookup may return leading zeros in a CIDR string, which may in turn be parsed as octal numbers by subsequent users. In some cases an attacker may be able to leverage this to bypass access controls based on IP addresses.