Aggregator

It was discovered that GNU binutils' dump_dwarf_section function could be manipulated to perform an out-of-bounds read. A local attacker could possibly use this issue to cause GNU binutils to crash, resulting in a denial of service. This issue only affected Ubuntu 25.10. (CVE-2025-11081) It was discovered that GNU binutils incorrectly handled certain files. A local attacker could possibly use this issue to cause a crash or execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 25.10. (CVE-2025-11082) It was discovered that GNU binutils incorrectly handled certain inputs. A local attacker could possibly use this issue to cause a crash or execute arbitrary code. This issue was only fixed in Ubuntu 25.10. (CVE-2025-11083) It was discovered that certain GNU binutils functions could be manipulated to perform out-of-bounds reads. A local attacker could possibly use this issue to cause GNU binutils to crash, resulting in a denial of service. (CVE-2025-11412, CVE-2025-11413, CVE-2025-11414) It was discovered that GNU binutils' _bfd_x86_elf_late_size_sections function could be manipulated to perform an out-of-bounds read. A local attacker could possibly use this issue to cause GNU binutils to crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.04, and Ubuntu 25.10. (CVE-2025-11494) It was discovered that GNU binutils' elf_x86_64_relocate_section function could be manipulated to cause a heap-based buffer overflow. A local attacker could possibly use this issue to cause GNU binutils to crash, resulting in a denial of service. This issue was only fixed in Ubuntu 25.04 and Ubuntu 25.10. (CVE-2025-11495)

FEDORA-2025-58e2bb0f1e Packages in this update:

• fonttools-4.61.0-1.fc42
• python-unicodedata2-17.0.0-1.fc42

Update description:

Update to 17.0.0 version (#2412270) Update fonttools 4.61.0

Version:next-20251210 (linux-next) Released:2025-12-10

Jeppe Bonde Weikop discovered that Netty incorrectly parsed HTTP messages. When Netty is used with certain reverse proxies, a remote attacker could possibly use this issue to perform HTTP request smuggling attacks. (CVE-2025-58056) Jonas Konrad discovered that Netty did not properly manage memory when decoding compressed data. A remote attacker could possibly use this issue to cause Netty to consume excessive memory, resulting in a denial of service. This issue was only addressed in Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.04, and Ubuntu 25.10. (CVE-2025-58057)

FEDORA-2025-b1379d950d Packages in this update:

• python-django4.2-4.2.27-1.fc42

Update description:

• Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
• Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
• Fixes CVE-2025-64459: Potential SQL injection via _connector keyword argument (4.2.26)
• Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (4.2.25)
• Fixes CVE-2025-59682: Potential partial directory-traversal via archive.extract() (4.2.25)
• Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases (4.2.24)

FEDORA-2025-c08e0795c0 Packages in this update:

• python-django4.2-4.2.27-1.fc41

Update description:

• Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
• Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
• Fixes CVE-2025-64459: Potential SQL injection via _connector keyword argument (4.2.26)
• Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (4.2.25)
• Fixes CVE-2025-59682: Potential partial directory-traversal via archive.extract() (4.2.25)
• Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases (4.2.24)

FEDORA-EPEL-2025-f43c018f46 Packages in this update:

• python-django4.2-4.2.27-1.el9

Update description:

• Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
• Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
• Fixes CVE-2025-64459: Potential SQL injection via _connector keyword argument (4.2.26)
• Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (4.2.25)
• Fixes CVE-2025-59682: Potential partial directory-traversal via archive.extract() (4.2.25)
• Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases (4.2.24)

FEDORA-2025-24dfd3b072 Packages in this update:

• python-django5-5.2.9-1.fc43

Update description:

• Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
• Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
• Fixes CVE-2025-64459: Potential SQL injection via _connector keyword argument (5.2.8)
• Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (5.2.7)
• Fixes CVE-2025-59682: Potential partial directory-traversal via archive.extract() (5.2.7)
• Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases (5.2.6)

FEDORA-2025-45ee190318 Packages in this update:

• python-django5-5.2.9-1.fc42

Update description:

• Fixes CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
• Fixes CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
• Fixes CVE-2025-64459: Potential SQL injection via _connector keyword argument (5.2.8)
• Fixes CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB (5.2.7)
• Fixes CVE-2025-59682: Potential partial directory-traversal via archive.extract() (5.2.7)
• Fixes CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases (5.2.6)

It was discovered that the subsetting module of fontTools was vulnerable to an XML External Entity (XEE) attack. An unauthenticated remote attacker could possibly use this issue to include arbitrary files from the file system or make web requests from the host system. This issue only affected Ubuntu 22.04 LTS. (CVE-2023-45139) It was discovered that fontTools was vulnerable to path traversal attacks. If a user or automated system were tricked into extracting a specially crafted .designspace file, an attacker could possibly use this issue to write arbitrary files outside the target directory, resulting in remote code execution. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.04 and Ubuntu 25.10. (CVE-2025-66034)

FEDORA-2025-9621c19da8 Packages in this update:

• httpd-2.4.66-1.fc43

Update description:

• version update
• security update

FEDORA-2025-f7c75ffee2 Packages in this update:

• httpd-2.4.66-1.fc42

Update description:

• version update
• security update

FEDORA-2025-bf07d21f3e Packages in this update:

• nebula-1.10.0-2.fc43

Update description:

Upstream update

FEDORA-2025-4fa5b6cb8e Packages in this update:

• firefox-146.0-2.fc43

Update description:

• Updated to latest upstream (146.0)

FEDORA-2025-d09ccba523 Packages in this update:

• firefox-146.0-2.fc42

Update description:

• Updated to latest upstream (146.0)