10 matches found
CLSA-2025-1753207140 Fix CVE(s): CVE-2025-48384
SECURITY UPDATE: security vulnerability discovered - debian/patches/CVE-2025-48384.patch: quote values containing CR character in config to prevent unintentional stripping when reading - CVE-2025-48384...
git: Fix of CVE-2025-48384
CVE-2025-48384: config: quote values containing CR character...
CLSA-2025-1752656083 git: Fix of CVE-2025-48384
CVE-2025-48384: config: quote values containing CR character...
AIOHTTP has problems in HTTP parser (the python one, not llhttp)
Summary: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled or when not using a prebuilt wheel. Details: Bug 1: Bad parsing of Content-Length values. Description: RFC 9110 says this:...
Node.js: HTTP Request Smuggling via Empty headers separated by CR
HTTP Request Smuggling (HRS) was possible in Node.js v20.2.0 due to the llhttp parser in the http module not strictly using the CRLF sequence to delimit HTTP requests. The CR character without LF was sufficient to delimit HTTP header fields in the llhttp parser, which is not compliant with RFC7230...
GHSA-52RH-5RPJ-C3W6 Improper handling of multiline messages in node-irc
node-irc is a socket wrapper for the IRC protocol that extends Node.js' EventEmitter. The vulnerability allows an attacker to manipulate a Matrix user into executing IRC commands by having them reply to a maliciously crafted message. Incorrect handling of a CR character allowed for making part of...
Improper handling of multiline messages in node-irc
node-irc is a socket wrapper for the IRC protocol that extends Node.js' EventEmitter. The vulnerability allows an attacker to manipulate a Matrix user into executing IRC commands by having them reply to a maliciously crafted message. Incorrect handling of a CR character allowed for making part of...
PSF-2019-16 Email header injection in Address objects
It is possible to inject email headers using CR or LF character. The fix disallows CR and LF characters in email.headerregistry.Address arguments to guard against header injection attacks...
New Snort Bypass - Patch - Bypass of Patch
There was a Snort evasion bug posted on BugTraq today: http://www.securityfocus.com/archive/1/435600/30/0/threaded This attack will not show up in alert file at all: perl -e 'print "GET \x90\x90\x0d http/1.0\r\n\r\n"'|nc 192.168.1.3 80 Notice the \x0d CR character (\r) above. The following will show up in ale...
Qualcomm Eudora 5.2.1/6.0 - File Attachment Spoofing Variant
source: https://www.securityfocus.com/bid/7653/info Eudora is reported to be prone to an issue which may allow attackers to spoof the file extension in an attachment. This may aid an attacker in enticing a user of the e-mail client into executing malicious content. It is possible to refer to othe...