Lucene search: 30436 matches found

OSV · added 2025/02/26 12:00 a.m. · 17 views

DSA-5870-1 openh264 - security update

Bulletin has no description...

CVSS 8.6 · AI score 7.5 · EPSS 0.00639 · Exploits 0
NVD · added 2025/02/25 6:15 p.m. · 28 views

CVE-2025-25192

GLPI is a free asset and IT management software package. Prior to version 10.0.18, a low privileged user can enable debug mode and access sensitive information. Version 10.0.18 contains a patch. As a workaround, one may delete the install/update.php file...

CVSS 6.5 · EPSS 0.00584 · Exploits 0 · References 4
Cvelist · added 2025/02/25 5:58 p.m. · 29 views

CVE-2025-25192 GLPI allows unauthorized access to debug mode

GLPI is a free asset and IT management software package. Prior to version 10.0.18, a low privileged user can enable debug mode and access sensitive information. Version 10.0.18 contains a patch. As a workaround, one may delete the install/update.php file...

CVSS 6.5 · EPSS 0.00584 · Exploits 0 · References 2
CVE · added 2025/02/25 3:47 p.m. · 86 views

CVE-2025-23024

GLPI (asset/IT management software) is affected by CVE-2025-23024 in versions prior to 10.0.18, where an anonymous user can disable all active plugins. The vendor patch is applied in 10.0.18. As a workaround, deletion of install/update.php is suggested. The CVSS and related metrics in the primary...

CVSS 6.9 · AI score 7.1 · EPSS 0.00263 · Exploits 0 · References 2 · Affected Software 1
Chainguard · added 2025/02/25 1:11 p.m. · 3 views

GHSA-G8FX-G5FV-QPHM vulnerabilities

Vulnerabilities for packages: mysql...

AI score 7.3 · Exploits 0
IBM Security Bulletins · added 2025/02/25 9:51 a.m. · 18 views

Security Bulletin: Potential Improper Privilege Management vulnerability in Logstash affects IBM Operations Analytics - Log Analysis (CVE-2024-31141)

Summary: Apache Kafka Client bundle in Logstash is vulnerable to improper privilege management. Vulnerability Details: CVEID: CVE-2024-31141. DESCRIPTION: Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Apache Kafka Clients...

CVSS 6.5 · AI score 6.6 · EPSS 0.01129 · Exploits 0 · Affected Software 1
OSV · added 2025/02/24 10:49 p.m. · 8 views

GHSA-C6GW-W398-HV78 DoS in go-jose Parsing

Impact: When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of '.' characters. An attacker could...

CVSS 6.9 · AI score 6 · EPSS 0.00369 · Exploits 0 · References 7
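The allocation pattern the go-jose advisory describes, shown next to a bounded alternative, as an added example written for this listing. It is not go-jose's code and not its actual patch; the segment count for a compact JWS, the 16 KiB length cap, the function names and the constructed inputs are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// A compact JWS is header.payload.signature: three base64url segments.
const jwsSegments = 3

// maxCompactLen is an illustrative cap on the whole token (assumption for this
// example); set it to the largest token your application legitimately issues.
const maxCompactLen = 16 * 1024

var (
	ErrTooLong     = errors.New("compact JWS: input exceeds length limit")
	ErrBadSegments = errors.New("compact JWS: expected exactly 3 segments")
)

// splitCompactNaive shows the pattern the advisory describes. strings.Split
// materializes one string header per segment before anything is validated,
// so a token made mostly of '.' characters costs memory proportional to the
// number of dots rather than to the amount of real data.
func splitCompactNaive(token string) ([]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != jwsSegments {
		return nil, ErrBadSegments
	}
	return parts, nil
}

// splitCompactHardened rejects oversized input first, then counts separators
// with strings.Count (linear time, no allocation) and only splits once the
// count is known to be right. SplitN with the expected segment count bounds
// the result slice even if the count check were ever relaxed.
func splitCompactHardened(token string) ([]string, error) {
	if len(token) > maxCompactLen {
		return nil, ErrTooLong
	}
	if strings.Count(token, ".") != jwsSegments-1 {
		return nil, ErrBadSegments
	}
	return strings.SplitN(token, ".", jwsSegments), nil
}

// naiveSegmentCount reports how many strings the naive path allocates for a
// token; this is the quantity the attacker controls.
func naiveSegmentCount(token string) int {
	return len(strings.Split(token, "."))
}

func main() {
	// Constructed inputs: a well-formed unsigned token and a dot flood.
	good := "eyJhbGciOiJub25lIn0.e30."
	flood := strings.Repeat(".", 1<<20)

	if parts, err := splitCompactNaive(good); err == nil {
		fmt.Printf("naive: good token -> %d segments\n", len(parts))
	}
	fmt.Printf("naive: dot flood allocates %d segments before rejection\n",
		naiveSegmentCount(flood))
	for _, tok := range []string{good, flood} {
		parts, err := splitCompactHardened(tok)
		fmt.Printf("hardened: len=%d parts=%d err=%v\n", len(tok), len(parts), err)
	}
}
```

The check order matters: the length cap runs before any scan, and strings.Count runs before any split, so an attacker pays for nothing beyond one linear pass over bytes they had to send anyway.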
NVD · added 2025/02/24 10:15 p.m. · 15 views

CVE-2025-27141

Metabase Enterprise Edition is the enterprise version of Metabase business intelligence and data analytics software. Starting in version 1.47.0 and prior to versions 1.50.36, 1.51.14, 1.52.11, and 1.53.2 of Metabase Enterprise Edition, users with impersonation permissions may be able to see resul...

CVSS 6.5 · EPSS 0.00336 · Exploits 0 · References 3
Cvelist · added 2025/02/24 10:05 p.m. · 21 views

CVE-2025-27141 Metabase Enterprise Edition allows cached questions to leak data to impersonated users

Metabase Enterprise Edition is the enterprise version of Metabase business intelligence and data analytics software. Starting in version 1.47.0 and prior to versions 1.50.36, 1.51.14, 1.52.11, and 1.53.2 of Metabase Enterprise Edition, users with impersonation permissions may be able to see resul...

CVSS 4.8 · EPSS 0.00336 · Exploits 0 · References 3
RedhatCVE · added 2025/02/22 11:20 p.m. · 9 views

CVE-2025-27088

oxyno-zeta/s3-proxy is an AWS S3 proxy written in Go. In affected versions a Reflected Cross-site Scripting (XSS) vulnerability enables attackers to create malicious URLs that, when visited, inject scripts into the web application. This can lead to session hijacking or phishing attacks on a trusted...

CVSS 8.4 · AI score 5.4 · EPSS 0.00459 · Exploits 1 · References 1
OSV · added 2025/02/21 11:53 p.m. · 7 views

GHSA-38H4-FX85-QCX7 Exiv2 allows Use After Free

Impact: A heap buffer overflow was found in Exiv2 versions v0.28.0 to v0.28.4. Versions prior to v0.28.0, such as v0.27.7, are not affected. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The heap overflow is triggered whe...

CVSS 5.3 · AI score 7 · EPSS 0.00816 · Exploits 1 · References 6
CVE · added 2025/02/21 9:04 p.m. · 88 views

CVE-2025-25282

CVE-2025-25282 pertains to RAGFlow, an open-source RAG engine. An authenticated user can exploit an Insecure Direct Object Reference (IDOR) vulnerability that enables unauthorized cross-tenant access, including listing tenant user accounts and adding users to other tenants. Affected behavior cent...

CVSS 8.1 · AI score 6.8 · EPSS 0.00449 · Exploits 1 · References 1 · Affected Software 1
SUSE Linux · added 2025/02/21 2:11 p.m. · 4 views

Security update for postgresql14

This update for postgresql14 fixes the following issues: Upgrade to 14.17: CVE-2025-1094: Harden PQescapeString and allied functions against invalidly-encoded input strings (bsc#1237093). Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST...

CVSS 8.8 · AI score 7.2 · EPSS 0.89472 · Exploits 10 · References 4
Amazon · added 2025/02/21 12:00 a.m. · 4 views

Important: git-lfs

Issue Overview: Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sends any credentials it...

CVSS 8.5 · AI score 7 · EPSS 0.0104 · Exploits 0
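The injection mechanism behind the git-lfs advisory above, as an added example written for this listing: the git-credential protocol is line-oriented key=value text ended by a blank line, so a URL component that embeds a newline becomes an extra line the credential helper parses as its own key. The code is not Git LFS's implementation or its fix; the builder functions, the check for CR/LF/NUL and the constructed host value are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrControlChar is returned when a URL component carries a byte that would
// start a new line in the git-credential protocol.
var ErrControlChar = errors.New("git-credential: component contains CR, LF or NUL")

// credentialRequestNaive writes URL components straight into the key=value
// lines that "git credential fill" reads on stdin, the unchecked pattern the
// advisory describes. A newline inside host ends the host line early, and
// whatever follows is read as a further key=value line chosen by the URL.
func credentialRequestNaive(protocol, host, path string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "protocol=%s\n", protocol)
	fmt.Fprintf(&b, "host=%s\n", host)
	if path != "" {
		fmt.Fprintf(&b, "path=%s\n", path)
	}
	b.WriteString("\n") // blank line terminates the request
	return b.String()
}

// credentialRequestChecked is a hypothetical hardened builder (assumption for
// this example): every component is rejected if it contains a line break or
// NUL before any protocol text is produced.
func credentialRequestChecked(protocol, host, path string) (string, error) {
	for _, v := range []string{protocol, host, path} {
		if strings.ContainsAny(v, "\r\n\x00") {
			return "", ErrControlChar
		}
	}
	return credentialRequestNaive(protocol, host, path), nil
}

// requestKeys returns the keys a credential helper would see, in order, so
// the effect of an injected line is visible.
func requestKeys(req string) []string {
	var keys []string
	for _, line := range strings.Split(strings.TrimSuffix(req, "\n\n"), "\n") {
		kv := strings.SplitN(line, "=", 2)
		if len(kv) == 2 {
			keys = append(keys, kv[0])
		}
	}
	return keys
}

func main() {
	// Constructed remote host: the component smuggles a second host= line.
	smuggled := "example.com\nhost=other.example"

	fmt.Printf("naive keys: %v\n", requestKeys(credentialRequestNaive("https", smuggled, "")))
	_, err := credentialRequestChecked("https", smuggled, "")
	fmt.Printf("checked: %v\n", err)
	req, _ := credentialRequestChecked("https", "example.com", "org/repo.git")
	fmt.Printf("clean request:\n%s", req)
}
```

The same rule applies to any line- or record-delimited protocol assembled from untrusted strings: validate each field for the delimiter before serialization, rather than trying to escape it afterwards.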
Github Security Blog · added 2025/02/20 8:16 p.m. · 11 views

Cross-site scripting (XSS) in the CKEditor 5 real-time collaboration package

Impact: During a recent internal audit, we identified a Cross-Site Scripting (XSS) vulnerability in the CKEditor 5 real-time collaboration package. This vulnerability can lead to unauthorized JavaScript code execution and affects user markers, which represent users' positions within the document. Th...

CVSS 2.3 · AI score 5.7 · EPSS 0.00557 · Exploits 0 · References 6 · Affected Software 2
UbuntuCve · added 2025/02/20 6:15 p.m. · 30 views

CVE-2025-27091

OpenH264 is a free license codec library which supports H.264 encoding and decoding. A vulnerability in the decoding functions of the OpenH264 codec library could allow a remote, unauthenticated attacker to trigger a heap overflow. This vulnerability is due to a race condition between a Sequence...

CVSS 8.6 · AI score 7.3 · EPSS 0.00639 · Exploits 0 · References 2
OSV · added 2025/02/20 10:31 a.m. · 12 views

BIT-DISCOURSE-2024-56197 Users can see other user's tagged PMs in Discourse

Discourse is an open source platform for community discussion. PM titles and metadata can be read by other users when the "PM tags allowed for groups" option is enabled, the other user is a member of a group added to this option, and the PM has been tagged. This issue has been patched in the late...

CVSS 4.9 · AI score 3.8 · EPSS 0.00329 · Exploits 0 · References 2
OSV · added 2025/02/20 10:31 a.m. · 15 views

BIT-DISCOURSE-2025-23023 Anonymous cache poisoning via request headers in Discourse

Discourse is an open source platform for community discussion. In affected versions an attacker can carefully craft a request with the right request headers to poison the anonymous cache (for example, the cache may end up holding a response with missing preloaded data). This issue only affects anonymous...

CVSS 8.2 · AI score 8.1 · EPSS 0.00237 · Exploits 0 · References 2
Fedora · added 2025/02/20 2:28 a.m. · 15 views

[SECURITY] Fedora 41 Update: kernel-6.12.15-200.fc41

The kernel meta package...

CVSS 7.7 · AI score 6.9 · EPSS 0.00231 · Exploits 0
Fedora · added 2025/02/20 2:27 a.m. · 11 views

[SECURITY] Fedora 40 Update: kernel-6.12.15-100.fc40

The kernel meta package...

CVSS 7.7 · AI score 6.6 · EPSS 0.00231 · Exploits 0