Updated flatpak & bubblewrap packages fix security vulnerability
Flatpak may allow access to files outside sandbox for certain apps. CVE-2024-42472...
Updated cups-filters packages fix security vulnerabilities
CUPS-Filters has heap-buffer-overflow write in cfImageLut. CVE-2025-57812 cups-filters 1.x: out of bounds write in pdftoraster. CVE-2025-64503...
Updated thunderbird packages fix security vulnerabilities
Race condition in the Graphics component. CVE-2025-13012 Mitigation bypass in the DOM: Core & HTML component. CVE-2025-13013 Use-after-free in the Audio/Video component. CVE-2025-13014 Spoofing issue in Firefox. CVE-2025-13015 Incorrect boundary conditions in the JavaScript:...
Updated postgresql15 & postgresql13 packages fix security vulnerabilities
PostgreSQL CREATE STATISTICS does not check for schema CREATE privilege. CVE-2025-12817 PostgreSQL libpq undersizes allocations, via integer wraparound. CVE-2025-12818...
Updated apache packages fix security vulnerabilities
HTTP response splitting. CVE-2024-42516 SSRF with mod_headers setting Content-Type header. CVE-2024-43204 mod_ssl error log variable escaping. CVE-2024-47252 mod_proxy_http2 denial of service. CVE-2025-49630 mod_ssl access control bypass with session resumption. CVE-2025-23048 mod_ssl TLS upgrade attac...
Updated firefox packages fix security vulnerabilities
Race condition in the Graphics component. CVE-2025-13012 Mitigation bypass in the DOM: Core & HTML component. CVE-2025-13013 Use-after-free in the Audio/Video component. CVE-2025-13014 Spoofing issue in Firefox. CVE-2025-13015 Incorrect boundary conditions in the JavaScript:...
Updated apache-commons-beanutils packages fix security vulnerability
Apache Commons BeanUtils: PropertyUtilsBean does not suppress an enum's declaredClass property by default. CVE-2025-48734...
Updated spdlog packages fix security vulnerability
Spdlog pattern_formatter-inl.h scoped_padder resource consumption. CVE-2025-6140...
Updated yelp & yelp-xsl packages fix security vulnerability
The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment. CVE-2025-3155...
Updated apache-commons-fileupload packages fix security vulnerability
Apache Commons FileUpload: FileUpload DoS via part headers. CVE-2025-48976...
Updated python-django packages fix security vulnerability
Potential SQL injection via connector keyword argument in QuerySet and Q objects. CVE-2025-64459...
Updated apache-commons-lang3 & apache-commons-lang packages fix security vulnerability
Apache Commons Lang: ClassUtils.getClass(...) can throw a StackOverflowError on very long inputs. CVE-2025-48924...
Updated botan2 packages fix security vulnerability
Botan before 3.6.0, when certain GCC versions are used, has a compiler-induced secret-dependent operation in lib/utils/donna128.h in donna128 used in Chacha-Poly1305 and x25519. An addition can be skipped if a carry is not set. This was observed for GCC 11.3.0 with -O2 on MIPS, and GCC on x86-i38...
Updated stardict packages fix security vulnerability
The YouDao plugin for StarDict, as used in stardict 3.0.7+git20220909+dfsg-6 in Debian trixie and elsewhere, sends an X11 selection to the dict.youdao.com and dict.cn servers via cleartext HTTP. CVE-2025-55014...
Updated webkit2 packages fix security vulnerabilities
CVE-2024-27838 A maliciously crafted webpage may be able to fingerprint the user. Description: The issue was addressed by adding additional logic. CVE-2024-27851 Processing maliciously crafted web content may lead to arbitrary code execution. Description: The issue was addressed with improved...
Updated python-setuptools packages fix security vulnerability
Setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write. CVE-2025-47273...
Updated ruby packages fix security vulnerabilities
Net::IMAP vulnerable to possible DoS by memory exhaustion. CVE-2025-25186 In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it...
Updated python-py packages fix security vulnerability
The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. CVE-2022-42969...
Updated perl-Crypt-OpenSSL-RSA packages fix security vulnerability
Perl-crypt-openssl-rsa: side-channel attack in pkcs1 v1.5 padding mode (Marvin attack). CVE-2024-2467...
Updated perl-Cpanel-JSON-XS packages fix security vulnerability
Cpanel::JSON::XS before version 4.40 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact. CVE-2025-40929...
Updated perl-Authen-SASL packages fix security vulnerability
Authen::SASL::Perl::DIGEST_MD5 versions 2.04 through 2.1800 for Perl generates the cnonce insecurely. CVE-2025-40918...
Updated perl-JSON-XS packages fix security vulnerability
JSON::XS before version 4.04 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact. CVE-2025-40928...
Updated python-flask-cors packages fix security vulnerabilities
Log Injection Vulnerability in corydolphin/flask-cors. CVE-2024-1681 Improper Access Control in corydolphin/flask-cors. CVE-2024-6221 Improper Regex Path Matching in corydolphin/flask-cors. CVE-2024-6839 Inconsistent CORS Matching Due to Handling of '+' in URL Path in corydolphin/flask-cors...
Updated perl-CPAN & perl-HTTP-Tiny packages fix security vulnerabilities
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. CVE-2023-31484 HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates...
Updated perl-File-Find-Rule packages fix security vulnerability
File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code Execution when grep encounters a crafted file name. CVE-2011-10007...
Updated perl-FCGI packages fix security vulnerability
FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library. CVE-2025-40907...
Updated perl-YAML-LibYAML packages fix security vulnerability
YAML-LibYAML prior to 0.903.0 for Perl uses 2-args open, allowing existing files to be modified. CVE-2025-40908...
Updated perl packages fix security vulnerabilities
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. CVE-2023-31484 Perl is vulnerable to a heap buffer overflow when transliterating non-ASCII bytes. CVE-2024-56406 Perl threads have a working directory race condition where file operations may target...
Updated perl-Data-Entropy packages fix security vulnerability
Data::Entropy for Perl uses insecure rand function for cryptographic functions. CVE-2025-1860...
Updated python-urllib3 & python-pip packages fix security vulnerability
Urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation. CVE-2025-50181...
Updated python-tornado packages fix security vulnerability
Tornado vulnerable to excessive logging caused by malformed multipart form data. CVE-2025-47287...
Updated python3 packages fix security vulnerabilities
URL parser allowed square brackets in domain names. CVE-2025-0938 Mishandling of comma during folding and unicode-encoding of email headers. CVE-2025-1795 Virtual environment (venv) activation scripts don't quote paths. CVE-2024-9287 Use-after-free in "unicode_escape" decoder with error handler...
Updated unbound packages fix security vulnerability
Several multi-vendor cache poisoning vulnerabilities have been discovered in caching resolvers for non-DNSSEC protected data. Unbound is vulnerable to some of these cases, which could lead to domain hijacking. CVE-2025-11411...
Updated strongswan packages fix security vulnerability
Buffer Overflow When Handling EAP-MSCHAPv2 Failure Requests. CVE-2025-62291...
Updated xen packages fix security vulnerabilities
Double unlock in x86 guest IRQ handling. CVE-2024-31143 Xapi: Metadata injection attack against backup/restore functionality. CVE-2024-31144 Error handling in x86 IOMMU identity mapping. CVE-2024-31145 PCI device pass-through with shared resources. CVE-2024-31146 x86: Deadlock in vlapic_error...
Updated opencontainers-runc packages fix security vulnerabilities
The way masked paths are implemented in runc can be exploited to cause the host system to crash or halt (CVE-2025-31133), and a flaw in /dev/console bind-mounts can lead to container escape (CVE-2025-52565). Also, arbitrary write gadgets and procfs write redirects could be used to engineer container...
Updated libxml2 & libxslt packages fix security vulnerabilities
Heap use after free (UAF) leads to Denial of service (DoS). CVE-2025-49794 Null pointer dereference leads to Denial of service (DoS). CVE-2025-49795 Type confusion leads to Denial of service (DoS). CVE-2025-49796 Integer Overflow Leading to Buffer Overflow in xmlBuildQName. CVE-2025-6021 Stack-based Buff...
Updated dcmtk packages fix security vulnerabilities
A vulnerability was identified in DCMTK up to 3.6.9. This affects an unknown function in the library dcmimage/include/dcmtk/dcmimage/diybrpxt.h of the component dcm2img. Such manipulation leads to memory corruption. Local access is required to approach this attack. The name of the patch is...
Updated sqlite3 packages fix security vulnerability
Integer Truncation on SQLite. CVE-2025-6965...
Updated java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk & java-latest-openjdk packages fix security vulnerabilities
Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or...
Updated libvpx packages fix security vulnerability
Double-free in libvpx encoder. CVE-2025-5283...
Updated x11-server, x11-server-xwayland & tigervnc packages fix security vulnerabilities
Use-after-free in XPresentNotify structures creation. CVE-2025-62229 Use-after-free in Xkb client resource removal. CVE-2025-62230 Value overflow in Xkb extension XkbSetCompatMap. CVE-2025-62231...
Updated gstreamer1.0-plugins-bad packages fix security vulnerability
GStreamer H265 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. CVE-2025-3887...
Updated binutils packages fix security vulnerabilities
GNU Binutils format.c bfd_set_format memory corruption. CVE-2025-1153 GNU Binutils ld elflink.c _bfd_elf_gc_mark_rsec heap-based overflow. CVE-2025-1176 GNU Binutils ld libbfd.c bfd_putl64 memory corruption. CVE-2025-1178 GNU Binutils ld elflink.c _bfd_elf_gc_mark_rsec memory corruption. CVE-2025-1181 GNU...
Updated mediawiki packages fix security vulnerabilities
i18n XSS vulnerability in HTMLMultiSelectField when sections are used. CVE-2025-3469 "reupload-own" restriction can be bypassed by reverting file. CVE-2025-32696 Cascading protection is not preventing file reversions. CVE-2025-32697 LogPager.php: Restriction enforcer functions do not correctly...
Updated net-tools packages fix security vulnerability
net-tools Stack-based Buffer Overflow vulnerability. CVE-2025-46836...
Updated libsoup3 & libsoup packages fix security vulnerabilities
Libsoup: heap buffer over-read in skip_insignificant_space when sniffing content. CVE-2025-2784 Libsoup: denial of service attack to websocket server. CVE-2025-32049 Libsoup: integer overflow in append_param_quoted. CVE-2025-32050 Libsoup: segmentation fault when parsing malformed data uri...
Updated microcode packages fix security vulnerability
AMD CPU Microcode Signature Verification Vulnerability. CVE-2024-36347...
Updated golang packages fix security vulnerabilities
Insufficient validation of bracketed IPv6 hostnames in net/url. CVE-2025-47912 Unbounded allocation when parsing GNU sparse map in archive/tar. CVE-2025-58183 Parsing DER payload can cause memory exhaustion in encoding/asn1. CVE-2025-58185 Lack of limit when parsing cookies can cause memory...
Updated libavif packages fix security vulnerabilities
In libavif before 1.3.0, makeRoom in stream.c has an integer overflow and resultant buffer overflow in stream-offset+size. CVE-2025-48174 In libavif before 1.3.0, avifImageRGBToYUV in reformat.c has integer overflows in multiplications involving rgbRowBytes, yRowBytes, uRowBytes, and vRowBytes...