Explore top 10 tips to secure your open-source projects now. Read More
×The package python-django before version 5.1.11-1 is vulnerable to content spoofing. . Arch Linux Security Advisory ASA-202506-6 ========================================= Severity: Low Date : 2025-06-12 CVE-ID : CVE-2025-48432 Package : python-django Type : content spoofing Remote : Yes Link : https://security.archlinux.org/AVG-2894 Summary ======= The package python-django before version 5.1.11-1 is vulnerable to content spoofing. Resolution ========== Upgrade to 5.1.11-1. # pacman -Syu "python-django> =5.1.11-1" The problem has been fixed upstream in version 5.1.11. Workaround ========== None. Description =========== Internal HTTP response logging used request.path directly, allowing control characters (e.g. newlines or ANSI escape sequences) to be written unescaped into logs. This could enable log injection or forgery, letting attackers manipulate log appearance or structure, especially in logs processed by external systems or viewed in terminals. Impact ====== A remote attacker can manipulate log entries by sending crafted HTTP requests with control characters in the path, potentially spoofing or injecting content into server logs. References ========== https://www.djangoproject.com/weblog/2025/jun/04/security-releases/ https://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases/ https://docs.djangoproject.com/en/dev/releases/5.1.10/#cve-2025-48432-potential-log-injection-via-unescaped-request-path https://docs.djangoproject.com/en/dev/releases/5.1.11/ https://security.archlinux.org/CVE-2025-48432 . Ubuntu Security Notice for python-flask flaw: minor impact linked to data manipulation. Prompt update recommended.. content manipulation, python-django security, archlinux advisory. . Severity: Low. LinuxSecurity.com Team
The package konsole before version 25.04.2-1 is vulnerable to arbitrary code execution. . Arch Linux Security Advisory ASA-202506-5 ========================================= Severity: High Date : 2025-06-11 CVE-ID : CVE-2025-49091 Package : konsole Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-2897 Summary ======= The package konsole before version 25.04.2-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 25.04.2-1. # pacman -Syu "konsole> =25.04.2-1" The problem has been fixed upstream in version 25.04.2. Workaround ========== None. Description =========== Konsole supports loading URLs from the scheme handlers such as telnet://URL. This can be executed regardless of whether the telnet binary is available. In this mode konsole had a path where if telnet was not available it would fall back to using bash for the given arguments provided; which is the URL provided. This allows an attacker to execute arbitrary code. Browsers typically provide a prompt when a user opens an external scheme handler which would look suspicious, requiring user interaction to be exploitable. Impact ====== A remote attacker can trick a user into opening a specially crafted URL that exploits Konsoleâs scheme handler fallback mechanism, leading to arbitrary code execution. References ========== https://kde.org/info/security/advisory-20250609-1.txt https://www.proofnet.de/publikationen/konsole_rce.html https://nvd.nist.gov/vuln/detail/CVE-2025-49091 https://www.openwall.com/lists/oss-security/2025/06/10/5 https://security.archlinux.org/CVE-2025-49091 . Arch Linux Security Notice ASA-202506-5: Critical vulnerability identified in konsole enabling arbitrary code execution.. archlinux security advisory, konsole security issue, code execution risk. . LinuxSecurity.com Team
The package go before version 1.24.4-1 is vulnerable to multiple issues including certificate verification bypass and information disclosure. . Arch Linux Security Advisory ASA-202506-4 ========================================= Severity: Medium Date : 2025-06-07 CVE-ID : CVE-2025-4673 CVE-2025-22874 Package : go Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-2896 Summary ======= The package go before version 1.24.4-1 is vulnerable to multiple issues including certificate verification bypass and information disclosure. Resolution ========== Upgrade to 1.24.4-1. # pacman -Syu "go> =1.24.4-1" The problems have been fixed upstream in version 1.24.4. Workaround ========== None. Description =========== - CVE-2025-4673 (information disclosure) net/http: Proxy-Authorization and Proxy-Authenticate headers were not cleared during cross-origin redirects, potentially leaking sensitive credentials in proxy-authenticated environments. - CVE-2025-22874 (certificate verification bypass) crypto/x509: When VerifyOptions.KeyUsages includes ExtKeyUsageAny, certificate policy validation is unintentionally disabled. This affects certificate chains with policy constraints, which are uncommon but security-relevant when used. Impact ====== A remote attacker can exploit Go's HTTP client to leak proxy credentials via cross-origin redirects, or bypass certificate policy validation when ExtKeyUsageAny is used during TLS verification. References ========== https://github.com/golang/go/issues/73816 https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A/m/XDxq7uidAgAJ https://go.dev/doc/devel/release#go1.24.4 https://github.com/golang/go/issues/73612 https://security.archlinux.org/CVE-2025-4673 https://security.archlinux.org/CVE-2025-22874 . Arch Linux Security Advisory ASA-202507-5 with high severity highlights various vulnerabilities in the ruby package.. Arch Linux, package security, go programming, certificateissues, CVE-2025-4673. . Severity: Medium. LinuxSecurity.com Team
The package samba before version 4.22.2-1 is vulnerable to access restriction bypass. . Arch Linux Security Advisory ASA-202506-3 ========================================= Severity: Low Date : 2025-06-06 CVE-ID : CVE-2025-0620 Package : samba Type : access restriction bypass Remote : Yes Link : https://security.archlinux.org/AVG-2892 Summary ======= The package samba before version 4.22.2-1 is vulnerable to access restriction bypass. Resolution ========== Upgrade to 4.22.2-1. # pacman -Syu "samba> =4.22.2-1" The problem has been fixed upstream in version 4.22.2. Workaround ========== None. Description =========== When using Kerberos authentication with SMB, smbd doesn't pick up group membership changes when re-authenticating an expired SMB session. Impact ====== A remote authenticated attacker may retain unintended access to file shares in Samba. References ========== https://nvd.nist.gov/vuln/detail/CVE-2025-0620 https://security.archlinux.org/CVE-2025-0620 . Debian Security Announcement DSA-202506-4 outlines a minor vulnerability in openSSH that may permit unauthorized access, issued on 2025-06-07.. Samba access bypass, Arch Linux security patch, samba update. . Severity: Low. LinuxSecurity.com Team
The package curl before version 8.14.1-1 is vulnerable to denial of service. . Arch Linux Security Advisory ASA-202506-2 ========================================= Severity: Low Date : 2025-06-05 CVE-ID : CVE-2025-5399 Package : curl Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-2895 Summary ======= The package curl before version 8.14.1-1 is vulnerable to denial of service. Resolution ========== Upgrade to 8.14.1-1. # pacman -Syu "curl> =8.14.1-1" The problem has been fixed upstream in version 8.14.1. Workaround ========== None. Description =========== Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS libcurl-using application. Impact ====== A remote attacker can send a specially crafted WebSocket frame that triggers an infinite busy-loop in libcurl, causing the application to hang indefinitely potentially leading to a denial of service. References ========== https://curl.se/docs/CVE-2025-5399.html https://github.com/curl/curl/commit/d1145df24de8f80e6b16 https://security.archlinux.org/CVE-2025-5399 . The Arch Linux Security Advisory ASA-202506-3 discusses a minor Denial of Service vulnerability in curl versions prior to 8.14.1-1, urging users to upgrade. Curl Denial of Service, ArchLinux Update, Security Advisory, Linux Package Management. . Severity: Low. LinuxSecurity.com Team
The package roundcubemail before version 1.6.11-1 is vulnerable to arbitrary code execution. . Arch Linux Security Advisory ASA-202506-1 ========================================= Severity: Critical Date : 2025-06-04 CVE-ID : CVE-2025-49113 Package : roundcubemail Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-2891 Summary ======= The package roundcubemail before version 1.6.11-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 1.6.11-1. # pacman -Syu "roundcubemail> =1.6.11-1" The problem has been fixed upstream in version 1.6.11. Workaround ========== None. Description =========== Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. Impact ====== A remote attacker with access to an authenticated Roundcube session can exploit a vulnerability leading to arbitrary code execution. References ========== https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10 https://www.cve.org/CVERecord?id=CVE-2025-49113 https://www.openwall.com/lists/oss-security/2025/06/02/3 https://github.com/roundcube/roundcubemail/pull/9865 https://security.archlinux.org/CVE-2025-49113 . Arch Linux Security Advisory ASA-202507-2: Severe vulnerability in PHPMyAdmin permits unrestricted file access. Immediate upgrade advised.. Arch Linux, roundcubemail security, arbitrary code execution, software update, webmail security. . Severity: Critical. LinuxSecurity.com Team
The package ghostscript before version 10.05.1-2 is vulnerable to information disclosure. . Arch Linux Security Advisory ASA-202505-15 ========================================== Severity: Low Date : 2025-05-24 CVE-ID : CVE-2025-48708 Package : ghostscript Type : information disclosure Remote : No Link : https://security.archlinux.org/AVG-2883 Summary ======= The package ghostscript before version 10.05.1-2 is vulnerable to information disclosure. Resolution ========== Upgrade to 10.05.1-2. # pacman -Syu "ghostscript> =10.05.1-2" The problem has been fixed upstream in version 10.05.1. Workaround ========== None. Description =========== gs_lib_ctx_stash_sanitized_arg in base/gslibctx.c in Artifex Ghostscript before 10.05.1 lacks argument sanitization for the # case. A created PDF document includes its password in cleartext. Impact ====== A local attacker can access the password used to protect a PDF in cleartext. References ========== https://bugs.ghostscript.com/show_bug.cgi?id=708446 https://security.archlinux.org/CVE-2025-48708 . Debian GNU/Linux Security Alert for imagemagick discloses minor data leak issue; users are advised to update promptly.. Arch Linux Security, ghostscript vulnerability, information disclosure fix. . Severity: Low. LinuxSecurity.com Team
The package go before version 2:1.24.3-1 is vulnerable to directory traversal. . Arch Linux Security Advisory ASA-202505-12 ========================================== Severity: Low Date : 2025-05-19 CVE-ID : CVE-2025-22873 Package : go Type : directory traversal Remote : No Link : https://security.archlinux.org/AVG-2878 Summary ======= The package go before version 2:1.24.3-1 is vulnerable to directory traversal. Resolution ========== Upgrade to 2:1.24.3-1. # pacman -Syu "go> =2:1.24.3-1" The problem has been fixed upstream in version 1.24.3. Workaround ========== None. Description =========== It was possible to improperly access the parent directory of a restricted filesystem root created with os.DirFS. Calling Open("../") on such a filesystem could open the parent directory itself, violating expected directory confinement. This escape did not allow access to ancestor directories beyond the parent, nor to files within the parent directory. This behavior has been corrected to return an error for such paths. Impact ====== A local attacker or untrusted component running within a Go application could bypass directory confinement by accessing the parent directory of a restricted os.DirFS root using a "../" path. References ========== https://github.com/golang/go/issues/73555 https://go.dev/doc/devel/release#go1.24.3 https://groups.google.com/g/golang-announce/c/UZoIkUT367A/m/5WDxKizJAQAJ?pli=1 https://security.archlinux.org/CVE-2025-22873 . Ubuntu Security Notice USN-5648-1: python-requests vulnerable to denial of service. Immediate action advised.. package update, directory traversal, security advisory, Arch Linux, software security. . Severity: Low. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.