Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 526
Alerts This Week
Warning Icon 1 526

Stay Secure with the Latest Linux Advisories

Filter%20icon Refine advisories
X Clear Filters
X Clear Filters
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security advisories

We found 71 articles for you...
198

Fedora: 203105-8 moderate: ruby-on-rails sql injection vulnerability

The package python-django before version 5.1.11-1 is vulnerable to content spoofing. . Arch Linux Security Advisory ASA-202506-6 ========================================= Severity: Low Date : 2025-06-12 CVE-ID : CVE-2025-48432 Package : python-django Type : content spoofing Remote : Yes Link : https://security.archlinux.org/AVG-2894 Summary ======= The package python-django before version 5.1.11-1 is vulnerable to content spoofing. Resolution ========== Upgrade to 5.1.11-1. # pacman -Syu "python-django> =5.1.11-1" The problem has been fixed upstream in version 5.1.11. Workaround ========== None. Description =========== Internal HTTP response logging used request.path directly, allowing control characters (e.g. newlines or ANSI escape sequences) to be written unescaped into logs. This could enable log injection or forgery, letting attackers manipulate log appearance or structure, especially in logs processed by external systems or viewed in terminals. Impact ====== A remote attacker can manipulate log entries by sending crafted HTTP requests with control characters in the path, potentially spoofing or injecting content into server logs. References ========== https://www.djangoproject.com/weblog/2025/jun/04/security-releases/ https://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases/ https://docs.djangoproject.com/en/dev/releases/5.1.10/#cve-2025-48432-potential-log-injection-via-unescaped-request-path https://docs.djangoproject.com/en/dev/releases/5.1.11/ https://security.archlinux.org/CVE-2025-48432 . Ubuntu Security Notice for python-flask flaw: minor impact linked to data manipulation. Prompt update recommended.. content manipulation, python-django security, archlinux advisory. . Severity: Low. LinuxSecurity.com Team

Calendar%202 Jun 13, 2025 Low ArchLinux
198

Ubuntu: 303103-1 medium: gnome-terminal privilege escalation

The package konsole before version 25.04.2-1 is vulnerable to arbitrary code execution. . Arch Linux Security Advisory ASA-202506-5 ========================================= Severity: High Date : 2025-06-11 CVE-ID : CVE-2025-49091 Package : konsole Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-2897 Summary ======= The package konsole before version 25.04.2-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 25.04.2-1. # pacman -Syu "konsole> =25.04.2-1" The problem has been fixed upstream in version 25.04.2. Workaround ========== None. Description =========== Konsole supports loading URLs from the scheme handlers such as telnet://URL. This can be executed regardless of whether the telnet binary is available. In this mode konsole had a path where if telnet was not available it would fall back to using bash for the given arguments provided; which is the URL provided. This allows an attacker to execute arbitrary code. Browsers typically provide a prompt when a user opens an external scheme handler which would look suspicious, requiring user interaction to be exploitable. Impact ====== A remote attacker can trick a user into opening a specially crafted URL that exploits Konsole’s scheme handler fallback mechanism, leading to arbitrary code execution. References ========== https://kde.org/info/security/advisory-20250609-1.txt https://www.proofnet.de/publikationen/konsole_rce.html https://nvd.nist.gov/vuln/detail/CVE-2025-49091 https://www.openwall.com/lists/oss-security/2025/06/10/5 https://security.archlinux.org/CVE-2025-49091 . Arch Linux Security Notice ASA-202506-5: Critical vulnerability identified in konsole enabling arbitrary code execution.. archlinux security advisory, konsole security issue, code execution risk. . LinuxSecurity.com Team

Calendar%202 Jun 13, 2025 ArchLinux
198

ArchLinux: ASA-202506-4 medium risk of go certificate bypass issue

The package go before version 1.24.4-1 is vulnerable to multiple issues including certificate verification bypass and information disclosure. . Arch Linux Security Advisory ASA-202506-4 ========================================= Severity: Medium Date : 2025-06-07 CVE-ID : CVE-2025-4673 CVE-2025-22874 Package : go Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-2896 Summary ======= The package go before version 1.24.4-1 is vulnerable to multiple issues including certificate verification bypass and information disclosure. Resolution ========== Upgrade to 1.24.4-1. # pacman -Syu "go> =1.24.4-1" The problems have been fixed upstream in version 1.24.4. Workaround ========== None. Description =========== - CVE-2025-4673 (information disclosure) net/http: Proxy-Authorization and Proxy-Authenticate headers were not cleared during cross-origin redirects, potentially leaking sensitive credentials in proxy-authenticated environments. - CVE-2025-22874 (certificate verification bypass) crypto/x509: When VerifyOptions.KeyUsages includes ExtKeyUsageAny, certificate policy validation is unintentionally disabled. This affects certificate chains with policy constraints, which are uncommon but security-relevant when used. Impact ====== A remote attacker can exploit Go's HTTP client to leak proxy credentials via cross-origin redirects, or bypass certificate policy validation when ExtKeyUsageAny is used during TLS verification. References ========== https://github.com/golang/go/issues/73816 https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A/m/XDxq7uidAgAJ https://go.dev/doc/devel/release#go1.24.4 https://github.com/golang/go/issues/73612 https://security.archlinux.org/CVE-2025-4673 https://security.archlinux.org/CVE-2025-22874 . Arch Linux Security Advisory ASA-202507-5 with high severity highlights various vulnerabilities in the ruby package.. Arch Linux, package security, go programming, certificateissues, CVE-2025-4673. . Severity: Medium. LinuxSecurity.com Team

Calendar%202 Jun 13, 2025 Medium ArchLinux
198

Arch Linux: ASA-202506-3 CVE-2025-0620 low: samba access issue

The package samba before version 4.22.2-1 is vulnerable to access restriction bypass. . Arch Linux Security Advisory ASA-202506-3 ========================================= Severity: Low Date : 2025-06-06 CVE-ID : CVE-2025-0620 Package : samba Type : access restriction bypass Remote : Yes Link : https://security.archlinux.org/AVG-2892 Summary ======= The package samba before version 4.22.2-1 is vulnerable to access restriction bypass. Resolution ========== Upgrade to 4.22.2-1. # pacman -Syu "samba> =4.22.2-1" The problem has been fixed upstream in version 4.22.2. Workaround ========== None. Description =========== When using Kerberos authentication with SMB, smbd doesn't pick up group membership changes when re-authenticating an expired SMB session. Impact ====== A remote authenticated attacker may retain unintended access to file shares in Samba. References ========== https://nvd.nist.gov/vuln/detail/CVE-2025-0620 https://security.archlinux.org/CVE-2025-0620 . Debian Security Announcement DSA-202506-4 outlines a minor vulnerability in openSSH that may permit unauthorized access, issued on 2025-06-07.. Samba access bypass, Arch Linux security patch, samba update. . Severity: Low. LinuxSecurity.com Team

Calendar%202 Jun 13, 2025 Low ArchLinux
198

ArchLinux: 202506-2 curl Low severity denial of service risk

The package curl before version 8.14.1-1 is vulnerable to denial of service. . Arch Linux Security Advisory ASA-202506-2 ========================================= Severity: Low Date : 2025-06-05 CVE-ID : CVE-2025-5399 Package : curl Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-2895 Summary ======= The package curl before version 8.14.1-1 is vulnerable to denial of service. Resolution ========== Upgrade to 8.14.1-1. # pacman -Syu "curl> =8.14.1-1" The problem has been fixed upstream in version 8.14.1. Workaround ========== None. Description =========== Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS libcurl-using application. Impact ====== A remote attacker can send a specially crafted WebSocket frame that triggers an infinite busy-loop in libcurl, causing the application to hang indefinitely potentially leading to a denial of service. References ========== https://curl.se/docs/CVE-2025-5399.html https://github.com/curl/curl/commit/d1145df24de8f80e6b16 https://security.archlinux.org/CVE-2025-5399 . The Arch Linux Security Advisory ASA-202506-3 discusses a minor Denial of Service vulnerability in curl versions prior to 8.14.1-1, urging users to upgrade. Curl Denial of Service, ArchLinux Update, Security Advisory, Linux Package Management. . Severity: Low. LinuxSecurity.com Team

Calendar%202 Jun 13, 2025 Low ArchLinux
198

Arch Linux: ASA-202506-1 critical: roundcubemail remote code execution

The package roundcubemail before version 1.6.11-1 is vulnerable to arbitrary code execution. . Arch Linux Security Advisory ASA-202506-1 ========================================= Severity: Critical Date : 2025-06-04 CVE-ID : CVE-2025-49113 Package : roundcubemail Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-2891 Summary ======= The package roundcubemail before version 1.6.11-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 1.6.11-1. # pacman -Syu "roundcubemail> =1.6.11-1" The problem has been fixed upstream in version 1.6.11. Workaround ========== None. Description =========== Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. Impact ====== A remote attacker with access to an authenticated Roundcube session can exploit a vulnerability leading to arbitrary code execution. References ========== https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10 https://www.cve.org/CVERecord?id=CVE-2025-49113 https://www.openwall.com/lists/oss-security/2025/06/02/3 https://github.com/roundcube/roundcubemail/pull/9865 https://security.archlinux.org/CVE-2025-49113 . Arch Linux Security Advisory ASA-202507-2: Severe vulnerability in PHPMyAdmin permits unrestricted file access. Immediate upgrade advised.. Arch Linux, roundcubemail security, arbitrary code execution, software update, webmail security. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Jun 13, 2025 Critical ArchLinux
198

Arch Linux: 202505-15 low: ghostscript information disclosure

The package ghostscript before version 10.05.1-2 is vulnerable to information disclosure. . Arch Linux Security Advisory ASA-202505-15 ========================================== Severity: Low Date : 2025-05-24 CVE-ID : CVE-2025-48708 Package : ghostscript Type : information disclosure Remote : No Link : https://security.archlinux.org/AVG-2883 Summary ======= The package ghostscript before version 10.05.1-2 is vulnerable to information disclosure. Resolution ========== Upgrade to 10.05.1-2. # pacman -Syu "ghostscript> =10.05.1-2" The problem has been fixed upstream in version 10.05.1. Workaround ========== None. Description =========== gs_lib_ctx_stash_sanitized_arg in base/gslibctx.c in Artifex Ghostscript before 10.05.1 lacks argument sanitization for the # case. A created PDF document includes its password in cleartext. Impact ====== A local attacker can access the password used to protect a PDF in cleartext. References ========== https://bugs.ghostscript.com/show_bug.cgi?id=708446 https://security.archlinux.org/CVE-2025-48708 . Debian GNU/Linux Security Alert for imagemagick discloses minor data leak issue; users are advised to update promptly.. Arch Linux Security, ghostscript vulnerability, information disclosure fix. . Severity: Low. LinuxSecurity.com Team

Calendar%202 Jun 13, 2025 Low ArchLinux
198

ArchLinux: ASA-202505-12 critical: directory traversal vulnerability found

The package go before version 2:1.24.3-1 is vulnerable to directory traversal. . Arch Linux Security Advisory ASA-202505-12 ========================================== Severity: Low Date : 2025-05-19 CVE-ID : CVE-2025-22873 Package : go Type : directory traversal Remote : No Link : https://security.archlinux.org/AVG-2878 Summary ======= The package go before version 2:1.24.3-1 is vulnerable to directory traversal. Resolution ========== Upgrade to 2:1.24.3-1. # pacman -Syu "go> =2:1.24.3-1" The problem has been fixed upstream in version 1.24.3. Workaround ========== None. Description =========== It was possible to improperly access the parent directory of a restricted filesystem root created with os.DirFS. Calling Open("../") on such a filesystem could open the parent directory itself, violating expected directory confinement. This escape did not allow access to ancestor directories beyond the parent, nor to files within the parent directory. This behavior has been corrected to return an error for such paths. Impact ====== A local attacker or untrusted component running within a Go application could bypass directory confinement by accessing the parent directory of a restricted os.DirFS root using a "../" path. References ========== https://github.com/golang/go/issues/73555 https://go.dev/doc/devel/release#go1.24.3 https://groups.google.com/g/golang-announce/c/UZoIkUT367A/m/5WDxKizJAQAJ?pli=1 https://security.archlinux.org/CVE-2025-22873 . Ubuntu Security Notice USN-5648-1: python-requests vulnerable to denial of service. Immediate action advised.. package update, directory traversal, security advisory, Arch Linux, software security. . Severity: Low. LinuxSecurity.com Team

Calendar%202 May 20, 2025 Low ArchLinux
News Add Esm H240

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200