Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 584
Alerts This Week
Warning Icon 1 584

Stay Secure with the Latest Linux Advisories

Filter%20icon Refine advisories
X Clear Filters
X Clear Filters
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security advisories

We found 233 articles for you...
203

Mageia 9: MGASA-2025-0179 moderate: php-adodb SQL injection risk

ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. Prior to version 5.22.9, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a PostgreSQL database and calls pg_insert_id() with user-supplied data. . MGASA-2025-0179 - Updated php-adodb packages fix security vulnerability Publication date: 08 Jun 2025 URL: https://advisories.mageia.org/MGASA-2025-0179.html Type: security Affected Mageia releases: 9 CVE: CVE-2025-46337 ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. Prior to version 5.22.9, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a PostgreSQL database and calls pg_insert_id() with user-supplied data. This issue has been patched in version 5.22.9 - CVE-2025-46337. References: - https://bugs.mageia.org/show_bug.cgi?id=34339 - https://ubuntu.com/security/notices/USN-7530-1 - https://github.com/ADOdb/ADOdb/releases/tag/v5.22.9 - https://www.cve.org/CVERecord?id=CVE-2025-46337 SRPMS: - 9/core/php-adodb-5.22.9-1.mga9 . Caution notice for Mageia addressing a php-adodb vulnerability that permits SQL injection. It is suggested to upgrade to version 5.22.9 for best protection.. php adodb security, Mageia advisory, database vulnerability, SQL injection fix, security patch. . LinuxSecurity.com Team

Calendar%202 Jun 08, 2025 Mageia
197

Debian: DLA-4208-1 Critical: MariaDB 10.5 DoS and Data Access Issues

Vulnerabilities was discovered in MariaDB, a SQL database server compatible with MySQL. CVE-2025-30693 . From: Otto Kekäläinen To: This email address is being protected from spambots. You need JavaScript enabled to view it. Subject: [SECURITY] [DLA 4208-1] mariadb-10.5 security update - ------------------------------------------------------------------------- Debian LTS Advisory DLA-4208-1 This email address is being protected from spambots. You need JavaScript enabled to view it. https://www.debian.org/lts/security/ Otto Kekalainen June 04, 2025 https://wiki.debian.org/LTS - ------------------------------------------------------------------------- Package : mariadb-10.5 Version : 1:10.5.29-0+deb11u1 CVE ID : CVE-2025-30693 CVE-2025-30722 Debian Bug : 1099515 1105976 Vulnerabilities was discovered in MariaDB, a SQL database server compatible with MySQL. CVE-2025-30693 Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of MariaDB Server as well as unauthorized update, insert or delete access to some of MariaDB Server accessible data. CVE-2025-30722 Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MariaDB Client. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MariaDB Client accessible data as well as unauthorized update, insert or delete access to some of MariaDB Client accessible data For Debian 11 bullseye, these problems have been fixed in version 1:10.5.29-0+deb11u1. This update also includes a NEWS entry about CVE-2025-30693: Fix of CVE-2025-30693, need to changes data format of innoDB format particularly variable-length encoding. Fix replace mach_write_compressed() withmach_u64_write_much_compressed(), which produces an identical encoding for 32-bit unsigned values. Any 64-bit unsigned integer that does not fit in 32 bits would be encoded as the octet 0xff followed by two the variable-length encoded 32-bit halves of the integer. This scheme is not backward compatible with older format, and may break external tools, particularly if tools read indexes on virtual columns in InnoDB undo log records. Additionally, the updates also includes bugfixes through the 10.5 maintenance branch, as detailed at: https://mariadb.com/docs/release-notes/community-server/old-releases/mariadb-10-5-series/mariadb-10-5-29-release-notes We recommend that you upgrade your mariadb-10.5 packages. For the detailed security status of mariadb-10.5 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/source-package/mariadb-10.5 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS . Essential security patches for MariaDB 10.5 address several flaws that affect data transmission and system reliability.. MariaDB Security Update, Debian LTS, DoS Exploitation, SQL Server Threats, Network Security Fixes. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Jun 04, 2025 Critical Debian LTS
172

Ubuntu 25.04 & 24.10: USN-7530-1 moderate: ADOdb SQL injection

ADOdb could be made to crash or run programs if it received specially crafted input.. ========================================================================== Ubuntu Security Notice USN-7530-1 May 29, 2025 libphp-adodb vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 25.04 - Ubuntu 24.10 Summary: ADOdb could be made to crash or run programs if it received specially crafted input. Software Description: - libphp-adodb: PHP database abstraction layer library Details: It was discovered that ADOdb incorrectly handled SQL input. A remote attacker could use this issue to execute arbitrary SQL commands. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 25.04 libphp-adodb 5.22.8-0.1ubuntu0.1 Ubuntu 24.10 libphp-adodb 5.22.7-0.1ubuntu0.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7530-1 CVE-2025-46337 Package Information: https://launchpad.net/ubuntu/+source/libphp-adodb/5.22.8-0.1ubuntu0.1 https://launchpad.net/ubuntu/+source/libphp-adodb/5.22.7-0.1ubuntu0.1 . Enhance your Ubuntu installations to address ADOdb vulnerabilities concerning SQL input processing.. ADOdb, SQL Injection, Ubuntu Security, System Update, Code Execution. . LinuxSecurity.com Team

Calendar%202 Jun 02, 2025 Ubuntu
172

Ubuntu 24.10 LTS: USN-7315-1 critical: postgresql SQL injection

PostgreSQL could be made to execute arbitrary code if it received specially crafted input.. ========================================================================== Ubuntu Security Notice USN-7315-1 March 03, 2025 postgresql-12, postgresql-14, postgresql-16 vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: PostgreSQL could be made to execute arbitrary code if it received specially crafted input. Software Description: - postgresql-16: Object-relational SQL database - postgresql-14: Object-relational SQL database - postgresql-12: Object-relational SQL database Details: Stephen Fewer discovered that PostgreSQL incorrectly handled quoting syntax in certain scenarios. A remote attacker could possibly use this issue to perform SQL injection attacks. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 24.10 postgresql-16 16.8-0ubuntu0.24.10.1 postgresql-client-16 16.8-0ubuntu0.24.10.1 Ubuntu 24.04 LTS postgresql-16 16.8-0ubuntu0.24.04.1 postgresql-client-16 16.8-0ubuntu0.24.04.1 Ubuntu 22.04 LTS postgresql-14 14.17-0ubuntu0.22.04.1 postgresql-client-14 14.17-0ubuntu0.22.04.1 Ubuntu 20.04 LTS postgresql-12 12.22-0ubuntu0.20.04.2 postgresql-client-12 12.22-0ubuntu0.20.04.2 This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart PostgreSQL to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7315-1 CVE-2025-1094 Package Information: https://launchpad.net/ubuntu/+source/postgresql-16/16.8-0ubuntu0.24.10.1 https://launchpad.net/ubuntu/+source/postgresql-16/16.8-0ubuntu0.24.04.1 https://launchpad.net/ubuntu/+source/postgresql-14/14.17-0ubuntu0.22.04.1 https://launchpad.net/ubuntu/+source/postgresql-12/12.22-0ubuntu0.20.04.2 . Ubuntu USN-7316-1 highlights security patches for PostgreSQL aimed at mitigating remote SQL injection vulnerabilities and unauthorized execution of code.. postgresql security, ubuntu update, attack prevention, sql injection threat. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Mar 03, 2025 Critical Ubuntu
197

Debian 11 DLA-4052-1 moderate: PostgreSQL 13 SQL Injection Threat

A security issue was discovered in the PostgreSQL database system. Under certain usage patterns, improper neutralization of quoting syntax could make it possible for an input provider to achieve SQL injection. . ------------------------------------------------------------------------- Debian LTS Advisory DLA-4052-1 This email address is being protected from spambots. You need JavaScript enabled to view it. https://www.debian.org/lts/security/ Santiago Ruano Rincón February 13, 2025 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : postgresql-13 Version : 13.19-0+deb11u1 CVE ID : CVE-2025-1094 A security issue was discovered in the PostgreSQL database system. Under certain usage patterns, improper neutralization of quoting syntax could make it possible for an input provider to achieve SQL injection. For Debian 11 bullseye, this problem has been fixed in version 13.19-0+deb11u1. We recommend that you upgrade your postgresql-13 packages. For the detailed security status of postgresql-13 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/source-package/postgresql-13 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS . This advisory highlights a critical SQL injection vulnerability in PostgreSQL affecting versions pre-15.2, urging immediate patching to ensure database security. PostgreSQL Security Updates, Debian LTS Advisory, Database SQL Injection. . LinuxSecurity.com Team

Calendar%202 Feb 13, 2025 Debian LTS
202

openSUSE: 2024:0351-1 critical: python-mysql-connector-python SQL injection

An update that fixes one vulnerability is now available. . openSUSE Security Update: Security update for python-mysql-connector-python ______________________________________________________________________________ Announcement ID: openSUSE-SU-2024:0351-1 Rating: important References: #1231740 Cross-References: CVE-2024-21272 Affected Products: openSUSE Backports SLE-15-SP5 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for python-mysql-connector-python fixes the following issues: - Update to 9.1.0 (boo#1231740, CVE-2024-21272) - WL#16452: Bundle all installable authentication plugins when building the C-extension - WL#16444: Drop build support for DEB packages - WL#16442: Upgrade gssapi version to 1.8.3 - WL#16411: Improve wheel metadata information for Classic and XDevAPI connectors - WL#16341: OpenID Connect (Oauth2 - JWT) Authentication Support - WL#16307: Remove Python 3.8 support - WL#16306: Add support for Python 3.13 - BUG#37055435: Connection fails during the TLS negotiation when specifying TLSv1.3 ciphers - BUG#37013057: mysql-connector-python Parameterized query SQL injection - BUG#36765200: python mysql connector 8.3.0 raise %-.100s:%u when input a wrong host - BUG#36577957: Update charset/collation description indicate this is 16 bits - 9.0.0: - WL#16350: Update dnspython version - WL#16318: Deprecate Cursors Prepared Raw and Named Tuple - WL#16284: Update the Python Protobuf version - WL#16283: Remove OpenTelemetry Bundled Installation - BUG#36664998: Packets out of order error is raised while changing user in aio - BUG#36611371: Update dnspython required versions to allow latest 2.6.1 - BUG#36570707: Collation set on connect using C-Extension is ignored - BUG#36476195: Incorrectescaping in pure Python mode if sql_mode includes NO_BACKSLASH_ESCAPES - BUG#36289767: MySQLCursorBufferedRaw does not skip conversion - 8.4.0 - WL#16203: GPL License Exception Update - WL#16173: Update allowed cipher and cipher-suite lists - WL#16164: Implement support for new vector data type - WL#16127: Remove the FIDO authentication mechanism - WL#16053: Support GSSAPI/Kerberos authentication on Windows using authentication_ldap_sasl_client plug-in for C-extension - BUG#36227964: Improve OpenTelemetry span coverage - BUG#36167880: Massive memory leak mysqlx native Protobuf adding to collection - 8.3.0 - WL#16015: Remove use of removed COM_ commands - WL#15985: Support GSSAPI/Kerberos authentication on Windows using authentication_ldap_sasl_client plug-in for Pure Python - WL#15983: Stop using mysql_ssl_set api - WL#15982: Remove use of mysql_shutdown - WL#15950: Support query parameters for prepared statements - WL#15942: Improve type hints and standardize byte type handling - WL#15836: Split mysql and mysqlx into different packages - WL#15523: Support Python DB API asynchronous execution - BUG#35912790: Binary strings are converted when using prepared statements - BUG#35832148: Fix Django timezone.utc deprecation warning - BUG#35710145: Bad MySQLCursor.statement and result when query text contains code comments - BUG#21390859: STATEMENTS GET OUT OF SYNCH WITH RESULT SETS Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP5: zypper in -t patch openSUSE-2024-351=1 Package List: - openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64): python3-mysql-connector-python-9.1.0-bp155.3.3.1 References: https://www.suse.com/security/cve/CVE-2024-21272.html https://bugzilla.suse.com/1231740 . A significant patch has been released for python-mysql-connector-python due to a serious security vulnerability.. openSUSE python-mysql-connector-python security issue. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Nov 06, 2024 Important OpenSUSE
197

Debian 11: DLA-3884-1 Critical: Cacti XSS and SQL Injection Risks

Cacti, a web interface for graphing of monitoring systems, was vulnerable. CVE-2022-41444 . - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3884-1 This email address is being protected from spambots. You need JavaScript enabled to view it. https://www.debian.org/lts/security/ Bastien Roucariès September 09, 2024 https://wiki.debian.org/LTS - ------------------------------------------------------------------------- Package : cacti Version : 1.2.16+ds1-2+deb11u4 CVE ID : CVE-2022-41444 CVE-2024-25641 CVE-2024-31443 CVE-2024-31444 CVE-2024-31445 CVE-2024-31458 CVE-2024-31459 CVE-2024-31460 CVE-2024-34340 Cacti, a web interface for graphing of monitoring systems, was vulnerable. CVE-2022-41444 A Cross Site Scripting (XSS) vulnerability was found via crafted POST request to graphs_new.php. CVE-2024-25641 An arbitrary file write vulnerability was found, exploitable through the "Package Import" feature. This vulnerability allowed authenticated users having the "Import Templates" permission to execute arbitrary PHP code (RCE) on the web server. CVE-2024-31443 A Cross Site Scripting (XSS) vulnerabilty was found via crafted request to data_queries.php file. CVE-2024-31444 A Cross Site Scripting (XSS) vulnerabilty was found via crafted request to automation_tree_rules.php file, via automation_tree_rules_form_save() function. CVE-2024-31445 A SQL injection vulnerabilty was found in automation_get_new_graphs_sql function of `api_automation.php` allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution. CVE-2024-31458 A SQL injection vulnerability was found in form_save() function in graph_template_inputs.php file. CVE-2024-31459 A file inclusion issue in the 'lib/plugin.php' file was found. Combined with a SQL injection vulnerabilities, remote codeexecution (RCE) can be implemented. CVE-2024-31460 A SQL injection vulnerability was found in some of the data stored in automation_tree_rules.php file. CVE-2024-34340 A type juggling vulnerability was found in compat_password_verify function. Md5-hashed user input is compared with correct password in database by `$md5 == $hash`. It is a loose comparison, not the correct stricter `===`. For Debian 11 bullseye, these problems have been fixed in version 1.2.16+ds1-2+deb11u4. We recommend that you upgrade your cacti packages. For the detailed security status of cacti please refer to its security tracker page at: https://security-tracker.debian.org/tracker/source-package/cacti Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS . Debian LTS Advisory DLA-3884-2 resolves several security issues in Cacti, such as CSRF and command injection.. Cacti Security Advisory, Debian Security Update, XSS Threats, SQL Injection Risks, Remote Code Execution. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Sep 09, 2024 Critical Debian LTS
202

openSUSE 2024:0272-1 Important Security Update for Python-Django

An update that fixes four vulnerabilities is now available. . openSUSE Security Update: Security update for python-Django ______________________________________________________________________________ Announcement ID: openSUSE-SU-2024:0272-1 Rating: important References: #1228629 #1228630 #1228631 #1228632 Cross-References: CVE-2024-41989 CVE-2024-41990 CVE-2024-41991 CVE-2024-42005 CVSS scores: CVE-2024-41989 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2024-41989 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2024-41990 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2024-41990 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2024-41991 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2024-41991 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2024-42005 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2024-42005 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: openSUSE Backports SLE-15-SP5 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for python-Django fixes the following issues: * CVE-2024-42005: Fixed potential SQL injection in QuerySet.values() and values_list() (boo#1228629) * CVE-2024-41989: Fixed memory exhaustion in django.utils.numberformat.floatformat() (boo#1228630) * CVE-2024-41990: Fixed potential denial-of-service vulnerability in django.utils.html.urlize() (boo#1228631) * CVE-2024-41991: Fixed potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget (boo#1228632) Patch Instructions: To install this openSUSE Security Update use the SUSE recommendedinstallation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP5: zypper in -t patch openSUSE-2024-272=1 Package List: References: https://www.suse.com/security/cve/CVE-2024-41989.html https://www.suse.com/security/cve/CVE-2024-41990.html https://www.suse.com/security/cve/CVE-2024-41991.html https://www.suse.com/security/cve/CVE-2024-42005.html https://bugzilla.suse.com/1228629 https://bugzilla.suse.com/1228630 https://bugzilla.suse.com/1228631 https://bugzilla.suse.com/1228632 . The latest update for openSUSE's python-Django addresses various security vulnerabilities, reinforcing system security with crucial patches.. openSUSE Django Security Update, Python Security Patch, Backports SLE-15-SP5, SQL Injection Fix. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Aug 30, 2024 Important OpenSUSE
News Add Esm H240

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200