diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml index 5455c89cedde..caaa12fbe26c 100644 --- a/security/vuxml/vuln/2025.xml +++ b/security/vuxml/vuln/2025.xml @@ -1,4587 +1,4637 @@ + + redis,valkey -- DoS Vulnerability due to unlimited growth of output buffers abused by unauthenticated client + + + redis + 7.4.3 + + + redis72 + 7.2,8 + + + redis62 + 6.2.18 + + + valkey + 8.1.1 + + + + +

Axel Mierczuk reports:

+
+

+ By default, the Redis configuration does not limit the + output buffer of normal clients (see + client-output-buffer-limit). Therefore, the output buffer + can grow unlimitedly over time. As a result, the service + is exhausted and the memory is unavailable. +

+

+ When password authentication is enabled on the Redis + server, but no password is provided, the client can still + cause the output buffer to grow from "NOAUTH" responses + until the system will run out of memory. +

+
+ +
+ + CVE-2025-21605 + https://github.com/redis/redis/security/advisories/GHSA-r67f-p999-2gff + + + 2025-04-23 + 2025-04-24 + +
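Review bot: the description already points at client-output-buffer-limit as the setting that is unset by default, but the entry never says that configuring a limit for normal clients is the interim mitigation for installations that cannot move to the fixed versions (redis 7.4.3, 7.2.8, 6.2.18, valkey 8.1.1) right away; consider adding one sentence to that effect after the "NOAUTH" paragraph, since the advisory text otherwise leaves operators with only the upgrade path.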
Gitlab -- Vulnerabilities
Affected packages: gitlab-ce, gitlab-ee: >= 17.11.0 < 17.11.1; >= 17.10.0 < 17.10.5; >= 16.6.0 < 17.9.7

Gitlab reports:

Cross Site Scripting (XSS) in Maven Dependency Proxy through CSP directives

Cross Site Scripting (XSS) in Maven dependency proxy through cache headers

Network Error Logging (NEL) Header Injection in Maven Dependency Proxy Allows Browser Activity Monitoring

Denial of service (DOS) via issue preview

Unauthorized access to branch names when Repository assets are disabled in the project

References: CVE-2025-1763, CVE-2025-2443, CVE-2025-1908, CVE-2025-0639, CVE-2024-12244; https://about.gitlab.com/releases/2025/04/23/patch-release-gitlab-17-11-1-released/
Dates: discovery 2025-04-23, entry 2025-04-24
chromium -- multiple security fixes
Affected packages: chromium < 135.0.7049.114; ungoogled-chromium < 135.0.7049.114

Chrome Releases reports:

This update includes 1 security fix.

References: https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop_22.html
Dates: discovery 2025-04-22, entry 2025-04-23
Navidrome -- Authentication bypass in Subsonic API
Affected packages: navidrome: >= 0.52.0 < 0.54.5

Deluan reports:

In certain Subsonic API endpoints, authentication can be bypassed by using a non-existent username combined with an empty (salted) password hash. This allows read-only access to the server’s resources, though attempts at write operations fail with a “permission denied” error.

References: CVE-2025-27112; https://nvd.nist.gov/vuln/detail/CVE-2025-27112
Dates: discovery 2025-02-25, entry 2025-04-22
Erlang -- Erlang/OTP SSH Vulnerable to Pre-Authentication RCE
Affected packages: erlang < 26.2.5.11; erlang-runtime21 < 25.3.2.20; erlang-runtime22 < 25.3.2.20; erlang-runtime23 < 25.3.2.20; erlang-runtime24 < 25.3.2.20; erlang-runtime25 < 25.3.2.20; erlang-runtime26 < 26.2.5.11; erlang-runtime27 < 27.3.3

security-advisories@github.com reports:

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, an SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or preventing access via firewall rules.

References: CVE-2025-32433; https://nvd.nist.gov/vuln/detail/CVE-2025-32433
Dates: discovery 2025-04-16, entry 2025-04-20
ejabberd -- mod_muc_occupantid: Fix handling multiple occupant-id
Affected packages: ejabberd < 25.04

ejabberd team reports:

Fixed an issue with the handling of user-provided occupant-id in messages and presences sent to a MUC room. The server was replacing just the first instance of occupant-id with its own version, leaving the other ones untouched. That would mean that, depending on the order in which clients send occupant-id, they could see the value provided by the sender, and that could be used to spoof as a different sender.

References: https://www.process-one.net/blog/ejabberd-25-04/#occupantid
Dates: discovery 2025-04-16, entry 2025-04-19
chromium -- multiple security fixes
Affected packages: chromium < 135.0.7049.95; ungoogled-chromium < 135.0.7049.95

Chrome Releases reports:

This update includes 2 security fixes:

  • [409619251] Critical CVE-2025-3619: Heap buffer overflow in Codecs. Reported by Elias Hohl on 2025-04-09
  • [405292639] High CVE-2025-3620: Use after free in USB. Reported by @retsew0x01 on 2025-03-21
References: CVE-2025-3619, CVE-2025-3620; https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop_15.html
Dates: discovery 2025-04-15, entry 2025-04-16
chromium -- multiple security fixes
Affected packages: chromium < 135.0.7049.84; ungoogled-chromium < 135.0.7049.84

Chrome Releases reports:

This update includes 2 security fixes:

  • [405140652] High CVE-2025-3066: Use after free in Site Isolation. Reported by Sven Dysthe (@svn-dys) on 2025-03-21
References: CVE-2025-3066; https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop_8.html
Dates: discovery 2025-04-08, entry 2025-04-15
py-matrix-synapse -- federation denial of service via malformed events
Affected packages: py38-matrix-synapse, py39-matrix-synapse, py310-matrix-synapse, py311-matrix-synapse < 1.127.1

element-hq/synapse developers report:

A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild.

References: CVE-2025-30355; https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6
Dates: discovery 2025-03-26, entry 2025-03-26
jenkins -- multiple vulnerabilities
Affected packages: jenkins < 2.504; jenkins-lts < 2.492.3

Jenkins Security Advisory:

Description

(Medium) SECURITY-3512 / CVE-2025-31720

Missing permission check allows retrieving agent configurations

Description

(Medium) SECURITY-3513 / CVE-2025-31721

Missing permission check allows retrieving secrets from agent configurations

References: CVE-2025-31720, CVE-2025-31721; https://www.jenkins.io/security/advisory/2025-04-02/
Dates: discovery 2025-04-02, entry 2025-04-11
Gitlab -- Vulnerabilities
Affected packages: gitlab-ce, gitlab-ee: >= 17.10.0 < 17.10.4; >= 17.9.0 < 17.9.6; >= 7.7.0 < 17.8.7

Gitlab reports:

Denial of service via CI pipelines

Unintentionally authorizing sensitive actions on users behalf

IP Restriction Bypass through GraphQL Subscription

Unauthorized users can list the number of confidential issues

Debugging Information Disclosed

References: CVE-2025-1677, CVE-2025-0362, CVE-2025-2408, CVE-2024-11129, CVE-2025-2469; https://about.gitlab.com/releases/2025/04/09/patch-release-gitlab-17-10-4-released/
Dates: discovery 2025-04-09, entry 2025-04-10
expat -- improper restriction of XML entity expansion depth
Affected packages: expat < 2.7.0

secalert@redhat.com reports:

A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.

References: CVE-2024-8176; https://nvd.nist.gov/vuln/detail/CVE-2024-8176
Dates: discovery 2025-03-14, entry 2025-04-09
Mozilla -- memory corruption
Affected packages: firefox < 137.0,2; librewolf < 137.0; thunderbird < 137.0

security@mozilla.org reports:

Memory safety bugs present in Firefox 136 and Thunderbird 136. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References: CVE-2025-3034; https://nvd.nist.gov/vuln/detail/CVE-2025-3034
Dates: discovery 2025-04-01, entry 2025-04-07
Mozilla -- privilege escalation attack
Affected packages: firefox < 137.0,2; librewolf < 137.0; thunderbird < 137.0

security@mozilla.org reports:

Leaking of file descriptors from the fork server to web content processes could allow for privilege escalation attacks.

References: CVE-2025-3032; https://nvd.nist.gov/vuln/detail/CVE-2025-3032
Dates: discovery 2025-04-01, entry 2025-04-07
Mozilla -- stack memory read
Affected packages: firefox < 137.0,2; librewolf < 137.0; thunderbird < 137.0

security@mozilla.org reports:

An attacker could read 32 bits of values spilled onto the stack in a JIT compiled function.

References: CVE-2025-3031; https://nvd.nist.gov/vuln/detail/CVE-2025-3031
Dates: discovery 2025-04-01, entry 2025-04-07
Mozilla -- Memory corruption
Affected packages: firefox < 137.0; firefox-esr < 128.9.0; firefox < 137.0

security@mozilla.org reports:

Memory safety bugs present in Firefox 136, Thunderbird 136, Firefox ESR 128.8, and Thunderbird 128.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References: CVE-2025-3030; https://nvd.nist.gov/vuln/detail/CVE-2025-3030
Dates: discovery 2025-04-01, entry 2025-04-07
Mozilla -- URL spoofing attack
Affected packages: firefox < 137.0,2; firefox-esr < 128.9; librewolf < 137.0; thunderbird < 137.0

security@mozilla.org reports:

A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack.

References: CVE-2025-3029; https://nvd.nist.gov/vuln/detail/CVE-2025-3029
Dates: discovery 2025-04-01, entry 2025-04-07
Mozilla -- use-after-free error
Affected packages: firefox < 137.0,2; firefox-esr < 115.22; librewolf < 137.0; thunderbird < 137.0

security@mozilla.org reports:

JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free.

References: CVE-2025-3028; https://nvd.nist.gov/vuln/detail/CVE-2025-3028
Dates: discovery 2025-04-01, entry 2025-04-07
chromium -- multiple security fixes
Affected packages: chromium < 135.0.7049.52; ungoogled-chromium < 135.0.7049.52

Chrome Releases reports:

This update includes 13 security fixes:

  • [376491759] Medium CVE-2025-3067: Inappropriate implementation in Custom Tabs. Reported by Philipp Beer (TU Wien) on 2024-10-31
  • [401823929] Medium CVE-2025-3068: Inappropriate implementation in Intents. Reported by Simon Rawet on 2025-03-09
  • [40060076] Medium CVE-2025-3069: Inappropriate implementation in Extensions. Reported by NDevTK on 2022-06-26
  • [40086360] Medium CVE-2025-3070: Insufficient validation of untrusted input in Extensions. Reported by Anonymous on 2017-01-01
  • [40051596] Low CVE-2025-3071: Inappropriate implementation in Navigations. Reported by David Erceg on 2020-02-23
  • [362545037] Low CVE-2025-3072: Inappropriate implementation in Custom Tabs. Reported by Om Apip on 2024-08-27
  • [388680893] Low CVE-2025-3073: Inappropriate implementation in Autofill. Reported by Hafiizh on 2025-01-09
  • [392818696] Low CVE-2025-3074: Inappropriate implementation in Downloads. Reported by Farras Givari on 2025-01-28
References: CVE-2025-3067, CVE-2025-3068, CVE-2025-3069, CVE-2025-3070, CVE-2025-3071, CVE-2025-3072, CVE-2025-3073, CVE-2025-3074; https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop.html
Dates: discovery 2025-04-01, entry 2025-04-05
Mozilla -- Memory corruption bug
Affected packages: firefox < 134.0,2; librewolf < 134.0; firefox-esr < 128.6.0; thunderbird < 134.0

security@mozilla.org reports:

Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References: CVE-2025-0243; https://nvd.nist.gov/vuln/detail/CVE-2025-0243
Dates: discovery 2025-01-07, entry 2025-04-04
Mozilla -- Memory safety bugs
Affected packages: firefox < 134.0,2; librewolf < 134.0; thunderbird < 134.0

security@mozilla.org reports:

Memory safety bugs present in Firefox 133 and Thunderbird 133. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References: CVE-2025-0247; https://nvd.nist.gov/vuln/detail/CVE-2025-0247
Dates: discovery 2025-01-07, entry 2025-04-04
firefox -- authentication bypass
Affected packages: firefox < 134.0,2; librewolf < 134.0,2

security@mozilla.org reports:

Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been bypassed.

References: CVE-2025-0245; https://nvd.nist.gov/vuln/detail/CVE-2025-0245
Dates: discovery 2025-01-07, entry 2025-04-04
Mozilla -- Memory safety bugs
Affected packages: firefox < 134.0,2; librewolf < 134.0; firefox-esr < 115.19; thunderbird < 134.0

security@mozilla.org reports:

Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References: CVE-2025-0242; https://nvd.nist.gov/vuln/detail/CVE-2025-0242
Dates: discovery 2025-01-07, entry 2025-04-04
Mozilla -- DoS via segmentation fault
Affected packages: firefox < 134.0,2; librewolf < 134.0; firefox-esr < 128.6.0; thunderbird < 134.0

security@mozilla.org reports:

When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash.

References: CVE-2025-0241; https://nvd.nist.gov/vuln/detail/CVE-2025-0241
Dates: discovery 2025-01-07, entry 2025-04-04
Mozilla -- use-after-free while parsing JSON
Affected packages: firefox < 134.0,2; librewolf < 134.0; firefox-esr < 128.6.0; thunderbird < 134.0

security@mozilla.org reports:

Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free.

References: CVE-2025-0240; https://nvd.nist.gov/vuln/detail/CVE-2025-0240
Dates: discovery 2025-01-07, entry 2025-04-04
Mozilla -- redirection to insecure site
Affected packages: firefox < 134.0,2; librewolf < 134.0; firefox-esr < 128.6.0; thunderbird < 134.0

security@mozilla.org reports:

When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site.

References: CVE-2025-0239; https://nvd.nist.gov/vuln/detail/CVE-2025-0239
Dates: discovery 2025-01-07, entry 2025-04-04
Mozilla -- use-after-free after failed memory allocation
Affected packages: firefox < 134.0,2; librewolf < 134.0; firefox-esr < 128.6.0; thunderbird < 128.6

security@mozilla.org reports:

Assuming a controlled failed memory allocation, an attacker could have caused a use-after-free, leading to a potentially exploitable crash.

References: CVE-2025-0238; https://nvd.nist.gov/vuln/detail/CVE-2025-0238
Dates: discovery 2025-01-07, entry 2025-04-04
Mozilla -- privilege escalation attack
Affected packages: firefox < 134.0,2; librewolf < 134.0; firefox-esr < 128.6.0; thunderbird < 128.6

security@mozilla.org reports:

The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks.

References: CVE-2025-0237; https://nvd.nist.gov/vuln/detail/CVE-2025-0237
Dates: discovery 2025-01-07, entry 2025-04-04
mozilla -- memory corruption
Affected packages: firefox < 136.0,2; librewolf < 136.0,2; thunderbird < 136.0

security@mozilla.org reports:

Memory safety bugs present in Firefox 135 and Thunderbird 135. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References: CVE-2025-1943; https://nvd.nist.gov/vuln/detail/CVE-2025-1943
Dates: discovery 2025-03-04, entry 2025-04-03
mozilla -- memory corruption
Affected packages: firefox < 136.0,2; librewolf < 136.0,2; firefox-esr < 128.8,1; thunderbird < 136.0

security@mozilla.org reports:

CVE-2025-1938: Memory safety bugs present in Firefox 135, Thunderbird 135, Firefox ESR 128.7, and Thunderbird 128.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2025-1935: A web page could trick a user into setting that site as the default handler for a custom URL protocol.

CVE-2025-1934: It was possible to interrupt the processing of a RegExp bailout and run additional JavaScript, potentially triggering garbage collection when the engine was not expecting it.

References: CVE-2025-1938; https://nvd.nist.gov/vuln/detail/CVE-2025-1938; CVE-2025-1935; https://nvd.nist.gov/vuln/detail/CVE-2025-1935; CVE-2025-1934; https://nvd.nist.gov/vuln/detail/CVE-2025-1934
Dates: discovery 2025-03-04, entry 2025-04-03
mozilla -- Memory safety bugs
Affected packages: firefox < 136.0,2; librewolf < 136.0,2; firefox-esr < 115.21,1; thunderbird < 136.0

security@mozilla.org reports:

Memory safety bugs present in Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7, and Thunderbird 128.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References: CVE-2025-1937; https://nvd.nist.gov/vuln/detail/CVE-2025-1937
Dates: discovery 2025-03-04, entry 2025-04-03
mozilla -- use-after-free in WebTransport connection
Affected packages: firefox < 136.0,2; librewolf < 136.0,2; firefox-esr < 115.21,1; thunderbird < 136.0

security@mozilla.org reports:

It was possible to cause a use-after-free in the content process side of a WebTransport connection, leading to a potentially exploitable crash.

References: CVE-2025-1931; https://nvd.nist.gov/vuln/detail/CVE-2025-1931
Dates: discovery 2025-03-04, entry 2025-04-03
mozilla -- 64 bit JIT WASM read on left over memory
Affected packages: firefox < 136.0,2; firefox-esr < 115.21,1; librewolf < 136.0,2; thunderbird < 136.0

security@mozilla.org reports:

On 64-bit CPUs, when the JIT compiles WASM i32 return values they can pick up bits from left over memory. This can potentially cause them to be treated as a different type.

References: CVE-2025-1933; https://nvd.nist.gov/vuln/detail/CVE-2025-1933
Dates: discovery 2025-03-04, entry 2025-04-03
MongoDB -- crash due to improper validation of explain command
Affected packages: mongodb50 < 5.0.31; mongodb60 < 6.0.20; mongodb70 < 7.0.16; mongodb80 < 8.0.4

cna@mongodb.com reports:

When run on commands with certain arguments set, explain may fail to validate these arguments before using them. This can lead to crashes in router servers. This affects MongoDB Server v5.0 prior to 5.0.31, MongoDB Server v6.0 prior to 6.0.20, MongoDB Server v7.0 prior to 7.0.16 and MongoDB Server v8.0 prior to 8.0.4

References: CVE-2025-3084; https://nvd.nist.gov/vuln/detail/CVE-2025-3084
Dates: discovery 2025-04-01, entry 2025-04-03
MongoDB -- Malformed wire protocol messages may cause mongos to crash
Affected packages: mongodb50 < 5.0.31; mongodb60 < 6.0.20; mongodb70 < 7.0.16

cna@mongodb.com reports:

Specifically crafted MongoDB wire protocol messages can cause mongos to crash during command validation. This can occur without using an authenticated connection. This issue affects MongoDB v5.0 versions prior to 5.0.31, MongoDB v6.0 versions prior to 6.0.20 and MongoDB v7.0 versions prior to 7.0.16.

References: CVE-2025-3083; https://nvd.nist.gov/vuln/detail/CVE-2025-3083
Dates: discovery 2025-04-01, entry 2025-04-03
MongoDB -- Unauthorized access to underlying data
Affected packages: mongodb50 < 5.0.31; mongodb60 < 6.0.20; mongodb70 < 7.0.16

cna@mongodb.com reports:

A user authorized to access a view may be able to alter the intended collation, allowing them to access to a different or unintended view of underlying data. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.20, MongoDB Server v7.0 version prior to 7.0.14 and MongoDB Server v7.3 versions prior to 7.3.4.

References: CVE-2025-3082; https://nvd.nist.gov/vuln/detail/CVE-2025-3082
Dates: discovery 2025-04-01, entry 2025-04-03
openvpn -- server-side denial-of-service vulnerability with tls-crypt-v2
Affected packages: openvpn: >= 2.6.1 < 2.6.14; openvpn-devel < g20250402,1

Gert Doering reports:

OpenVPN servers between 2.6.1 and 2.6.13 using --tls-crypt-v2 can be made to abort with an ASSERT() message by sending a particular combination of authenticated and malformed packets.

To trigger the bug, a valid tls-crypt-v2 client key is needed, or network observation of a handshake with a valid tls-crypt-v2 client key.

No crypto integrity is violated, no data is leaked, and no remote code execution is possible.

This bug does not affect OpenVPN clients.

References: CVE-2025-2704; https://github.com/OpenVPN/openvpn/blob/v2.6.14/Changes.rst#overview-of-changes-in-2614
Dates: discovery 2025-03-26, entry 2025-04-02
gitea -- Multiple vulnerabilities
Affected packages: gitea < 1.23.6

security@golang.org reports:

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.

go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded. This issue is fixed in 9.5.5, 9.6.3, and 9.7.3. You can prevent the vulnerability by setting the flag DisableIndentity to true when constructing the client instance.

golang-jwt is a Go implementation of JSON Web Tokens. Prior to 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.

References: CVE-2025-22870; https://nvd.nist.gov/vuln/detail/CVE-2025-22870; CVE-2025-29923; https://nvd.nist.gov/vuln/detail/CVE-2025-29923; CVE-2025-30204; https://nvd.nist.gov/vuln/detail/CVE-2025-30204
Dates: discovery 2025-03-12, entry 2025-03-31
mozilla -- multiple vulnerabilities
Affected packages: firefox < 136.0,2; firefox-esr < 128.8,1; thunderbird < 136.0; thunderbird < 128.8; librewolf < 136.0

security@mozilla.org reports:

An inconsistent comparator in xslt/txNodeSorter could have resulted in potentially exploitable out-of-bounds access. Only affected version 122 and later. This vulnerability affects Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136, and Thunderbird < 128.8.

Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been bypassed (distinct from CVE-2025-0245). This vulnerability affects Firefox < 136.

When String.toUpperCase() caused a string to get longer, it was possible for uninitialized memory to be incorporated into the result string. This vulnerability affects Firefox < 136 and Thunderbird < 136.

Websites redirecting to a non-HTTP scheme URL could allow a website address to be spoofed for a malicious page. This vulnerability affects Firefox for iOS < 136.

References: CVE-2025-1932; https://nvd.nist.gov/vuln/detail/CVE-2025-1932; CVE-2025-1941; https://nvd.nist.gov/vuln/detail/CVE-2025-1941; CVE-2025-1942; https://nvd.nist.gov/vuln/detail/CVE-2025-1942; CVE-2025-27424; https://nvd.nist.gov/vuln/detail/CVE-2025-27424
Dates: discovery 2025-03-04, entry 2025-03-30
suricata -- Multiple vulnerabilities
Affected packages: suricata < 7.0.9

Suricata team reports:

Multiple vulnerabilities

References: CVE-2025-29915; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-29915; CVE-2025-29916; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-29916; CVE-2025-29917; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-29917; CVE-2025-29918; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-29918
Dates: discovery 2025-03-12, entry 2025-03-30
qt6-webengine -- Multiple vulnerabilities
Affected packages: qt6-pdf, qt6-webengine < 6.8.3

Qt qtwebengine-chromium repo reports:

Backports for 11 security bugs in Chromium:

  • CVE-2024-11477: 7-Zip Zstd decompression integer underflow
  • CVE-2025-0762: Use after free in DevTools
  • CVE-2025-0996: Inappropriate implementation in Browser UI
  • CVE-2025-0998: Out of bounds memory access in V8
  • CVE-2025-0999: Heap buffer overflow in V8
  • CVE-2025-1006: Use after free in Network
  • CVE-2025-1426: Heap buffer overflow in GPU
  • CVE-2025-1918: Out of bounds read in Pdfium
  • CVE-2025-1919: Out of bounds read in Media
  • CVE-2025-1921: Inappropriate implementation in Media
  • CVE-2025-2036: Use after free in Inspector
References: CVE-2024-11477, CVE-2025-0762, CVE-2025-0996, CVE-2025-0998, CVE-2025-0999, CVE-2025-1006, CVE-2025-1426, CVE-2025-1918, CVE-2025-1919, CVE-2025-1921, CVE-2025-2036; https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=122-based
Dates: discovery 2025-02-20, entry 2025-03-29
electron{33,34} -- Incorrect handle provided in unspecified circumstances in Mojo
Affected packages: electron33 < 33.4.8; electron34 < 34.4.1

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2025-2783.
References: CVE-2025-2783; https://github.com/advisories/GHSA-hfqm-jfc6-rh2f
Dates: discovery 2025-03-27, entry 2025-03-28
Gitlab -- Vulnerabilities
Affected packages: gitlab-ce, gitlab-ee: >= 17.10.0 < 17.10.1; >= 17.9.0 < 17.9.3; >= 12.10.0 < 17.8.6

Gitlab reports:

Cross-site Scripting (XSS) through merge-request error messages

Cross-site Scripting (XSS) through improper rendering of certain file types

Admin Privileges Persists After Role is Revoked

External user can access internal projects

Prompt injection in Amazon Q integration may allow unauthorized actions

Uncontrolled Resource Consumption via a maliciously crafted terraform file in merge request

Maintainer can inject shell code in Harbor project name configuration when using helper scripts

References: CVE-2025-2255, CVE-2025-0811, CVE-2025-2242, CVE-2024-12619, CVE-2024-10307, CVE-2024-9773; https://about.gitlab.com/releases/2025/03/26/patch-release-gitlab-17-10-1-released/
Dates: discovery 2025-03-26, entry 2025-03-26
electron{33,34} -- Type Confusion in V8
Affected packages: electron33 < 33.4.6; electron34 < 34.3.4

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2025-1920.
References: CVE-2025-1920; https://github.com/advisories/GHSA-fhwv-7gx3-h767
Dates: discovery 2025-03-20, entry 2025-03-25
qt5-webengine -- Use after free in Compositing
Affected packages: qt5-webengine < 5.15.18p7

Qt qtwebengine-chromium repo reports:

Backports for 1 security bug in Chromium:

  • CVE-2024-12694: Use after free in Compositing
References: CVE-2024-12694; https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=87-based
Dates: discovery 2025-02-14, entry 2025-03-23
www/varnish7 -- client-side desync vulnerability
Affected packages: varnish7 < 7.6.2

The Varnish Development Team reports:

A client-side desync vulnerability can be triggered in Varnish Cache and Varnish Enterprise. This vulnerability can be triggered under specific circumstances involving malformed HTTP/1 requests.

References: CVE-2025-30346; https://varnish-cache.org/security/VSV00015.html#vsv00015
Dates: discovery 2024-12-17, entry 2025-03-22
chromium -- multiple security fixes
Affected packages: chromium < 134.0.6998.117; ungoogled-chromium < 134.0.6998.117

Chrome Releases reports:

This update includes 2 security fixes:

  • [401029609] Critical CVE-2025-2476: Use after free in Lens. Reported by SungKwon Lee of Enki Whitehat on 2025-03-05
References: CVE-2025-2476; https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_19.html
Dates: discovery 2025-03-19, entry 2025-03-20
php -- Multiple vulnerabilities
Affected packages: php81 < 8.1.32; php82 < 8.2.28; php83 < 8.3.19; php84 < 8.4.5

php.net reports:

  • CVE-2024-11235: Core: Fixed GHSA-rwp7-7vc6-8477 (Reference counting in php_request_shutdown causes Use-After-Free).
  • CVE-2025-1219: LibXML: Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong `content-type` header when requesting a redirected resource).
  • CVE-2025-1736: Streams: Fixed GHSA-hgf5-96fm-v528 (Stream HTTP wrapper header check might omit basic auth header).
  • CVE-2025-1861: Streams: Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 1024 bytes).
  • CVE-2025-1734: Streams: Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers without colon).
  • CVE-2025-1217: Streams: Fixed GHSA-v8xr-gpvj-cx9g (Header parser of `http` stream wrapper does not handle folded headers).
References: CVE-2024-11235, CVE-2025-1219, CVE-2025-1736, CVE-2025-1861, CVE-2025-1734, CVE-2025-1217; https://www.php.net/ChangeLog-8.php
Dates: discovery 2025-03-13, entry 2025-03-13
shibboleth-sp -- Parameter manipulation allows the forging of signed SAML messages
Affected packages: opensaml < 3.3.1

The Shibboleth Project reports:

An updated version of the OpenSAML C++ library is available which corrects a parameter manipulation vulnerability when using SAML bindings that rely on non-XML signatures. The Shibboleth Service Provider is impacted by this issue, and it manifests as a critical security issue in that context.

Parameter manipulation allows the forging of signed SAML messages

A number of vulnerabilities in the OpenSAML library used by the Shibboleth Service Provider allowed for creative manipulation of parameters combined with reuse of the contents of older requests to fool the library's signature verification of non-XML based signed messages.

Most uses of that feature involve very low or low impact use cases without critical security implications; however, there are two scenarios that are much more critical, one affecting the SP and one affecting some implementers who have implemented their own code on top of our OpenSAML library and done so improperly.

The SP's support for the HTTP-POST-SimpleSign SAML binding for Single Sign-On responses is its critical vulnerability, and it is enabled by default (regardless of what one's published SAML metadata may advertise).

The other critical case involves a mistake that does *not* impact the Shibboleth SP, allowing SSO to occur over the HTTP-Redirect binding contrary to the plain language of the SAML Browser SSO profile. The SP does not support this, but other implementers may have done so.

Prior to updating, it is possible to mitigate the POST-SimpleSign vulnerability by editing the protocols.xml configuration file and removing this line: <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" path="/SAML2/POST-SimpleSign" />

References: https://shibboleth.net/community/advisories/secadv_20250313.txt
Dates: discovery 2025-03-13, entry 2025-03-13
Gitlab -- Vulnerabilities
Affected packages: gitlab-ce, gitlab-ee: >= 17.9.0 < 17.9.2; >= 17.8.0 < 17.8.5; >= 11.5 < 17.7.7

Gitlab reports:

CVE-2025-25291 and CVE-2025-25292 (third party gem ruby-saml)

CVE-2025-27407 (third party gem graphql)

Denial of Service Due to Inefficient Processing of Untrusted Input

Credentials disclosed when repository mirroring fails

Denial of Service Vulnerability in GitLab Approval Rules due to Unbounded Field

Internal Notes in Merge Requests Are Emailed to Non-Members Upon Review Submission

Maintainer can inject shell code in Google integrations

Guest with custom Admin group member permissions can approve the users invitation despite user caps

References: CVE-2025-25291, CVE-2025-25292, CVE-2025-27407, CVE-2024-13054, CVE-2024-12380, CVE-2025-1257, CVE-2025-0652, CVE-2024-8402, CVE-2024-7296; https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released/
Dates: discovery 2025-03-12, entry 2025-03-13
vim -- potential data loss with zip.vim and specially crafted zip files
Affected packages: vim < 9.1.1198

Vim reports:

See https://github.com/vim/vim/security/advisories/GHSA-693p-m996-3rmf

References: CVE-2025-29768; https://github.com/vim/vim/security/advisories/GHSA-693p-m996-3rmf
Dates: discovery 2025-03-12, entry 2025-03-12
chromium -- multiple security fixes
Affected packages: chromium < 134.0.6998.88; ungoogled-chromium < 134.0.6998.88

Chrome Releases reports:

This update includes 5 security fixes:

  • [398065918] High CVE-2025-1920: Type Confusion in V8. Reported by Excello s.r.o. on 2025-02-21
  • [400052777] High CVE-2025-2135: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2025-03-02
  • [401059730] High CVE-TBD: Out of bounds write in GPU. Reported on 2025-03-05
  • [395032416] Medium CVE-2025-2136: Use after free in Inspector. Reported by Sakana.S on 2025-02-10
  • [398999390] Medium CVE-2025-2137: Out of bounds read in V8. Reported by zeroxiaobai@ on 2025-02-25
References: CVE-2025-1920, CVE-2025-2135, CVE-2025-2136, CVE-2025-2137; https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_10.html
Dates: discovery 2025-03-10, entry 2025-03-11
libreoffice -- Macro URL arbitrary script execution
Affected packages: libreoffice: >= 24.8 < 24.8.5; >= 25.2 < 25.2.1

security@documentfoundation.org reports:

LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In the affected versions of LibreOffice a link in a browser using that scheme could be constructed with an embedded inner URL that when passed to LibreOffice could call internal macros with arbitrary arguments. This issue affects LibreOffice: from 24.8 before < 24.8.5, from 25.2 before < 25.2.1.

References: CVE-2025-1080; https://nvd.nist.gov/vuln/detail/CVE-2025-1080
Dates: discovery 2025-03-04, entry 2025-03-10
vim -- Improper Input Validation in Vim vim 9.1.1164 vim-gtk2 9.1.1164 vim-gtk3 9.1.1164 vim-motif 9.1.1164 vim-tiny 9.1.1164 vim-x11 9.1.1164

security-advisories@github.com reports:

Vim is distributed with the tar.vim plugin, which allows easy editing and viewing of (compressed or uncompressed) tar files. Starting with 9.1.0858, the tar.vim plugin uses the ":read" ex command line to append below the cursor position; however the is not sanitized and is taken literally from the tar archive. This allows execution of shell commands via specially crafted tar archives. Whether this really happens depends on the shell being used ('shell' option, which is set using $SHELL).

CVE-2025-27423 https://nvd.nist.gov/vuln/detail/CVE-2025-27423 2025-03-03 2025-03-10
electron33 -- multiple vulnerabilities electron33 33.4.3

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2025-0445.
  • Security: backported fix for CVE-2025-0995.
  • Security: backported fix for CVE-2025-0998.
CVE-2025-0445 https://github.com/advisories/GHSA-q4fq-38gr-ccp3 CVE-2025-0995 https://github.com/advisories/GHSA-377p-4737-hx6m CVE-2025-0998 https://github.com/advisories/GHSA-4v9x-qxmv-4h58 2025-03-06 2025-03-08
electron32 -- multiple vulnerabilities electron32 32.3.3

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2025-0445.
  • Security: backported fix for CVE-2025-0998.
CVE-2025-0445 https://github.com/advisories/GHSA-q4fq-38gr-ccp3 CVE-2025-0998 https://github.com/advisories/GHSA-4v9x-qxmv-4h58 2025-03-03 2025-03-07
Jinja2 -- Sandbox breakout through attr filter selecting format method py38-Jinja2 py39-Jinja2 py310-Jinja2 py311-Jinja2 3.1.6

security-advisories@github.com reports:

Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment's attribute lookup. This vulnerability is fixed in 3.1.6.

CVE-2025-27516 https://nvd.nist.gov/vuln/detail/CVE-2025-27516 2025-03-05 2025-03-06
xorg server -- Multiple vulnerabilities xorg-server xephyr xorg-vfbserver 21.1.16,1 xorg-nextserver 21.1.16,2 xwayland 24.1.6

The X.Org project reports:

  • CVE-2025-26594: Use-after-free of the root cursor

    The root cursor is referenced in the xserver as a global variable. If a client manages to free the root cursor, the internal reference points to freed memory and causes a use-after-free.

  • CVE-2025-26595: Buffer overflow in XkbVModMaskText()

    The code in XkbVModMaskText() allocates a fixed sized buffer on the stack and copies the names of the virtual modifiers to that buffer. The code however fails to check the bounds of the buffer correctly and would copy the data regardless of the size, which may lead to a buffer overflow.

  • CVE-2025-26596: Heap overflow in XkbWriteKeySyms()

    The computation of the length in XkbSizeKeySyms() differs from what is actually written in XkbWriteKeySyms(), which may lead to a heap based buffer overflow.

  • CVE-2025-26597: Buffer overflow in XkbChangeTypesOfKey()

    If XkbChangeTypesOfKey() is called with 0 group, it will resize the key symbols table to 0 but leave the key actions unchanged. If later, the same function is called with a non-zero value of groups, this will cause a buffer overflow because the key actions are of the wrong size.

  • CVE-2025-26598: Out-of-bounds write in CreatePointerBarrierClient()

    The function GetBarrierDevice() searches for the pointer device based on its device id and returns the matching value, or supposedly NULL if no match was found. However the code will return the last element of the list if no matching device id was found which can lead to out of bounds memory access.

  • CVE-2025-26599: Use of uninitialized pointer in compRedirectWindow()

    The function compCheckRedirect() may fail if it cannot allocate the backing pixmap. In that case, compRedirectWindow() will return a BadAlloc error without the validation of the window tree marked just before, which leaves the validate data partly initialized, and the use of an uninitialized pointer later.

  • CVE-2025-26600: Use-after-free in PlayReleasedEvents()

    When a device is removed while still frozen, the events queued for that device remain while the device itself is freed and replaying the events will cause a use after free.

  • CVE-2025-26601: Use-after-free in SyncInitTrigger()

    When changing an alarm, the values of the change mask are evaluated one after the other, changing the trigger values as requested and eventually, SyncInitTrigger() is called. If one of the changes triggers an error, the function will return early, not adding the new sync object. This can be used to cause a use after free when the alarm eventually triggers.

CVE-2025-26594 CVE-2025-26595 CVE-2025-26596 CVE-2025-26597 CVE-2025-26598 CVE-2025-26599 CVE-2025-26600 CVE-2025-26601 https://lists.x.org/archives/xorg-announce/2025-February/003584.html 2025-02-25 2025-03-06
caldera -- Remote Code Execution caldera 5.2.0 caldera4 4.2.0

A MITRE Caldera contributor reports:

In MITRE Caldera through 4.2.0 and 5.0.0 before 35bc06e, a Remote Code Execution (RCE) vulnerability was found in the dynamic agent (implant) compilation functionality of the server. This allows remote attackers to execute arbitrary code on the server that Caldera is running on via a crafted web request to the Caldera server API used for compiling and downloading of Caldera's Sandcat or Manx agent (implants). This web request can use the gcc -extldflags linker flag with sub-commands.

CVE-2025-27364 https://nvd.nist.gov/vuln/detail/CVE-2025-27364 2025-02-16 2025-03-06
jenkins -- multiple vulnerabilities jenkins 2.500 jenkins-lts 2.492.2

Jenkins Security Advisory:

Description

(Medium) SECURITY-3495 / CVE-2025-27622

Encrypted values of secrets stored in agent configuration revealed to users with Agent/Extended Read permission

Description

(Medium) SECURITY-3496 / CVE-2025-27623

Encrypted values of secrets stored in view configuration revealed to users with View/Read permission

Description

(Medium) SECURITY-3498 / CVE-2025-27624

CSRF vulnerability

Description

(Medium) SECURITY-3501 / CVE-2025-27625

Open redirect vulnerability

CVE-2025-27622 CVE-2025-27623 CVE-2025-27624 CVE-2025-27625 https://www.jenkins.io/security/advisory/2025-03-05/ 2025-03-05 2025-03-05
Spotipy -- Spotipy's cache file, containing spotify auth token, is created with overly broad permissions py38-spotipy py39-spotipy py310-spotipy py311-spotipy 2.25.1

security-advisories@github.com reports:

Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions.

CVE-2025-27154 https://nvd.nist.gov/vuln/detail/CVE-2025-27154 2025-02-27 2025-03-05
chromium -- multiple security fixes chromium 134.0.6998.35 ungoogled-chromium 134.0.6998.35

Chrome Releases reports:

This update includes 14 security fixes:

  • [397731718] High CVE-2025-1914: Out of bounds read in V8. Reported by Zhenghang Xiao (@Kipreyyy) and Nan Wang (@eternalsakura13) on 2025-02-20
  • [391114799] Medium CVE-2025-1915: Improper Limitation of a Pathname to a Restricted Directory in DevTools. Reported by Topi Lassila on 2025-01-20
  • [376493203] Medium CVE-2025-1916: Use after free in Profiles. Reported by parkminchan, SSD Labs Korea on 2024-10-31
  • [329476341] Medium CVE-2025-1917: Inappropriate Implementation in Browser UI. Reported by Khalil Zhani on 2024-03-14
  • [388557904] Medium CVE-2025-1918: Out of bounds read in PDFium. Reported by asnine on 2025-01-09
  • [392375312] Medium CVE-2025-1919: Out of bounds read in Media. Reported by @Bl1nnnk and @Pisanbao on 2025-01-26
  • [387583503] Medium CVE-2025-1921: Inappropriate Implementation in Media Stream. Reported by Kaiido on 2025-01-04
  • [384033062] Low CVE-2025-1922: Inappropriate Implementation in Selection. Reported by Alesandro Ortiz on 2024-12-14
  • [382540635] Low CVE-2025-1923: Inappropriate Implementation in Permission Prompts. Reported by Khalil Zhani on 2024-12-06
CVE-2025-1914 CVE-2025-1915 CVE-2025-1916 CVE-2025-1917 CVE-2025-1918 CVE-2025-1919 CVE-2025-1921 CVE-2025-1922 CVE-2025-1923 https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop.html 2025-03-04 2025-03-05
electron{32,33} -- multiple vulnerabilities electron32 32.3.2 electron33 33.4.2

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2025-0611.
  • Security: backported fix for CVE-2025-0612.
  • Security: backported fix for CVE-2025-0999.
CVE-2025-0611 https://github.com/advisories/GHSA-83vc-v46q-mv3w CVE-2025-0612 https://github.com/advisories/GHSA-c6xg-jh94-mf2w CVE-2025-0999 https://github.com/advisories/GHSA-f2jv-hxph-r5wm 2025-02-27 2025-03-04
unit -- potential security issue unit unit-java 1.11.01.34.2

SO-AND-SO reports:

Unit 1.34.2 fixes two issues in the Java language module websocket code.

  1. It addresses a potential security issue where we could get a negative payload length that could cause the Java language module process(es) to enter an infinite loop and consume excess CPU. This was a bug carried over from the initial Java websocket code import. It has been re-issued a CVE number (CVE-2025-1695).
  2. It addresses an issue whereby decoded payload lengths would be limited to 32 bits.
CVE-2025-1695 https://mailman.nginx.org/pipermail/unit/2025-March/QVYLJKLBIDWOJ7OLYGT27VUWH7RGBRQM.html 2025-03-03 2025-03-03
vim -- Potential code execution vim vim-gtk2 vim-gtk3 vim-motif vim-x11 vim-tiny 9.1.1164

vim reports:

Summary

Potential code execution with tar.vim and special crafted tar files

Description

Vim is distributed with the tar.vim plugin, which allows easy editing and viewing of (compressed or uncompressed) tar files.

Since commit 129a844 (Nov 11, 2024 runtime(tar): Update tar.vim to support permissions), the tar.vim plugin uses the ":read " ex command line to append below the cursor position; however the is not sanitized and is taken literally from the tar archive. This allows execution of shell commands via specially crafted tar archives. Whether this really happens depends on the shell being used ('shell' option, which is set using $SHELL).

Impact

Impact is high but a user must be convinced to edit such a file using Vim which will reveal the filename, so a careful user may suspect some strange things going on.

https://github.com/vim/vim/security/advisories/GHSA-wfmf-8626-q3r3 2025-03-02 2025-03-02
Gitlab -- Vulnerabilities gitlab-ce gitlab-ee 17.9.017.9.1 17.8.017.8.4 15.10.017.7.6

Gitlab reports:

XSS in k8s proxy endpoint

XSS Maven Dependency Proxy

HTML injection leads to XSS on self hosted instances

Improper Authorisation Check Allows Guest User to Read Security Policy

Planner role can read code review analytics in private projects

CVE-2025-0475 CVE-2025-0555 CVE-2024-8186 CVE-2024-10925 CVE-2025-0307 https://about.gitlab.com/releases/2025/02/26/patch-release-gitlab-17-9-1-released/ 2025-02-26 2025-02-28
chromium -- multiple security fixes chromium 133.0.6943.141 ungoogled-chromium 133.0.6943.141

Chrome Releases reports:

This update includes 1 security fix.

https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop_25.html 2025-02-25 2025-02-27
exiv2 -- Use after free in TiffSubIfd exiv2 0.28.00.28.5

Kevin Backhouse reports:

A heap buffer overflow was found in Exiv2 versions v0.28.0 to v0.28.4. Versions prior to v0.28.0, such as v0.27.7, are not affected. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file.

Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as fixiso.

CVE-2025-26623 https://github.com/Exiv2/exiv2/security/advisories/GHSA-38h4-fx85-qcx7 2025-02-18 2025-02-25
Emacs -- Arbitrary code execution vulnerability emacs emacs-canna emacs-nox emacs-wayland 30.1,3 emacs-devel emacs-devel-nox 30.0.50.20240115,3

Problem Description

A shell injection vulnerability exists in GNU Emacs due to improper handling of custom man URI schemes.

Impact

Initially considered low severity, as it required user interaction with local files, it was later discovered that an attacker could exploit this vulnerability by tricking a user into visiting a specially crafted website or an HTTP URL with a redirect, leading to arbitrary shell command execution without further user action.

CVE-2025-1244 https://nvd.nist.gov/vuln/detail/CVE-2025-1244 2025-02-11 2025-02-24 2025-02-25
Emacs -- Shell injection vulnerability emacs emacs-canna emacs-nox emacs-wayland 30.1,3 emacs-devel emacs-devel-nox 31.0.50.20250101,3

Problem Description:

An Emacs user who chooses to invoke elisp-completion-at-point (for code completion) on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion that allows attackers to execute arbitrary code. This unsafe expansion also occurs if a user chooses to enable on-the-fly diagnosis that byte compiles untrusted Emacs Lisp source code.

CVE-2024-53920 https://nvd.nist.gov/vuln/detail/CVE-2024-53920 2024-11-27 2025-02-24
exim -- SQL injection exim 4.98.1

cve@mitre.org reports:

Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection.

CVE-2025-26794 https://nvd.nist.gov/vuln/detail/CVE-2025-26794 2025-02-21 2025-02-24
FreeBSD -- Multiple vulnerabilities in OpenSSH FreeBSD 14.214.2_2 14.114.1_8 13.413.4_4 openssh-portable 9.9.p2_1,1 openssh-portable-hpn 9.9.p2_1,1 openssh-portable-gssapi 9.9.p2_1,1

Problem Description:

OpenSSH client host verification error (CVE-2025-26465)

ssh(1) contains a logic error that allows an on-path attacker to impersonate any server during certain conditions when the VerifyHostKeyDNS option is enabled.

OpenSSH server denial of service (CVE-2025-26466)

The OpenSSH client and server are both vulnerable to a memory/CPU denial of service while handling SSH2_MSG_PING packets.

Impact:

OpenSSH client host verification error (CVE-2025-26465)

Under specific circumstances, a machine-in-the-middle may impersonate any server when the client has the VerifyHostKeyDNS option enabled.

OpenSSH server denial of service (CVE-2025-26466)

During the processing of SSH2_MSG_PING packets, a server may be subject to a memory/CPU denial of service.

CVE-2025-26465 CVE-2025-26466 SA-25:05.openssh https://nvd.nist.gov/vuln/detail/CVE-2025-26465 https://nvd.nist.gov/vuln/detail/CVE-2025-26466 2025-02-21 2025-02-24 2025-03-08
chromium -- multiple security fixes chromium 133.0.6943.126 ungoogled-chromium 133.0.6943.126

Chrome Releases reports:

This update includes 3 security fixes:

  • [394350433] High CVE-2025-0999: Heap buffer overflow in V8. Reported by Seunghyun Lee (@0x10n) on 2025-02-04
  • [383465163] High CVE-2025-1426: Heap buffer overflow in GPU. Reported by un3xploitable and GF on 2024-12-11
  • [390590778] Medium CVE-2025-1006: Use after free in Network. Reported by Tal Keren, Sam Agranat, Eran Rom, Edouard Bochin, Adam Hatsir of Palo Alto Networks on 2025-01-18
CVE-2025-0999 CVE-2025-1426 CVE-2025-1006 https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop_18.html 2025-02-18 2025-02-20
chromium -- multiple security fixes chromium 133.0.6943.98 ungoogled-chromium 133.0.6943.98

Chrome Releases reports:

This update includes 4 security fixes:

  • [391907159] High CVE-2025-0995: Use after free in V8. Reported by Popax21 on 2025-01-24
  • [391788835] High CVE-2025-0996: Inappropriate implementation in Browser UI. Reported by yuki yamaoto on 2025-01-23
  • [391666328] High CVE-2025-0997: Use after free in Navigation. Reported by asnine on 2025-01-23
  • [386857213] High CVE-2025-0998: Out of bounds memory access in V8. Reported by Alan Goodman on 2024-12-31
CVE-2025-0995 CVE-2025-0996 CVE-2025-0997 CVE-2025-0998 https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop_12.html 2025-02-12 2025-02-20
chromium -- multiple security fixes chromium 133.0.6943.53 ungoogled-chromium 133.0.6943.53

Chrome Releases reports:

This update includes 12 security fixes:

  • [390889644] High CVE-2025-0444: Use after free in Skia. Reported by Francisco Alonso (@revskills) on 2025-01-19
  • [392521083] High CVE-2025-0445: Use after free in V8. Reported by 303f06e3 on 2025-01-27
  • [40061026] Medium CVE-2025-0451: Inappropriate implementation in Extensions API. Reported by Vitor Torres and Alesandro Ortiz on 2022-09-18
CVE-2025-0444 CVE-2025-0445 CVE-2025-0451 https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop.html 2025-02-04 2025-02-20
vscode -- multiple vulnerabilities vscode 1.97.1

VSCode developers report:

The update addresses these issues, including a fix for a security vulnerability.

  • Scope node_module binary resolution in js-debug
  • Elevation of Privilege Vulnerability with VS Code server for web UI
CVE-2025-24042 https://github.com/microsoft/vscode/security/advisories/GHSA-f85p-3684-2g3j CVE-2025-24039 https://github.com/microsoft/vscode/security/advisories/GHSA-532g-4pv9-25f2 2025-02-11 2025-02-13
security/openvpn-auth-ldap -- Fix buffer overflow in challenge/response openvpn-auth-ldap 2.0.4_3

Graham Northup reports:

A buffer overflow in extract_openvpn_cr allows attackers with a valid LDAP username and who can control the challenge/response password field to pass a string with more than 14 colons into this field and cause a buffer overflow.

CVE-2024-28820 https://nvd.nist.gov/vuln/detail/CVE-2024-28820 2024-06-27 2025-02-13
PostgreSQL -- PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation postgresql17-client 17.3 postgresql16-client 16.7 postgresql15-client 15.11 postgresql14-client 14.16 postgresql13-client 13.19

The PostgreSQL Project reports:

Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.

CVE-2025-1094 https://www.postgresql.org/support/security/CVE-2025-1094/ 2025-02-13 2025-02-13
Gitlab -- Vulnerabilities gitlab-ce gitlab-ee 17.8.017.8.2 17.7.017.7.4 8.3.017.6.5

Gitlab reports:

A CSP-bypass XSS in merge-request page

Denial of Service due to Unbounded Symbol Creation

Exfiltrate content from private issues using Prompt Injection

A custom permission may allow overriding Repository settings

Internal HTTP header leak via route confusion in workhorse

SSRF via workspaces

Unauthorized Incident Closure and Deletion by Planner Role in GitLab

ActionCable does not invalidate tokens after revocation

CVE-2025-0376 CVE-2024-12379 CVE-2024-3303 CVE-2025-1042 CVE-2025-1212 CVE-2024-9870 CVE-2025-0516 CVE-2025-1198 https://about.gitlab.com/releases/2025/02/12/patch-release-gitlab-17-8-2-released/ 2025-02-12 2025-02-13
Intel CPUs -- multiple vulnerabilities cpu-microcode-intel 20250211

Intel reports:

A potential security vulnerability in some Intel Processors may allow denial of service. Intel released microcode updates to mitigate this potential vulnerability.

A potential security vulnerability in some Intel Software Guard Extensions (Intel SGX) Platforms may allow denial of service. Intel released microcode updates to mitigate this potential vulnerability.

Potential security vulnerabilities in the UEFI firmware for some Intel Processors may allow escalation of privilege, denial of service, or information disclosure. Intel released UEFI firmware and CPU microcode updates to mitigate these potential vulnerabilities.

A potential security vulnerability in some 13th and 14th Generation Intel Core™ Processors may allow denial of service. Intel released microcode and UEFI reference code updates to mitigate this potential vulnerability.

A potential security vulnerability in the Intel Data Streaming Accelerator (Intel DSA) for some Intel Xeon Processors may allow denial of service. Intel released software updates to mitigate this potential vulnerability.

CVE-2024-31068 CVE-2024-36293 CVE-2023-43758 CVE-2024-39355 CVE-2024-37020 https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250211 2025-02-11 2025-02-12
OpenSSL -- Man-in-the-Middle vulnerability openssl32 3.2.4 openssl33 3.3.2 openssl34 3.4.1

The OpenSSL project reports:

RFC7250 handshakes with unauthenticated servers don't abort as expected (High). Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set.

CVE-2024-12797 https://openssl-library.org/news/secadv/20250211.txt 2025-02-11 2025-02-11
mozilla -- multiple vulnerabilities firefox 135.0.0,2 firefox-esr 128.7,1 thunderbird 128.7 129135

security@mozilla.org reports:

A bug in WebAssembly code generation could have led to a crash. It may have been possible for an attacker to leverage this to achieve code execution.

A race condition could have led to private browsing tabs being opened in normal browsing windows. This could have resulted in a potential privacy leak.

Certificate length was not properly checked when added to a certificate store. In practice only trusted data was processed.

Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2025-1011 https://nvd.nist.gov/vuln/detail/CVE-2025-1011 CVE-2025-1013 https://nvd.nist.gov/vuln/detail/CVE-2025-1013 CVE-2025-1014 https://nvd.nist.gov/vuln/detail/CVE-2025-1014 CVE-2025-1017 https://nvd.nist.gov/vuln/detail/CVE-2025-1017 2025-02-04 2025-02-07
mozilla -- multiple vulnerabilities mozilla 135.0.0,2

security@mozilla.org reports:

Memory safety bugs present in Firefox 134 and Thunderbird 134. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. This could have been leveraged to perform a potential spoofing attack.

CVE-2025-1018 https://nvd.nist.gov/vuln/detail/CVE-2025-1018 CVE-2025-1019 https://nvd.nist.gov/vuln/detail/CVE-2025-1019 CVE-2025-1020 https://nvd.nist.gov/vuln/detail/CVE-2025-1020 2025-02-04 2025-02-07
mozilla -- multiple vulnerabilities firefox 135.0.0,2 firefox-esr 115.20,1 116.0,1128.6,1 thunderbird 128.7 129135

security@mozilla.org reports:

An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash.

An attacker could have caused a use-after-free via the Custom Highlight API, leading to a potentially exploitable crash.

A race during concurrent delazification could have led to a use-after-free.

Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2025-1009 https://nvd.nist.gov/vuln/detail/CVE-2025-1009 CVE-2025-1010 https://nvd.nist.gov/vuln/detail/CVE-2025-1010 CVE-2025-1012 https://nvd.nist.gov/vuln/detail/CVE-2025-1012 CVE-2025-1016 https://nvd.nist.gov/vuln/detail/CVE-2025-1016 2025-02-04 2025-02-07
Thunderbird -- unprivileged JavaScript code execution mozilla 128.7,1

security@mozilla.org reports:

The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the Other field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript.

CVE-2025-1015 https://nvd.nist.gov/vuln/detail/CVE-2025-1015 2025-02-04 2025-02-07
MariaDB -- DoS vulnerability in InnoDB mariadb105-server 10.5.28 mariadb106-server 10.6.21 mariadb1011-server 10.11.11 mariadb114-server 11.4.5

MariaDB reports:

Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVE-2025-21490 http://mariadb.com/kb/en/security/ 2025-02-04 2025-02-07
libcaca -- Multiple vulnerabilities libcaca 0.99.b20

Sam Hocevar reports:

Multiple memory leaks and invalid memory accesses:

  • CVE-2018-20545: Illegal WRITE memory access at common-image.c
  • CVE-2018-20546: Illegal READ memory access at caca/dither.c
  • CVE-2018-20547: Illegal READ memory access at caca/dither.c
  • CVE-2018-20548: Illegal WRITE memory access at common-image.c
  • CVE-2018-20549: Illegal WRITE memory access at caca/file.c
  • CVE-2021-3410: Buffer overflow in libcaca/caca/canvas.c in function caca_resize
  • CVE-2021-30498: Heap buffer overflow in export.c in function export_tga
  • CVE-2021-30499: Buffer overflow in export.c in function export_troff
CVE-2018-20545 CVE-2018-20546 CVE-2018-20547 CVE-2018-20548 CVE-2018-20549 CVE-2021-3410 CVE-2021-30498 CVE-2021-30499 https://github.com/cacalabs/libcaca/releases/tag/v0.99.beta20 2021-10-19 2025-02-07
cacti -- Multiple vulnerabilities cacti 1.2.29

Cacti repo reports:

  • security #GHSA-c5j8-jxj3-hh36: Authenticated RCE via multi-line SNMP responses
  • security #GHSA-f9c7-7rc3-574c: SQL Injection vulnerability when using tree rules through Automation API
  • security #GHSA-fh3x-69rr-qqpp: SQL Injection vulnerability when request automation devices
  • security #GHSA-fxrq-fr7h-9rqq: Arbitrary File Creation leading to RCE
  • security #GHSA-pv2c-97pp-vxwg: Local File Inclusion (LFI) Vulnerability via Poller Standard Error Log Path
  • security #GHSA-vj9g-p7f2-4wqj: SQL Injection vulnerability when view host template
CVE-2025-22604 CVE-2025-24368 CVE-2024-54145 CVE-2025-24367 CVE-2024-45598 CVE-2024-54146 2025-02-02 2025-02-05
nginx-devel -- SSL session reuse vulnerability nginx-devel 1.27.4 nginx 1.26.3

The nginx development team reports:

This update fixes the SSL session reuse vulnerability.

CVE-2025-23419 2025-02-05 2025-02-05
qt6-webengine -- Multiple vulnerabilities qt6-webengine 6.8.2

Qt qtwebengine-chromium repo reports:

Backports for 9 security bugs in Chromium:

  • CVE-2024-12693: Out of bounds memory access in V8
  • CVE-2024-12694: Use after free in Compositing
  • CVE-2025-0436: Integer overflow in Skia
  • CVE-2025-0437: Out of bounds read in Metrics
  • CVE-2025-0438: Stack buffer overflow in Tracing
  • CVE-2025-0441: Inappropriate implementation in Fenced Frames
  • CVE-2025-0443: Insufficient data validation in Extensions
  • CVE-2025-0447: Inappropriate implementation in Navigation
  • CVE-2025-0611: Object corruption in V8
CVE-2024-12693 CVE-2024-12694 CVE-2025-0436 CVE-2025-0437 CVE-2025-0438 CVE-2025-0441 CVE-2025-0443 CVE-2025-0447 CVE-2025-0611 https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=122-based 2025-01-09 2025-02-02
chromium -- multiple security fixes chromium 132.0.6834.159 ungoogled-chromium 132.0.6834.159

Chrome Releases reports:

This update includes 2 security fixes:

  • [384844003] Medium CVE-2025-0762: Use after free in DevTools. Reported by Sakana.S on 2024-12-18
CVE-2025-0762 https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop_28.html 2025-01-18 2025-01-31
dendrite -- Server-side request forgery vulnerability dendrite 0.14.1

Dendrite team reports:

This is a security release: gomatrixserverlib was vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions.

CVE-2024-52594 https://github.com/matrix-org/gomatrixserverlib/security/advisories/GHSA-4ff6-858j-r822 2025-01-16 2025-01-30
FreeBSD -- Uninitialized kernel memory disclosure via ktrace(2) FreeBSD-kernel 14.214.2_1

Problem Description:

In some cases, the ktrace facility will log the contents of kernel structures to userspace. In one such case, ktrace dumps a variable-sized sockaddr to userspace. There, the full sockaddr is copied, even when it is shorter than the full size. This can result in up to 14 uninitialized bytes of kernel memory being copied out to userspace.

Impact:

It is possible for an unprivileged userspace program to leak 14 bytes of a kernel heap allocation to userspace.

CVE-2025-0662 SA-25:04.ktrace 2025-01-29 2025-01-30
FreeBSD -- Unprivileged access to system files FreeBSD 14.214.2_1 14.114.1_7 13.413.4_3

Problem Description:

When etcupdate encounters conflicts while merging files, it saves a version containing conflict markers in /var/db/etcupdate/conflicts. This version does not preserve the mode of the input file, and is world-readable. This applies to files that would normally have restricted visibility, such as /etc/master.passwd.

Impact:

An unprivileged local user may be able to read encrypted root and user passwords from the temporary master.passwd file created in /var/db/etcupdate/conflicts. This is possible only when conflicts within the password file arise during an update, and the unprotected file is deleted when conflicts are resolved.

CVE-2025-0374 SA-25:03.etcupdate 2025-01-29 2025-01-30
FreeBSD -- Buffer overflow in some filesystems via NFS FreeBSD-kernel 14.214.2_1 14.114.1_7 13.413.4_3

Problem Description:

In order to export a file system via NFS, the file system must define a file system identifier (FID) for all exported files. Each FreeBSD file system implements operations to translate between FIDs and vnodes, the kernel's in-memory representation of files. These operations are VOP_VPTOFH(9) and VFS_FHTOVP(9).

On 64-bit systems, the implementation of VOP_VPTOFH() in the cd9660, tarfs and ext2fs filesystems overflows the destination FID buffer by 4 bytes, a stack buffer overflow.

Impact:

An NFS server that exports a cd9660, tarfs, or ext2fs file system can be made to panic by mounting and accessing the export with an NFS client. Further exploitation (e.g., bypassing file permission checking or remote kernel code execution) is potentially possible, though this has not been demonstrated. In particular, release kernels are compiled with stack protection enabled, and some instances of the overflow are caught by this mechanism, causing a panic.

CVE-2025-0373 SA-25:02.fs 2025-01-29 2025-01-30
FreeBSD -- OpenSSH Keystroke Obfuscation Bypass FreeBSD >=14.1 <14.1_7

Problem Description:

A logic error in the ssh(1) ObscureKeystrokeTiming feature (on by default) rendered this feature ineffective.

Impact:

A passive observer could detect which network packets contain real keystrokes, and infer the specific characters being transmitted from packet timing.

CVE-2024-39894 SA-25:01.openssh 2025-01-29 2025-01-30
oauth2-proxy -- Non-linear parsing of case-insensitive content oauth2-proxy 7.8.0

Golang reports:

This update includes security fixes:

  • CVE-2024-45338: Non-linear parsing of case-insensitive content
CVE-2024-45338 2025-01-14 2025-01-30
Vaultwarden -- Multiple vulnerabilities vaultwarden 1.33.0

The Vaultwarden project reports:

RCE in the admin panel.

Getting access to the Admin Panel via CSRF.

Escalation of privilege via variable confusion in OrgHeaders trait.

CVE-2025-24364 https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-j4h8-vch3-f797 CVE-2025-24365 https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h6cc-rc6q-23j4 2025-01-25 2025-01-25
chromium -- multiple security fixes chromium 132.0.6834.110 ungoogled-chromium 132.0.6834.110

Chrome Releases reports:

This update includes 3 security fixes:

  • [386143468] High CVE-2025-0611: Object corruption in V8. Reported by 303f06e3 on 2024-12-26
  • [385155406] High CVE-2025-0612: Out of bounds memory access in V8. Reported by Alan Goodman on 2024-12-20
CVE-2025-0611 CVE-2025-0612 https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop_22.html 2025-01-22 2025-01-25
chromium -- multiple security fixes chromium 132.0.6834.83 ungoogled-chromium 132.0.6834.83

Chrome Releases reports:

This update includes 16 security fixes:

  • [374627491] High CVE-2025-0434: Out of bounds memory access in V8. Reported by ddme on 2024-10-21
  • [379652406] High CVE-2025-0435: Inappropriate implementation in Navigation. Reported by Alesandro Ortiz on 2024-11-18
  • [382786791] High CVE-2025-0436: Integer overflow in Skia. Reported by Han Zheng (HexHive) on 2024-12-08
  • [378623799] High CVE-2025-0437: Out of bounds read in Metrics. Reported by Xiantong Hou of Wuheng Lab and Pisanbao on 2024-11-12
  • [384186539] High CVE-2025-0438: Stack buffer overflow in Tracing. Reported by Han Zheng (HexHive) on 2024-12-15
  • [371247941] Medium CVE-2025-0439: Race in Frames. Reported by Hafiizh on 2024-10-03
  • [40067914] Medium CVE-2025-0440: Inappropriate implementation in Fullscreen. Reported by Umar Farooq on 2023-07-22
  • [368628042] Medium CVE-2025-0441: Inappropriate implementation in Fenced Frames. Reported by someoneverycurious on 2024-09-21
  • [40940854] Medium CVE-2025-0442: Inappropriate implementation in Payments. Reported by Ahmed ElMasry on 2023-11-08
  • [376625003] Medium CVE-2025-0443: Insufficient data validation in Extensions. Reported by Anonymous on 2024-10-31
  • [359949844] Low CVE-2025-0446: Inappropriate implementation in Extensions. Reported by Hafiizh on 2024-08-15
  • [375550814] Low CVE-2025-0447: Inappropriate implementation in Navigation. Reported by Khiem Tran (@duckhiem) on 2024-10-25
  • [377948403] Low CVE-2025-0448: Inappropriate implementation in Compositing. Reported by Dahyeon Park on 2024-11-08
CVE-2025-0434 CVE-2025-0435 CVE-2025-0436 CVE-2025-0437 CVE-2025-0438 CVE-2025-0439 CVE-2025-0440 CVE-2025-0441 CVE-2025-0442 CVE-2025-0443 CVE-2025-0446 CVE-2025-0447 CVE-2025-0448 https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop_14.html 2025-01-14 2025-01-25
electron32 -- multiple vulnerabilities electron32 32.3.0

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-12693.
  • Security: backported fix for CVE-2024-12694.
  • Security: backported fix for CVE-2024-12695.
  • Security: backported fix for CVE-2025-0434.
  • Security: backported fix for CVE-2025-0436.
  • Security: backported fix for CVE-2025-0437.
CVE-2024-12693 https://github.com/advisories/GHSA-m84q-p89f-6cc5 CVE-2024-12694 https://github.com/advisories/GHSA-cgc6-4xgf-5q5x CVE-2024-12695 https://github.com/advisories/GHSA-6895-2frg-pq5j CVE-2025-0434 https://github.com/advisories/GHSA-fpmx-pfpg-92xg CVE-2025-0436 https://github.com/advisories/GHSA-ww3g-8h77-wr7v CVE-2025-0437 https://github.com/advisories/GHSA-4353-vp82-4qq4 2025-01-23 2025-01-25
electron33 -- multiple vulnerabilities electron33 33.3.2

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2025-0434.
  • Security: backported fix for CVE-2025-0436.
  • Security: backported fix for CVE-2025-0437.
CVE-2025-0434 https://github.com/advisories/GHSA-fpmx-pfpg-92xg CVE-2025-0436 https://github.com/advisories/GHSA-ww3g-8h77-wr7v CVE-2025-0437 https://github.com/advisories/GHSA-4353-vp82-4qq4 2025-01-22 2025-01-23
Gitlab -- Vulnerabilities gitlab-ce gitlab-ee >=17.8.0 <17.8.1, >=17.7.0 <17.7.3, >=15.7.0 <17.6.4

Gitlab reports:

Stored XSS via Asciidoctor render

Developer could exfiltrate protected CI/CD variables via CI lint

Cyclic reference of epics leads to resource exhaustion

CVE-2025-0314 CVE-2024-11931 CVE-2024-6324 https://about.gitlab.com/releases/2025/01/22/patch-release-gitlab-17-8-1-released/ 2025-01-22 2025-01-23
clamav -- Possible denial-of-service vulnerability clamav >=1.0.0,1 <1.4.2,1 clamav-lts >=1.0.0,1 <1.0.8,1

The ClamAV project reports:

A possible buffer overflow read bug is found in the OLE2 file parser that could cause a denial-of-service (DoS) condition.

CVE-2025-20128 https://blog.clamav.net/2025/01/clamav-142-and-108-security-patch.html 2025-01-22 2025-01-23
electron32 -- Type Confusion in V8 electron32 32.2.8

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-12053.
CVE-2024-12053 https://github.com/advisories/GHSA-wvx7-72hc-rp32 2025-01-06 2025-01-22
go -- multiple vulnerabilities go122 1.22.11 go123 1.23.5

The Go project reports:

crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints

A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain.

net/http: sensitive headers incorrectly sent after cross-domain redirect

The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com.

CVE-2024-45341 CVE-2024-45336 https://go.dev/issue/71156 https://go.dev/issue/70530 2025-01-07 2025-01-21
electron31 -- multiple vulnerabilities electron31 31.7.7

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-12053.
  • Security: backported fix for CVE-2024-12693.
  • Security: backported fix for CVE-2024-12694.
CVE-2024-12053 https://github.com/advisories/GHSA-wvx7-72hc-rp32 CVE-2024-12693 https://github.com/advisories/GHSA-m84q-p89f-6cc5 CVE-2024-12694 https://github.com/advisories/GHSA-cgc6-4xgf-5q5x 2025-01-14 2025-01-20
age -- age vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution age 1.2.1

Filippo Valsorda reports:

A plugin name containing a path separator may allow an attacker to execute an arbitrary binary.

Such a plugin name can be provided to the age CLI through an attacker-controlled recipient or identity string, or to the plugin.NewIdentity, plugin.NewIdentityWithoutData, or plugin.NewRecipient APIs.

https://github.com/advisories/GHSA-32gq-x56h-299c 2024-12-18 2025-01-18
openvpn -- too long a username or password from a client can confuse openvpn servers openvpn 2.6.13

Frank Lichtenheld reports:

[OpenVPN v2.6.13 ...] improve server-side handling of clients sending usernames or passwords longer than USER_PASS_LEN - this would not result in a crash, buffer overflow or other security issues, but the server would then misparse incoming IV variables and produce misleading error messages.

https://github.com/OpenVPN/openvpn/releases/tag/v2.6.13 2024-10-28 2025-01-17
rsync -- Multiple security fixes rsync 3.4.0

rsync reports:

This update includes multiple security fixes:

  • CVE-2024-12084: Heap Buffer Overflow in Checksum Parsing
  • CVE-2024-12085: Info Leak via uninitialized Stack contents defeats ASLR
  • CVE-2024-12086: Server leaks arbitrary client files
  • CVE-2024-12087: Server can make client write files outside of destination directory using symbolic links
  • CVE-2024-12088: --safe-links Bypass
  • CVE-2024-12747: symlink race condition
CVE-2024-12084 CVE-2024-12085 CVE-2024-12086 CVE-2024-12087 CVE-2024-12088 CVE-2024-12747 2025-01-14 2025-01-14
git -- multiple vulnerabilities git git-cvs git-gui git-p4 git-svn 2.48.1

Git development team reports:

CVE-2024-50349: Printing unsanitized URLs when asking for credentials made the user susceptible to crafted URLs (e.g. in recursive clones) that mislead the user into typing in passwords for trusted sites that would then be sent to untrusted sites instead.

CVE-2024-52006: Git may pass on Carriage Returns via the credential protocol to credential helpers which use line-reading functions that interpret said Carriage Returns as line endings, even though Git did not intend that.

CVE-2024-50349 https://github.com/git/git/security/advisories/GHSA-hmg8-h7qf-7cxr CVE-2024-52006 https://github.com/git/git/security/advisories/GHSA-r5ph-xg7q-xfrp 2024-10-29 2025-01-14
keycloak -- Multiple security fixes keycloak 26.0.8

Keycloak reports:

This update includes 2 security fixes:

  • CVE-2024-11734: Unrestricted admin use of system and environment variables
  • CVE-2024-11736: Denial of Service in Keycloak Server via Security Headers
CVE-2024-11734 CVE-2024-11736 2025-01-13 2025-01-13
asterisk -- path traversal asterisk18 18.26.20 asterisk20 20.11.0

cve@mitre.org reports:

An issue in the action_listcategories() function of Sangoma Asterisk v22/22.0.0/22.0.0-rc1/22.0.0-rc2/22.0.0-pre1 allows attackers to execute a path traversal.

CVE-2024-53566 https://nvd.nist.gov/vuln/detail/CVE-2024-53566 2024-12-02 2025-01-12
redis,valkey -- Denial-of-service vulnerability due to malformed ACL selectors redis >=7.0.0 <7.4.2 redis72 7.2.7 redis-devel 7.4.2.20250201 valkey 8.0.2

Redis core team reports:

An authenticated user with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem exists in Redis 7.0.0 or newer.

CVE-2024-51741 https://github.com/redis/redis/security/advisories/GHSA-prpq-rh5h-46g9 2025-01-06 2025-01-10
redis,valkey -- Remote code execution vulnerability redis 7.4.2 redis72 7.2.7 redis62 6.2.17 redis-devel 7.4.2.20250201 valkey 8.0.2

Redis core team reports:

An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting.

CVE-2024-46981 https://github.com/redis/redis/security/advisories/GHSA-39h2-x6c4-6w4c 2025-01-06 2025-01-10
Gitlab -- Vulnerabilities gitlab-ce gitlab-ee >=17.7.0 <17.7.1, >=17.6.0 <17.6.3, >=11.0.0 <17.5.5

Gitlab reports:

Possible access token exposure in GitLab logs

Cyclic reference of epics leads to resource exhaustion

Unauthorized user can manipulate status of issues in public projects

Instance SAML does not respect external_provider configuration

CVE-2025-0194 CVE-2024-6324 CVE-2024-12431 CVE-2024-13041 https://about.gitlab.com/releases/2025/01/08/patch-release-gitlab-17-7-1-released/ 2025-01-08 2025-01-08