The OpenSSL project reports:
+++ +RFC7250 handshakes with unauthenticated servers don't abort as expected (High). + Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set.
+
security@mozilla.org reports:
A bug in WebAssembly code generation could have lead to a crash. It may have been possible for an attacker to leverage this to achieve code execution.
A race condition could have led to private browsing tabs being opened in normal browsing windows. This could have resulted in a potential privacy leak.
Certificate length was not properly checked when added to a certificate store. In practice only trusted data was processed.
Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
Memory safety bugs present in Firefox 134 and Thunderbird 134. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. This could have been leveraged to perform a potential spoofing attack.
security@mozilla.org reports:
An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash.
An attacker could have caused a use-after-free via the Custom Highlight API, leading to a potentially exploitable crash.
A race during concurrent delazification could have led to a use-after-free.
Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the Other field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript.
MariaDB reports:
Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
Sam Hocevar reports:
Multiple memory leaks and invalid memory accesses:
- CVE-2018-20545: Illegal WRITE memory access at common-image.c
- CVE-2018-20546: Illegal READ memory access at caca/dither.c
- CVE-2018-20547: Illegal READ memory access at caca/dither.c
- CVE-2018-20548: Illegal WRITE memory access at common-image.c
- CVE-2018-20549: Illegal WRITE memory access at caca/file.c
- CVE-2021-3410: Buffer overflow in libcaca/caca/canvas.c in function caca_resize
- CVE-2021-30498: Heap buffer overflow in export.c in function export_tga
- CVE-2021-30499: Buffer overflow in export.c in function export_troff
Cacti repo reports:
- security #GHSA-c5j8-jxj3-hh36: Authenticated RCE via multi-line SNMP responses
- security #GHSA-f9c7-7rc3-574c: SQL Injection vulnerability when using tree rules through Automation API
- security #GHSA-fh3x-69rr-qqpp: SQL Injection vulnerability when request automation devices
- security #GHSA-fxrq-fr7h-9rqq: Arbitrary File Creation leading to RCE
- security #GHSA-pv2c-97pp-vxwg: Local File Inclusion (LFI) Vulnerability via Poller Standard Error Log Path
- security #GHSA-vj9g-p7f2-4wqj: SQL Injection vulnerability when view host template
The nginx development team reports:
This update fixes the SSL session reuse vulnerability.
Qt qtwebengine-chromium repo reports:
Backports for 9 security bugs in Chromium:
- CVE-2024-12693: Out of bounds memory access in V8
- CVE-2024-12694: Use after free in Compositing
- CVE-2025-0436: Integer overflow in Skia
- CVE-2025-0437: Out of bounds read in Metrics
- CVE-2025-0438: Stack buffer overflow in Tracing
- CVE-2025-0441: Inappropriate implementation in Fenced Frames
- CVE-2025-0443: Insufficient data validation in Extensions
- CVE-2025-0447: Inappropriate implementation in Navigation
- CVE-2025-0611: Object corruption in V8
Chrome Releases reports:
This update includes 2 security fixes:
- [384844003] Medium CVE-2025-0762: Use after free in DevTools. Reported by Sakana.S on 2024-12-18
Dendrite team reports:
This is a security release, gomatrixserverlib was vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions.
In some cases, the ktrace facility will log the contents of kernel structures to userspace. In one such case, ktrace dumps a variable-sized sockaddr to userspace. There, the full sockaddr is copied, even when it is shorter than the full size. This can result in up to 14 uninitialized bytes of kernel memory being copied out to userspace.
It is possible for an unprivileged userspace program to leak 14 bytes of a kernel heap allocation to userspace.
When etcupdate encounters conflicts while merging files, it saves a version containing conflict markers in /var/db/etcupdate/conflicts. This version does not preserve the mode of the input file, and is world-readable. This applies to files that would normally have restricted visibility, such as /etc/master.passwd.
An unprivileged local user may be able to read encrypted root and user passwords from the temporary master.passwd file created in /var/db/etcupdate/conflicts. This is possible only when conflicts within the password file arise during an update, and the unprotected file is deleted when conflicts are resolved.
In order to export a file system via NFS, the file system must define a file system identifier (FID) for all exported files. Each FreeBSD file system implements operations to translate between FIDs and vnodes, the kernel's in-memory representation of files. These operations are VOP_VPTOFH(9) and VFS_FHTOVP(9).
On 64-bit systems, the implementation of VOP_VPTOFH() in the cd9660, tarfs and ext2fs filesystems overflows the destination FID buffer by 4 bytes, a stack buffer overflow.
A NFS server that exports a cd9660, tarfs, or ext2fs file system can be made to panic by mounting and accessing the export with an NFS client. Further exploitation (e.g., bypassing file permission checking or remote kernel code execution) is potentially possible, though this has not been demonstrated. In particular, release kernels are compiled with stack protection enabled, and some instances of the overflow are caught by this mechanism, causing a panic.
A logic error in the ssh(1) ObscureKeystrokeTiming feature (on by default) rendered this feature ineffective.
A passive observer could detect which network packets contain real keystrokes, and infer the specific characters being transmitted from packet timing.
Golang reports:
This update include security fixes:
- CVE-2024-45338: Non-linear parsing of case-insensitive content
The Vaultwarden project reports:
RCE in the admin panel.
Getting access to the Admin Panel via CSRF.
Escalation of privilege via variable confusion in OrgHeaders trait.
Chrome Releases reports:
This update includes 3 security fixes:
- [386143468] High CVE-2025-0611: Object corruption in V8. Reported by 303f06e3 on 2024-12-26
- [385155406] High CVE-2025-0612: Out of bounds memory access in V8. Reported by Alan Goodman on 2024-12-20
Chrome Releases reports:
This update includes 16 security fixes:
- [374627491] High CVE-2025-0434: Out of bounds memory access in V8. Reported by ddme on 2024-10-21
- [379652406] High CVE-2025-0435: Inappropriate implementation in Navigation. Reported by Alesandro Ortiz on 2024-11-18
- [382786791] High CVE-2025-0436: Integer overflow in Skia. Reported by Han Zheng (HexHive) on 2024-12-08
- [378623799] High CVE-2025-0437: Out of bounds read in Metrics. Reported by Xiantong Hou of Wuheng Lab and Pisanbao on 2024-11-12
- [384186539] High CVE-2025-0438: Stack buffer overflow in Tracing. Reported by Han Zheng (HexHive) on 2024-12-15
- [371247941] Medium CVE-2025-0439: Race in Frames. Reported by Hafiizh on 2024-10-03
- [40067914] Medium CVE-2025-0440: Inappropriate implementation in Fullscreen. Reported by Umar Farooq on 2023-07-22
- [368628042] Medium CVE-2025-0441: Inappropriate implementation in Fenced Frames. Reported by someoneverycurious on 2024-09-21
- [40940854] Medium CVE-2025-0442: Inappropriate implementation in Payments. Reported by Ahmed ElMasry on 2023-11-08
- [376625003] Medium CVE-2025-0443: Insufficient data validation in Extensions. Reported by Anonymous on 2024-10-31
- [359949844] Low CVE-2025-0446: Inappropriate implementation in Extensions. Reported by Hafiizh on 2024-08-15
- [375550814] Low CVE-2025-0447: Inappropriate implementation in Navigation. Reported by Khiem Tran (@duckhiem) on 2024-10-25
- [377948403] Low CVE-2025-0448: Inappropriate implementation in Compositing. Reported by Dahyeon Park on 2024-11-08
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-12693.
- Security: backported fix for CVE-2024-12694.
- Security: backported fix for CVE-2024-12695.
- Security: backported fix for CVE-2025-0434.
- Security: backported fix for CVE-2025-0436.
- Security: backported fix for CVE-2025-0437.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2025-0434.
- Security: backported fix for CVE-2025-0436.
- Security: backported fix for CVE-2025-0437.
Gitlab reports:
Stored XSS via Asciidoctor render
Developer could exfiltrate protected CI/CD variables via CI lint
Cyclic reference of epics leads resource exhaustion
The ClamAV project reports:
A possible buffer overflow read bug is found in the OLE2 file parser that could cause a denial-of-service (DoS) condition.
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-12053.
The Go project reports:
crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints
A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain.
net/http: sensitive headers incorrectly sent after cross-domain redirect
The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-12053.
- Security: backported fix for CVE-2024-12693.
- Security: backported fix for CVE-2024-12694.
Filippo Valsorda reports:
A plugin name containing a path separator may allow an attacker to execute an arbitrary binary.
Such a plugin name can be provided to the age CLI through an attacker-controlled recipient or identity string, or to the plugin.NewIdentity, plugin.NewIdentityWithoutData, or plugin.NewRecipient APIs.
Frank Lichtenheld reports:
[OpenVPN v2.6.13 ...] improve server-side handling of clients sending usernames or passwords longer than USER_PASS_LEN - this would not result in a crash, buffer overflow or other security issues, but the server would then misparse incoming IV variables and produce misleading error messages.
rsync reports:
This update includes multiple security fixes:
- CVE-2024-12084: Heap Buffer Overflow in Checksum Parsing
- CVE-2024-12085: Info Leak via uninitialized Stack contents defeats ASLR
- CVE-2024-12086: Server leaks arbitrary client files
- CVE-2024-12087: Server can make client write files outside of destination directory using symbolic links
- CVE-2024-12088: --safe-links Bypass
- CVE-2024-12747: symlink race condition
Git development team reports:
CVE-2024-50349: Printing unsanitized URLs when asking for credentials made the user susceptible to crafted URLs (e.g. in recursive clones) that mislead the user into typing in passwords for trusted sites that would then be sent to untrusted sites instead.
CVE-2024-52006: Git may pass on Carriage Returns via the credential protocol to credential helpers which use line-reading functions that interpret said Carriage Returns as line endings, even though Git did not intend that.
Keycloak reports:
This update includes 2 security fixes:
- CVE-2024-11734: Unrestricted admin use of system and environment variables
- CVE-2024-11736: Denial of Service in Keycloak Server via Security Headers
cve@mitre.org reports:
An issue in the action_listcategories() function of Sangoma Asterisk v22/22.0.0/22.0.0-rc1/22.0.0-rc2/22.0.0-pre1 allows attackers to execute a path traversal.
Redis core team reports:
An authenticated with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service.The problem exists in Redis 7.0.0 or newer.
Redis core team reports:
An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting.
Gitlab reports:
Possible access token exposure in GitLab logs
Cyclic reference of epics leads resource exhaustion
Unauthorized user can manipulate status of issues in public projects
Instance SAML does not respect external_provider configuration