From denisse at archlinux.org Fri Jun 13 22:28:51 2025
From: denisse at archlinux.org (Andrea Denisse)
Date: Fri, 13 Jun 2025 14:28:51 -0600
Subject: [manjaro-security] [ASA-202505-15] ghostscript: information disclosure
Message-ID:

Arch Linux Security Advisory ASA-202505-15
==========================================

Severity: Low
Date    : 2025-05-24
CVE-ID  : CVE-2025-48708
Package : ghostscript
Type    : information disclosure
Remote  : No
Link    : https://security.archlinux.org/AVG-2883

Summary
=======

The package ghostscript before version 10.05.1-2 is vulnerable to
information disclosure.

Resolution
==========

Upgrade to 10.05.1-2.

# pacman -Syu "ghostscript>=10.05.1-2"

The problem has been fixed upstream in version 10.05.1.

Workaround
==========

None.

Description
===========

gs_lib_ctx_stash_sanitized_arg in base/gslibctx.c in Artifex
Ghostscript before 10.05.1 lacks argument sanitization for the # case.
A created PDF document includes its password in cleartext.

Impact
======

A local attacker can access the password used to protect a PDF in
cleartext.

References
==========

https://bugs.ghostscript.com/show_bug.cgi?id=708446
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?h=gs10.05.1&id=5b5968c306b3e35cdeec83bb15026fd74a7334de
https://security.archlinux.org/CVE-2025-48708

From denisse at archlinux.org Fri Jun 13 22:30:59 2025
From: denisse at archlinux.org (Andrea Denisse)
Date: Fri, 13 Jun 2025 14:30:59 -0600
Subject: [manjaro-security] [ASA-202506-1] roundcubemail: arbitrary code execution
Message-ID:

Arch Linux Security Advisory ASA-202506-1
=========================================

Severity: Critical
Date    : 2025-06-04
CVE-ID  : CVE-2025-49113
Package : roundcubemail
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2891

Summary
=======

The package roundcubemail before version 1.6.11-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 1.6.11-1.

# pacman -Syu "roundcubemail>=1.6.11-1"

The problem has been fixed upstream in version 1.6.11.

Workaround
==========

None.

Description
===========

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote
code execution by authenticated users because the _from parameter in a
URL is not validated in program/actions/settings/upload.php, leading to
PHP Object Deserialization.

Impact
======

A remote attacker with access to an authenticated Roundcube session can
exploit a vulnerability leading to arbitrary code execution.

References
==========

https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
https://www.cve.org/CVERecord?id=CVE-2025-49113
https://www.openwall.com/lists/oss-security/2025/06/02/3
https://github.com/roundcube/roundcubemail/pull/9865
https://security.archlinux.org/CVE-2025-49113

From denisse at archlinux.org Fri Jun 13 22:31:41 2025
From: denisse at archlinux.org (Andrea Denisse)
Date: Fri, 13 Jun 2025 14:31:41 -0600
Subject: [manjaro-security] [ASA-202506-2] curl: denial of service
Message-ID: <1033e949c93064b997fa267c8ae8dcf75d3d9b7a.camel@archlinux.org>

Arch Linux Security Advisory ASA-202506-2
=========================================

Severity: Low
Date    : 2025-06-05
CVE-ID  : CVE-2025-5399
Package : curl
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2895

Summary
=======

The package curl before version 8.14.1-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 8.14.1-1.

# pacman -Syu "curl>=8.14.1-1"

The problem has been fixed upstream in version 8.14.1.

Workaround
==========

None.

Description
===========

Due to a mistake in libcurl's WebSocket code, a malicious server can
send a particularly crafted packet which makes libcurl get trapped in
an endless busy-loop. There is no other way for the application to
escape or exit this loop other than killing the thread/process. This
might be used to DoS a libcurl-using application.

Impact
======

A remote attacker can send a specially crafted WebSocket frame that
triggers an infinite busy-loop in libcurl, causing the application to
hang indefinitely, potentially leading to a denial of service.

References
==========

https://curl.se/docs/CVE-2025-5399.html
https://github.com/curl/curl/commit/d1145df24de8f80e6b16
https://security.archlinux.org/CVE-2025-5399

From denisse at archlinux.org Fri Jun 13 22:32:20 2025
From: denisse at archlinux.org (Andrea Denisse)
Date: Fri, 13 Jun 2025 14:32:20 -0600
Subject: [manjaro-security] [ASA-202506-3] samba: access restriction bypass
Message-ID: <3403e00e3bf5e6e20c3bf6802733fccb282b9510.camel@archlinux.org>

Arch Linux Security Advisory ASA-202506-3
=========================================

Severity: Low
Date    : 2025-06-06
CVE-ID  : CVE-2025-0620
Package : samba
Type    : access restriction bypass
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2892

Summary
=======

The package samba before version 4.22.2-1 is vulnerable to access
restriction bypass.

Resolution
==========

Upgrade to 4.22.2-1.

# pacman -Syu "samba>=4.22.2-1"

The problem has been fixed upstream in version 4.22.2.

Workaround
==========

None.

Description
===========

When using Kerberos authentication with SMB, smbd doesn't pick up group
membership changes when re-authenticating an expired SMB session.

Impact
======

A remote authenticated attacker may retain unintended access to file
shares in Samba.

References
==========

https://www.samba.org/samba/security/CVE-2025-0620.html
https://bugzilla.samba.org/show_bug.cgi?id=15707
https://nvd.nist.gov/vuln/detail/CVE-2025-0620
https://security.archlinux.org/CVE-2025-0620

From denisse at archlinux.org Fri Jun 13 22:32:45 2025
From: denisse at archlinux.org (Andrea Denisse)
Date: Fri, 13 Jun 2025 14:32:45 -0600
Subject: [manjaro-security] [ASA-202506-4] go: multiple issues
Message-ID:

Arch Linux Security Advisory ASA-202506-4
=========================================

Severity: Medium
Date    : 2025-06-07
CVE-ID  : CVE-2025-4673 CVE-2025-22874
Package : go
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2896

Summary
=======

The package go before version 1.24.4-1 is vulnerable to multiple issues
including certificate verification bypass and information disclosure.

Resolution
==========

Upgrade to 1.24.4-1.

# pacman -Syu "go>=1.24.4-1"

The problems have been fixed upstream in version 1.24.4.

Workaround
==========

None.

Description
===========

- CVE-2025-4673 (information disclosure)

net/http: Proxy-Authorization and Proxy-Authenticate headers were not
cleared during cross-origin redirects, potentially leaking sensitive
credentials in proxy-authenticated environments.

- CVE-2025-22874 (certificate verification bypass)

crypto/x509: When VerifyOptions.KeyUsages includes ExtKeyUsageAny,
certificate policy validation is unintentionally disabled. This affects
certificate chains with policy constraints, which are uncommon but
security-relevant when used.

Impact
======

A remote attacker can exploit Go's HTTP client to leak proxy
credentials via cross-origin redirects, or bypass certificate policy
validation when ExtKeyUsageAny is used during TLS verification.

References
==========

https://github.com/golang/go/issues/73816
https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A/m/XDxq7uidAgAJ
https://go.dev/doc/devel/release#go1.24.4
https://github.com/golang/go/issues/73612
https://security.archlinux.org/CVE-2025-4673
https://security.archlinux.org/CVE-2025-22874

From denisse at archlinux.org Fri Jun 13 22:33:10 2025
From: denisse at archlinux.org (Andrea Denisse)
Date: Fri, 13 Jun 2025 14:33:10 -0600
Subject: [manjaro-security] [ASA-202506-5] konsole: arbitrary code execution
Message-ID: <5ecd4b2c1c7818349be9dd1c69492f0efc52028f.camel@archlinux.org>

Arch Linux Security Advisory ASA-202506-5
=========================================

Severity: High
Date    : 2025-06-11
CVE-ID  : CVE-2025-49091
Package : konsole
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2897

Summary
=======

The package konsole before version 25.04.2-1 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 25.04.2-1.

# pacman -Syu "konsole>=25.04.2-1"

The problem has been fixed upstream in version 25.04.2.

Workaround
==========

None.

Description
===========

Konsole supports loading URLs from the scheme handlers such as
telnet://URL. This can be executed regardless of whether the telnet
binary is available. In this mode konsole had a path where if telnet
was not available it would fall back to using bash for the given
arguments provided; which is the URL provided. This allows an attacker
to execute arbitrary code. Browsers typically provide a prompt when a
user opens an external scheme handler which would look suspicious,
requiring user interaction to be exploitable.

Impact
======

A remote attacker can trick a user into opening a specially crafted URL
that exploits Konsole's scheme handler fallback mechanism, leading to
arbitrary code execution.

References
==========

https://kde.org/info/security/advisory-20250609-1.txt
https://proofnet.de/publikationen/konsole_rce.html
https://nvd.nist.gov/vuln/detail/CVE-2025-49091
https://www.openwall.com/lists/oss-security/2025/06/10/5
https://invent.kde.org/utilities/konsole/-/commit/09d20dea109050b4c02fb73095f327b5642a2b75
https://security.archlinux.org/CVE-2025-49091

From denisse at archlinux.org Fri Jun 13 22:33:50 2025
From: denisse at archlinux.org (Andrea Denisse)
Date: Fri, 13 Jun 2025 14:33:50 -0600
Subject: [manjaro-security] [ASA-202506-6] python-django: content spoofing
Message-ID: <02db80245f320ab49db9be0730f5d1022a85f24a.camel@archlinux.org>

Arch Linux Security Advisory ASA-202506-6
=========================================

Severity: Low
Date    : 2025-06-12
CVE-ID  : CVE-2025-48432
Package : python-django
Type    : content spoofing
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2894

Summary
=======

The package python-django before version 5.1.11-1 is vulnerable to
content spoofing.

Resolution
==========

Upgrade to 5.1.11-1.

# pacman -Syu "python-django>=5.1.11-1"

The problem has been fixed upstream in version 5.1.11.

Workaround
==========

None.

Description
===========

Internal HTTP response logging used request.path directly, allowing
control characters (e.g. newlines or ANSI escape sequences) to be
written unescaped into logs. This could enable log injection or
forgery, letting attackers manipulate log appearance or structure,
especially in logs processed by external systems or viewed in
terminals.

Impact
======

A remote attacker can manipulate log entries by sending crafted HTTP
requests with control characters in the path, potentially spoofing or
injecting content into server logs.

References
==========

https://www.djangoproject.com/weblog/2025/jun/04/security-releases/
https://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases/
https://docs.djangoproject.com/en/dev/releases/5.1.10/#cve-2025-48432-potential-log-injection-via-unescaped-request-path
https://docs.djangoproject.com/en/dev/releases/5.1.11/
https://security.archlinux.org/CVE-2025-48432
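
Added example, not part of the advisory and not Django's own code: a standard-library logging filter that escapes control characters in log arguments, the class of defect described for CVE-2025-48432 above. The logger name, the class and function names, and the sample request path are assumptions constructed for illustration.

```python
import logging


def escape_control(value):
    """Make control characters in a str visible; pass other types through."""
    if not isinstance(value, str):
        return value
    # unicode_escape renders "\n" as backslash + "n" and ESC as "\x1b".
    # It also doubles backslashes and escapes non-ASCII characters.
    return value.encode("unicode_escape").decode("ascii")


class EscapeControlCharsFilter(logging.Filter):
    """Escape every string argument of a log record before it is formatted."""

    def filter(self, record):
        if isinstance(record.args, tuple):
            record.args = tuple(escape_control(a) for a in record.args)
        elif isinstance(record.args, dict):
            record.args = {k: escape_control(v) for k, v in record.args.items()}
        return True  # never drop the record, only rewrite its arguments


class ListHandler(logging.Handler):
    """Collect formatted lines in memory so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def demo():
    logger = logging.getLogger("example.request")  # hypothetical logger name
    logger.setLevel(logging.WARNING)
    logger.propagate = False
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(EscapeControlCharsFilter())
    logger.addHandler(handler)
    # Constructed request path: a newline followed by text shaped like a
    # second log entry, then an ANSI escape sequence.
    path = "/missing\nINFO forged entry \x1b[2J"
    logger.warning("Not Found: %s", path)
    logger.removeHandler(handler)
    return handler.lines
```

With the filter attached, the constructed path is written as a single log line with the newline and escape byte shown as literal `\n` and `\x1b`. The filter rewrites the record in place, so any other handler that receives the same record afterwards sees the escaped arguments too.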