Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
Drupal core – Moderately critical – Cross Site Scripting – SA-CORE-2025-004
Drupal core Link field attributes are not sufficiently sanitized, which can lead to a Cross Site Scripting vulnerability (XSS).
This vulnerability is mitigated by the fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.
Sites with the Link module disabled or that do not use any link fields are not affected.
Install the latest version:
If you use Drupal 10.3.x, update to Drupal 10.3.14
If you use Drupal 10.4.x, update to Drupal 10.4.5
If you use Drupal 11.0.x, update to Drupal 11.0.13
If you use Drupal 11.1.x, update to Drupal 11.1.5
All versions of Drupal prior to 10.3 are end-of-life and do not receive security coverage from the Drupal Security Team.
Bram Driesen (bramdriesen) Provisional Member of the Drupal Security Team
Alex Bronstein (effulgentsia)
Jen Lampton (jenlampton) Provisional Member of the Drupal Security Team
Lee Rowlands (larowlan) of the Drupal Security Team
Dave Long (longwave) of the Drupal Security Team
Drew Webber (mcdruid) of the Drupal Security Team
Joseph Zhao (pandaski) Provisional Member of the Drupal Security Team
Adam G-H (phenaproxima)
Samuel Mortenson (samuel.mortenson)
Jess (xjm) of the Drupal Security Team
moby-engine-28.0.2-1.fc43
FEDORA-2025-728b8010fa
Packages in this update:
moby-engine-28.0.2-1.fc43
Update description:
Automatic update for moby-engine-28.0.2-1.fc43.
Changelog
* Wed Mar 19 2025 Bradley G Smith <bradley.g.smith@gmail.com> - 28.0.2-1
- Update to release v28.0.2
- Resolves: rhbz#2353390, rhbz#2353100
- Upstream fixes and feature updates
webkitgtk-2.48.0-1.fc42
FEDORA-2025-80e387cc51
Packages in this update:
webkitgtk-2.48.0-1.fc42
Update description:
Update to 2.48.0
Notably fixes CVE-2025-24201
webkitgtk-2.48.0-1.fc41
FEDORA-2025-b92313b6f2
Packages in this update:
webkitgtk-2.48.0-1.fc41
Update description:
Upgrade to 2.48.0:
Move tile rendering to worker threads when rendering with the GPU.
Fix preserve-3D intersection rendering.
Added new function for creating Promise objects to the JavaScriptCore GLib API.
The MediaRecorder backend gained WebM support (requires at least GStreamer 1.24.9) and audio bitrate configuration support.
Fix invalid DPI-aware font size conversion.
Bring back support for OpenType-SVG fonts using Skia SVG module.
Add metadata (title and creation/modification date) to the PDF document generated for printing.
Propagate the font’s computed locale to HarfBuzz.
The GPU process build is now enabled for WebGL, but the web process is still used by default. The runtime flag UseGPUProcessForWebGL can be used to use the GPU process for WebGL.
Fix CVE-2025-24201, CVE-2024-44192, CVE-2024-54467
webkitgtk-2.48.0-1.fc40
FEDORA-2025-0c6c204dae
Packages in this update:
webkitgtk-2.48.0-1.fc40
Update description:
Upgrade to 2.48.0:
Move tile rendering to worker threads when rendering with the GPU.
Fix preserve-3D intersection rendering.
Added new function for creating Promise objects to the JavaScriptCore GLib API.
The MediaRecorder backend gained WebM support (requires at least GStreamer 1.24.9) and audio bitrate configuration support.
Fix invalid DPI-aware font size conversion.
Bring back support for OpenType-SVG fonts using Skia SVG module.
Add metadata (title and creation/modification date) to the PDF document generated for printing.
Propagate the font’s computed locale to HarfBuzz.
The GPU process build is now enabled for WebGL, but the web process is still used by default. The runtime flag UseGPUProcessForWebGL can be used to use the GPU process for WebGL.
Fix CVE-2025-24201, CVE-2024-44192, CVE-2024-54467
USN-7359-1: Valkey vulnerabilities
It was discovered that Valkey did not properly handle memory
cleanup. An attacker could possibly use this issue to execute
arbitrary code. (CVE-2024-46981)
It was discovered that Valkey did not properly handle resource
access permissions. An authenticated attacker could possibly
use this issue to cause a denial of service. (CVE-2024-51741)
golang-github-edoardottt-lit-bb-hack-tools-1.3.5-4.fc43
FEDORA-2025-af00197966
Packages in this update:
golang-github-edoardottt-lit-bb-hack-tools-1.3.5-4.fc43
Update description:
Automatic update for golang-github-edoardottt-lit-bb-hack-tools-1.3.5-4.fc43.
Changelog
* Wed Mar 19 2025 Tim Semeijn <tim@semeijn.net> - 1.3.5-4
- Rebuilt to fix HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
(fixes rhbz#2352192 & rhbz#2351970)
USN-7358-1: PostgreSQL vulnerabilities
Wolfgang Walther discovered that PostgreSQL incorrectly tracked tables with
row security. A remote attacker could possibly use this issue to perform
forbidden reads and modifications. (CVE-2024-10976)
Jacob Champion discovered that PostgreSQL clients used untrusted server
error messages. An attacker that is able to intercept network
communications could possibly use this issue to inject error messages that
could be interpreted as valid query results. (CVE-2024-10977)
Tom Lane discovered that PostgreSQL incorrectly handled certain privilege
assignments. A remote attacker could possibly use this issue to view or
change different rows from those intended. (CVE-2024-10978)
Coby Abrams discovered that PostgreSQL incorrectly handled environment
variables. A remote attacker could possibly use this issue to execute
arbitrary code. (CVE-2024-10979)
USN-7357-1: Libxslt vulnerability
Ivan Fratric discovered that Libxslt incorrectly handled certain memory
operations when handling documents. A remote attacker could use this issue
to cause Libxslt to crash, resulting in a denial of service, or possibly
execute arbitrary code.