Category Archives: Advisories

Drupal core – Moderately critical – Cross Site Scripting – SA-CORE-2025-004

Project: Drupal core
Date: 2025-March-19
Vulnerability: Cross Site Scripting
Affected versions: >= 8.0.0 < 10.3.14 || >= 10.4.0 < 10.4.5 || >= 11.0.0 < 11.0.13 || >= 11.1.0 < 11.1.5
Description:

Drupal core Link field attributes are not sufficiently sanitized, which can lead to a Cross Site Scripting vulnerability (XSS).

This vulnerability is mitigated by the fact that an attacker would need the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.

Sites with the Link module disabled or that do not use any link fields are not affected.

Solution: 

Install the latest version:

If you use Drupal 10.3.x, update to Drupal 10.3.14
If you use Drupal 10.4.x, update to Drupal 10.4.5
If you use Drupal 11.0.x, update to Drupal 11.0.13
If you use Drupal 11.1.x, update to Drupal 11.1.5

All versions of Drupal prior to 10.3 are end-of-life and do not receive security coverage from the Drupal Security Team.

Fixed By: 
Benji Fisher (benjifisher) of the Drupal Security Team
Bram Driesen (bramdriesen) Provisional Member of the Drupal Security Team
Alex Bronstein (effulgentsia)
Jen Lampton (jenlampton) Provisional Member of the Drupal Security Team
Lee Rowlands (larowlan) of the Drupal Security Team
Dave Long (longwave) of the Drupal Security Team
Drew Webber (mcdruid) of the Drupal Security Team
Joseph Zhao (pandaski) Provisional Member of the Drupal Security Team
Adam G-H (phenaproxima)
Samuel Mortenson (samuel.mortenson)
Jess (xjm) of the Drupal Security Team

moby-engine-28.0.2-1.fc43

FEDORA-2025-728b8010fa

Packages in this update:

moby-engine-28.0.2-1.fc43

Update description:

Automatic update for moby-engine-28.0.2-1.fc43.

Changelog

* Wed Mar 19 2025 Bradley G Smith <bradley.g.smith@gmail.com> - 28.0.2-1
- Update to release v28.0.2
- Resolves: rhbz#2353390, rhbz#2353100
- Upstream fixes and feature updates

webkitgtk-2.48.0-1.fc41

FEDORA-2025-b92313b6f2

Packages in this update:

webkitgtk-2.48.0-1.fc41

Update description:

Upgrade to 2.48.0:

Move tile rendering to worker threads when rendering with the GPU.
Fix preserve-3D intersection rendering.
Added new function for creating Promise objects to the JavaScriptCore GLib API.
The MediaRecorder backend gained WebM support (requires at least GStreamer 1.24.9) and audio bitrate configuration support.
Fix invalid DPI-aware font size conversion.
Bring back support for OpenType-SVG fonts using Skia SVG module.
Add metadata (title and creation/modification date) to the PDF document generated for printing.
Propagate the font’s computed locale to HarfBuzz.
The GPU process build is now enabled for WebGL, but the web process is still used by default. The runtime flag UseGPUProcessForWebGL can be used to use the GPU process for WebGL.
Fix CVE-2025-24201, CVE-2024-44192, CVE-2024-54467

webkitgtk-2.48.0-1.fc40

FEDORA-2025-0c6c204dae

Packages in this update:

webkitgtk-2.48.0-1.fc40

Update description:

Upgrade to 2.48.0:

Move tile rendering to worker threads when rendering with the GPU.
Fix preserve-3D intersection rendering.
Added new function for creating Promise objects to the JavaScriptCore GLib API.
The MediaRecorder backend gained WebM support (requires at least GStreamer 1.24.9) and audio bitrate configuration support.
Fix invalid DPI-aware font size conversion.
Bring back support for OpenType-SVG fonts using Skia SVG module.
Add metadata (title and creation/modification date) to the PDF document generated for printing.
Propagate the font’s computed locale to HarfBuzz.
The GPU process build is now enabled for WebGL, but the web process is still used by default. The runtime flag UseGPUProcessForWebGL can be used to use the GPU process for WebGL.
Fix CVE-2025-24201, CVE-2024-44192, CVE-2024-54467

USN-7359-1: Valkey vulnerabilities

It was discovered that Valkey did not properly handle memory
cleanup. An attacker could possibly use this issue to execute
arbitrary code. (CVE-2024-46981)

It was discovered that Valkey did not properly handle resource
access permissions. An authenticated attacker could possibly
use this issue to cause a denial of service. (CVE-2024-51741)

USN-7358-1: PostgreSQL vulnerabilities

Wolfgang Walther discovered that PostgreSQL incorrectly tracked tables with
row security. A remote attacker could possibly use this issue to perform
forbidden reads and modifications. (CVE-2024-10976)

Jacob Champion discovered that PostgreSQL clients used untrusted server
error messages. An attacker that is able to intercept network
communications could possibly use this issue to inject error messages that
could be interpreted as valid query results. (CVE-2024-10977)

Tom Lane discovered that PostgreSQL incorrectly handled certain privilege
assignments. A remote attacker could possibly use this issue to view or
change different rows from those intended. (CVE-2024-10978)

Coby Abrams discovered that PostgreSQL incorrectly handled environment
variables. A remote attacker could possibly use this issue to execute
arbitrary code. (CVE-2024-10979)

USN-7357-1: Libxslt vulnerability

Ivan Fratric discovered that Libxslt incorrectly handled certain memory
operations when handling documents. A remote attacker could use this issue
to cause Libxslt to crash, resulting in a denial of service, or possibly
execute arbitrary code.