Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Read More

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Read More

It was discovered that Git incorrectly handled certain URLs when
asking for credentials. An attacker could possibly use this
issue to mislead the user into typing passwords for trusted
sites that would then be sent to untrusted sites instead.
(CVE-2024-50349)

It was discovered that git incorrectly handled line endings when
using credential helpers. (CVE-2024-52006)

Read More

Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not
properly handle certain error conditions, leading to a NULL pointer
dereference. A local attacker could possibly trigger this vulnerability to
cause a denial of service. (CVE-2022-38096)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– ARM32 architecture;
– ARM64 architecture;
– S390 architecture;
– x86 architecture;
– Power management core;
– GPU drivers;
– InfiniBand drivers;
– Network drivers;
– S/390 drivers;
– SCSI subsystem;
– TTY drivers;
– BTRFS file system;
– Ext4 file system;
– EROFS file system;
– F2FS file system;
– File systems infrastructure;
– BPF subsystem;
– Socket messages infrastructure;
– Bluetooth subsystem;
– Memory management;
– Amateur Radio drivers;
– Ethernet bridge;
– Networking core;
– IPv4 networking;
– Network traffic control;
– Sun RPC protocol;
– VMware vSockets driver;
– SELinux security module;
(CVE-2024-42240, CVE-2024-36938, CVE-2024-35967, CVE-2024-36953,
CVE-2022-48938, CVE-2024-38553, CVE-2024-35904, CVE-2024-35965,
CVE-2024-26947, CVE-2024-36968, CVE-2024-43892, CVE-2024-38597,
CVE-2023-52498, CVE-2021-47501, CVE-2024-44942, CVE-2024-42077,
CVE-2024-53057, CVE-2024-46724, CVE-2024-35963, CVE-2022-48943,
CVE-2024-42068, CVE-2024-42156, CVE-2022-48733, CVE-2023-52639,
CVE-2021-47101, CVE-2023-52821, CVE-2024-44940, CVE-2024-36952,
CVE-2021-47001, CVE-2024-38538, CVE-2024-40910, CVE-2021-47076,
CVE-2024-35966, CVE-2024-50264, CVE-2024-35951, CVE-2023-52488,
CVE-2023-52497, CVE-2024-49967)

Read More

It was discovered that Django incorrectly handled certain IPv6
strings. An attacker could possibly use this issue to cause a
denial of service.

Read More

FEDORA-2025-82714dbb22

Packages in this update:

SDL2_sound-2.0.4-1.fc41

Update description:

Latest stable release from upstream. Changelog: https://github.com/icculus/SDL_sound/releases/tag/v2.0.4 . NOTE: dr_libs are unbundled.

Fixes:
CVE-2023-45676: Multi-byte write heap buffer overflow in start_decoder()
CVE-2023-45677: Heap buffer out of bounds write in start_decoder()
CVE-2023-45679: Attempt to free an uninitialized memory pointer in vorbis_deinit()
CVE-2023-45680: Null pointer dereference in vorbis_deinit()
CVE-2023-45679: Attempt to free an uninitialized memory pointer in vorbis_deinit()
CVE-2023-45680: Null pointer dereference in vorbis_deinit()
CVE-2023-45682: Wild address read in vorbis_decode_packet_rest()

Read More

FEDORA-2025-5ef10f8485

Packages in this update:

SDL2_sound-2.0.4-1.fc40

Update description:

Latest stable release from upstream. Changelog: https://github.com/icculus/SDL_sound/releases/tag/v2.0.4 . NOTE: dr_libs are unbundled.

Fixes:
CVE-2023-45676: Multi-byte write heap buffer overflow in start_decoder()
CVE-2023-45677: Heap buffer out of bounds write in start_decoder()
CVE-2023-45679: Attempt to free an uninitialized memory pointer in vorbis_deinit()
CVE-2023-45680: Null pointer dereference in vorbis_deinit()
CVE-2023-45679: Attempt to free an uninitialized memory pointer in vorbis_deinit()
CVE-2023-45680: Null pointer dereference in vorbis_deinit()
CVE-2023-45682: Wild address read in vorbis_decode_packet_rest()

Read More

Wei Hao discovered that PowerDNS Authoritative Server incorrectly handled
memory when accessing certain files. An attacker could possibly use this
issue to achieve arbitrary code execution. (CVE-2018-1046)

It was discovered that PowerDNS Authoritative Server and PowerDNS Recursor
incorrectly handled memory when receiving certain remote input. An attacker
could possibly use this issue to cause denial of service. (CVE-2018-10851)

Kees Monshouwer discovered that PowerDNS Authoritative Server and PowerDNS
Recursor incorrectly handled request validation after having cached
malformed input. An attacker could possibly use this issue to cause denial
of service. (CVE-2018-14626)

Toshifumi Sakaguchi discovered that PowerDNS Recursor incorrectly handled
requests after having cached malformed input. An attacker could possibly
use this issue to cause denial of service. (CVE-2018-14644)

Nathaniel Ferguson discovered that PowerDNS Authoritative Server
incorrectly handled memory when receiving certain remote input. An attacker
could possibly use this issue to obtain sensitive information.
(CVE-2020-17482)

Nicolas Dehaine and Dmitry Shabanov discovered that PowerDNS Authoritative
Server and PowerDNS Recursor incorrectly handled IXFR requests in certain
circumstances. An attacker could possibly use this issue to cause denial of
service. (CVE-2022-27227)

Read More

A CVSS score 6.8 AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by ‘Dmitry “InfoSecDJ” Janushkevich of Trend Micro Zero Day Initiative’ was reported to the affected vendor on: 2025-01-14, 0 days ago. The vendor is given until 2025-05-14 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

Read More

Several vulnerabilities were discovered in rsync, a fast, versatile,
remote (and local) file-copying tool.

CVE-2024-12084

Simon Scannell, Pedro Gallegos and Jasiel Spelman discovered a
heap-based buffer overflow vulnerability due to improper handling of
attacker-controlled checksum lengths. A remote attacker can take
advantage of this flaw for code execution.

CVE-2024-12085

Simon Scannell, Pedro Gallegos and Jasiel Spelman reported a flaw in
the way rsync compares file checksums, allowing a remote attacker to
trigger an information leak.

CVE-2024-12086

Simon Scannell, Pedro Gallegos and Jasiel Spelman discovered a flaw
which would result in a server leaking contents of an arbitrary file
from the client’s machine.

CVE-2024-12087

Simon Scannell, Pedro Gallegos and Jasiel Spelman reported a path
traversal vulnerability in the rsync daemon affecting the
–inc-recursive option, which could allow a server to write files
outside of the client’s intended destination directory.

CVE-2024-12088

Simon Scannell, Pedro Gallegos and Jasiel Spelman reported that when
using the –safe-links option, rsync fails to properly verify if a
symbolic link destination contains another symbolic link with it,
resulting in path traversal and arbitrary file write outside of the
desired directory.

CVE-2024-12747

Aleksei Gorban “loqpa” discovered a race condition when handling
symbolic links resulting in an information leak which may enable
escalation of privileges.

https://security-tracker.debian.org/tracker/DSA-5843-1

Read More