Arch Linux 874

Arch Linux has received security updates, including python-django, konsole, go, samba, curl, roundcubemail, and ghostscript, which address content spoofing, arbitrary code execution, access restriction bypass, denial of service, and information disclosure.

[ASA-202506-6] python-django: content spoofing
[ASA-202506-5] konsole: arbitrary code execution
[ASA-202506-4] go: multiple issues
[ASA-202506-3] samba: access restriction bypass
[ASA-202506-2] curl: denial of service
[ASA-202506-1] roundcubemail: arbitrary code execution
[ASA-202505-15] ghostscript: information disclosure




[ASA-202506-6] python-django: content spoofing


Arch Linux Security Advisory ASA-202506-6
=========================================

Severity: Low
Date : 2025-06-12
CVE-ID : CVE-2025-48432
Package : python-django
Type : content spoofing
Remote : Yes
Link : https://security.archlinux.org/AVG-2894

Summary
=======

The package python-django before version 5.1.11-1 is vulnerable to
content spoofing.

Resolution
==========

Upgrade to 5.1.11-1.

# pacman -Syu "python-django>=5.1.11-1"

The problem has been fixed upstream in version 5.1.11.

Workaround
==========

None.

Description
===========

Internal HTTP response logging used request.path directly, allowing
control characters (e.g. newlines or ANSI escape sequences) to be
written unescaped into logs. This could enable log injection or
forgery, letting attackers manipulate log appearance or structure,
especially in logs processed by external systems or viewed in
terminals.

Impact
======

A remote attacker can manipulate log entries by sending crafted HTTP
requests with control characters in the path, potentially spoofing or
injecting content into server logs.
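The following Python snippet is an added illustration of the bug class described in this advisory; it is not code from the advisory, from Arch, or from Django's own fix. It assumes a simplified access-log line format ("METHOD PATH" STATUS) and hypothetical helper names (sanitize_path_for_log, format_response_line, find_control_chars). It shows how a constructed request path carrying a newline and an ANSI sequence forges a second log entry when written unescaped, how rendering control characters as visible escapes keeps the entry on one line, and how a log scan can flag raw control bytes left behind by an unpatched server.

```python
import re

# C0 control characters (0x00-0x1f) plus DEL (0x7f). The ESC byte (0x1b)
# that starts ANSI colour/cursor sequences falls inside this range.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

# Constructed sample: a request path with an embedded newline and ANSI
# colour codes, of the kind the advisory describes (not a real capture).
CRAFTED_PATH = '/search\n"GET /admin/ " 200 \x1b[32mOK\x1b[0m'


def sanitize_path_for_log(path: str) -> str:
    """Render every control character in `path` as a visible escape
    ('\\n', '\\x1b', ...) so it can neither split a log line nor be
    interpreted by a terminal that displays the log."""
    return _CONTROL.sub(lambda m: repr(m.group())[1:-1], path)


def format_response_line(method: str, path: str, status: int,
                         *, escape: bool = True) -> str:
    """Build a (simplified, assumed) response log line.

    escape=False reproduces the vulnerable behaviour of logging the raw
    request path; escape=True is the hardened form."""
    shown = sanitize_path_for_log(path) if escape else path
    return f'"{method} {shown}" {status}'


def find_control_chars(log_text: str):
    """Scan log text and return (line_number, offset, char) for each raw
    control character. A log written by a server that escapes request
    paths yields an empty list."""
    hits = []
    for lineno, line in enumerate(log_text.split("\n"), start=1):
        for m in _CONTROL.finditer(line):
            hits.append((lineno, m.start(), m.group()))
    return hits


if __name__ == "__main__":
    raw = format_response_line("GET", CRAFTED_PATH, 404, escape=False)
    safe = format_response_line("GET", CRAFTED_PATH, 404)
    # Unescaped: the single request produces two apparent log entries and
    # leaves ESC bytes for a terminal to interpret.
    print("unescaped lines:", len(raw.splitlines()))
    print("control chars found:", find_control_chars(raw))
    # Escaped: one line, nothing for a terminal or log parser to misread.
    print("escaped:", safe)
    print("control chars found:", find_control_chars(safe))
```

The scan in find_control_chars catches leftover ESC bytes but cannot recover a log line that was already split by an injected newline: once the forged entry is on its own line it is indistinguishable from a genuine one. That is why escaping at write time, rather than filtering at read time, is the fix.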

References
==========

https://www.djangoproject.com/weblog/2025/jun/04/security-releases/
https://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases/
https://docs.djangoproject.com/en/dev/releases/5.1.10/#cve-2025-48432-potential-log-injection-via-unescaped-request-path
https://docs.djangoproject.com/en/dev/releases/5.1.11/
https://security.archlinux.org/CVE-2025-48432



[ASA-202506-5] konsole: arbitrary code execution


Arch Linux Security Advisory ASA-202506-5
=========================================

Severity: High
Date : 2025-06-11
CVE-ID : CVE-2025-49091
Package : konsole
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-2897

Summary
=======

The package konsole before version 25.04.2-1 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 25.04.2-1.

# pacman -Syu "konsole>=25.04.2-1"

The problem has been fixed upstream in version 25.04.2.

Workaround
==========

None.

Description
===========

Konsole supports loading URLs from the scheme handlers such as
telnet://URL. This can be executed regardless of whether the telnet
binary is available.

In this mode, if telnet was not available, konsole would fall back to
running bash with the given arguments, i.e. the URL provided. This
allows an attacker to execute arbitrary code.

Browsers typically prompt before opening an external scheme handler,
which would look suspicious, so user interaction is required for this
to be exploitable.

Impact
======

A remote attacker can trick a user into opening a specially crafted URL
that exploits Konsole’s scheme handler fallback mechanism, leading to
arbitrary code execution.

References
==========

https://kde.org/info/security/advisory-20250609-1.txt
https://proofnet.de/publikationen/konsole_rce.html
https://nvd.nist.gov/vuln/detail/CVE-2025-49091
https://www.openwall.com/lists/oss-security/2025/06/10/5
https://invent.kde.org/utilities/konsole/-/commit/09d20dea109050b4c02fb73095f327b5642a2b75
https://security.archlinux.org/CVE-2025-49091



[ASA-202506-4] go: multiple issues


Arch Linux Security Advisory ASA-202506-4
=========================================

Severity: Medium
Date : 2025-06-07
CVE-ID : CVE-2025-4673 CVE-2025-22874
Package : go
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-2896

Summary
=======

The package go before version 1.24.4-1 is vulnerable to multiple issues
including certificate verification bypass and information disclosure.

Resolution
==========

Upgrade to 1.24.4-1.

# pacman -Syu "go>=1.24.4-1"

The problems have been fixed upstream in version 1.24.4.

Workaround
==========

None.

Description
===========

- CVE-2025-4673 (information disclosure)

net/http: Proxy-Authorization and Proxy-Authenticate headers were not
cleared during cross-origin redirects, potentially leaking sensitive
credentials in proxy-authenticated environments.

- CVE-2025-22874 (certificate verification bypass)

crypto/x509: When VerifyOptions.KeyUsages includes ExtKeyUsageAny,
certificate policy validation is unintentionally disabled. This affects
certificate chains with policy constraints, which are uncommon but
security-relevant when used.

Impact
======

A remote attacker can exploit Go's HTTP client to leak proxy
credentials via cross-origin redirects, or bypass certificate policy
validation when ExtKeyUsageAny is used during TLS verification.

References
==========

https://github.com/golang/go/issues/73816
https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A/m/XDxq7uidAgAJ
https://go.dev/doc/devel/release#go1.24.4
https://github.com/golang/go/issues/73612
https://security.archlinux.org/CVE-2025-4673
https://security.archlinux.org/CVE-2025-22874



[ASA-202506-3] samba: access restriction bypass


Arch Linux Security Advisory ASA-202506-3
=========================================

Severity: Low
Date : 2025-06-06
CVE-ID : CVE-2025-0620
Package : samba
Type : access restriction bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-2892

Summary
=======

The package samba before version 4.22.2-1 is vulnerable to access
restriction bypass.

Resolution
==========

Upgrade to 4.22.2-1.

# pacman -Syu "samba>=4.22.2-1"

The problem has been fixed upstream in version 4.22.2.

Workaround
==========

None.

Description
===========

When using Kerberos authentication with SMB, smbd doesn't pick up group
membership changes when re-authenticating an expired SMB session.

Impact
======

A remote authenticated attacker may retain unintended access to file
shares in Samba.

References
==========

https://www.samba.org/samba/security/CVE-2025-0620.html
https://bugzilla.samba.org/show_bug.cgi?id=15707
https://nvd.nist.gov/vuln/detail/CVE-2025-0620
https://security.archlinux.org/CVE-2025-0620



[ASA-202506-2] curl: denial of service


Arch Linux Security Advisory ASA-202506-2
=========================================

Severity: Low
Date : 2025-06-05
CVE-ID : CVE-2025-5399
Package : curl
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-2895

Summary
=======

The package curl before version 8.14.1-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 8.14.1-1.

# pacman -Syu "curl>=8.14.1-1"

The problem has been fixed upstream in version 8.14.1.

Workaround
==========

None.

Description
===========

Due to a mistake in libcurl's WebSocket code, a malicious server can
send a particularly crafted packet which makes libcurl get trapped in
an endless busy-loop.

There is no way for the application to escape or exit this loop other
than killing the thread/process. This might be used to DoS a
libcurl-using application.

Impact
======

A remote attacker can send a specially crafted WebSocket frame that
triggers an infinite busy-loop in libcurl, causing the application to
hang indefinitely, potentially leading to a denial of service.

References
==========

https://curl.se/docs/CVE-2025-5399.html
https://github.com/curl/curl/commit/d1145df24de8f80e6b16
https://security.archlinux.org/CVE-2025-5399



[ASA-202506-1] roundcubemail: arbitrary code execution


Arch Linux Security Advisory ASA-202506-1
=========================================

Severity: Critical
Date : 2025-06-04
CVE-ID : CVE-2025-49113
Package : roundcubemail
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-2891

Summary
=======

The package roundcubemail before version 1.6.11-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 1.6.11-1.

# pacman -Syu "roundcubemail>=1.6.11-1"

The problem has been fixed upstream in version 1.6.11.

Workaround
==========

None.

Description
===========

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote
code execution by authenticated users because the _from parameter in a
URL is not validated in program/actions/settings/upload.php, leading to
PHP Object Deserialization.

Impact
======

A remote attacker with access to an authenticated Roundcube session can
exploit a vulnerability leading to arbitrary code execution.

References
==========

https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
https://www.cve.org/CVERecord?id=CVE-2025-49113
https://www.openwall.com/lists/oss-security/2025/06/02/3
https://github.com/roundcube/roundcubemail/pull/9865
https://security.archlinux.org/CVE-2025-49113



[ASA-202505-15] ghostscript: information disclosure


Arch Linux Security Advisory ASA-202505-15
==========================================

Severity: Low
Date : 2025-05-24
CVE-ID : CVE-2025-48708
Package : ghostscript
Type : information disclosure
Remote : No
Link : https://security.archlinux.org/AVG-2883

Summary
=======

The package ghostscript before version 10.05.1-2 is vulnerable to
information disclosure.

Resolution
==========

Upgrade to 10.05.1-2.

# pacman -Syu "ghostscript>=10.05.1-2"

The problem has been fixed upstream in version 10.05.1.

Workaround
==========

None.

Description
===========

gs_lib_ctx_stash_sanitized_arg in base/gslibctx.c in Artifex
Ghostscript before 10.05.1 lacks argument sanitization for the # case.
A created PDF document includes its password in cleartext.

Impact
======

A local attacker can access the password used to protect a PDF in
cleartext.

References
==========

https://bugs.ghostscript.com/show_bug.cgi?id=708446
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?h=gs10.05.1&id=5b5968c306b3e35cdeec83bb15026fd74a7334de
https://security.archlinux.org/CVE-2025-48708