HYCU 5.1.1-21 security updates

Latest R-Cloud Hybrid Cloud edition download

HYCU version 5.1.1

This release contains fixes for the following vulnerabilities:

• RHSA-2025:10027:
  • CVE-2025-6020: linux-pam: Linux-pam directory Traversal
• RHSA-2025:10110:
  • CVE-2025-32462: sudo: LPE via host option
• RHSA-2025:10128:
  • CVE-2024-12718: cpython: python: Bypass extraction filter to modify file metadata outside extraction directory
  • CVE-2025-4138: cpython: python: Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory
  • CVE-2025-4330: cpython: python: Extraction filter bypass for linking outside extraction directory
  • CVE-2025-4435: cpython: Tarfile extracts filtered members when errorlevel=0
  • CVE-2025-4517: python: cpython: Arbitrary writes via tarfile realpath overflow
• RHSA-2025:10618:
  • CVE-2024-23337: jq: jq has signed integer overflow in jv.c:jvp_array_write
  • CVE-2025-48060: jq: AddressSanitizer: stack-buffer-overflow in jq_fuzz_execute (jv_string_vfmt)
• RHSA-2025:4461:
  • CVE-2025-31498: c-ares: c-ares has a use-after-free in read_answers()
• RHSA-2025:4560:
  • CVE-2025-32050: libsoup: Integer overflow in append_param_quoted
  • CVE-2025-32052: libsoup: Heap buffer overflow in sniff_unknown()
  • CVE-2025-32053: libsoup: Heap buffer overflows in sniff_feed_or_html() and skip_insignificant_space()
  • CVE-2025-32906: libsoup: Out of bounds reads in soup_headers_parse_request()
  • CVE-2025-32911: libsoup: Double free on soup_message_headers_get_content_disposition() through “soup-message-headers.c” via “params” GHashTable value
  • CVE-2025-32913: libsoup: NULL pointer dereference in soup_message_headers_get_content_disposition when “filename” parameter is present, but has no value in Content-Disposition header
  • CVE-2025-46420: libsoup: Memory leak on soup_header_parse_quality_list() via soup-headers.c
  • CVE-2025-46421: libsoup: Information disclosure may leads libsoup client sends Authorization header to a different host when being redirected by a server
• RHSA-2025:4658:
  • CVE-2017-17095: libtiff: Heap-based buffer overflow in tools/pal2rgb.c can lead to denial of service
• RHSA-2025:7540:
  • CVE-2020-13790: libjpeg-turbo: heap-based buffer over-read in get_rgb_row() in rdppm.c
• RHSA-2025:8132:
  • CVE-2025-2784: libsoup: Heap buffer over-read in skip_insignificant_space when sniffing content
  • CVE-2025-4948: libsoup: Integer Underflow in soup_multipart_new_from_message() Leading to Denial of Service in libsoup
  • CVE-2025-32049: libsoup: Denial of Service attack to websocket server
  • CVE-2025-32914: libsoup: OOB Read on libsoup through function “soup_multipart_new_from_message” in soup-multipart.c leads to crash or exit of process
• RHSA-2025:8395:
  • CVE-2016-9840: zlib: Out-of-bound pointer arithmetic in inftrees.c
• RHSA-2025:8411:
  • CVE-2025-3576: krb5: Kerberos RC4-HMAC-MD5 Checksum Vulnerability Enabling Message Spoofing via MD5 Collisions
• RHSA-2025:8514:
  • CVE-2025-23165: nodejs: Memory Leak in Node.js ReadFileUtf8 Binding Leading to DoS
  • CVE-2025-23166: nodejs: Remote Crash via SignTraits::DeriveBits() in Node.js
  • CVE-2025-23167: nodejs: Improper HTTP Header Termination in Node.js 20 Enables Request Smuggling
• RHSA-2025:8676:
  • CVE-2023-40403: libxslt: Processing web content may disclose sensitive information
• RHSA-2025:8686:
  • CVE-2025-4802: glibc: static setuid binary dlopen may incorrectly search LD_LIBRARY_PATH
• RHSA-2025:8844:
  • CVE-2025-47947: modsecurity: ModSecurity Has Possible DoS Vulnerability
• RHSA-2025:8958:
  • CVE-2025-32414: libxml2: Out-of-Bounds Read in libxml2