Posts by Micha

    Package : thunderbird
    CVE ID : CVE-2025-14327 CVE-2026-0877 CVE-2026-0878 CVE-2026-0879 CVE-2026-0880 CVE-2026-0882 CVE-2026-0883 CVE-2026-0884 CVE-2026-0885 CVE-2026-0886 CVE-2026-0887 CVE-2026-0890 CVE-2026-0891

    Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code.

    For the oldstable distribution (bookworm), these problems have been fixed in version 1:140.7.0esr-1~deb12u1.

    For the stable distribution (trixie), these problems have been fixed in version 1:140.7.0esr-1~deb13u1.

    We recommend that you upgrade your thunderbird packages.

    For the detailed security status of thunderbird please refer to its security tracker page at:
    Information on source package thunderbird

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : python-urllib3
    CVE ID : CVE-2025-50181 CVE-2025-66418 CVE-2026-21441
    Debian Bug : 1108076 1122030 1125062

    Several vulnerabilities were discovered in python-urllib3, an HTTP library with thread-safe connection pooling for Python3, which could result in denial of service or request forgery.

    For the oldstable distribution (bookworm), these problems have been fixed in version 1.26.12-1+deb12u2.

    For the stable distribution (trixie), these problems have been fixed in version 2.3.0-3+deb13u1.

    We recommend that you upgrade your python-urllib3 packages.

    For the detailed security status of python-urllib3 please refer to its security tracker page at:
    Information on source package python-urllib3

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : firefox-esr
    CVE ID : CVE-2025-14327 CVE-2026-0877 CVE-2026-0878 CVE-2026-0879 CVE-2026-0880 CVE-2026-0882 CVE-2026-0883 CVE-2026-0884 CVE-2026-0885 CVE-2026-0886 CVE-2026-0887 CVE-2026-0890 CVE-2026-0891

    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape, information disclosure or spoofing.

    For the oldstable distribution (bookworm), these problems have been fixed in version 140.7.0esr-1~deb12u1.

    For the stable distribution (trixie), these problems have been fixed in version 140.7.0esr-1~deb13u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to its security tracker page at:
    Information on source package firefox-esr

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : chromium
    CVE ID : CVE-2026-0899 CVE-2026-0900 CVE-2026-0901 CVE-2026-0902 CVE-2026-0903 CVE-2026-0904 CVE-2026-0905 CVE-2026-0906 CVE-2026-0907 CVE-2026-0908

    Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

    For the oldstable distribution (bookworm), these problems have been fixed in version 144.0.7559.59-1~deb12u1.

    For the stable distribution (trixie), these problems have been fixed in version 144.0.7559.59-1~deb13u1.

    We recommend that you upgrade your chromium packages.

    For the detailed security status of chromium please refer to its security tracker page at:
    Information on source package chromium

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : python-parsl
    CVE ID : CVE-2026-21892

    Viral Vaghela discovered an SQL injection vulnerability in Parsl, a parallel scripting library for Python.

    For the stable distribution (trixie), this problem has been fixed in version 2025.01.13+ds-1+deb13u1.

    We recommend that you upgrade your python-parsl packages.

    For the detailed security status of python-parsl please refer to its security tracker page at:
    Information on source package python-parsl

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : net-snmp
    CVE ID : CVE-2025-68615
    Debian Bug : 1123861

    A vulnerability was discovered in the snmptrapd daemon in net-snmp, a suite of Simple Network Management Protocol applications, which could result in denial of service or the execution of arbitrary code.

    For the oldstable distribution (bookworm), this problem has been fixed in version 5.9.3+dfsg-2+deb12u1.

    For the stable distribution (trixie), this problem has been fixed in version 5.9.4+dfsg-2+deb13u1.

    We recommend that you upgrade your net-snmp packages.

    For the detailed security status of net-snmp please refer to its security tracker page at:
    Information on source package net-snmp

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : chromium
    CVE ID : CVE-2026-0628

    A security issue was discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

    For the oldstable distribution (bookworm), this problem has been fixed in version 143.0.7499.192-1~deb12u1.

    For the stable distribution (trixie), this problem has been fixed in version 143.0.7499.192-1~deb13u1.

    We recommend that you upgrade your chromium packages.

    For the detailed security status of chromium please refer to its security tracker page at:
    Information on source package chromium

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : vlc
    CVE ID : not yet available

    Multiple vulnerabilities were discovered in the VLC media player, which could result in denial of service or potentially the execution of arbitrary code if a malformed video file is opened.

    For the oldstable distribution (bookworm), these problems have been fixed in version 3.0.23-0+deb12u1.

    For the stable distribution (trixie), these problems have been fixed in version 3.0.23-0+deb13u1.

    We recommend that you upgrade your vlc packages.

    For the detailed security status of vlc please refer to its security tracker page at:
    Information on source package vlc

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : foomuuri
    CVE ID : CVE-2025-67603 CVE-2025-67858

    Matthias Gerstner discovered two vulnerabilities in the Foomuuri firewall generator, which could result in tampering with the firewall configuration by unauthorised users.

    For the stable distribution (trixie), these problems have been fixed in version 0.27-2+deb13u1.

    We recommend that you upgrade your foomuuri packages.

    For the detailed security status of foomuuri please refer to its security tracker page at:
    Information on source package foomuuri

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : libsodium
    CVE ID : CVE-2025-69277

    It was discovered that the crypto_core_ed25519_is_valid_point() function of the Sodium cryptography library mishandled checks for valid elliptic curve points.

    For the oldstable distribution (bookworm), this problem has been fixed in version 1.0.18-1+deb12u1.

    For the stable distribution (trixie), this problem has been fixed in version 1.0.18-1+deb13u1.

    We recommend that you upgrade your libsodium packages.

    For the detailed security status of libsodium please refer to its security tracker page at:
    Information on source package libsodium

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : gimp
    CVE ID : CVE-2025-14422 CVE-2025-14424 CVE-2025-14425

    Several vulnerabilities were discovered in GIMP, the GNU Image Manipulation Program, which could result in denial of service or potentially the execution of arbitrary code if malformed XCF, JPEG 2000 or PNM files are opened.

    For the oldstable distribution (bookworm), these problems have been fixed in version 2.10.34-1+deb12u6.

    For the stable distribution (trixie), these problems have been fixed in version 3.0.4-3+deb13u4.

    We recommend that you upgrade your gimp packages.

    For the detailed security status of gimp please refer to its security tracker page at:
    Information on source package gimp

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : smb4k
    CVE ID : CVE-2025-66002 CVE-2025-66003
    Debian Bug : 1122381

    Two vulnerabilities were discovered in smb4k, a KDE desktop utility which allows unprivileged mounting of Samba/CIFS network shares, which may result in local denial of service or local privilege escalation.

    For the stable distribution (trixie), these problems have been fixed in version 4.0.0-1+deb13u1.

    We recommend that you upgrade your smb4k packages.

    For the detailed security status of smb4k please refer to its security tracker page at:
    Information on source package smb4k

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : rails
    CVE ID : CVE-2025-24293 CVE-2025-55193

    Multiple security issues were discovered in the Rails web framework which could result in command injection or logging of unescaped ANSI sequences.

    For the oldstable distribution (bookworm), these problems have been fixed in version 2:6.1.7.10+dfsg-1~deb12u2.

    For the stable distribution (trixie), these problems have been fixed in version 2:7.2.2.2+dfsg-2~deb13u1.

    We recommend that you upgrade your rails packages.

    For the detailed security status of rails please refer to its security tracker page at:
    Information on source package rails

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : wordpress
    CVE ID : CVE-2025-58246 CVE-2025-58674

    Multiple security issues were discovered in the WordPress blogging tool, which could result in cross-site scripting or information disclosure.

    For the stable distribution (trixie), these problems have been fixed in version 6.8.3+dfsg1-0+deb13u1.

    We recommend that you upgrade your wordpress packages.

    For the detailed security status of wordpress please refer to its security tracker page at:
    Information on source package wordpress

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : chromium
    CVE ID : CVE-2025-14765 CVE-2025-14766

    Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

    For the oldstable distribution (bookworm), these problems have been fixed in version 143.0.7499.169-1~deb12u1.

    For the stable distribution (trixie), these problems have been fixed in version 143.0.7499.169-1~deb13u1.

    We recommend that you upgrade your chromium packages.

    For the detailed security status of chromium please refer to its security tracker page at:
    Information on source package chromium

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : php8.4
    CVE ID : CVE-2025-14177 CVE-2025-14178 CVE-2025-14180

    Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in denial of service or memory disclosure.

    For the stable distribution (trixie), these problems have been fixed in version 8.4.16-1~deb13u1.

    We recommend that you upgrade your php8.4 packages.

    For the detailed security status of php8.4 please refer to its security tracker page at:
    Information on source package php8.4

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : roundcube
    CVE ID : CVE-2025-68460 CVE-2025-68461
    Debian Bug : 1122899

    It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, is prone to a cross-site scripting vulnerability via the animate tag in an SVG document and an information disclosure vulnerability in the HTML style sanitizer.

    For the oldstable distribution (bookworm), these problems have been fixed in version 1.6.5+dfsg-1+deb12u6.

    For the stable distribution (trixie), these problems have been fixed in version 1.6.12+dfsg-0+deb13u1.

    We recommend that you upgrade your roundcube packages.

    For the detailed security status of roundcube please refer to its security tracker page at:
    Information on source package roundcube

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : dropbear
    CVE ID : CVE-2025-14282

    "Turistu" discovered that incorrect permission handling in the Dropbear SSH server could result in privilege escalation.

    The oldstable distribution (bookworm) is not affected.

    For the stable distribution (trixie), this problem has been fixed in version 2025.89-1~deb13u1.

    We recommend that you upgrade your dropbear packages.

    For the detailed security status of dropbear please refer to its security tracker page at:
    Information on source package dropbear

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : mediawiki
    CVE ID : CVE-2025-11173 CVE-2025-11261 CVE-2025-61635 CVE-2025-61638 CVE-2025-61639 CVE-2025-61640 CVE-2025-61641 CVE-2025-61643 CVE-2025-61646 CVE-2025-61653 CVE-2025-61655 CVE-2025-61656 CVE-2025-67475 CVE-2025-67478 CVE-2025-67479 CVE-2025-67480 CVE-2025-67481 CVE-2025-67482 CVE-2025-67484 CVE-2025-67483 CVE-2025-67477 CVE-2025-61657 CVE-2025-61654 CVE-2025-61652 CVE-2025-61642 CVE-2025-61637 CVE-2025-61636 CVE-2025-61634 CVE-2025-11175

    Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in cross-site scripting, information disclosure, missing rate limiting or denial of service.

    For the oldstable distribution (bookworm), these problems have been fixed in version 1:1.39.17-1~deb12u1.

    For the stable distribution (trixie), these problems have been fixed in version 1:1.43.6+dfsg-1~deb13u1.

    We recommend that you upgrade your mediawiki packages.

    For the detailed security status of mediawiki please refer to its security tracker page at:
    Information on source package mediawiki

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : c-ares
    CVE ID : CVE-2025-62408

    It was discovered that c-ares, a library that performs DNS requests and name resolution asynchronously, does not properly handle termination of queries which may result in denial of service.

    For the stable distribution (trixie), this problem has been fixed in version 1.34.5-1+deb13u1.

    We recommend that you upgrade your c-ares packages.

    For the detailed security status of c-ares please refer to its security tracker page at:
    Information on source package c-ares

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/