Beiträge von Micha

Package : jpeg-xl

CVE ID : CVE-2023-0645 CVE-2023-35790 CVE-2024-11403 CVE-2024-11498

Debian Bug : 1034722 1055306 1088818

Multiple vulnerabilities are discovered in jpeg-xl, the JPEG XL ("JXL") image coding library, including out of bounds read/write and stack based buffer overflow, which may cause excessive memory usage and denial of service attacks.

CVE-2023-0645

Specifically crafted file could cause an out of bounds read in the exif

handler of libjxl.

CVE-2023-35790

Integer underflow in patch decoding code of libjxl.

CVE-2024-11403

Out of bounds write in the JPEG decoder used for recompression of JPEG

files.

CVE-2024-11498

Specifically crafted file could cause the JPEG XL decoder to use large

amounts of stack space, potentially exhausting the stack.

For the stable distribution (bookworm), these problems have been fixed in version 0.7.0-10+deb12u1.

We recommend that you upgrade your jpeg-xl packages.

For the detailed security status of jpeg-xl please refer to its security tracker page at:

Information on source package jpeg-xl

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : mediawiki

CVE ID : CVE-2025-6590 CVE-2025-6591 CVE-2025-6593 CVE-2025-6594

CVE-2025-6595 CVE-2025-6597 CVE-2025-6926 CVE-2025-32072

Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in cross-site scripting, information disclosure, HTML injection or incorrect tracking of authentication events.

For the stable distribution (bookworm), these problems have been fixed in version 1:1.39.13-1~deb12u1.

We recommend that you upgrade your mediawiki packages.

For the detailed security status of mediawiki please refer to its security tracker page at:

Information on source package mediawiki

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : ring

CVE ID : CVE-2023-27585

The embedded copy of pjproject is affected by a buffer overflow vulnerability, which affects applications that use PJSIP DNS resolver.

For the stable distribution (bookworm), this problem has been fixed in version 20230206.0~ds2-1.1+deb12u1.

We recommend that you upgrade your ring packages.

For the detailed security status of ring please refer to its security tracker page at:

Information on source package ring

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : chromium

CVE ID : CVE-2025-6554

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. Google is aware that an exploit for CVE-2025-6554 exists in the wild.

For the stable distribution (bookworm), this problem has been fixed in version 138.0.7204.92-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security tracker page at:

Information on source package chromium

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : sudo

CVE ID : CVE-2025-32462

Rich Mirch discovered that sudo, a program designed to provide limited super user privileges to specific users, does not correctly handle the host (-h or --host) option. Due to a bug the host option was not restricted to listing privileges only and could be used when running a command via sudo or editing a file with sudoedit. Depending on the rules present in the sudoers file the flaw might allow a local privilege escalation attack.

For the stable distribution (bookworm), this problem has been fixed in version 1.9.13p3-1+deb12u2.

We recommend that you upgrade your sudo packages.

For the detailed security status of sudo please refer to its security tracker page at:

Information on source package sudo

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : catdoc

CVE ID : CVE-2024-48877 CVE-2024-52035 CVE-2024-54028

Debian Bug : 1107168

Several vulnerabilities were discovered in catdoc, a text extractor for MS-Office files, which may result in denial of service or the execution of arbitrary code if a specially crafted file is processed.

For the stable distribution (bookworm), these problems have been fixed in version 1:0.95-6~deb12u1.

We recommend that you upgrade your catdoc packages.

For the detailed security status of catdoc please refer to its security tracker page at:

Information on source package catdoc

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : chromium

CVE ID : CVE-2025-6555 CVE-2025-6556 CVE-2025-6557

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

For the stable distribution (bookworm), these problems have been fixed in version 138.0.7204.49-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security tracker page at:

Information on source package chromium

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : firefox-esr

CVE ID : CVE-2025-6424 CVE-2025-6425 CVE-2025-6429 CVE-2025-6430

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

For the stable distribution (bookworm), these problems have been fixed in version 128.12.0esr-1~deb12u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to its security tracker page at:

Information on source package firefox-esr

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : libxml2

CVE ID : CVE-2022-49043 CVE-2023-39615 CVE-2023-45322 CVE-2024-25062

CVE-2024-34459 CVE-2024-56171 CVE-2025-24928 CVE-2025-27113

CVE-2025-32414 CVE-2025-32415

Debian Bug : 1051230 1053629 1063234 1071162 1094238 1098320 1098321 1098322 1102521 1103511

Brief introduction

Multiple memory related vulnerabilities, inlcuding use-after-free, out-of-bounds memory access and NULL pointer dereference, were discovered in GNOME XML Parser and Toolkit Library and its Python bindings, which may cause denial of service or other unintended behaviors.

For the stable distribution (bookworm), these problems have been fixed in version 2.9.14+dfsg-1.3~deb12u2.

We recommend that you upgrade your libxml2 packages.

For the detailed security status of libxml2 please refer to its security tracker page at:

Information on source package libxml2

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : trafficserver

CVE ID : CVE-2024-53868 CVE-2025-31698 CVE-2025-49763

Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service, HTTP request smuggling or incorrect processing of ACLs.

For the stable distribution (bookworm), these problems have been fixed in version 9.2.5+ds-0+deb12u3.

We recommend that you upgrade your trafficserver packages.

For the detailed security status of trafficserver please refer to its security tracker page at:

Information on source package trafficserver

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : xorg-server

CVE ID : CVE-2025-49175 CVE-2025-49176 CVE-2025-49177 CVE-2025-49178

CVE-2025-49179 CVE-2025-49180

Nils Emmerich discovered several vulnerabilities in the Xorg X server, which may result in privilege escalation if the X server is running privileged.

For the stable distribution (bookworm), these problems have been fixed in version 2:21.1.7-3+deb12u10.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to its security tracker page at:

Information on source package xorg-server

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : gdk-pixbuf

CVE ID : CVE-2025-6199

It was discovered that incorrect bounds validation in the GIF decoder of the GDK Pixbuf library may result in memory disclosure.

For the stable distribution (bookworm), this problem has been fixed in version 2.42.10+dfsg-1+deb12u2.

We recommend that you upgrade your gdk-pixbuf packages.

For the detailed security status of gdk-pixbuf please refer to its security tracker page at:

Information on source package gdk-pixbuf

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : konsole

CVE ID : CVE-2025-49091

Dennis Dast discovered that the Konsole terminal emulator insecurely handled the telnet URI scheme, which could result in the execution of arbitrary code in some configurations.

For the stable distribution (bookworm), this problem has been fixed in version 4:22.12.3-1+deb12u1.

We recommend that you upgrade your konsole packages.

For the detailed security status of konsole please refer to its security tracker page at:

Information on source package konsole

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : chromium

CVE ID : CVE-2025-6191 CVE-2025-6192

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

For the stable distribution (bookworm), these problems have been fixed in version 137.0.7151.119-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security tracker page at:

Information on source package chromium

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : libblockdev

CVE ID : CVE-2025-6019

The Qualys Threat Research Unit (TRU) discovered a local privilege escalation vulnerability in libblockdev, a library for manipulating block devices. An "allow_active" user can exploit this flaw via the udisks daemon to obtain the full privileges of the root user.

Details can be found in the Qualys advisory at https://www.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt

Along with the libblockdev update, updated udisks2 packages are released, to enforce that private mounts are mounted with 'nodev,nosuid'.

For the stable distribution (bookworm), this problem has been fixed in version 2.28-2+deb12u1. The additional udisks2 hardening is applied in version 2.9.4-4+deb12u1.

We recommend that you upgrade your libblockdev packages.

For the detailed security status of libblockdev please refer to its security tracker page at:

Information on source package libblockdev

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : chromium

CVE ID : CVE-2025-5958 CVE-2025-5959

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

For the stable distribution (bookworm), these problems have been fixed in version 137.0.7151.103-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security tracker page at:

Information on source package chromium

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : gst-plugins-bad1.0

CVE ID : CVE-2025-3887

Multiple vulnerabilities were discovered in the H.265 plugin for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

For the stable distribution (bookworm), this problem has been fixed in version 1.22.0-4+deb12u6.

We recommend that you upgrade your gst-plugins-bad1.0 packages.

For the detailed security status of gst-plugins-bad1.0 please refer to its security tracker page at:

Information on source package gst-plugins-bad1.0

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : modsecurity-apache

CVE ID : CVE-2025-47947 CVE-2025-48866

Debian Bug : 1106286 1107196

Several vulnerabilities were discovered in modsecurity-apache, an Apache module to tighten the Web application security, which may result in denial of service (high memory consumption).

For the stable distribution (bookworm), these problems have been fixed in version 2.9.7-1+deb12u1.

We recommend that you upgrade your modsecurity-apache packages.

For the detailed security status of modsecurity-apache please refer to its security tracker page at:

Information on source package modsecurity-apache

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : gimp

CVE ID : CVE-2025-2760 CVE-2025-2761 CVE-2025-48797 CVE-2025-48798

Several vulnerabilities were discovered in GIMP, the GNU Image Manipulation Program, which could result in denial of service or potentially the execution of arbitrary code if malformed XCF, TGA, DDS, FLI or ICO files are opened.

For the stable distribution (bookworm), these problems have been fixed in version 2.10.34-1+deb12u3.

We recommend that you upgrade your gimp packages.

For the detailed security status of gimp please refer to its security tracker page at:

Information on source package gimp

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : python-tornado

CVE ID : CVE-2025-47287

It was discovered that the Tornado Python web framework performed excessive logging when parsing some multipart/form-data requests, which could result in denial of service.

For the stable distribution (bookworm), this problem has been fixed in version 6.2.0-3+deb12u2.

We recommend that you upgrade your python-tornado packages.

For the detailed security status of python-tornado please refer to its security tracker page at:

Information on source package python-tornado

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/