Posts by Micha

    Package : jpeg-xl

    CVE ID : CVE-2023-0645 CVE-2023-35790 CVE-2024-11403 CVE-2024-11498

    Debian Bug : 1034722 1055306 1088818


    Multiple vulnerabilities were discovered in jpeg-xl, the JPEG XL ("JXL") image coding library, including out-of-bounds read/write and stack-based buffer overflow, which may cause excessive memory usage and denial of service attacks.


    CVE-2023-0645


    A specifically crafted file could cause an out-of-bounds read in the exif handler of libjxl.


    CVE-2023-35790


    Integer underflow in patch decoding code of libjxl.


    CVE-2024-11403


    Out-of-bounds write in the JPEG decoder used for recompression of JPEG files.


    CVE-2024-11498


    A specifically crafted file could cause the JPEG XL decoder to use large amounts of stack space, potentially exhausting the stack.

    For the stable distribution (bookworm), these problems have been fixed in version 0.7.0-10+deb12u1.


    We recommend that you upgrade your jpeg-xl packages.


    For the detailed security status of jpeg-xl please refer to its security tracker page at:

    Information on source package jpeg-xl


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : mediawiki

    CVE ID : CVE-2025-6590 CVE-2025-6591 CVE-2025-6593 CVE-2025-6594

    CVE-2025-6595 CVE-2025-6597 CVE-2025-6926 CVE-2025-32072


    Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in cross-site scripting, information disclosure, HTML injection or incorrect tracking of authentication events.


    For the stable distribution (bookworm), these problems have been fixed in version 1:1.39.13-1~deb12u1.


    We recommend that you upgrade your mediawiki packages.


    For the detailed security status of mediawiki please refer to its security tracker page at:

    Information on source package mediawiki


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : ring

    CVE ID : CVE-2023-27585


    The embedded copy of pjproject is affected by a buffer overflow vulnerability, which affects applications that use PJSIP DNS resolver.


    For the stable distribution (bookworm), this problem has been fixed in version 20230206.0~ds2-1.1+deb12u1.


    We recommend that you upgrade your ring packages.


    For the detailed security status of ring please refer to its security tracker page at:

    Information on source package ring


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : chromium

    CVE ID : CVE-2025-6554


    Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. Google is aware that an exploit for CVE-2025-6554 exists in the wild.


    For the stable distribution (bookworm), this problem has been fixed in version 138.0.7204.92-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : sudo

    CVE ID : CVE-2025-32462


    Rich Mirch discovered that sudo, a program designed to provide limited super user privileges to specific users, does not correctly handle the host (-h or --host) option. Due to a bug the host option was not restricted to listing privileges only and could be used when running a command via sudo or editing a file with sudoedit. Depending on the rules present in the sudoers file the flaw might allow a local privilege escalation attack.


    For the stable distribution (bookworm), this problem has been fixed in version 1.9.13p3-1+deb12u2.


    We recommend that you upgrade your sudo packages.


    For the detailed security status of sudo please refer to its security tracker page at:

    Information on source package sudo


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : catdoc

    CVE ID : CVE-2024-48877 CVE-2024-52035 CVE-2024-54028

    Debian Bug : 1107168


    Several vulnerabilities were discovered in catdoc, a text extractor for MS-Office files, which may result in denial of service or the execution of arbitrary code if a specially crafted file is processed.


    For the stable distribution (bookworm), these problems have been fixed in version 1:0.95-6~deb12u1.


    We recommend that you upgrade your catdoc packages.


    For the detailed security status of catdoc please refer to its security tracker page at:

    Information on source package catdoc


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : chromium

    CVE ID : CVE-2025-6555 CVE-2025-6556 CVE-2025-6557


    Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 138.0.7204.49-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : firefox-esr

    CVE ID : CVE-2025-6424 CVE-2025-6425 CVE-2025-6429 CVE-2025-6430


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.


    For the stable distribution (bookworm), these problems have been fixed in version 128.12.0esr-1~deb12u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    Information on source package firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : libxml2

    CVE ID : CVE-2022-49043 CVE-2023-39615 CVE-2023-45322 CVE-2024-25062

    CVE-2024-34459 CVE-2024-56171 CVE-2025-24928 CVE-2025-27113

    CVE-2025-32414 CVE-2025-32415

    Debian Bug : 1051230 1053629 1063234 1071162 1094238 1098320 1098321 1098322 1102521 1103511


    Brief introduction


    Multiple memory related vulnerabilities, including use-after-free, out-of-bounds memory access and NULL pointer dereference, were discovered in GNOME XML Parser and Toolkit Library and its Python bindings, which may cause denial of service or other unintended behaviors.


    For the stable distribution (bookworm), these problems have been fixed in version 2.9.14+dfsg-1.3~deb12u2.


    We recommend that you upgrade your libxml2 packages.


    For the detailed security status of libxml2 please refer to its security tracker page at:

    Information on source package libxml2


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : trafficserver

    CVE ID : CVE-2024-53868 CVE-2025-31698 CVE-2025-49763


    Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service, HTTP request smuggling or incorrect processing of ACLs.


    For the stable distribution (bookworm), these problems have been fixed in version 9.2.5+ds-0+deb12u3.


    We recommend that you upgrade your trafficserver packages.


    For the detailed security status of trafficserver please refer to its security tracker page at:

    Information on source package trafficserver


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : xorg-server

    CVE ID : CVE-2025-49175 CVE-2025-49176 CVE-2025-49177 CVE-2025-49178

    CVE-2025-49179 CVE-2025-49180


    Nils Emmerich discovered several vulnerabilities in the Xorg X server, which may result in privilege escalation if the X server is running privileged.


    For the stable distribution (bookworm), these problems have been fixed in version 2:21.1.7-3+deb12u10.


    We recommend that you upgrade your xorg-server packages.


    For the detailed security status of xorg-server please refer to its security tracker page at:

    Information on source package xorg-server


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : gdk-pixbuf

    CVE ID : CVE-2025-6199


    It was discovered that incorrect bounds validation in the GIF decoder of the GDK Pixbuf library may result in memory disclosure.


    For the stable distribution (bookworm), this problem has been fixed in version 2.42.10+dfsg-1+deb12u2.


    We recommend that you upgrade your gdk-pixbuf packages.


    For the detailed security status of gdk-pixbuf please refer to its security tracker page at:

    Information on source package gdk-pixbuf


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : konsole

    CVE ID : CVE-2025-49091


    Dennis Dast discovered that the Konsole terminal emulator insecurely handled the telnet URI scheme, which could result in the execution of arbitrary code in some configurations.


    For the stable distribution (bookworm), this problem has been fixed in version 4:22.12.3-1+deb12u1.


    We recommend that you upgrade your konsole packages.


    For the detailed security status of konsole please refer to its security tracker page at:

    Information on source package konsole


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : chromium

    CVE ID : CVE-2025-6191 CVE-2025-6192


    Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 137.0.7151.119-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : libblockdev

    CVE ID : CVE-2025-6019


    The Qualys Threat Research Unit (TRU) discovered a local privilege escalation vulnerability in libblockdev, a library for manipulating block devices. An "allow_active" user can exploit this flaw via the udisks daemon to obtain the full privileges of the root user.


    Details can be found in the Qualys advisory at https://www.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt


    Along with the libblockdev update, updated udisks2 packages are released, to enforce that private mounts are mounted with 'nodev,nosuid'.


    For the stable distribution (bookworm), this problem has been fixed in version 2.28-2+deb12u1. The additional udisks2 hardening is applied in version 2.9.4-4+deb12u1.


    We recommend that you upgrade your libblockdev packages.


    For the detailed security status of libblockdev please refer to its security tracker page at:

    Information on source package libblockdev


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : chromium

    CVE ID : CVE-2025-5958 CVE-2025-5959


    Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 137.0.7151.103-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : gst-plugins-bad1.0

    CVE ID : CVE-2025-3887


    Multiple vulnerabilities were discovered in the H.265 plugin for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.


    For the stable distribution (bookworm), this problem has been fixed in version 1.22.0-4+deb12u6.


    We recommend that you upgrade your gst-plugins-bad1.0 packages.


    For the detailed security status of gst-plugins-bad1.0 please refer to its security tracker page at:

    Information on source package gst-plugins-bad1.0


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : modsecurity-apache

    CVE ID : CVE-2025-47947 CVE-2025-48866

    Debian Bug : 1106286 1107196


    Several vulnerabilities were discovered in modsecurity-apache, an Apache module to tighten the Web application security, which may result in denial of service (high memory consumption).


    For the stable distribution (bookworm), these problems have been fixed in version 2.9.7-1+deb12u1.


    We recommend that you upgrade your modsecurity-apache packages.


    For the detailed security status of modsecurity-apache please refer to its security tracker page at:

    Information on source package modsecurity-apache


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : gimp

    CVE ID : CVE-2025-2760 CVE-2025-2761 CVE-2025-48797 CVE-2025-48798


    Several vulnerabilities were discovered in GIMP, the GNU Image Manipulation Program, which could result in denial of service or potentially the execution of arbitrary code if malformed XCF, TGA, DDS, FLI or ICO files are opened.


    For the stable distribution (bookworm), these problems have been fixed in version 2.10.34-1+deb12u3.


    We recommend that you upgrade your gimp packages.


    For the detailed security status of gimp please refer to its security tracker page at:

    Information on source package gimp


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : python-tornado

    CVE ID : CVE-2025-47287


    It was discovered that the Tornado Python web framework performed excessive logging when parsing some multipart/form-data requests, which could result in denial of service.


    For the stable distribution (bookworm), this problem has been fixed in version 6.2.0-3+deb12u2.


    We recommend that you upgrade your python-tornado packages.


    For the detailed security status of python-tornado please refer to its security tracker page at:

    Information on source package python-tornado


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/