Multiple security updates have been released for Debian GNU/Linux, including patches for OpenSSL, Ghostscript, Chromium, Squid, and QEMU. The updates address various vulnerabilities, such as out-of-bounds reads and writes, denial of service attacks, information disclosure, and privilege escalation. The affected packages include OpenSSL 1.0, Ghostscript 9.26a and 9.27, Chromium 142.0.7444.59, Squid 5.7 and 6.13, and QEMU 2.8.
Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1563-1 openssl1.0 security update
ELA-1564-1 qemu security update
Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1562-1 ghostscript security update
Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6046-1] chromium security update
[DSA 6047-1] squid security update
Steven Barrett has released Liquorix Linux Kernel 6.17-6, which enhances system responsiveness and performance for desktop, multimedia, and gaming workloads. This custom kernel boasts several key features, such as Zen Interactive Tuning technology, scheduling improvements, and optimized Block Layer tweaks to enhance memory management and minimize latency. Additionally, Liquorix kernel 6.17-6 includes extra features like High Resolution Scheduling, Budget Fair Queue, TCP BBR2 Congestion Control, and Compressed Swap to further boost performance. Users can easily install the kernel using a provided script, and binary builds are available for popular Debian-based distributions and Ubuntu through the Liquorix PPA.
Several Debian Security Advisories have been released to address vulnerabilities in various packages, including xorg-server, openssl, pdns-recursor, and intel-microcode. The advisories recommend upgrading the affected packages to their latest versions, which can be found on the security tracker page for each package. For example, the xorg-server vulnerability has been fixed in version 2:21.1.7-3+deb12u11 (bookworm) and 2:21.1.16-1.3+deb13u1 (trixie).
Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1559-1 openssl security update
Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1561-1 xorg-server security update
ELA-1560-1 intel-microcode security update
Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1558-1 openssl security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4353-1] xorg-server security update
Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6044-1] xorg-server security update
Debian GNU/Linux 13 (Trixie):
[DSA 6045-1] pdns-recursor security update
Multiple Debian Security Advisories have been released to address various vulnerabilities. The advisories include DSA-6042-1 for webkit2gtk on Debian 12 and 13, which fixes multiple issues, including potential crashes and access to sensor information without user consent; DLA-4352-1 for python-authlib on Debian 11 LTS, a library with vulnerabilities that could allow policy bypass or privilege escalation; and DSA-6043-1 for gimp on Debian 12, the GNU Image Manipulation Program, which has several vulnerabilities that could result in denial of service or arbitrary code execution. Additionally, an Extended LTS Advisory (ELA) has been released to address multiple vulnerabilities in python-pip on Debian 9 and 10 ELTS, including directory traversal, Unicode separator handling issues, Mercurial VCS URL configuration option injection, and symbolic link checking problems.
[DSA 6042-1] webkit2gtk security update
[DLA 4352-1] python-authlib security update
[DSA 6043-1] gimp security update
ELA-1557-1 python-pip security update
Ondřej Surý has released PHP 8.5.0 RC3, PHP 8.4.14, and PHP 8.3.27 packages for Debian GNU/Linux 11 LTS, 12, and 13. The updates include improvements to core functionality, DOM parsing, FPM performance, Opcache optimization, OpenSSL security, and other areas. The packages address numerous bugs and fix issues such as resource closing on shutdown, incorrect namespace checks in the getNamedItemNS() function, and memory leaks triggered by imagefttext() calls.
Debian has issued security updates for two packages, Thunderbird and strongSwan. For Debian GNU/Linux 11 (Bullseye) LTS, the Thunderbird update fixes multiple security issues that could result in arbitrary code execution and is available in version 1:140.4.0esr-1~deb11u1. The strongSwan update for both Debian GNU/Linux 12 (Bookworm) and 13 (Trixie) fixes a bug in the eap-mschapv2 plugin, discovered by Xu Biang, that can cause an integer underflow or heap-based buffer overflow, potentially exploitable for remote code execution.
[DLA 4351-1] thunderbird security update
[DSA 6041-1] strongswan security update
Steven Barrett has released two new versions of the Liquorix Linux kernel, based on Linux kernel 6.17.5, which aim to enhance user experience and system performance. The Liquorix kernel has several upgrades, like Zen Interactive Tuning technology, better scheduling, an improved Block Layer, and CPUFreq changes, all meant to make the system more responsive and efficient. Additionally, the kernel includes features such as High Resolution Scheduling, Budget Fair Queue, TCP BBR2 Congestion Control, and Compressed Swap with LZ4 compression, further boosting performance.
Several security updates were released for Debian GNU/Linux, including ELA-1555-1 for request-tracker4, which fixed a CSV injection vulnerability. Another update, DSA-6039-1, addressed multiple vulnerabilities in openjdk-25, including XML XXE/XEE attacks and incorrect certificate validation. Advisories were also issued for tika, thunderbird, and openjdk-11, recommending that users upgrade to versions that fix issues such as XML external entity injection and arbitrary code execution.
Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1555-1 request-tracker4 security update
ELA-1556-1 openjdk-11 security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4349-1] request-tracker4 security update
[DLA 4350-1] tika security update
Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6040-1] thunderbird security update
Debian GNU/Linux 13 (Trixie):
[DSA 6039-1] openjdk-25 security update
Multiple Debian security advisories have been released, addressing vulnerabilities in various packages. The advisories include updates for xrdp, openjdk-17, icedtea-web, python-pip, intel-microcode, openjdk-11, and node-form-data, each addressing specific security issues. The issues include unlimited login attempts, XML external entity injection attacks, incorrect certificate validation, and HTTP parameter pollution.
Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1553-1 icedtea-web security update
Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1552-1 xrdp security update
ELA-1554-1 node-form-data security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4345-1] openjdk-17 security update
[DLA 4348-1] python-pip security update
[DLA 4347-1] intel-microcode security update
[DLA 4346-1] openjdk-11 security update
Debian GNU/Linux 12 (Bookworm):
[DSA 6038-1] openjdk-17 security update
Steven Barrett has announced the release of Liquorix Linux Kernel 6.17-3, a custom kernel designed to optimize desktop, multimedia, and gaming workloads by leveraging performance capabilities. The kernel boasts several significant enhancements that focus on improving system responsiveness, reducing latency, and maximizing throughput through features such as Zen Interactive Tuning technology and improved scheduling. Additionally, Liquorix kernel 6.17-3 includes extra features like High Resolution Scheduling, Budget Fair Queue, TCP BBR2 Congestion Control, and Compressed Swap to further boost performance and data transfer speed.
A security update has been released for the OpenJDK 21 package in Debian GNU/Linux 13 (Trixie) to fix several vulnerabilities. The vulnerabilities could allow for incorrect string equality checks, XML attacks (XXE/XEE), or incorrect certificate validation.
[SECURITY] [DSA 6037-1] openjdk-21 security update
Debian has released security updates for both Debian GNU/Linux 12 (Bookworm) and 13 (Trixie) for several packages: chromium, python-internetarchive, tryton-sao, and bind9. The updates address various vulnerabilities, including arbitrary code execution, cache poisoning, denial of service, and cross-site scripting.
[DSA 6036-1] chromium security update
[DSA 6035-1] python-internetarchive security update
[DSA 6034-1] tryton-sao security update
[DSA 6033-1] bind9 security update
Debian Security Advisories have been released to address multiple vulnerabilities across various packages. The advisories include fixes for gdk-pixbuf, request-tracker4, request-tracker5, raptor2, gimp, and intel-microcode, among others, which could result in security issues such as remote code execution, denial of service, or privilege escalation. Additionally, Extended LTS (ELA) advisories have been released for certain distributions to address similar vulnerabilities in gegl and raptor2 packages.
Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1549-1 gegl security update
Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1551-1 raptor2 security update
ELA-1550-1 gimp security update
Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1548-1 gegl security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4344-1] gdk-pixbuf security update
[DLA 4343-1] raptor2 security update
[DLA 4342-1] gimp security update
[DLA 4341-1] gegl security update
Debian GNU/Linux 12 (Bookworm):
[DSA 6032-1] request-tracker4 security update
Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6031-1] request-tracker5 security update
[DSA 6030-1] intel-microcode security update
Updated nginx packages have been released for Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS. The first vulnerability (CVE-2024-7347) allows an attacker to crash an nginx worker process by sending a specially crafted mp4 file, while the second vulnerability (CVE-2024-33452) enables HTTP request smuggling via a crafted HEAD request. The third vulnerability (CVE-2025-23419) lets an attacker bypass client certificate authentication when different server blocks share the same IP address and port, by taking advantage of TLS session tickets or the SSL session cache. The relevant package versions are 1.10.3-1+deb9u9 (Stretch) and 1.14.2-2+deb10u6 (Buster); updating is required to mitigate these issues.
ELA-1547-1 nginx security update
Debian has issued several security updates to address vulnerabilities in various packages, including ImageMagick (CVE-2025-62171), libphp-adodb (CVE-2025-54119), and Ark (CVE-2024-57966). The ImageMagick update addresses an integer overflow vulnerability that allows for denial-of-service conditions when processing certain BMP files. The libphp-adodb updates address an SQL injection vulnerability that can occur when using the metaColumns(), metaForeignKeys(), or metaIndexes() methods with a crafted table name.
ELA-1545-1 imagemagick security update
[DLA 4340-1] libphp-adodb security update
[DSA 6029-1] ark security update
ELA-1546-1 libphp-adodb security update
Liquorix Linux Kernel 6.17-2 has been released, based on the Linux Kernel 6.17.4, with features designed to optimize desktop, multimedia, and gaming workloads by improving system responsiveness and reducing latency. The kernel includes enhancements such as Zen Interactive Tuning technology, improved scheduling, and optimized Block Layer performance to maximize throughput. Other features include High Resolution Scheduling, Budget Fair Queue disk scheduler, TCP BBR2 Congestion Control, and Compressed Swap with LZ4 compression, all aimed at making the system work better and speeding up data transfer.
A security update has been issued for the ImageMagick package to address an integer overflow vulnerability in its BMP decoder. The vulnerability, tracked as CVE-2025-62171, can be triggered by a malicious 58-byte BMP file and cause a denial of service (DoS). A previous fix for this issue proved to be incomplete. Users are recommended to upgrade their ImageMagick packages to version 8:6.9.11.60+dfsg-1.3+deb11u7 for Debian GNU/Linux 11 (Bullseye) LTS.
[SECURITY] [DLA 4339-1] imagemagick security update
A security update has been released for pgAgent, which affects Debian GNU/Linux 11 (Bullseye) LTS. The issue arises when batch jobs are executed by pgAgent, as it uses an insufficiently seeded random number generator to generate directory names, allowing local attackers to disrupt scheduled tasks. This problem was fixed in version 4.0.0-8+deb11u1 of pgAgent, and users are advised to upgrade their packages. The update fixes a vulnerability known as CVE-2025-0218, which has been assigned Debian Bug number 1092677.
[DLA 4338-1] pgagent security update
A new version of the Liquorix Linux Kernel, 6.17-1, has been released based on the Linux Kernel 6.17 series. This custom kernel is designed to optimize desktop, multimedia, and gaming workloads by improving system responsiveness, reducing latency, and maximizing throughput through various enhancements and tweaks. Important features of the kernel include Zen Interactive Tuning technology, better scheduling, an improved Block Layer, and support for High Resolution Scheduling, Budget Fair Queue, TCP BBR2 Congestion Control, and Compressed Swap.
Multiple Debian security advisories have been issued to address vulnerabilities in various packages, including Firefox ESR (CVE-2025-11708 to CVE-2025-11714), Incus (CVE-2025-54286 to CVE-2025-54293), sysstat (CVE-2022-39377 and CVE-2023-33204), svgpp (CVE-2021-44960), LXD (CVE-2025-54286 to CVE-2025-54293), and the Linux kernel (multiple CVEs). The advisories recommend upgrading to fixed versions of these packages. The affected packages and their fixed versions are firefox-esr 140.4.0esr-1~deb11u1, incus 6.0.4-2+deb13u1, sysstat 12.5.2-2+deb11u1, svgpp 1.3.0+dfsg1-4+deb11u1, lxd 5.0.2-5+deb12u1 and 5.0.2+git20231211.1364ae4-9+deb13u1, and linux-5.10 5.10.244-1~deb9u1 and 5.10.244-1~deb10u1.
Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1544-1 linux-5.10 security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4335-1] firefox-esr security update
[DLA 4336-1] sysstat security update
[DLA 4337-1] svgpp security update
Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6028-1] lxd security update
Debian GNU/Linux 13 (Trixie):
[DSA 6027-1] incus security update