Several security updates were released for Debian GNU/Linux, including ELA-1555-1 for request-tracker4, which fixed a CSV injection vulnerability. Another update, DSA-6039-1, addressed multiple vulnerabilities in OpenJDK-25, including XML XXE/XEE attacks and incorrect certificate validation. Security advisories were also issued for Tika, Thunderbird, and OpenJDK-11; users are advised to upgrade to the fixed versions, which address problems such as XML external entity injection and arbitrary code execution.
Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1555-1 request-tracker4 security update
ELA-1556-1 openjdk-11 security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4349-1] request-tracker4 security update
[DLA 4350-1] tika security update
Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6040-1] thunderbird security update
Debian GNU/Linux 13 (Trixie):
[DSA 6039-1] openjdk-25 security update
Multiple Debian Linux security advisories have been released, addressing vulnerabilities in various packages. The advisories include updates for xrdp, openjdk-17, icedtea-web, python-pip, intel-microcode, openjdk-11, and node-form-data, each addressing specific security issues. These vulnerabilities include potential security threats such as infinite login attempts, XML external entity injection attacks, incorrect certificate validation, and HTTP parameter pollution.
Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1553-1 icedtea-web security update
Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1552-1 xrdp security update
ELA-1554-1 node-form-data security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4345-1] openjdk-17 security update
[DLA 4348-1] python-pip security update
[DLA 4347-1] intel-microcode security update
[DLA 4346-1] openjdk-11 security update
Debian GNU/Linux 12 (Bookworm):
[DSA 6038-1] openjdk-17 security update
Steven Barrett has announced the release of Liquorix Linux Kernel 6.17-3, a custom kernel tuned for desktop, multimedia, and gaming workloads. The kernel focuses on improving system responsiveness, reducing latency, and maximizing throughput through features such as Zen Interactive Tuning technology and improved scheduling. Additionally, Liquorix kernel 6.17-3 includes High Resolution Scheduling, the Budget Fair Queue disk scheduler, TCP BBR2 Congestion Control, and Compressed Swap to further boost performance and data transfer speed.
A security update has been released for the OpenJDK 21 package in Debian GNU/Linux 13 (Trixie) to fix several vulnerabilities. The vulnerabilities could allow for incorrect string equality checks, XML attacks (XXE/XEE), or incorrect certificate validation.
[SECURITY] [DSA 6037-1] openjdk-21 security update
Debian has released security updates for both Debian GNU/Linux 12 (Bookworm) and 13 (Trixie) for several packages: Chromium, Python-Internetarchive, Tryton-Sao, and BIND. The updates address various vulnerabilities, including arbitrary code execution, cache poisoning, denial of service, and cross-site scripting.
[DSA 6036-1] chromium security update
[DSA 6035-1] python-internetarchive security update
[DSA 6034-1] tryton-sao security update
[DSA 6033-1] bind9 security update
Debian Security Advisories have been released to address multiple vulnerabilities across various packages. The advisories include fixes for gdk-pixbuf, request-tracker4, request-tracker5, raptor2, gimp, and intel-microcode, among others, which could result in security issues such as remote code execution, denial of service, or privilege escalation. Additionally, Extended LTS (ELA) advisories have been released for certain distributions to address similar vulnerabilities in gegl and raptor2 packages.
Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1549-1 gegl security update
Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1551-1 raptor2 security update
ELA-1550-1 gimp security update
Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1548-1 gegl security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4344-1] gdk-pixbuf security update
[DLA 4343-1] raptor2 security update
[DLA 4342-1] gimp security update
[DLA 4341-1] gegl security update
Debian GNU/Linux 12 (Bookworm):
[DSA 6032-1] request-tracker4 security update
Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6031-1] request-tracker5 security update
[DSA 6030-1] intel-microcode security update
Updated Nginx packages have been released for Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS. The first vulnerability (CVE-2024-7347) allows an attacker to over-read Nginx worker memory and terminate the worker process by sending a specially crafted mp4 file, while the second vulnerability (CVE-2024-33452) enables HTTP request smuggling via a crafted HEAD request. The third vulnerability (CVE-2025-23419) lets an attacker bypass client certificate authentication when different server blocks share the same IP address and port, by taking advantage of TLS Session Tickets or the SSL session cache. These vulnerabilities affect Nginx versions 1.10.3-1+deb9u9 (Stretch) and 1.14.2-2+deb10u6 (Buster), and an update is required to mitigate them.
ELA-1547-1 nginx security update
Debian has issued several security updates to address vulnerabilities in various packages, including ImageMagick (CVE-2025-62171), libphp-adodb (CVE-2025-54119), and Ark (CVE-2024-57966). The ImageMagick update addresses an integer overflow vulnerability that allows for denial-of-service conditions when processing certain BMP files. The libphp-adodb updates address an SQL injection vulnerability that can occur when using the metaColumns(), metaForeignKeys(), or metaIndexes() methods with a crafted table name.
ELA-1545-1 imagemagick security update
[DLA 4340-1] libphp-adodb security update
[DSA 6029-1] ark security update
ELA-1546-1 libphp-adodb security update
Liquorix Linux Kernel 6.17-2 has been released, based on the Linux Kernel 6.17.4, with features designed to optimize desktop, multimedia, and gaming workloads by improving system responsiveness and reducing latency. The kernel includes enhancements such as Zen Interactive Tuning technology, improved scheduling, and optimized Block Layer performance to maximize throughput. Other features include High Resolution Scheduling, Budget Fair Queue disk scheduler, TCP BBR2 Congestion Control, and Compressed Swap with LZ4 compression, all aimed at making the system work better and speeding up data transfer.
A security update has been issued for the ImageMagick package to address an integer overflow vulnerability in its BMP decoder. The vulnerability, tracked as CVE-2025-62171, can be triggered by a malicious 58-byte BMP file and causes a Denial of Service (DoS). An earlier fix that claimed to resolve the issue proved to be incomplete. Users are recommended to upgrade their ImageMagick packages to version 8:6.9.11.60+dfsg-1.3+deb11u7 for Debian GNU/Linux 11 (Bullseye) LTS.
[SECURITY] [DLA 4339-1] imagemagick security update
A security update has been released for pgAgent on Debian GNU/Linux 11 (Bullseye) LTS. When pgAgent executes batch jobs, it uses an insufficiently seeded random number generator to generate directory names, allowing local attackers to disrupt scheduled tasks. The vulnerability, CVE-2025-0218 (Debian Bug 1092677), is fixed in pgAgent version 4.0.0-8+deb11u1, and users are advised to upgrade their packages.
[DLA 4338-1] pgagent security update
A new version of the Liquorix Linux Kernel, 6.17-1, has been released based on the Linux Kernel 6.17 series. This custom kernel is designed to optimize desktop, multimedia, and gaming workloads by improving system responsiveness, reducing latency, and maximizing throughput through various enhancements and tweaks. Important features of the kernel include Zen Interactive Tuning technology, better scheduling, an improved Block Layer, and support for High Resolution Scheduling, Budget Fair Queue, TCP BBR2 Congestion Control, and Compressed Swap.
Multiple Debian security advisories have been issued to address vulnerabilities in various packages, including Firefox ESR (CVE-2025-11708 through CVE-2025-11714), Incus (CVE-2025-54286 through CVE-2025-54293), sysstat (CVE-2022-39377 and CVE-2023-33204), svgpp (CVE-2021-44960), LXD (CVE-2025-54286 through CVE-2025-54293), and the Linux kernel (multiple CVEs). The advisories recommend upgrading to the fixed versions of these packages. The affected packages and their fixed versions are firefox-esr 140.4.0esr-1~deb11u1, incus 6.0.4-2+deb13u1, sysstat 12.5.2-2+deb11u1, svgpp 1.3.0+dfsg1-4+deb11u1, lxd 5.0.2-5+deb12u1 and 5.0.2+git20231211.1364ae4-9+deb13u1, and linux-5.10 5.10.244-1~deb9u1 and 5.10.244-1~deb10u1.
Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1544-1 linux-5.10 security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4335-1] firefox-esr security update
[DLA 4336-1] sysstat security update
[DLA 4337-1] svgpp security update
Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6028-1] lxd security update
Debian GNU/Linux 13 (Trixie):
[DSA 6027-1] incus security update
Debian has released several security advisories to address vulnerabilities in various packages. The first advisory, DSA-6026-1 for both Debian GNU/Linux 12 (Bookworm) and 13 (Trixie), fixes a security issue in Chromium (CVE-2025-11756) that could lead to arbitrary code execution or information disclosure. The second advisory, ELA-1543-1 for Debian GNU/Linux 9 (Stretch) and 10 (Buster) ELTS, deals with several security problems in the Linux kernel that could allow users to gain elevated privileges. The third advisory, DLA-4334-1 for Debian GNU/Linux 11 (Bullseye) LTS, fixes an authentication bypass vulnerability (CVE-2025-46801) in pgpool2, a connection pool server for PostgreSQL.
[DSA 6026-1] chromium security update
ELA-1543-1 linux-6.1 security update
[DLA 4334-1] pgpool2 security update
Several security updates have been released for Debian GNU/Linux Extended LTS, including an update to the intel-microcode package to mitigate the Spectre variant 2 vulnerability and updates to the qemu, libxml2, and php-horde-css-parser packages to fix multiple security issues. The QEMU update removes the use of the C (Credential) flag in the binfmt_misc registration, which could have allowed privilege escalation when running suid/sgid binaries under qemu-user. The libxml2 and php-horde-css-parser updates fix vulnerabilities related to recursive evaluation and remote code execution via crafted input, respectively. Finally, a Firefox ESR update has been released for Debian 11 (Buster) LTS; it fixes several security issues that could result in the execution of arbitrary code, memory disclosure, or cross-site scripting.
ELA-18-1 intel-microcode security update
ELA-1540-1 qemu security update
[DSA 6025-1] firefox-esr security update
ELA-1542-1 libxml2 security update
ELA-1541-1 php-horde-css-parser security update
Debian has released several security updates for Debian GNU/Linux 11 (Bullseye) LTS, including DLA-4330-1 for ghostscript, which fixes multiple vulnerabilities that could allow remote code execution or cause null pointer dereferences. DLA-4332-1 is a database update for distro-info-data, adding Ubuntu 26.04 LTS and updating the end-of-life (EoL) date for Bookworm. Unlike these routine updates, DLA-4331-1 removes the HTTPS Everywhere extension because its outdated rulesets could redirect users to malware sites. DLA-4333-1 fixes a vulnerability in php-horde-css-parser that could allow remote code execution via uncontrolled input. Finally, a distro-info-data database update is also available for Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS users.
[DLA 4330-1] ghostscript security update
[DLA 4332-1] distro-info-data database update
[DLA 4331-1] https-everywhere security update
[DLA 4333-1] php-horde-css-parser security update
ELA-1539-1 distro-info-data database update
Liquorix Linux Kernel 6.16-11, based on Linux Kernel 6.16.12, has been released. The kernel features Zen Interactive Tuning technology, scheduling improvements, optimized Block Layer tweaks, and CPUFreq settings adjustments to boost performance and prioritize responsiveness over power consumption. Additionally, it includes extra features such as High Resolution Scheduling, Budget Fair Queue disk scheduler, TCP BBR2 Congestion Control, and Compressed Swap with LZ4 compression for improved data transfer speed and reduced swap storage size. Users can easily install the kernel by running a provided script using curl and bash commands, making it suitable for a wide range of hardware as a drop-in replacement for standard distribution kernels.
Multiple vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service, or information leaks. For Debian GNU/Linux 11 (Bullseye) LTS, these problems have been fixed in linux-6.1 version 6.1.153-1 and linux version 5.10.244-1, which also include additional bug fixes from the stable updates. Additionally, security updates for Debian 9, 10, and 11 have been released for the libfcgi package to fix an integer overflow vulnerability that could lead to a heap-based buffer overflow via crafted data sent to the IPC socket.
[DLA 4328-1] linux-6.1 security update
[DLA 4327-1] linux security update
[DLA 4329-1] libfcgi security update
ELA-1538-1 libfcgi security update
A security update was released for the Ghostscript package to fix multiple issues that could lead to denial of service or potentially the execution of arbitrary code when Ghostscript processes malformed document files. For Debian GNU/Linux 12 (Bookworm), the issues are fixed in version 10.0.0~dfsg-11+deb12u8, and for Debian GNU/Linux 13 (Trixie) in version 10.05.1~dfsg-1+deb13u1.
[DSA 6024-1] ghostscript security update
Debian has issued two security advisories: DLA-4326-1 for Asterisk on Debian GNU/Linux 11 (Bullseye) LTS and DSA-6023-1 for Tiff on both Debian GNU/Linux 12 (Bookworm) and 13 (Trixie). The Asterisk advisory (DLA-4326-1) fixes two vulnerabilities, including a local privilege escalation vulnerability in the safe_asterisk script and a lack of session termination that can lead to resource exhaustion. The Tiff advisory (DSA-6023-1) fixes a denial-of-service or potentially arbitrary code execution vulnerability caused by missing input sanitizing in the libtiff library.
[DLA 4326-1] asterisk security update
[DSA 6023-1] tiff security update