Debian 10794 Published by Philipp Esselbach 0

A security update has been released for the SOGo groupware server to fix cross-site scripting (XSS) vulnerabilities. The two issues, CVE-2024-34462 and CVE-2025-63499, let an attacker inject script into pages served by SOGo through the attachment preview and through the theme parameter. For Debian 11 users, version 5.0.1-4+deb11u3 of the SOGo package fixes both problems.

[DLA 4434-1] sogo security update

The Debian Project has released Debian GNU/Linux 13.3, the third point release of the current stable distribution, Debian 13 (Trixie). A point release is not a new version of Debian: it rolls up corrections for security problems and other serious bugs into the packages already in stable, so an installed system is brought up to date by upgrading against an up-to-date Debian mirror, with no reinstall needed. New installation images incorporating the fixes will be available soon through Debian's usual channels. Alongside general bug fixes across many packages, the release includes updates to security-sensitive software such as Apache2 and OpenVPN.

The Debian Project has released Debian GNU/Linux 12.13, the latest point release of the "oldstable" distribution, Debian 12 (Bookworm). It does not introduce a new version of Bookworm but updates the existing packages, chiefly with security fixes for important software, so existing systems are upgraded in place from an up-to-date Debian mirror. The update also carries smaller corrections and bug fixes across many packages, with the security emphasis falling on widely used code such as Chromium, Firefox ESR, and OpenSSL.

Debian Security Advisory DSA-6097-1 addresses a security issue in the Chromium web browser. The flaw, CVE-2026-0628, could lead to arbitrary code execution, denial of service, or information disclosure. It is fixed in the Chromium packages for both Debian GNU/Linux 12 (Bookworm) and 13 (Trixie), versions 143.0.7499.192-1~deb12u1 and 143.0.7499.192-1~deb13u1 respectively.

[DSA 6097-1] chromium security update

Liquorix Linux Kernel 6.18-4 has been released by Steven Barrett, based on the standard Linux Kernel 6.18, and designed to optimize desktop performance for multimedia and gaming workloads. The new kernel includes notable improvements such as Zen Interactive Tuning, which prioritizes responsiveness over power saving, and optimizes I/O and memory management through tweaks to the Block Layer.

Debian has released security updates for two packages: pdfminer and vlc. The pdfminer update, version 20200726-1+deb11u2 for Debian GNU/Linux 11 (Bullseye) LTS, fixes a vulnerability that could allow arbitrary code execution when processing a malicious PDF file. The vlc update, version 3.0.23-0+deb12u1 for Debian GNU/Linux 12 (Bookworm) and 3.0.23-0+deb13u1 for 13 (Trixie), addresses multiple vulnerabilities that could result in denial of service or arbitrary code execution when opening a malformed video file.

[DLA 4374-2] pdfminer security update
[DSA 6096-1] vlc security update

The Debian project has released security updates for two packages. The libsodium update, version 1.0.18-1+deb11u1 for Debian GNU/Linux 11 (Bullseye) LTS, fixes a flaw in the crypto_core_ed25519_is_valid_point() function, which mishandled its checks for whether an encoded point is a valid Ed25519 curve point. The foomuuri update, version 0.27-2+deb13u1 for Debian GNU/Linux 13 (Trixie), addresses two vulnerabilities in the foomuuri firewall generator that could allow unauthorized users to tamper with the firewall configuration.

[DLA 4435-1] libsodium security update
[DSA 6095-1] foomuuri security update

Debian has issued several security updates, covering vulnerabilities in ImageMagick, GIMP, U-Boot, Adminer, and ruby-rmagick, together with a libsodium security update for Bookworm and Trixie:

Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1607-1 gimp security update
ELA-1608-1 u-boot security update

Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1606-1 imagemagick security update

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1604-1 gimp security update
ELA-1605-1 adminer security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4433-1] ruby-rmagick security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6094-1] libsodium security update

Steven Barrett has released Liquorix Linux kernel 6.18-3, a custom build of the 6.18 kernel tuned for desktop, multimedia and gaming workloads. It carries the usual Liquorix changes: Zen Interactive Tuning, which favours responsiveness over power saving, adjusted CPUFreq control, and tweaks to I/O and memory management. Liquorix 6.18-3 also keeps the series' other performance features, such as high-resolution scheduling, real-time handling, and the Budget Fair Queueing (BFQ) I/O scheduler for managing disk throughput and latency. Binary builds for Debian, Ubuntu, and Arch Linux can be downloaded from the Liquorix website or installed with the project's installation script.

Debian has issued security updates for several packages, including curl and GIMP. A vulnerability in curl that can cause a crash or an out-of-bounds memory read has been fixed in version 7.74.0-1.3+deb11u16 for Debian GNU/Linux 11 (Bullseye) LTS. Multiple vulnerabilities were also discovered in GIMP, the GNU Image Manipulation Program, which could result in denial of service or arbitrary code execution if malformed files are opened.

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1605-1 adminer security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4432-1] curl security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6093-1] gimp security update

The GIMP security update ELA-1604-1 addresses multiple file-parsing problems that could lead to crashes or arbitrary code execution when malicious files are opened. The issues include CVE-2007-3126, which was previously fixed in Debian GNU/Linux 10 (Buster) ELTS and is now also fixed in Debian GNU/Linux 9 (Stretch) ELTS, together with two newer vulnerabilities: CVE-2025-14422, a flaw in PNM file parsing that allows remote attackers to execute arbitrary code, and CVE-2025-14425, a heap-based buffer overflow in JP2 file parsing. All of them require user interaction: the victim has to open a malicious file or visit a malicious page. The update is available for both stretch (version 2.8.18-1+deb9u7) and buster (version 2.10.8-2+deb10u6).

ELA-1604-1 gimp security update

A security update has been released for the GNU Image Manipulation Program (GIMP) in Debian GNU/Linux 11 (Bullseye) LTS, addressing multiple vulnerabilities that could lead to buffer overflows and arbitrary code execution. The vulnerabilities, identified as CVE-2022-30067, CVE-2025-14422, and CVE-2025-14425, affect GIMP's handling of XCF, PNM, and JP2 files, respectively. These issues can be exploited by an attacker to execute malicious code on a user's system if they visit a malicious page or open a malicious file, requiring user interaction.

[DLA 4431-1] gimp security update

A security update has been released for the net-snmp package to fix a vulnerability that lets an attacker crash the snmptrapd daemon with a specially crafted packet. There is no configuration workaround for the bug, so until the package is upgraded the only defence is to firewall the port snmptrapd listens on (162/udp by default) from untrusted networks. A separate change in the update addresses a parsing issue seen on Linux kernels 6.7 and newer. Additionally, two vulnerabilities were found in the smb4k Samba share browser that allow local denial of service or privilege escalation; both are fixed in the updated package.

Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1603-1 net-snmp security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4430-1] net-snmp security update

Debian GNU/Linux 13 (Trixie):
[DSA 6092-1] smb4k security update

A security update has been released for ImageMagick, the widely used image processing suite, in Debian GNU/Linux 11 (Bullseye) LTS. It fixes multiple vulnerabilities, including memory management errors, integer overflows, and crashes when processing crafted TIFF or MVG files. The fixed version is 8:6.9.11.60+dfsg-1.3+deb11u8, which addresses a set of CVEs running from CVE-2025-65955 to CVE-2025-69204.

[DLA 4429-1] imagemagick security update

Two security updates are available for Debian GNU/Linux 11 (Bullseye) LTS, one for php-dompdf and one for mediawiki. The php-dompdf update fixes two vulnerabilities, PHAR deserialization and a bypass of the restrictions on externally controlled file names, either of which can lead to remote code execution. The MediaWiki update addresses multiple security issues, including information disclosure, denial of service, and privilege escalation, stemming largely from unescaped input handling.

[DLA 4427-1] php-dompdf security update
[DLA 4428-1] mediawiki security update

Steven Barrett has released Liquorix Linux kernel 6.18-2, which offers several improvements to optimize desktop performance for multimedia and gaming workloads. The new kernel includes features that help improve how the system responds quickly while still being stable, such as better management of input/output, memory, and CPU speed control.

Debian has released several security updates for Debian GNU/Linux 11 (Bullseye) LTS, including fixes for openjpeg2, osslsigncode, and python-django. The python-django update addresses two issues: SQL injection via the _connector keyword argument and a potential denial of service in XML serialization. The same vulnerabilities have also been fixed in the python-django packages for Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS.

Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1602-1 python-django security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4424-1] openjpeg2 security update
[DLA 4426-1] osslsigncode security update
[DLA 4425-1] python-django security update

Kodi, the media player and entertainment hub, has been updated to fix multiple security vulnerabilities: a heap buffer overflow (CVE-2023-23082) that allows attackers to cause a denial of service, and a divide-by-zero (CVE-2023-30207) triggered by crafted MP3 files. For Debian GNU/Linux 11 (Bullseye) LTS, the problems have been fixed in version 2:19.1+dfsg2-2+deb11u2.

[DLA 4423-1] kodi security update

A security update has been released for pgbouncer, a lightweight connection pooler for PostgreSQL. It fixes CVE-2025-12819, which allowed an unauthenticated attacker to execute arbitrary SQL during authentication. The issue is fixed in version 1.15.0-1+deb11u2 for Debian GNU/Linux 11 (Bullseye) LTS, and users should upgrade their pgbouncer packages.

[DLA 4422-1] pgbouncer security update

Debian has released security updates for several packages, including python-urllib3 and rails. python-urllib3, the HTTP client library with thread-safe connection pooling, had vulnerabilities that could lead to denial of service or request forgery; they are fixed in version 1.26.5-1~exp1+deb11u2. The Rails web framework had multiple security issues, including command injection and logging of unescaped ANSI sequences, which are addressed in version 2:6.0.3.7+dfsg-2+deb11u4.

Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1601-1 python-urllib3 security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4421-1] python-urllib3 security update
[DLA 4416-1] rails security update