Debian 10694 Published by

Debian GNU/Linux has received several security updates, including audiofile, libcaca, libetpan, libxml2, libfastjson, and php security updates:

Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1489-1 php7.0 security update

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1488-1 php7.3 security update
ELA-1487-1 libxml2 security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4255-1] audiofile security update
[DLA 4257-1] libcaca security update
[DLA 4256-1] libetpan security update
[DLA 4258-1] libfastjson security update

Debian GNU/Linux 12 (Bookworm):
[DSA 5967-1] php8.2 security update



[SECURITY] [DLA 4255-1] audiofile security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4255-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
July 28, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : audiofile
Version : 0.3.6-5+deb11u1
CVE ID : CVE-2019-13147 CVE-2022-24599

The audiofile library allows the processing of audio data to and
from audio files of many common formats (currently AIFF, AIFF-C,
WAVE, NeXT/Sun, BICS, and raw data).

CVE-2019-13147

Audiofile was vulnerable to an integer overflow. The fix bails out early
if a NeXT audio file declares too many channels.

CVE-2022-24599

A memory leak was found due to reading a copyright field that is not
NUL-terminated. The fix preallocates zeroed memory and always
NUL-terminates C strings.
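The two fixes above follow the same defensive pattern: reject implausible header values before they feed a size computation, and copy untrusted string fields into zeroed, always-terminated memory. The following is an added illustration of that pattern written for this page, not audiofile's own code; the 16-channel limit, the PCM encoding table and the sample header are assumptions constructed for the example.

```c
/* Added example (not audiofile's code): header checks in the spirit of
 * the two fixes above. A NeXT/Sun ".snd" header is six big-endian 32-bit
 * words (magic, data offset, data size, encoding, sample rate, channels)
 * followed by an optional annotation string up to the data offset. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define SND_MAGIC    0x2e736e64u  /* ".snd" */
#define MAX_CHANNELS 16u          /* sanity limit assumed for this example */

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/* Linear PCM encodings 2..5 are 8/16/24/32-bit samples; anything else is rejected. */
static uint32_t bytes_per_sample(uint32_t enc) { return (enc >= 2 && enc <= 5) ? enc - 1 : 0; }

/* Frame size = channels * bytes per sample. Bails out early on an
 * implausible channel count (the CVE-2019-13147 pattern) and on overflow. */
size_t next_frame_size(uint32_t channels, uint32_t bps) {
    if (channels == 0 || channels > MAX_CHANNELS) return 0;
    if (bps == 0 || bps > SIZE_MAX / channels) return 0;
    return (size_t)channels * bps;
}

/* Copy a field that may lack a terminator into zeroed memory that always
 * has one (the CVE-2022-24599 pattern). Caller frees the result. */
char *copy_nul_terminated(const unsigned char *field, size_t len) {
    char *out = calloc(len + 1, 1);       /* zeroed, one extra byte for '\0' */
    if (out == NULL) return NULL;
    memcpy(out, field, len);              /* never reads past len */
    return out;                           /* out[len] is already '\0' */
}

/* Returns the frame size, or 0 if the header is rejected; *annot receives
 * a NUL-terminated copy of the annotation (NULL on rejection). */
size_t parse_snd_header(const unsigned char *buf, size_t buflen, char **annot) {
    *annot = NULL;
    if (buflen < 24 || be32(buf) != SND_MAGIC) return 0;
    uint32_t off = be32(buf + 4);
    if (off < 24 || off > buflen) return 0;      /* annotation must fit in buf */
    size_t frame = next_frame_size(be32(buf + 20), bytes_per_sample(be32(buf + 12)));
    if (frame == 0) return 0;
    *annot = copy_nul_terminated(buf + 24, off - 24);
    return *annot ? frame : 0;
}

/* Constructed header: 16-bit PCM, 44100 Hz, 2 channels, unterminated annotation "abcd". */
const unsigned char SAMPLE_HEADER[] = {
    '.','s','n','d', 0,0,0,28, 0xff,0xff,0xff,0xff,
    0,0,0,3, 0,0,0xac,0x44, 0,0,0,2, 'a','b','c','d' };
```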

For Debian 11 bullseye, these problems have been fixed in version
0.3.6-5+deb11u1.

We recommend that you upgrade your audiofile packages.

For the detailed security status of audiofile please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/audiofile

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4257-1] libcaca security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4257-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
July 28, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : libcaca
Version : 0.99.beta19-2.2+deb11u1
CVE ID : CVE-2021-30498 CVE-2021-30499

Two issues have been found in libcaca, a colour ASCII art library.
Both are related to heap buffer overflow, which might lead to memory
corruption.

For Debian 11 bullseye, these problems have been fixed in version
0.99.beta19-2.2+deb11u1.

We recommend that you upgrade your libcaca packages.

For the detailed security status of libcaca please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libcaca

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4256-1] libetpan security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4256-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
July 28, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : libetpan
Version : 1.9.4-3+deb11u1
CVE ID : CVE-2022-4121

It was discovered that there was a potential null pointer dereference
vulnerability in libetpan, a low-level library for handling email.

For Debian 11 bullseye, this problem has been fixed in version
1.9.4-3+deb11u1.

We recommend that you upgrade your libetpan packages.

For the detailed security status of libetpan please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libetpan

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1489-1 php7.0 security update


Package : php7.0
Version : 7.0.33-0+deb9u22 (stretch)

Related CVEs :
CVE-2025-1220
CVE-2025-1735
CVE-2025-6491

CVE-2025-1220

Jihwan Kim discovered that fsockopen() lacks validation that the
supplied hostname does not contain null characters, which may lead
other functions such as parse_url() to treat the hostname incorrectly,
potentially enabling Server Side Request Forgery.

CVE-2025-1735

It was discovered that the pgsql and pdo_pgsql escaping functions do
not check whether the underlying quoting functions returned errors,
which may lead to crashes due to null pointer dereferences.
This issue is related to CVE-2025-1094, which was reported to
PostgreSQL.

CVE-2025-6491

Ahmed Lekssays discovered that SoapVar instances created with a
fully qualified name larger than 2G could lead to denial of service
due to a null pointer dereference.


ELA-1488-1 php7.3 security update


Package : php7.3
Version : 7.3.31-1~deb10u11 (buster)

Related CVEs :
CVE-2025-1220
CVE-2025-1735
CVE-2025-6491

CVE-2025-1220

Jihwan Kim discovered that fsockopen() lacks validation that the
supplied hostname does not contain null characters, which may lead
other functions such as parse_url() to treat the hostname incorrectly,
potentially enabling Server Side Request Forgery.

CVE-2025-1735

It was discovered that the pgsql and pdo_pgsql escaping functions do
not check whether the underlying quoting functions returned errors,
which may lead to crashes due to null pointer dereferences.
This issue is related to CVE-2025-1094, which was reported to
PostgreSQL.

CVE-2025-6491

Ahmed Lekssays discovered that SoapVar instances created with a
fully qualified name larger than 2G could lead to denial of service
due to a null pointer dereference.


ELA-1487-1 libxml2 security update


Package : libxml2
Version : 2.9.4+dfsg1-2.2+deb9u14 (stretch), 2.9.4+dfsg1-7+deb10u12 (buster)

Related CVEs :
CVE-2024-34459
CVE-2025-6021
CVE-2025-6170
CVE-2025-49794
CVE-2025-49796

CVE-2024-34459

Zhineng Zhong discovered that formatting error messages with xmllint --htmlout could result in a buffer over-read.

CVE-2025-6021

Ahmed Lekssays discovered an integer overflow issue in
xmlBuildQName() which could result in memory corruption or a
denial of service when processing crafted input.

CVE-2025-6170

Ahmed Lekssays discovered a stack-based buffer overflow issue in the
command-parsing logic of the interactive shell in xmllint.

CVE-2025-49794

Nikita Sveshnikov discovered a heap use-after-free issue in the
Schematron code. When processing XPath expressions in Schematron
schema elements, a pointer to freed memory is returned and then
accessed, leading to undefined behavior or potential crashes.

CVE-2025-49796

Nikita Sveshnikov discovered a type confusion issue in the
Schematron code. Processing sch:name elements and accessing namespace
information may lead to memory corruption or undefined behavior.


[SECURITY] [DLA 4258-1] libfastjson security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4258-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
July 28, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : libfastjson
Version : 0.99.9-1+deb11u1
CVE ID : CVE-2020-12762

An issue has been found in libfastjson, a fast JSON library for C.
Due to missing checks, an out-of-bounds write might happen when parsing
large JSON files.

For Debian 11 bullseye, this problem has been fixed in version
0.99.9-1+deb11u1.

We recommend that you upgrade your libfastjson packages.

For the detailed security status of libfastjson please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libfastjson

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 5967-1] php8.2 security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5967-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 28, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : php8.2
CVE ID : CVE-2025-1220 CVE-2025-1735 CVE-2025-6491

Multiple security issues were found in PHP, a widely used open source
general purpose scripting language, which could result in denial of
service or server side request forgery.

For the stable distribution (bookworm), these problems have been fixed in
version 8.2.29-1~deb12u1.

We recommend that you upgrade your php8.2 packages.

For the detailed security status of php8.2 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/php8.2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/