Debian 10517 Published by

Debian GNU/Linux has been updated with multiple security enhancements, including updates for node-send, a bug fix for auto-apt-proxy, improvements to gdk-pixbuf, DNSSEC trust anchors, xorg-server, and python-django:

Debian GNU/Linux 8 (Jessie) Extended LTS:
ELA-1470-1 python-django security update

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1469-1 auto-apt-proxy bugfix update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4224-1] node-send security update
[DLA 4225-1] gdk-pixbuf security update
[DLA 4226-1] dns-root-data DNSSEC trust anchors update

Debian GNU/Linux 12 (Bookworm):
[DSA 5947-1] xorg-server security update

[SECURITY] [DLA 4224-1] node-send security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4224-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
June 23, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : node-send
Version : 0.17.1-2+deb11u1
CVE ID : CVE-2024-43799
Debian Bug : 1081483

Template injection that can lead to XSS has been fixed in node-send,
a Node.js module for streaming files over HTTP.

For Debian 11 bullseye, this problem has been fixed in version
0.17.1-2+deb11u1.

We recommend that you upgrade your node-send packages.

For the detailed security status of node-send please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-send

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1469-1 auto-apt-proxy bugfix update


Package : auto-apt-proxy
Version : 11+deb10u1 (buster)

auto-apt-proxy no longer attempts to look up a network interface name as a hostname and thereby avoids running into a timeout that caused autopkgtests of other packages to fail.




[SECURITY] [DLA 4225-1] gdk-pixbuf security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4225-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
June 23, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : gdk-pixbuf
Version : 2.42.2+dfsg-1+deb11u3
CVE ID : CVE-2025-6199
Debian Bug : 1107994

Memory disclosure has been fixed in the GIF LZW Decoder of the
GdkPixbuf image loading library.

For Debian 11 bullseye, this problem has been fixed in version
2.42.2+dfsg-1+deb11u3.

We recommend that you upgrade your gdk-pixbuf packages.

For the detailed security status of gdk-pixbuf please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gdk-pixbuf

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4226-1] dns-root-data DNSSEC trust anchors update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4226-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sylvain Beucler
June 23, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : dns-root-data
Version : 2024071801~deb11u1
Debian Bug : #1076995

The dns-root-data package contains DNS root zone data as published by
IANA to be used as initial source by DNS software. This release adds
the DNSKEY record for the KSK-2024 trust anchor. This new key is
planned for use starting October 2026, and the previous one (KSK-2017)
should be revoked January 2027, leaving time to propagate the new
trust anchor, or roll to it sooner in case of emergency.

For Debian 11 bullseye, this problem has been fixed in version
2024071801~deb11u1.

We recommend that you upgrade your dns-root-data packages.

For the detailed security status of dns-root-data please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dns-root-data

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
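The KSK rollover described above, as an added check that is not part of dns-root-data or any Debian tooling: it parses a root.key-style trust-anchor file, computes each DNSKEY's key tag per RFC 4034, and reports whether both KSK-2017 and KSK-2024 are present. The key tags 20326 and 38696 are IANA's published values for those keys and are not stated in the advisory; the sample file is constructed with toy keys, so on it the check reports both anchors missing.

```python
import base64
import struct

# IANA root KSK key tags (well-known published values, not from the advisory).
KSK_2017_TAG = 20326
KSK_2024_TAG = 38696


def dnskey_key_tag(flags, protocol, algorithm, pubkey):
    """Key tag of a DNSKEY RR per RFC 4034 Appendix B (any algorithm but RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8  # even offsets weigh the high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_records(text):
    """Yield (owner, flags, protocol, algorithm, key_tag) per DNSKEY line in
    zone-file syntax: owner [ttl] [class] DNSKEY flags protocol algorithm key..."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # strip trailing comments
        if "DNSKEY" not in fields:
            continue
        k = fields.index("DNSKEY")
        flags, protocol, algorithm = (int(x) for x in fields[k + 1:k + 4])
        pubkey = base64.b64decode("".join(fields[k + 4:]))
        tag = dnskey_key_tag(flags, protocol, algorithm, pubkey)
        yield fields[0], flags, protocol, algorithm, tag


def ksk_key_tags(text):
    """Key tags of root KSK entries: owner '.' and flags 257 (ZONE|SEP)."""
    return {tag for owner, flags, _, _, tag in parse_dnskey_records(text)
            if owner == "." and flags == 257}


def both_root_ksks_present(text):
    """True when a trust-anchor file carries both KSK-2017 and KSK-2024."""
    tags = ksk_key_tags(text)
    return KSK_2017_TAG in tags and KSK_2024_TAG in tags


# Constructed sample in the style of root.key; the keys are toy bytes, so the
# computed tags are 2063 and 2319 rather than the real KSK tags.
SAMPLE_ROOT_KEY = """\
; constructed sample, not real root-zone data
.  IN DNSKEY 257 3 8 AQIDBA==   ; toy "KSK" #1
.  IN DNSKEY 256 3 8 AQ==       ; toy ZSK, ignored by ksk_key_tags
.  IN DNSKEY 257 3 8 BQY=       ; toy "KSK" #2
"""
```

Run it against /usr/share/dns/root.key from the updated package to confirm the KSK-2024 anchor is actually shipped before a resolver is expected to trust it.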



[SECURITY] [DSA 5947-1] xorg-server security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5947-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 23, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : xorg-server
CVE ID : CVE-2025-49175 CVE-2025-49176 CVE-2025-49177 CVE-2025-49178
CVE-2025-49179 CVE-2025-49180

Nils Emmerich discovered several vulnerabilities in the Xorg X server,
which may result in privilege escalation if the X server is running
privileged.

For the stable distribution (bookworm), these problems have been fixed in
version 2:21.1.7-3+deb12u10.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1470-1 python-django security update


Package : python-django
Version : 1.7.11-1+deb8u21 (jessie)

Related CVEs :
CVE-2023-43665

A potential denial-of-service vulnerability was uncovered in Django, a popular
Python-based web-development framework.
Following the fix for CVE-2019-14232, the regular expressions used in the
implementation of django.utils.text.Truncator’s chars() and words()
methods (with html=True) were revised and improved. However, these
regular expressions still exhibited linear backtracking complexity, so
when given a very long, potentially malformed HTML input, the evaluation would
still be slow, leading to a potential denial of service vulnerability.
The chars() and words() methods are used to implement the
truncatechars_html and truncatewords_html template filters, which were thus
also vulnerable.
The input processed by Truncator, when operating in HTML mode, has been
limited to the first five million characters in order to avoid potential
performance and memory issues.
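The mitigation described above, as an added illustration that is not Django's own code: a simplified stand-in for Truncator.words(num, html=True) that applies the same five-million-character cap before any processing, and uses a single forward scan instead of a backtracking regular expression so that malformed input such as a long run of "<" without a matching ">" costs linear time. Tag balancing after the cut is left out; the max_length parameter is an assumption added only so the cap can be exercised on small inputs.

```python
MAX_LENGTH_HTML = 5_000_000  # cap adopted by the fix for CVE-2023-43665


def truncate_words_html(text, num, suffix="…", max_length=MAX_LENGTH_HTML):
    """Return the first `num` words of `text`, keeping HTML tags intact.

    Tags are copied through untouched and only text between tags counts
    as words. The input is trimmed to `max_length` characters first, as
    the Django fix does in HTML mode.
    """
    text = text[:max_length]
    out, words, i, n = [], 0, 0, len(text)
    next_gt = -2  # index of the next ">" at or after i; -1 once none remain
    while i < n:
        ch = text[i]
        if ch == "<":
            if next_gt != -1 and next_gt < i:
                next_gt = text.find(">", i)  # ranges scanned never overlap
            if next_gt == -1:
                i += 1  # unterminated "<" with no ">" ahead: skip it
                continue
            out.append(text[i:next_gt + 1])  # a complete tag, copied verbatim
            i = next_gt + 1
        elif ch.isspace():
            out.append(ch)
            i += 1
        else:
            if words == num:  # another word follows: cut here and mark it
                return "".join(out).rstrip() + suffix
            j = i
            while j < n and not text[j].isspace() and text[j] != "<":
                j += 1
            out.append(text[i:j])
            words += 1
            i = j
    return "".join(out)  # num words or fewer: nothing was cut, no suffix
```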
