Debian 10763

Multiple security issues have been found in various Debian packages: python-django (SQL injection and directory traversal), pillow (path traversal and a decompression bomb), python-tornado (XSS from unescaped HTTP headers, and denial of service), ceph (file system compromise and denial of service), and libsodium (mishandling of elliptic curve points). These issues have been fixed in updated versions of each package, and users are advised to upgrade to the fixed versions listed in the advisories below.

Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1632-1 ceph security update

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1631-1 libsodium security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4462-1] pillow security update
[DLA 4461-1] python-tornado security update
[DLA 4460-1] ceph security update

Debian GNU/Linux 13 (Trixie):
[DSA 6117-1] python-django security update



[SECURITY] [DSA 6117-1] python-django security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6117-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 31, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : python-django
CVE ID : CVE-2025-13372 CVE-2025-57833 CVE-2025-59681
CVE-2025-59682 CVE-2025-64459 CVE-2025-64460

Multiple security issues were found in Django, a Python web development
framework, which could result in SQL injection, directory traversal
or denial of service.

For the stable distribution (trixie), these problems have been fixed in
version 3:4.2.27-0+deb13u1.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4462-1] pillow security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4462-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
February 01, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : pillow
Version : 8.1.2+dfsg-0.3+deb11u3
CVE ID : CVE-2021-23437 CVE-2022-24303 CVE-2022-45198

Multiple vulnerabilities have been found in Pillow, an image processing
library for Python.

CVE-2021-23437

The getrgb function is susceptible to a ReDoS.

CVE-2022-24303

A possible path traversal vulnerability allows attackers to delete
files.

CVE-2022-45198

An improper handling of highly compressed GIF data can lead to a
decompression bomb.

For Debian 11 bullseye, these problems have been fixed in version
8.1.2+dfsg-0.3+deb11u3.

We recommend that you upgrade your pillow packages.

For the detailed security status of pillow please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pillow

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4461-1] python-tornado security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4461-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
February 01, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : python-tornado
Version : 6.1.0-1+deb11u3
CVE ID : CVE-2025-67724 CVE-2025-67725 CVE-2025-67726
Debian Bug : 1122660 1122661 1122663

Tornado is a scalable, non-blocking Python web framework and
asynchronous networking library.

CVE-2025-67724

Custom reason phrases are used unescaped in HTTP headers, which can lead
to multiple vulnerabilities (such as XSS, header injection, ...).

CVE-2025-67725

A single maliciously crafted HTTP request can cause a DoS due to the
quadratic performance of handling repeated header lines.

CVE-2025-67726

An inefficient algorithm when parsing parameters for HTTP header
values can potentially cause a DoS.

For Debian 11 bullseye, these problems have been fixed in version
6.1.0-1+deb11u3.

We recommend that you upgrade your python-tornado packages.

For the detailed security status of python-tornado please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-tornado

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4460-1] ceph security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4460-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Utkarsh Gupta
February 01, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : ceph
Version : 14.2.21-1+deb11u2
CVE ID : CVE-2022-0670 CVE-2024-47866
Debian Bug : 1016069 1120797

Ceph is a distributed object, block, and file storage platform.

CVE-2022-0670

A flaw was found in OpenStack Manila: the owner of a Ceph file system
"share" could read and write any Manila share, or the entire file
system. The vulnerability is due to a bug in the "volumes" plugin in
Ceph Manager, and allows an attacker to compromise the confidentiality
and integrity of the file system.

CVE-2024-47866

Using the argument `x-amz-copy-source` to put an object and
specifying an empty string as its content leads to the RGW daemon
crashing, resulting in a DoS attack.

For Debian 11 bullseye, these problems have been fixed in version
14.2.21-1+deb11u2.

We recommend that you upgrade your ceph packages.

For the detailed security status of ceph please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ceph

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1632-1 ceph security update


Package : ceph
Version : 10.2.11-2+deb9u4 (stretch), 12.2.11+dfsg1-2.1+deb10u3 (buster)

Related CVEs :
CVE-2024-47866

Ceph is a distributed object, block, and file storage platform. Using the
argument x-amz-copy-source to put an object and specifying an empty string
as its content leads to the RGW daemon crashing, resulting in a DoS attack.



ELA-1631-1 libsodium security update


Package : libsodium
Version : 1.0.17-1+deb10u1 (buster)

Related CVEs :
CVE-2025-69277

It was discovered that the crypto_core_ed25519_is_valid_point()
function of the Sodium cryptography library mishandled checks for
valid elliptic curve points.