Debian 10517

Debian GNU/Linux has received several security updates: a regression fix for curl, and security updates for gst-plugins-bad1.0, chromium, ublock-origin, and node-tar-fs:

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4213-1] curl regression update
[DLA 4215-1] ublock-origin security update
[DLA 4214-1] node-tar-fs security update

Debian GNU/Linux 12 (Bookworm):
[DSA 5941-1] gst-plugins-bad1.0 security update
[DSA 5942-1] chromium security update
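Each advisory below names the version in which the issue is fixed; the practical check is whether the installed packages are at or above those versions. The script that follows is an added example, not a Debian tool. It re-implements dpkg's version ordering (epoch, upstream version, Debian revision, with "~" sorting before anything else) so it runs on any host, and it parses the output of `dpkg-query -W -f='${source:Package}\t${source:Version}\n'`; when `dpkg-query` is absent it falls back to a constructed sample of that output (not real data). The `FIXED` table, the `audit()` helper and the sample are assumptions of this example.

```python
"""Check installed Debian packages against the fixed versions on this page.

Added example, not a Debian tool. Reimplements dpkg's version ordering so it
runs anywhere, and reads the output of
    dpkg-query -W -f='${source:Package}\t${source:Version}\n'
A constructed sample of that output is embedded for offline use.
"""
import shutil
import subprocess
import sys

# Source package -> fixed version, as stated in the advisories on this page.
FIXED = {
    "bullseye": {
        "curl": "7.74.0-1.3+deb11u15",
        "ublock-origin": "1.62.0+dfsg-0+deb11u1",
        "node-tar-fs": "2.1.3-0+deb11u1",
    },
    "bookworm": {
        "gst-plugins-bad1.0": "1.22.0-4+deb12u6",
        "chromium": "137.0.7151.103-1~deb12u1",
    },
}

# Constructed sample of dpkg-query output for a bullseye host (not real data).
# "curl" appears twice because curl and libcurl4 share one source package.
SAMPLE_DPKG_OUTPUT = """\
curl\t7.74.0-1.3+deb11u14
curl\t7.74.0-1.3+deb11u14
ublock-origin\t1.62.0+dfsg-0+deb11u1
node-tar-fs\t2.1.2-1
"""


def _order(c):
    """dpkg's character weight: '~' < end-of-string = digit < letter < other."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-or-revision strings the way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights one position at a time.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: compare numerically (leading zeros do not matter).
        da = db = ""
        while i < len(a) and a[i].isdigit():
            da += a[i]
            i += 1
        while j < len(b) and b[j].isdigit():
            db += b[j]
            j += 1
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return na - nb
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its three parts (epoch 0, revision '' if absent)."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1, ordering v1 against v2 as dpkg --compare-versions would."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    diff = (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (diff > 0) - (diff < 0)


def audit(dpkg_output, suite):
    """Map each advisory source package present in dpkg_output to (installed, fixed, patched)."""
    installed = {}
    for line in dpkg_output.splitlines():
        if "\t" in line:
            src, ver = line.split("\t", 1)
            installed.setdefault(src, ver)
    report = {}
    for src, fixed in FIXED[suite].items():
        if src in installed:
            cur = installed[src]
            report[src] = (cur, fixed, compare_versions(cur, fixed) >= 0)
    return report


def read_dpkg_output():
    """Real dpkg-query output when the tool exists, otherwise the constructed sample."""
    if shutil.which("dpkg-query"):
        cmd = ["dpkg-query", "-W", "-f=${source:Package}\\t${source:Version}\\n"]
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return SAMPLE_DPKG_OUTPUT


if __name__ == "__main__":
    suite = sys.argv[1] if len(sys.argv) > 1 else "bullseye"
    for src, (cur, fixed, ok) in audit(read_dpkg_output(), suite).items():
        print(f"{'OK ' if ok else 'FIX'} {src}: installed {cur}, fixed in {fixed}")
```

Run it as `python3 check.py bookworm` on a bookworm host; a binNMU suffix such as `+b1` on the installed version still compares as newer than the advisory version, which is the behaviour dpkg itself has.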

[SECURITY] [DLA 4213-1] curl regression update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4213-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Carlos Henrique Lima Melara
June 11, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : curl
Version : 7.74.0-1.3+deb11u15

The initial fix for CVE-2023-27534 in curl made the handling of the tilde (~)
in SFTP URLs much stricter and introduced a regression: listing the home
directory with sftp://host/~ no longer worked at all. This update fixes the
regression.

For Debian 11 bullseye, this problem has been fixed in version
7.74.0-1.3+deb11u15.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 5941-1] gst-plugins-bad1.0 security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5941-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 11, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : gst-plugins-bad1.0
CVE ID : CVE-2025-3887

Multiple vulnerabilities (tracked as CVE-2025-3887) were discovered in the
H.265 plugin for the GStreamer media framework, which may result in denial
of service or potentially the execution of arbitrary code if a malformed
media file is opened.

For the stable distribution (bookworm), these problems have been fixed in
version 1.22.0-4+deb12u6.

We recommend that you upgrade your gst-plugins-bad1.0 packages.

For the detailed security status of gst-plugins-bad1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-bad1.0

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 5942-1] chromium security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5942-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
June 11, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : chromium
CVE ID : CVE-2025-5958 CVE-2025-5959

Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 137.0.7151.103-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4215-1] ublock-origin security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4215-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
June 12, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : ublock-origin
Version : 1.62.0+dfsg-0+deb11u1
CVE ID : CVE-2025-4215
Debian Bug : 1104635

A flaw was found in ublock-origin, a lightweight and efficient blocker for ads,
malware and trackers. A remote attacker could abuse an inefficient regular
expression in ublock-origin's filters (a regular-expression denial of service)
to cause a denial of service and freeze the web browser.
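The mechanism behind an "inefficient regular expression" is catastrophic backtracking: a pattern with a nested quantifier admits exponentially many ways to split one input, and a backtracking engine tries them all before reporting no match. The example below is added here and is not uBlock Origin's code or one of its filters; the filter regex, the `.ads.example` host and the hostile URL are constructed for illustration. It puts a vulnerable URL filter next to an equivalent linear-time rewrite and times both on the same input.

```python
"""Catastrophic backtracking in a URL filter, and a linear-time rewrite.

Added example; the filter below is constructed for illustration and is not
taken from uBlock Origin's lists or source.
"""
import re
import time

# Nested quantifier ([a-z]+)+ : a run of n letters can be split into 2**(n-1)
# groups, and the backtracking engine tries every split once '\.' fails.
VULNERABLE_FILTER = re.compile(r"^https?://([a-z]+)+\.ads\.example/")
# Matches exactly the same URLs, with no nested quantifier: one pass, linear time.
SAFE_FILTER = re.compile(r"^https?://[a-z]+\.ads\.example/")


def hostile_url(n):
    """n letters followed by a character that makes the '\\.' fail (constructed input)."""
    return "http://" + "a" * n + "!"


def timed_match(pattern, url):
    """Return (matched, seconds) for one filter evaluation."""
    t0 = time.perf_counter()
    matched = pattern.match(url) is not None
    return matched, time.perf_counter() - t0


def growth(pattern, sizes=(10, 20)):
    """Seconds spent on a hostile URL of each size; grows exponentially for the vulnerable filter."""
    return [timed_match(pattern, hostile_url(n))[1] for n in sizes]


def compare_filters(url):
    """Both filters must agree on every URL; only the vulnerable one should take measurable time."""
    v_matched, v_secs = timed_match(VULNERABLE_FILTER, url)
    s_matched, s_secs = timed_match(SAFE_FILTER, url)
    assert v_matched == s_matched, "rewrite changed the filter's language"
    return {"matched": v_matched, "vulnerable_s": v_secs, "safe_s": s_secs}


if __name__ == "__main__":
    print(compare_filters("http://tracker.ads.example/pixel.gif"))
    print(compare_filters(hostile_url(20)))
    print("vulnerable:", growth(VULNERABLE_FILTER), "safe:", growth(SAFE_FILTER))
```

Adding a few more letters to the hostile URL doubles the time per letter for the vulnerable filter, which is why a single crafted request can freeze the thread evaluating filters; the safe form does the same job in microseconds regardless of length.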

For Debian 11 bullseye, this problem has been fixed in version
1.62.0+dfsg-0+deb11u1.

We recommend that you upgrade your ublock-origin packages.

For the detailed security status of ublock-origin please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ublock-origin

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4214-1] node-tar-fs security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4214-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
June 11, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : node-tar-fs
Version : 2.1.3-0+deb11u1
CVE ID : CVE-2024-12905 CVE-2025-48387
Debian Bug : 1101501

Two path traversal vulnerabilities have been fixed in node-tar-fs, a Node.js
module that provides filesystem-like access to tar files. In both cases a
crafted archive could cause files to be written outside the directory it is
extracted into.

CVE-2024-12905

    symlink path traversal: an archive entry is extracted through a symlink
    that points outside the destination directory

CVE-2025-48387

    hardlink path traversal: a hardlink entry targets a file outside the
    destination directory
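The two traversal shapes, and the checks that stop them, are easiest to see with an extractor that trusts archive paths next to one that validates them. The following is an added Python example, not node-tar-fs code: `extract_naive` mirrors the unvalidated behaviour the CVEs describe (join the entry name or link target with the destination and act on it), while `extract_safe` resolves every path against the on-disk state before touching it. The two archives are constructed in memory; the `outside/` directory, `secret.txt` and the entry names are assumptions of the example.

```python
"""Symlink and hardlink path traversal during tar extraction, and the checks
that stop it. Constructed Python example (not node-tar-fs code).
"""
import io
import os
import shutil
import tarfile
import tempfile


def _add(tar, name, *, data=None, kind=tarfile.REGTYPE, linkname=""):
    """Append one entry to an in-memory archive (constructed test data)."""
    info = tarfile.TarInfo(name)
    info.type = kind
    info.linkname = linkname
    payload = data.encode() if data is not None else b""
    info.size = len(payload)
    tar.addfile(info, io.BytesIO(payload) if payload else None)


def symlink_attack():
    """Symlink traversal: a link that leaves the destination, then a file written through it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add(tar, "escape", kind=tarfile.SYMTYPE, linkname="../outside")
        _add(tar, "escape/payload", data="owned\n")
    return buf.getvalue()


def hardlink_attack():
    """Hardlink traversal: a link to a file outside the destination, then a write through it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add(tar, "alias", kind=tarfile.LNKTYPE, linkname="../outside/secret.txt")
        _add(tar, "alias", data="overwritten\n")
    return buf.getvalue()


def extract_naive(archive, dest):
    """Unvalidated extraction: joins names and link targets with dest and trusts them."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        for m in tar:
            path = os.path.join(dest, m.name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            if m.issym():
                os.symlink(m.linkname, path)
            elif m.islnk():
                os.link(os.path.join(dest, m.linkname), path)  # target never checked
            elif m.isdir():
                os.makedirs(path, exist_ok=True)
            elif m.isfile():
                with open(path, "wb") as f:  # follows a symlink already on disk
                    f.write(tar.extractfile(m).read())


def _inside(root, path):
    """True if path, with every symlink already on disk resolved, stays under root."""
    root = os.path.realpath(root)
    path = os.path.realpath(path)
    return path == root or path.startswith(root + os.sep)


def extract_safe(archive, dest):
    """Validated extraction. Returns (extracted_names, [(name, reason), ...])."""
    dest = os.path.realpath(dest)
    os.makedirs(dest, exist_ok=True)
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        for m in tar:
            path = os.path.join(dest, m.name)
            # 1. The entry's own path must stay inside dest, even via links written earlier.
            if os.path.isabs(m.name) or not _inside(dest, path):
                rejected.append((m.name, "entry path escapes destination"))
                continue
            # 2. A symlink target is relative to the link's directory and must stay inside too.
            if m.issym():
                target = os.path.join(os.path.dirname(path), m.linkname)
                if os.path.isabs(m.linkname) or not _inside(dest, target):
                    rejected.append((m.name, "symlink target escapes destination"))
                    continue
            # 3. A hardlink target names another entry, so it is resolved against dest.
            elif m.islnk():
                target = os.path.join(dest, m.linkname)
                if os.path.isabs(m.linkname) or not _inside(dest, target):
                    rejected.append((m.name, "hardlink target escapes destination"))
                    continue
            elif not (m.isfile() or m.isdir()):
                rejected.append((m.name, "unsupported entry type"))
                continue
            os.makedirs(os.path.dirname(path), exist_ok=True)
            if m.issym():
                os.symlink(m.linkname, path)
            elif m.islnk():
                os.link(os.path.join(dest, m.linkname), path)
            elif m.isdir():
                os.makedirs(path, exist_ok=True)
            else:
                if os.path.islink(path):
                    os.unlink(path)  # never write through an existing link
                with open(path, "wb") as f:
                    f.write(tar.extractfile(m).read())
            extracted.append(m.name)
    return extracted, rejected


def run_demo(extractor):
    """Run extractor on both archives in a scratch tree; report what it touched outside dest."""
    base = tempfile.mkdtemp()
    try:
        outside, dest = os.path.join(base, "outside"), os.path.join(base, "dest")
        os.makedirs(outside)
        os.makedirs(dest)
        secret = os.path.join(outside, "secret.txt")
        with open(secret, "w") as f:
            f.write("original\n")
        extractor(symlink_attack(), dest)
        extractor(hardlink_attack(), dest)
        with open(secret) as f:
            secret_text = f.read()
        return {"payload_written_outside": os.path.exists(os.path.join(outside, "payload")),
                "secret": secret_text}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print("naive:", run_demo(extract_naive))
    print("safe: ", run_demo(extract_safe))
```

The important detail in `extract_safe` is that `_inside` calls `os.path.realpath` on the path as it exists on disk at that moment, so a file entry whose parent directory was replaced by a symlink earlier in the same archive is rejected too; a purely lexical check on the entry name (stripping `..`) would miss that case.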

For Debian 11 bullseye, these problems have been fixed in version
2.1.3-0+deb11u1.

We recommend that you upgrade your node-tar-fs packages.

For the detailed security status of node-tar-fs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-tar-fs

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS