Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1484-1 dcmtk security update
ELA-1485-1 djvulibre security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4246-1] libowasp-esapi-java security update
[DLA 4245-1] libcommons-fileupload-java security update
[DLA 4244-1] tomcat9 security update
[DLA 4247-1] djvulibre security update
ELA-1484-1 dcmtk security update
Package : dcmtk
Version : 3.6.1~20160216-4.1+deb9u2 (stretch), 3.6.4-2.1+deb10u3 (buster)
Related CVEs :
CVE-2022-2119
CVE-2022-2120
CVE-2025-2357
CVE-2025-25472
CVE-2025-25474
CVE-2025-25475
Multiple vulnerabilities have been fixed in DCMTK, a collection of libraries and applications implementing large parts of the DICOM standard for medical images.
CVE-2022-2119
Path traversal vulnerability
CVE-2022-2120
Path traversal vulnerability
CVE-2025-2357
Segfault in JPEG-LS decoder
CVE-2025-25472
DoS with invalid mono images
CVE-2025-25474
Buffer overflow with invalid images
CVE-2025-25475
NULL pointer dereference
[SECURITY] [DLA 4246-1] libowasp-esapi-java security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4246-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
July 22, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libowasp-esapi-java
Version : 2.4.0.0-0+deb11u1
CVE ID : CVE-2022-23457 CVE-2022-24891 CVE-2025-5878
Debian Bug : 1010339 1109378
Several security vulnerabilities have been discovered in libowasp-esapi-java,
a Java Enterprise Security API.
CVE-2022-23457:
ESAPI (The OWASP Enterprise Security API) is a free, open source, web
application security control library. Prior to this update the default
implementation of `Validator.getValidDirectoryPath(String, String, File,
boolean)` could incorrectly treat the tested input string as a child of the
specified parent directory. An access-control check that relies on this
result could therefore be bypassed if an attacker can specify the entire
string representing the 'input' path.
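The following is an added illustration of the containment-check class this CVE concerns; it is not ESAPI's own code and does not reproduce the library's fix. A parent/child test that compares raw path strings accepts a sibling directory whose name merely begins with the parent's name, and never collapses `..` segments, whereas a check that normalizes both paths and compares them component-wise does not. The paths used are constructed for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example (not ESAPI code): two ways to test whether `input` lies under `parent`. */
public final class DirectoryContainment {

    /**
     * Flawed: a raw string prefix test. "/srv/app/data-old/..." starts with
     * "/srv/app/data", and "/srv/app/data/../../etc/passwd" is never normalized,
     * so both are accepted as children of the parent.
     */
    static boolean naiveIsChild(String parent, String input) {
        return input.startsWith(parent);
    }

    /**
     * Hardened: make both paths absolute, collapse "." and "..", then compare whole
     * path components with Path.startsWith, and reject the parent itself.
     * Symlinks are not resolved here; call toRealPath() on existing files if they matter.
     */
    static boolean isChild(String parent, String input) {
        Path base = Paths.get(parent).toAbsolutePath().normalize();
        Path candidate = Paths.get(input).toAbsolutePath().normalize();
        return !candidate.equals(base) && candidate.startsWith(base);
    }

    public static void main(String[] args) {
        String parent = "/srv/app/data";               // constructed sample parent directory
        String[] inputs = {
            "/srv/app/data/reports/2025.csv",  // genuine child
            "/srv/app/data-old/secret.txt",    // sibling directory whose name shares a prefix
            "/srv/app/data/../../etc/passwd",  // traversal out of the parent
            "/srv/app/data",                   // the parent itself, not a child
        };
        for (String in : inputs) {
            System.out.printf("%-36s naive=%-5b hardened=%b%n",
                    in, naiveIsChild(parent, in), isChild(parent, in));
        }
    }
}
```

Only the first input passes the hardened check; the naive prefix test accepts all four, which is the shape of bug a caller of a directory-path validator needs to be protected from.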
CVE-2022-24891:
There is a potential cross-site scripting vulnerability in ESAPI caused by
an incorrect regular expression for "onsiteURL" in the
**antisamy-esapi.xml** configuration file, which can cause "javascript:"
URLs to fail to be correctly sanitized.
CVE-2025-5878:
This issue affects the Encoder.encodeForSQL interface of the SQL Injection
Defense: its output does not reliably neutralize special elements used in
an SQL command, so it must not be relied on as a defense against SQL
injection. We are not aware of any affected reverse-dependencies in Debian,
but if you use ESAPI in a stand-alone project you should be aware that the
Encoder.encodeForSQL method has been deprecated and will eventually be
removed. The DB2Codec, MySQLCodec and OracleCodec classes have been
deprecated as well. We recommend that you carefully assess whether your
project uses these classes and methods and whether you need to take
additional steps (for example, parameterized queries) to secure your
application. The update does not automatically protect you from these risks.
For Debian 11 bullseye, these problems have been fixed in version
2.4.0.0-0+deb11u1.
We recommend that you upgrade your libowasp-esapi-java packages.
For the detailed security status of libowasp-esapi-java please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libowasp-esapi-java
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4245-1] libcommons-fileupload-java security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4245-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
July 22, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libcommons-fileupload-java
Version : 1.4-1+deb11u1
CVE ID : CVE-2023-24998 CVE-2025-48976
Debian Bug : 1031733 1108120
Two security vulnerabilities have been found in libcommons-fileupload-java,
a Java library that adds robust, high-performance file upload capability
to servlets and web applications.
CVE-2023-24998:
Apache Commons FileUpload does not limit the number of request
parts to be processed resulting in the possibility of an attacker
triggering a DoS with a malicious upload or series of uploads. Note that,
like all of the file upload limits, the new configuration option
(FileUploadBase#setFileCountMax) is not enabled by default and must be
explicitly configured.
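As an added example, not part of the advisory and not the library's own code, this is how a servlet would opt in to the part-count limit the advisory refers to, alongside the per-file and per-request size limits that are likewise unlimited unless set. The limit values are assumptions chosen for illustration; the setters are the public FileUploadBase methods and the class names are those of the commons-fileupload 1.x API.

```java
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

/** Added example: parse a multipart request with explicit upper bounds on every resource. */
public final class BoundedMultipartParser {

    // Illustrative limits (assumptions); tune them to what the endpoint legitimately needs.
    static final long MAX_PARTS = 20;                        // FileUploadBase#setFileCountMax (CVE-2023-24998)
    static final long MAX_FILE_BYTES = 10L * 1024 * 1024;    // per uploaded file
    static final long MAX_REQUEST_BYTES = 32L * 1024 * 1024; // whole multipart request body

    static ServletFileUpload configuredUpload() {
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        // None of these limits is enforced unless set: the default for each is -1, meaning unlimited.
        upload.setFileCountMax(MAX_PARTS);
        upload.setFileSizeMax(MAX_FILE_BYTES);
        upload.setSizeMax(MAX_REQUEST_BYTES);
        return upload;
    }

    /** Returns the parsed parts, or throws FileUploadException when the request exceeds any limit. */
    static List<FileItem> parse(HttpServletRequest request) throws FileUploadException {
        if (!ServletFileUpload.isMultipartContent(request)) {
            throw new FileUploadException("not a multipart request");
        }
        return configuredUpload().parseRequest(request);
    }
}
```

Installing the fixed package adds the counter; it does not turn it on. An audit for this CVE therefore has to find the place in the application where the ServletFileUpload (or FileUpload) instance is built and confirm that setFileCountMax is called there.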
CVE-2025-48976:
Allocation of resources for multipart headers with insufficient limits
enabled a DoS vulnerability in Apache Commons FileUpload.
For Debian 11 bullseye, these problems have been fixed in version
1.4-1+deb11u1.
We recommend that you upgrade your libcommons-fileupload-java packages.
For the detailed security status of libcommons-fileupload-java please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libcommons-fileupload-java
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4244-1] tomcat9 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4244-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
July 22, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : tomcat9
Version : 9.0.107-0+deb11u1
CVE ID : CVE-2024-34750 CVE-2024-54677 CVE-2025-31650 CVE-2025-31651
CVE-2025-46701 CVE-2025-48976 CVE-2025-48988 CVE-2025-49125
CVE-2025-52434 CVE-2025-52520 CVE-2025-53506
Several security vulnerabilities have been found in Tomcat 9, a Java web server
and servlet engine. Most notably the update improves the handling of HTTP/2
connections and corrects various flaws which can lead to uncontrolled resource
consumption and a denial of service.
For Debian 11 bullseye, these problems have been fixed in version
9.0.107-0+deb11u1.
We recommend that you upgrade your tomcat9 packages.
For the detailed security status of tomcat9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat9
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4247-1] djvulibre security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4247-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
July 21, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : djvulibre
Version : 3.5.28-2.2~deb11u1
CVE ID : CVE-2021-46310 CVE-2021-46312 CVE-2025-53367
Debian Bug : 1052668 1052669 1108729
Multiple vulnerabilities have been fixed in DjVuLibre,
a library and tools to handle documents in the DjVu format.
CVE-2021-46310
Divide by zero in IW44Image::Map::image()
CVE-2021-46312
Divide by zero in IWBitmap::Encode::init()
CVE-2025-53367
Buffer overflow in MMRDecoder
For Debian 11 bullseye, these problems have been fixed in version
3.5.28-2.2~deb11u1.
We recommend that you upgrade your djvulibre packages.
For the detailed security status of djvulibre please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/djvulibre
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1485-1 djvulibre security update
Package : djvulibre
Version : 3.5.27.1-7+deb9u3 (stretch), 3.5.27.1-10+deb10u2 (buster)
Related CVEs :
CVE-2021-46312
CVE-2025-53367
Multiple vulnerabilities have been fixed in DjVuLibre, a library and tools to handle documents in the DjVu format.
CVE-2021-46312
Divide by zero in IWBitmap::Encode::init()
CVE-2025-53367
Buffer overflow in MMRDecoder