Debian 10985 Published by

Debian released three security advisories, targeting critical flaws in the dpkg package manager, the Chromium browser, and the pgextwlist PostgreSQL extension. The dpkg update resolves CVE-2025-6297, which allows attackers to trigger denial of service attacks by exhausting disk quotas through improperly sanitized directory permissions during package extraction. Chromium receives updates to patch vulnerabilities that previously enabled arbitrary code execution, service disruptions, and unauthorized information disclosure, while pgextwlist addresses SQL injection risks stemming from malformed schema and username inputs.

[DLA 4673-1] dpkg security update
[DSA 6384-1] chromium security update
[DSA 6385-1] pgextwlist security update




[SECURITY] [DLA 4673-1] dpkg security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4673-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Arnaud Rebillout
July 08, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : dpkg
Version : 1.20.14
CVE ID : CVE-2025-6297
Debian Bug : 1061404 1065575 1107971 1108192

A vulnerability have been discovered in dpkg, the Debian package manager
(dpkg is the low-level tool that actually installs or removes packages).

CVE-2025-6297

It was discovered that dpkg-deb does not properly sanitize directory
permissions when extracting a control member into a temporary
directory, which is documented as being a safe operation even on
untrusted data. This may result in leaving temporary files behind on
cleanup. Given automated and repeated execution of dpkg-deb commands
on adversarial .deb packages or with well compressible files, placed
inside a directory with permissions not allowing removal by a
non-root user, this can end up in a DoS scenario due to causing disk
quota exhaustion or disk full conditions.

Additionally, this version includes some minor security fixes that didn't
receive a CVE number, but were reported on the Debian bug tracker, see
the list of Debian bugs above.

For Debian 11 bullseye, this problem has been fixed in version
1.20.14.

We recommend that you upgrade your dpkg packages.

For the detailed security status of dpkg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dpkg

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6384-1] chromium security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6384-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
July 08, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : chromium
CVE ID : not yet available

Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.

For the stable distribution (trixie), this problem has been fixed in
version 150.0.7871.100-1~deb13u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6385-1] pgextwlist security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6385-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
July 08, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : pgextwlist
CVE ID : CVE-2023-39417

Guillaume Winter discovered that pgextwlist, an extension for PostgreSQL
implementing a whitelist mechanism for PostgreSQL extensions, was
susceptible to SQL injection via crafted schema and user names.

For the stable distribution (trixie), this problem has been fixed in
version 1.19-1+deb13u1.

We recommend that you upgrade your pgextwlist packages.

For the detailed security status of pgextwlist please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pgextwlist

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/