Debian 10693

Multiple security updates have been released for Debian GNU/Linux, including fixes for vulnerabilities in FFmpeg, luajit, and Firebird database. The FFmpeg update addresses several CVEs that could lead to denial of service or arbitrary code execution if malformed files are processed. The luajit update resolves multiple issues that could result in denial of service, including type confusion, out-of-bounds reads, and stack-buffer overflows. Additionally, a security update has been released for the Firebird database, which fixes an XDR message parsing NULL pointer dereference issue (CVE-2025-54989).

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1507-1 luajit security update
ELA-1506-1 firebird3.0 security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4283-1] luajit security update

Debian GNU/Linux 12 (Bookworm):
[DSA 5985-1] ffmpeg security update




[SECURITY] [DSA 5985-1] ffmpeg security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5985-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
August 25, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : ffmpeg
CVE ID : CVE-2023-49502 CVE-2023-50007 CVE-2023-50008
CVE-2024-31582 CVE-2024-35367 CVE-2024-35368
CVE-2025-0518 CVE-2025-7700 CVE-2025-22919

Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.

For the oldstable distribution (bookworm), these problems have been fixed
in version 7:5.1.7-0+deb12u1.

We recommend that you upgrade your ffmpeg packages.

For the detailed security status of ffmpeg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ffmpeg

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4283-1] luajit security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4283-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
August 25, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : luajit
Version : 2.1.0~beta3+dfsg-5.3+deb11u1
CVE ID : CVE-2019-19391 CVE-2020-15890 CVE-2020-24372 CVE-2024-25176
CVE-2024-25177 CVE-2024-25178
Debian Bug : 946053 966148

Multiple vulnerabilities were found in luajit, a just-in-time compiler
for the Lua programming language, which could lead to denial of service.

CVE-2019-19391

It was discovered that debug.getinfo() has a type confusion issue
that leads to arbitrary memory write or read operations, because
certain cases involving valid stack levels and `>` options are
mishandled.

NOTE: The LuaJIT project owner disputes the vulnerability and states
that the debug library is unsafe by design.

CVE-2020-15890

Yongheng Chen discovered an out-of-bounds read because `__gc`
handler frame traversal is mishandled.

CVE-2020-24372

Yongheng Chen discovered an out-of-bounds read in lj_err_run().

CVE-2024-25176

Kutyavin Maxim discovered a stack-buffer-overflow in
lj_strfmt_wfnum().

CVE-2024-25177

Kutyavin Maxim discovered an unsinking of IR_FSTORE for NULL
metatable.

CVE-2024-25178

Kutyavin Maxim discovered an out-of-bounds read in the
stack-overflow handler.

For Debian 11 bullseye, these problems have been fixed in version
2.1.0~beta3+dfsg-5.3+deb11u1.

We recommend that you upgrade your luajit packages.

For the detailed security status of luajit please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/luajit

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1507-1 luajit security update


Package : luajit
Version : 2.1.0~beta3+dfsg-5.1+deb10u1 (buster)

Related CVEs :
CVE-2019-19391
CVE-2020-15890
CVE-2020-24372
CVE-2024-25176
CVE-2024-25177
CVE-2024-25178

CVE-2019-19391

It was discovered that debug.getinfo() has a type confusion issue
that leads to arbitrary memory write or read operations, because
certain cases involving valid stack levels and `>` options are
mishandled.
Note: The LuaJIT project owner disputes the vulnerability and states
that the debug library is unsafe by design.

CVE-2020-15890

Yongheng Chen discovered an out-of-bounds read because `__gc`
handler frame traversal is mishandled.

CVE-2020-24372

Yongheng Chen discovered an out-of-bounds read in lj_err_run().

CVE-2024-25176

Kutyavin Maxim discovered a stack-buffer-overflow in
lj_strfmt_wfnum().

CVE-2024-25177

Kutyavin Maxim discovered an unsinking of IR_FSTORE for NULL
metatable.

CVE-2024-25178

Kutyavin Maxim discovered an out-of-bounds read in the
stack-overflow handler.



ELA-1506-1 firebird3.0 security update


Package : firebird3.0

Version : 3.0.5.33100.ds4-2+deb10u1 (buster)

Related CVEs :
CVE-2025-54989

An XDR message parsing NULL pointer dereference has been fixed in the Firebird database.

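As an added check (example code, not part of any advisory above), the following Python compares a host's installed package versions with the fixed versions these advisories quote, using a port of the dpkg version ordering written from the Debian policy rules rather than dpkg's own code; the `FIXED` table is filled from this page, while `still_vulnerable` and the sample host inputs are constructed here.

```python
# Added example: compare installed Debian package versions with the fixed
# versions quoted in the advisories above, via a port of dpkg version ordering.
import re
from itertools import zip_longest

# (suite, package) -> fixed version, taken from the advisories on this page.
FIXED = {
    ("bookworm", "ffmpeg"): "7:5.1.7-0+deb12u1",
    ("bullseye", "luajit"): "2.1.0~beta3+dfsg-5.3+deb11u1",
    ("buster", "luajit"): "2.1.0~beta3+dfsg-5.1+deb10u1",
    ("buster", "firebird3.0"): "3.0.5.33100.ds4-2+deb10u1",
}

def _order(c: str) -> int:
    """Weight of a non-digit character: '~' < end of string < letters < symbols."""
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else (ord(c) + 256 if c else 0)

def _cmp_part(a: str, b: str) -> int:
    """Compare an upstream or revision string as alternating text/number runs."""
    runs = zip_longest(re.findall(r"(\D*)(\d*)", a),
                       re.findall(r"(\D*)(\d*)", b), fillvalue=("", ""))
    for (sa, na), (sb, nb) in runs:
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def _split(v: str) -> tuple:
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision)."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    """Negative if a < b, zero if equal, positive if a > b (dpkg ordering)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def still_vulnerable(installed: dict, suite: str) -> list:
    """Installed packages whose version is older than the advisory's fix."""
    return [p for p, v in installed.items()
            if (suite, p) in FIXED and compare_versions(v, FIXED[(suite, p)]) < 0]
```

Feed `still_vulnerable` a dict built from `dpkg-query -W -f '${Package} ${Version}\n'` output and the host's suite name; packages not covered by these advisories are ignored.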