Debian GNU/linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1517-1 python-eventlet security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4305-1] firefox-esr security update
Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6004-1] chromium security update
[DSA 6005-1] jetty9 security update
Debian GNU/Linux 13 (Trixie):
[DSA 6006-1] jetty12 security update
[SECURITY] [DLA 4305-1] firefox-esr security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4305-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
September 19, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : firefox-esr
Version : 140.3.0esr-1~deb11u2
CVE ID : CVE-2025-10527 CVE-2025-10528 CVE-2025-10529 CVE-2025-10532
CVE-2025-10533 CVE-2025-10536 CVE-2025-10537
Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, sandbox escape, information disclosure or bypass of the same-origin
policy.
Debian follows the extended support releases (ESR) of Firefox.
So starting with this update we're now following the 140.x releases.
Between 128.x and 140.x, Firefox has seen a number of feature
updates. For more information please refer to
https://www.firefox.com/en-US/firefox/140.0esr/releasenotes/
For Debian 11 bullseye, these problems have been fixed in version
140.3.0esr-1~deb11u2.
We recommend that you upgrade your firefox-esr packages.
For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6004-1] chromium security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-6004-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
September 19, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : chromium
CVE ID : CVE-2025-10500 CVE-2025-10501 CVE-2025-10502 CVE-2025-10585
Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure. Google is aware that an exploit for CVE-2025-10585 exists
in the wild.
For the oldstable distribution (bookworm), these problems have been fixed
in version 140.0.7339.185-1~deb12u1.
For the stable distribution (trixie), these problems have been fixed in
version 140.0.7339.185-1~deb13u1.
We recommend that you upgrade your chromium packages.
For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
ELA-1517-1 python-eventlet security update
Package : python-eventlet
Version : 0.19.0-6+deb9u1 (stretch), 0.20.0-6+deb10u1 (buster)
Related CVEs :
CVE-2025-58068
CVE-2023-40217
A potential HTTP Request Smuggling issue was discovered in python-eventlet, a
concurrent networking library for Python.
This issue was caused by the improper handling of HTTP trailer sections. This
vulnerability could have permitted attackers to bypass front-end security
controls, launch targeted attacks against active site users and/or poison web
caches. This problem has been addressed by dropping trailers, a potentially
breaking change if a backend behind the eventlet.wsgi proxy requires such
trailers.ELA-1517-1 python-eventlet security update
[SECURITY] [DSA 6006-1] jetty12 security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-6006-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
September 19, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : jetty12
CVE ID : CVE-2025-5115
This update for Jetty, a Java servlet engine and web server, addresses
a protocol-level vulnerability in HTTP/2 support also referred to as
"MadeYouReset".
For the stable distribution (trixie), this problem has been fixed in
version 12.0.17-3.1~deb13u1.
We recommend that you upgrade your jetty12 packages.
For the detailed security status of jetty12 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jetty12
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6005-1] jetty9 security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-6005-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
September 19, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : jetty9
CVE ID : CVE-2025-5115
This update for Jetty, a Java servlet engine and web server, addresses a
protocol-level vulnerability in HTTP/2 support also referred to as
"MadeYouReset".
For the oldstable distribution (bookworm), this problem has been fixed
in version 9.4.57-1.1~deb12u1.
For the stable distribution (trixie), this problem has been fixed in
version 9.4.57-1.1~deb13u1.
We recommend that you upgrade your jetty9 packages.
For the detailed security status of jetty9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jetty9
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
