
Researchers have discovered multiple security vulnerabilities in various Debian software packages, such as Firefox and Samba. Updated versions of the software have fixed these vulnerabilities, which could potentially lead to privilege escalation, denial of service, or information leaks. For example, an update for Debian's oldstable distribution fixes multiple security issues in the Mozilla Firefox web browser, while another update fixes a vulnerability in the Samba SMB/CIFS file and print server.

Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1613-1 postgresql-9.6 security update

Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1614-1 linux-6.1 security update
ELA-1611-1 samba security update

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1612-1 postgresql-11 security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4439-1] firefox-esr security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6101-1] firefox-esr security update



[SECURITY] [DSA 6101-1] firefox-esr security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6101-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 15, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : firefox-esr
CVE ID : CVE-2025-14327 CVE-2026-0877 CVE-2026-0878 CVE-2026-0879
CVE-2026-0880 CVE-2026-0882 CVE-2026-0883 CVE-2026-0884
CVE-2026-0885 CVE-2026-0886 CVE-2026-0887 CVE-2026-0890
CVE-2026-0891

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, sandbox escape, information disclosure or spoofing.

For the oldstable distribution (bookworm), these problems have been fixed
in version 140.7.0esr-1~deb12u1.

For the stable distribution (trixie), these problems have been fixed in
version 140.7.0esr-1~deb13u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4439-1] firefox-esr security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4439-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
January 15, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : firefox-esr
Version : 140.7.0esr-1~deb11u1
CVE ID : CVE-2025-14327 CVE-2026-0877 CVE-2026-0878 CVE-2026-0879
CVE-2026-0880 CVE-2026-0882 CVE-2026-0883 CVE-2026-0884
CVE-2026-0885 CVE-2026-0886 CVE-2026-0887 CVE-2026-0890
CVE-2026-0891

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, sandbox escape, information disclosure or spoofing.

For Debian 11 bullseye, these problems have been fixed in version
140.7.0esr-1~deb11u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1613-1 postgresql-9.6 security update


Package : postgresql-9.6
Version : 9.6.24-0+deb9u10 (stretch)

Related CVEs :
CVE-2025-4207
CVE-2025-8713
CVE-2025-8714
CVE-2025-8715
CVE-2025-12818

Multiple vulnerabilities were fixed in PostgreSQL, a popular database.

CVE-2025-4207

Buffer over-read in PostgreSQL GB18030 encoding
validation allows a database input provider to achieve temporary denial of
service on platforms where a 1-byte over-read can elicit process
termination. This affects the database server and also libpq.

CVE-2025-8713

PostgreSQL optimizer statistics allow a user to read
sampled data within a view that the user cannot access. Separately,
statistics allow a user to read sampled data that a row security policy
intended to hide. PostgreSQL maintains statistics for tables by sampling
data available in columns; this data is consulted during the query
planning process. Prior to this release, a user could craft a leaky
operator that bypassed view access control lists (ACLs) and bypassed row
security policies in partitioning or table inheritance hierarchies.
Reachable statistics data notably included histograms and
most-common-values lists. CVE-2017-7484 and CVE-2019-10130 intended to
close this class of vulnerability, but this gap remained.

CVE-2025-8714

Untrusted data inclusion in pg_dump in PostgreSQL
allows a malicious superuser of the origin server to inject arbitrary code
for restore-time execution as the client operating system account running
psql to restore the dump, via psql meta-commands. pg_dumpall is also
affected. pg_restore is affected when used to generate a plain-format
dump. This is similar to MySQL CVE-2024-21096.

CVE-2025-8715

Improper neutralization of newlines in pg_dump in
PostgreSQL allows a user of the origin server to inject arbitrary code for
restore-time execution as the client operating system account running psql
to restore the dump, via psql meta-commands inside a purpose-crafted
object name. The same attacks can achieve SQL injection as a superuser of
the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also
affected. CVE-2012-0868 had fixed this class of problem, but version 11.20
reintroduced it.

CVE-2025-12818

Integer wraparound in multiple PostgreSQL libpq client
library functions allows an application input provider or network peer to
cause libpq to undersize an allocation and write out-of-bounds by hundreds
of megabytes. This results in a segmentation fault for the application
using libpq.





ELA-1612-1 postgresql-11 security update


Package : postgresql-11
Version : 11.22-0+deb10u6 (buster)

Related CVEs :
CVE-2025-4207
CVE-2025-8713
CVE-2025-8714
CVE-2025-8715
CVE-2025-12817
CVE-2025-12818

Multiple vulnerabilities were fixed in PostgreSQL, a popular database.

CVE-2025-4207

Buffer over-read in PostgreSQL GB18030 encoding
validation allows a database input provider to achieve temporary denial of
service on platforms where a 1-byte over-read can elicit process
termination. This affects the database server and also libpq.

CVE-2025-8713

PostgreSQL optimizer statistics allow a user to read
sampled data within a view that the user cannot access. Separately,
statistics allow a user to read sampled data that a row security policy
intended to hide. PostgreSQL maintains statistics for tables by sampling
data available in columns; this data is consulted during the query
planning process. Prior to this release, a user could craft a leaky
operator that bypassed view access control lists (ACLs) and bypassed row
security policies in partitioning or table inheritance hierarchies.
Reachable statistics data notably included histograms and
most-common-values lists. CVE-2017-7484 and CVE-2019-10130 intended to
close this class of vulnerability, but this gap remained.

CVE-2025-8714

Untrusted data inclusion in pg_dump in PostgreSQL
allows a malicious superuser of the origin server to inject arbitrary code
for restore-time execution as the client operating system account running
psql to restore the dump, via psql meta-commands. pg_dumpall is also
affected. pg_restore is affected when used to generate a plain-format
dump. This is similar to MySQL CVE-2024-21096.

CVE-2025-8715

Improper neutralization of newlines in pg_dump in
PostgreSQL allows a user of the origin server to inject arbitrary code for
restore-time execution as the client operating system account running psql
to restore the dump, via psql meta-commands inside a purpose-crafted
object name. The same attacks can achieve SQL injection as a superuser of
the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also
affected. CVE-2012-0868 had fixed this class of problem, but version 11.20
reintroduced it.

CVE-2025-12817

Missing authorization in PostgreSQL CREATE STATISTICS
command allows a table owner to achieve denial of service against other
CREATE STATISTICS users by creating in any schema. A later CREATE
STATISTICS for the same name, from a user having the CREATE privilege,
would then fail.

CVE-2025-12818

Integer wraparound in multiple PostgreSQL libpq client
library functions allows an application input provider or network peer to
cause libpq to undersize an allocation and write out-of-bounds by hundreds
of megabytes. This results in a segmentation fault for the application
using libpq.





ELA-1614-1 linux-6.1 security update


Package : linux-6.1
Version : 6.1.159-1~deb9u1 (stretch), 6.1.159-1~deb10u1 (buster)

Related CVEs :
CVE-2024-47666
CVE-2025-37899
CVE-2025-38057
CVE-2025-38556
CVE-2025-38593
CVE-2025-38678
CVE-2025-39805
CVE-2025-40083
CVE-2025-40211
CVE-2025-40214
CVE-2025-40248
CVE-2025-40252
CVE-2025-40253
CVE-2025-40254
CVE-2025-40257
CVE-2025-40258
CVE-2025-40259
CVE-2025-40261
CVE-2025-40262
CVE-2025-40263
CVE-2025-40264
CVE-2025-40269
CVE-2025-40271
CVE-2025-40272
CVE-2025-40273
CVE-2025-40275
CVE-2025-40277
CVE-2025-40278
CVE-2025-40279
CVE-2025-40280
CVE-2025-40281
CVE-2025-40282
CVE-2025-40283
CVE-2025-40284
CVE-2025-40285
CVE-2025-40286
CVE-2025-40288
CVE-2025-40292
CVE-2025-40293
CVE-2025-40294
CVE-2025-40297
CVE-2025-40301
CVE-2025-40304
CVE-2025-40306
CVE-2025-40308
CVE-2025-40309
CVE-2025-40312
CVE-2025-40313
CVE-2025-40314
CVE-2025-40315
CVE-2025-40317
CVE-2025-40318
CVE-2025-40319
CVE-2025-40321
CVE-2025-40322
CVE-2025-40323
CVE-2025-40324
CVE-2025-40331
CVE-2025-40341
CVE-2025-40342
CVE-2025-40343
CVE-2025-40345
CVE-2025-40360
CVE-2025-40363
CVE-2025-68168
CVE-2025-68171
CVE-2025-68173
CVE-2025-68176
CVE-2025-68177
CVE-2025-68185
CVE-2025-68191
CVE-2025-68192
CVE-2025-68194
CVE-2025-68200
CVE-2025-68204
CVE-2025-68214
CVE-2025-68217
CVE-2025-68218
CVE-2025-68220
CVE-2025-68227
CVE-2025-68229
CVE-2025-68231
CVE-2025-68233
CVE-2025-68237
CVE-2025-68238
CVE-2025-68241
CVE-2025-68244
CVE-2025-68245
CVE-2025-68246
CVE-2025-68282
CVE-2025-68283
CVE-2025-68284
CVE-2025-68285
CVE-2025-68286
CVE-2025-68287
CVE-2025-68288
CVE-2025-68289
CVE-2025-68290
CVE-2025-68295
CVE-2025-68301
CVE-2025-68302
CVE-2025-68303
CVE-2025-68307
CVE-2025-68308
CVE-2025-68310
CVE-2025-68312
CVE-2025-68321
CVE-2025-68327
CVE-2025-68328
CVE-2025-68330
CVE-2025-68331
CVE-2025-68339
CVE-2025-68343
CVE-2025-68734

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.





ELA-1611-1 samba security update


Package : samba
Version : 2:4.5.16+dfsg-1+deb9u6 (stretch), 2:4.9.5+dfsg-5+deb10u6 (buster)

Related CVEs :
CVE-2025-9640

A vulnerability was found in Samba, a SMB/CIFS file, print, and login
server for Unix, in the streams_xattr VFS server module, where
uninitialized heap memory could be written into alternate data
streams. An authenticated attacker can read residual memory content
that may include sensitive data.
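
Checking a host against the fixed versions listed in these advisories needs Debian's version ordering, not string comparison: epochs (`2:` in samba), `~` suffixes and numeric runs (`deb9u10` is newer than `deb9u9`) all matter. The following is an added example, not part of the advisories or of dpkg: a small Python port of the dpkg comparison rules, run over a constructed inventory that is assumed to be keyed by source package name and to contain well-formed ASCII version strings.

```python
import re
# Fixed versions for buster as listed on this page, keyed by source package.
FIXED_BUSTER = {
    "postgresql-11": "11.22-0+deb10u6",
    "linux-6.1": "6.1.159-1~deb10u1",
    "samba": "2:4.9.5+dfsg-5+deb10u6",
}
# Constructed inventory of one buster host (sample values, not from the page).
SAMPLE_HOST = {
    "postgresql-11": "11.22-0+deb10u6",
    "linux-6.1": "6.1.158-1~deb10u1",
    "samba": "2:4.9.5+dfsg-5+deb10u5",
}
def _order(ch):
    """Weight of a non-digit position: '~' < end or digit < letters < the rest."""
    if ch == "" or ch.isdigit():
        return 0
    return -1 if ch == "~" else ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    """Compare two upstream versions or two revisions using dpkg's rules."""
    while a or b:
        # Non-digit prefixes are compared character by character.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            x, y = _order(a[:1]), _order(b[:1])
            if x != y:
                return -1 if x < y else 1
            a, b = a[1:], b[1:]
        # Digit prefixes are compared as integers; an empty run counts as 0.
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def compare(v1, v2):
    """Return -1, 0 or 1 when v1 is older than, equal to or newer than v2."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, sep, rev = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (rev if sep else "")
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def outdated(installed, fixed=FIXED_BUSTER):
    """Names in `installed` (name -> version) that are older than the fixed version."""
    return sorted(p for p, v in installed.items() if p in fixed and compare(v, fixed[p]) < 0)
```

On a real system `dpkg --compare-versions` gives the authoritative answer; the port is useful for offline inventories exported from many hosts.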

