Two security advisories have been issued for Debian GNU/Linux 11 (Bullseye) LTS. The first advisory, DLA-4305-2, affects the Firefox ESR package and recommends upgrading to version 140.3.1esr-1~deb11u1 to fix connection errors with some sites. The second advisory, DLA-4314-1, affects the Python Internet Archive package and recommends upgrading to version 1.9.9-1+deb11u1 to address a directory traversal vulnerability (CVE-2025-58438) in the File.download() method.

[DLA 4305-2] firefox-esr regression update
[DLA 4314-1] python-internetarchive security update

[SECURITY] [DLA 4305-2] firefox-esr regression update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4305-2 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
September 29, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : firefox-esr
Version : 140.3.1esr-1~deb11u1

Firefox 140.3.1 has been released, which fixes connection errors with
some sites; if HTTP/3 connections failed, the fallback is now handled
more gracefully.

For Debian 11 bullseye, this problem has been fixed in version
140.3.1esr-1~deb11u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[SECURITY] [DLA 4314-1] python-internetarchive security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4314-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
September 30, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : python-internetarchive
Version : 1.9.9-1+deb11u1
CVE ID : CVE-2025-58438
Debian Bug : 1114635

A vulnerability has been discovered in python-internetarchive, a Python
library and command-line interface for searching, downloading and
uploading content to the Internet Archive.

CVE-2025-58438

A directory traversal (path traversal) vulnerability exists in the
File.download() method due to not properly sanitizing user-supplied
filenames or validating the final download path

For Debian 11 bullseye, this problem has been fixed in version
1.9.9-1+deb11u1.

We recommend that you upgrade your python-internetarchive packages.

For the detailed security status of python-internetarchive please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-internetarchive

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS