
Debian GNU/Linux has received several security updates, covering the firefox-esr, freeradius, xorg-server, and icu packages:

Debian GNU/Linux 8 (Jessie), 9 (Stretch), and 10 (Buster) Extended LTS:
ELA-1472-1 xorg-server security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4231-1] firefox-esr security update
[DLA 4232-1] freeradius security update

Debian GNU/Linux 12 (Bookworm):
[DSA 5951-1] icu security update



[SECURITY] [DLA 4231-1] firefox-esr security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4231-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
June 26, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : firefox-esr
Version : 128.12.0esr-1~deb11u1
CVE ID : CVE-2025-6424 CVE-2025-6425 CVE-2025-6429 CVE-2025-6430

Multiple security issues have been found in the Mozilla Firefox
web browser, which could potentially result in the execution
of arbitrary code.

For Debian 11 bullseye, these problems have been fixed in version
128.12.0esr-1~deb11u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4232-1] freeradius security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4232-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Abhijith PA
June 26, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : freeradius
Version : 3.0.21+dfsg-2.2+deb11u2
CVE ID : CVE-2022-41859 CVE-2022-41860 CVE-2022-41861

Several security vulnerabilities have been discovered in freeradius, a
highly configurable RADIUS server.

CVE-2022-41859

The EAP-PWD function compute_password_element() leaks information
about the password which allows an attacker to substantially
reduce the size of an offline dictionary attack.

CVE-2022-41860

When an EAP-SIM supplicant sends an unknown SIM option, the server
will try to look that option up in the internal dictionaries. This
lookup will fail, but the SIM code will not check for that
failure. Instead, it will dereference a NULL pointer, and cause
the server to crash.

CVE-2022-41861

A malicious RADIUS client or home server can send a malformed
abinary attribute which can cause the server to crash. This crash
is not exploitable by end users. Only systems which are in the
RADIUS circle of trust can send these malformed attributes to a
server.

For Debian 11 bullseye, these problems have been fixed in version
3.0.21+dfsg-2.2+deb11u2.

We recommend that you upgrade your freeradius packages.

For the detailed security status of freeradius please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/freeradius

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1472-1 xorg-server security update


Package : xorg-server
Version : 2:1.16.4-1+deb8u19 (jessie), 2:1.19.2-1+deb9u22 (stretch), 2:1.20.4-1+deb10u17 (buster)

Related CVEs :
CVE-2025-49175
CVE-2025-49176
CVE-2025-49178
CVE-2025-49179
CVE-2025-49180

Nils Emmerich discovered several vulnerabilities in the Xorg X server,
which may result in privilege escalation if the X server is running
privileged.



[SECURITY] [DSA 5951-1] icu security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5951-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 26, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : icu
CVE ID : CVE-2025-5222

A buffer overflow was discovered in the International Components for
Unicode (ICU) library.

For the stable distribution (bookworm), this problem has been fixed in
version 72.1-3+deb12u1.

We recommend that you upgrade your icu packages.

For the detailed security status of icu please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/icu

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
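A check against the fixed versions published in the four advisories above, as an added example that is not part of the Debian advisories: a Python port of dpkg's version ordering (epoch, then upstream, then revision, with `~` sorting before everything). FIXED_VERSIONS, compare_versions and needs_update are names chosen for this example; on a Debian host, `dpkg --compare-versions` performs the same comparison natively.

```python
# Added example: Python port of dpkg's version ordering, checked against the fixed versions above.
FIXED_VERSIONS = {  # (source package, release) -> fixed version, taken from the advisories
    ("firefox-esr", "bullseye"): "128.12.0esr-1~deb11u1",   # DLA-4231-1
    ("freeradius", "bullseye"): "3.0.21+dfsg-2.2+deb11u2",  # DLA-4232-1
    ("xorg-server", "jessie"): "2:1.16.4-1+deb8u19",        # ELA-1472-1
    ("xorg-server", "stretch"): "2:1.19.2-1+deb9u22",       # ELA-1472-1
    ("xorg-server", "buster"): "2:1.20.4-1+deb10u17",       # ELA-1472-1
    ("icu", "bookworm"): "72.1-3+deb12u1",                  # DSA-5951-1
}

def _order(c):
    """dpkg character weight: '~' < end of string < digits < letters < others."""
    return 0 if c.isdigit() else ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    """Compare version fragments by alternating non-digit and digit runs (dpkg's algorithm)."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = (_order(a[0]) if a else 0), (_order(b[0]) if b else 0)
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")   # numeric run: leading zeros are ignored
        first_diff = 0
        while a and a[0].isdigit() and b and b[0].isdigit():
            first_diff = first_diff or (a[0] > b[0]) - (a[0] < b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():   # the longer digit run is the larger number
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(v1, v2):
    """<0, 0 or >0 like `dpkg --compare-versions`: epoch, then upstream, then revision."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:                      # no epoch given: it defaults to 0
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")   # revision follows the last '-'
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def needs_update(package, release, installed):
    """True when `installed` is older than the advisory's fixed version for that release."""
    return compare_versions(installed, FIXED_VERSIONS[(package, release)]) < 0
```

The keys are the source package names used in the advisories; the binary package actually installed may carry a different name, so read its version with `dpkg-query -W -f='${Version}'` on the right package before passing it to needs_update.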