[DLA 4330-1] ghostscript security update
[DLA 4332-1] distro-info-data database update
[DLA 4331-1] https-everywhere security update
[DLA 4333-1] php-horde-css-parser security update
ELA-1539-1 distro-info-data database update
[SECURITY] [DLA 4330-1] ghostscript security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4330-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Abhijith PA
October 14, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : ghostscript
Version : 9.53.3~dfsg-7+deb11u11
CVE ID : CVE-2025-7462 CVE-2025-59798 CVE-2025-59799
Multiple vulnerabilities were discovered in ghostscript, an interpreter
for the PostScript language and for PDF.
CVE-2025-7462
A NULL pointer dereference in the function pdf_ferror in
devices/vector/gdevpdf.c, reached through the error handler that runs
when opening a new output file fails. The issue can be triggered
remotely.
CVE-2025-59798
A stack-based buffer overflow in pdf_write_cmap in
devices/vector/gdevpdtw.c.
CVE-2025-59799
A stack-based buffer overflow in pdfmark_coerce_dest in
devices/vector/gdevpdfm.c, triggered by a large size value.
For Debian 11 bullseye, these problems have been fixed in version
9.53.3~dfsg-7+deb11u11.
We recommend that you upgrade your ghostscript packages.
For the detailed security status of ghostscript please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ghostscript
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
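The header fields (Package, Version, CVE ID) and the "fixed in version" sentence above follow the fixed DLA layout, which makes advisories easy to ingest automatically. The following added example (it is not a Debian tool, and the helper names are my own) parses that block and decides whether an installed version is still affected. Because Debian versions such as 9.53.3~dfsg-7+deb11u11 do not sort as plain strings, it ports dpkg's version ordering rules, so that "~" sorts before everything and the +deb11uN suffix is compared numerically. The advisory text embedded below is the DLA-4330-1 block from this page, trimmed, and the installed versions are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the DLA-4330-1 block above, trimmed to the lines the parser needs.
ADVISORY = """\
Debian LTS Advisory DLA-4330-1 debian-lts@lists.debian.org
Package : ghostscript
Version : 9.53.3~dfsg-7+deb11u11
CVE ID : CVE-2025-7462 CVE-2025-59798 CVE-2025-59799
For Debian 11 bullseye, these problems have been fixed in version
9.53.3~dfsg-7+deb11u11.
"""


@dataclass
class Advisory:
    dla_id: str
    package: str
    fixed_version: str
    suite: str = ""
    cves: list = field(default_factory=list)


_FIELD_RE = re.compile(r"^(Package|Version|CVE ID)\s*:\s*(.*)$", re.M)
_FIXED_RE = re.compile(r"For Debian (\d+) (\w+),.*?fixed in version\s+(\S+?)\.(?:\s|$)", re.S)
_ID_RE = re.compile(r"Debian LTS Advisory (DLA-\d+-\d+)")


def parse_advisory(text: str) -> Advisory:
    """Extract the machine-readable fields from a DLA mail body."""
    fields = {k: v.strip() for k, v in _FIELD_RE.findall(text)}
    fixed = _FIXED_RE.search(text)  # the sentence may wrap across two lines
    ident = _ID_RE.search(text)
    return Advisory(
        dla_id=ident.group(1) if ident else "",
        package=fields["Package"],
        fixed_version=fixed.group(3) if fixed else fields["Version"],
        suite=fixed.group(2) if fixed else "",
        cves=fields.get("CVE ID", "").split(),
    )


def _split_version(v: str):
    """Return (epoch, upstream_version, debian_revision) as dpkg defines them."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, revision


def _order(c: str) -> int:
    """dpkg's character weight: '~' sorts before end-of-string, letters before punctuation."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): alternate non-digit and numeric segments."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":  # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():  # longer numeric run wins
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a: str, b: str) -> int:
    """Negative if a < b, zero if equal, positive if a > b, in dpkg order."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_affected(installed: str, adv: Advisory) -> bool:
    """True when the installed version sorts before the advisory's fixed version."""
    return compare_versions(installed, adv.fixed_version) < 0


if __name__ == "__main__":
    adv = parse_advisory(ADVISORY)
    # Constructed installed versions, as `dpkg-query -W -f='${Version}' ghostscript` would print them.
    for installed in ("9.53.3~dfsg-7+deb11u10", "9.53.3~dfsg-7+deb11u11", "9.53.3~dfsg-7"):
        state = "AFFECTED" if is_affected(installed, adv) else "ok"
        print(adv.dla_id, adv.package, adv.suite, installed, state)
```

The comparison is only meaningful for the suite the advisory names (here bullseye): a version from another suite, such as a bookworm build with a higher upstream version, would sort as "ok" although bookworm has its own fix in a separate advisory, so check the security tracker page for anything that is not a bullseye package.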
[SECURITY] [DLA 4332-1] distro-info-data database update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4332-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Stefano Rivera
October 14, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : distro-info-data
Version : 0.51+deb11u10
This is a routine update of the distro-info-data database for Debian LTS
users.
It updates the EoL date for bookworm and adds Ubuntu 26.04 LTS "Resolute
Raccoon".
For Debian 11 bullseye, this problem has been fixed in version
0.51+deb11u10.
We recommend that you upgrade your distro-info-data packages.
For the detailed security status of distro-info-data please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/distro-info-data
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4331-1] https-everywhere security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4331-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
October 14, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : https-everywhere
Version : 2025.10.14-0+deb11u1
Debian Bug : 1118030 1118045
The Firefox extension HTTPS Everywhere was used to enforce encryption over HTTPS in
major web browsers, a feature which has become obsolete because an HTTPS-only
mode is built into current browsers. Consequently, HTTPS Everywhere was removed
from Debian in 2023.
The extension requires up-to-date HTTPS rulesets, which it fetches from the
domain https-rulesets.org. This domain is no longer controlled by the original
upstream developers and is now registered by a third party. Requests to it are
redirected to a known malware site. This poses a severe risk for users of HTTPS
Everywhere.
As a first step to remedy this problem, version 2025.10.14-0+deb11u1 will
completely remove all files associated with HTTPS Everywhere and only install a
README file to raise the awareness for this security problem. The Debian
packages parl-desktop and progress-linux-desktop will no longer depend on
webext-https-everywhere.
The source package https-everywhere and the binary package webext-https-
everywhere will be removed from Debian in a subsequent step.
We recommend against using HTTPS Everywhere; use a web browser that supports
an HTTPS-only mode, e.g. Firefox, instead. For more information, please refer
to Debian bugs #1118030 and #1118045.
For Debian 11 bullseye, this problem has been fixed in version
2025.10.14-0+deb11u1.
We recommend that you upgrade your https-everywhere packages.
For the detailed security status of https-everywhere please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/https-everywhere
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4333-1] php-horde-css-parser security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4333-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andreas Henriksson
October 14, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : php-horde-css-parser
Version : 1.0.11-8+deb11u1
CVE ID : CVE-2020-13756
Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data,
possibly leading to remote code execution if the function allSelectors() or
getSelectorsBySpecificity() is called with input from an attacker.
The php-horde-css-parser package bundles the Sabberworm PHP CSS Parser code
and is therefore affected as well.
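To make the CVE-2020-13756 pattern concrete, here is an added example in PHP 8 (it is not the Sabberworm or Horde code; the Selector class and the two function names are illustrative): a specificity filter that splices the caller's search string into PHP source and hands it to eval(), next to a hardened version that accepts only a whitelisted comparison operator and an integer and does the comparison in ordinary code. The selectors and the payload are constructed for the demonstration; the payload sets a harmless global marker where a real attacker would run arbitrary code.

```php
<?php
// Added example, not library code. Requires PHP 8 (match, constructor promotion).

final class Selector
{
    public function __construct(private string $text, private int $specificity) {}

    public function getSpecificity(): int
    {
        return $this->specificity;
    }
}

// Vulnerable pattern: the search string (meant to be something like ">= 100")
// is interpolated into PHP source, so anything after a ';' executes as code.
function selectorsBySpecificityVulnerable(array $selectors, string $search): array
{
    $result = [];
    foreach ($selectors as $sel) {
        $specificity = $sel->getSpecificity();
        $matches = false;
        eval("\$matches = \$specificity $search;");
        if ($matches) {
            $result[] = $sel;
        }
    }
    return $result;
}

// Hardened pattern: parse "<op> <integer>" against a fixed operator whitelist
// and compare in PHP. No code is ever built from the input.
function selectorsBySpecificityHardened(array $selectors, string $search): array
{
    if (!preg_match('/^\s*(<=|>=|==|!=|<|>)?\s*(\d{1,9})\s*$/', $search, $m)) {
        throw new InvalidArgumentException("Invalid specificity search: $search");
    }
    $op = $m[1] === '' ? '==' : $m[1];   // bare number means equality
    $target = (int) $m[2];
    $result = [];
    foreach ($selectors as $sel) {
        $s = $sel->getSpecificity();
        $ok = match ($op) {
            '<'  => $s <   $target,
            '<=' => $s <=  $target,
            '>'  => $s >   $target,
            '>=' => $s >=  $target,
            '==' => $s === $target,
            '!=' => $s !== $target,
        };
        if ($ok) {
            $result[] = $sel;
        }
    }
    return $result;
}

// Constructed sample data.
$selectors = [
    new Selector('#main', 100),
    new Selector('.nav a', 11),
    new Selector('p', 1),
];

// Benign input: both implementations agree.
var_dump(count(selectorsBySpecificityVulnerable($selectors, '>= 11'))); // int(2)
var_dump(count(selectorsBySpecificityHardened($selectors, '>= 11')));   // int(2)

// Attacker-controlled input: the eval() version runs the injected statement,
// the hardened version rejects it before any comparison happens.
$payload = '>= 0; $GLOBALS["injected"] = true';
selectorsBySpecificityVulnerable($selectors, $payload);
var_dump(isset($GLOBALS['injected'])); // bool(true): code injection succeeded

try {
    selectorsBySpecificityHardened($selectors, $payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run it with `php example.php`. The point of the regex is not the operator list itself but that the only thing derived from user input is an operator token looked up in a fixed set and an integer; the same shape of fix applies to any code that reaches for eval() or a dynamic function name to express a comparison.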
For Debian 11 bullseye, this problem has been fixed in version
1.0.11-8+deb11u1.
We recommend that you upgrade your php-horde-css-parser packages.
For the detailed security status of php-horde-css-parser please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-horde-css-parser
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1539-1 distro-info-data database update
Package : distro-info-data
Version : 0.41+deb10u2~bpo9+9 (stretch), 0.41+deb10u13 (buster)
This is a routine update of the distro-info-data database for Debian
ELTS users.
It updates the EoL date for bookworm and adds Ubuntu 26.04 LTS “Resolute
Raccoon”.