Debian GNU/Linux 8 (Jessie), 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1426-1 ghostscript security update
ELA-1425-1 intel-microcode security update
Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1424-1 libraw security update
Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1423-1 dropbear security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4170-1] intel-microcode security update
Debian GNU/Linux 12 (Bookworm):
[DSA 5922-1] firefox-esr security update
[DSA 5923-1] net-tools security update
[SECURITY] [DSA 5922-1] firefox-esr security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5922-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 18, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : firefox-esr
CVE ID : CVE-2025-4920 CVE-2025-4921
Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code.
For the stable distribution (bookworm), these problems have been fixed in
version 128.10.1esr-1~deb12u1.
We recommend that you upgrade your firefox-esr packages.
For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
ELA-1423-1 dropbear security update
Package : dropbear
Version : 2018.76-5+deb10u3 (buster)
Related CVEs :
CVE-2025-47203
Marcin Nowak discovered that dbclient(1) hostname arguments with a
comma (for multihop) are passed to the shell which could result in
running arbitrary shell commands locally. Such behavior could have
security implications in situations where dbclient(1) is passed
untrusted hostname arguments.
The multihop command is now executed directly (no shell is involved).
ELA-1424-1 libraw security update
Package : libraw
Version : 0.17.2-6+deb9u6 (stretch), 0.19.2-2+deb10u5 (buster)
Related CVEs :
CVE-2025-43961
CVE-2025-43962
CVE-2025-43963
CVE-2025-43964
CVE-2025-43961
Out-of-bounds read in the Fujifilm 0xf00c tag parser. (This issue
did not affect 0.17.2-6+deb9u5 and earlier versions.)
CVE-2025-43962
Out-of-bounds reads for tag 0x412 processing, related to large
w0 or w1 values or the frac and mult calculations.
CVE-2025-43963
phase_one_correct() allows out-of-buffer access because
split_col and split_row values are not checked in 0x041f tag
processing.
CVE-2025-43964
Tag 0x412 processing in phase_one_correct() does not enforce
minimum w0 and w1 values.
[SECURITY] [DSA 5923-1] net-tools security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5923-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 18, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : net-tools
CVE ID : CVE-2025-46836
Debian Bug : 1105806
Mohamed Maatallah discovered a stack-based buffer overflow in the
get_name() function in net-tools, a collection of programs for
controlling the network subsystem of the Linux kernel, which may result
in denial of service (application crash) or potentially the execution of
arbitrary code.
For the stable distribution (bookworm), this problem has been fixed in
version 2.10-0.1+deb12u1.
We recommend that you upgrade your net-tools packages.
For the detailed security status of net-tools please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/net-tools
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4170-1] intel-microcode security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4170-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
May 18, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : intel-microcode
Version : 3.20250512.1~deb11u1
CVE ID : CVE-2024-28956 CVE-2024-43420 CVE-2024-45332 CVE-2025-20012
CVE-2025-20054 CVE-2025-20103 CVE-2025-20623 CVE-2025-24495
Debian Bug : 1105172
Microcode updates have been released for Intel(R) processors, addressing
multiple potential vulnerabilities that may allow denial of service or
information disclosure.
CVE-2024-28956
Exposure of Sensitive Information in Shared Microarchitectural
Structures during Transient Execution for some Intel(R) Processors
may allow an authenticated user to potentially enable information
disclosure via local access.
CVE-2024-43420
Exposure of sensitive information caused by shared
microarchitectural predictor state that influences transient
execution for some Intel Atom(R) processors may allow an
authenticated user to potentially enable information disclosure via
local access.
CVE-2024-45332
Exposure of sensitive information caused by shared
microarchitectural predictor state that influences transient
execution in the indirect branch predictors for some Intel(R)
Processors may allow an authenticated user to potentially enable
information disclosure via local access.
CVE-2025-20012
Incorrect behavior order for some Intel(R) Core Ultra Processors
may allow an unauthenticated user to potentially enable information
disclosure via physical access.
CVE-2025-20054
Uncaught exception in the core management mechanism for some
Intel(R) Processors may allow an authenticated user to potentially
enable denial of service via local access.
CVE-2025-20103
Insufficient resource pool in the core management mechanism for some
Intel(R) Processors may allow an authenticated user to potentially
enable denial of service via local access.
CVE-2025-20623
Exposure of sensitive information caused by shared
microarchitectural predictor state that influences transient
execution for some Intel(R) Core processors (10th Generation) may
allow an authenticated user to potentially enable information
disclosure via local access.
CVE-2025-24495
Incorrect initialization of resource in the branch prediction unit
for some Intel(R) Core Ultra Processors may allow an authenticated
user to potentially enable information disclosure via local access.
For Debian 11 bullseye, these problems have been fixed in version
3.20250512.1~deb11u1.
We recommend that you upgrade your intel-microcode packages.
For the detailed security status of intel-microcode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/intel-microcode
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1426-1 ghostscript security update
Package : ghostscript
Version : 9.26a~dfsg-0+deb8u15 (jessie), 9.26a~dfsg-0+deb9u14 (stretch), 9.27~dfsg-2+deb10u11 (buster)
Related CVEs :
CVE-2025-27830
CVE-2025-27831
CVE-2025-27832
CVE-2025-27835
CVE-2025-27836
Multiple vulnerabilities affected ghostscript, an interpreter for the PostScript and Portable Document Format (PDF)
page description languages.
CVE-2025-27830
Buffer overflow via serialization of DollarBlend
CVE-2025-27831
Unicode decoding overrun
CVE-2025-27832
Integer overflow leading to buffer overflow
CVE-2025-27835
Confusion between bytes and shorts
CVE-2025-27836
Buffer overflow in bj10v device
ELA-1425-1 intel-microcode security update
Package : intel-microcode
Version : 3.20250512.1~deb8u1 (jessie), 3.20250512.1~deb9u1 (stretch), 3.20250512.1~deb10u1 (buster)
Related CVEs :
CVE-2024-28956
CVE-2024-43420
CVE-2024-45332
CVE-2025-20012
CVE-2025-20054
CVE-2025-20103
CVE-2025-20623
CVE-2025-24495
Microcode updates have been released for Intel(R) processors, addressing
multiple potential vulnerabilities that may allow denial of service or
information disclosure.
CVE-2024-28956
Exposure of Sensitive Information in Shared Microarchitectural
Structures during Transient Execution for some Intel(R) Processors
may allow an authenticated user to potentially enable information
disclosure via local access.
CVE-2024-43420
Exposure of sensitive information caused by shared
microarchitectural predictor state that influences transient
execution for some Intel Atom(R) processors may allow an
authenticated user to potentially enable information disclosure via
local access.
CVE-2024-45332
Exposure of sensitive information caused by shared
microarchitectural predictor state that influences transient
execution in the indirect branch predictors for some Intel(R)
Processors may allow an authenticated user to potentially enable
information disclosure via local access.
CVE-2025-20012
Incorrect behavior order for some Intel(R) Core Ultra Processors
may allow an unauthenticated user to potentially enable information
disclosure via physical access.
CVE-2025-20054
Uncaught exception in the core management mechanism for some
Intel(R) Processors may allow an authenticated user to potentially
enable denial of service via local access.
CVE-2025-20103
Insufficient resource pool in the core management mechanism for some
Intel(R) Processors may allow an authenticated user to potentially
enable denial of service via local access.
CVE-2025-20623
Exposure of sensitive information caused by shared
microarchitectural predictor state that influences transient
execution for some Intel(R) Core processors (10th Generation) may
allow an authenticated user to potentially enable information
disclosure via local access.
CVE-2025-24495
Incorrect initialization of resource in the branch prediction unit
for some Intel(R) Core Ultra Processors may allow an authenticated
user to potentially enable information disclosure via local access.