Debian 10762 Published by

Debian has released security updates for several packages to fix vulnerabilities that could lead to denial of service, memory corruption, or arbitrary code execution. The affected packages include glib2.0 (CVE-2025-4373, CVE-2025-7039, CVE-2025-13601, and others), binwalk (CVE-2022-4510), libgd2 (CVE-2021-38115, CVE-2021-40145, and CVE-2021-40812), and node-url-parse (CVE-2022-0639). All of these vulnerabilities have been fixed in the latest versions of the affected packages for Debian GNU/Linux 11 (Bullseye) LTS.

[DLA 4412-1] glib2.0 security update
[DLA 4410-1] binwalk security update
[DLA 4411-1] libgd2 security update
[DLA 4413-1] node-url-parse security update




[SECURITY] [DLA 4412-1] glib2.0 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4412-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
December 16, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : glib2.0
Version : 2.66.8-1+deb11u7
CVE ID : CVE-2025-4373 CVE-2025-7039 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512
Debian Bug : 1104930 1110640 1121488 1122346 1122347

Multiple issues were found in GLib, a general-purpose, portable utility
library, that could lead to denial of service, memory corruption or
potentially arbitrary code execution if maliciously crafted data is
processed.

For Debian 11 bullseye, these problems have been fixed in version
2.66.8-1+deb11u7.

We recommend that you upgrade your glib2.0 packages.

For the detailed security status of glib2.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/glib2.0

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4410-1] binwalk security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4410-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Abhijith PA
December 16, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : binwalk
Version : 2.3.1+dfsg1-1+deb11u1
CVE ID : CVE-2022-4510

A path traversal vulnerability was identified in binwalk. By crafting
a malicious PFS filesystem file, an attacker can get binwalk's PFS
extractor to extract files at arbitrary locations when binwalk is run
in extraction mode (-e option). Remote code execution can be achieved
by building a PFS filesystem that, upon extraction, would extract a
malicious binwalk module into the folder .config/binwalk/plugins.
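
The advisory above describes an extractor writing member files to attacker-chosen locations. As an added illustration (not binwalk's own code, and not the fix shipped in the package), the following Python shows the containment check an extractor of any container format needs before creating a file: every member name is normalised and resolved against the output directory, and anything that would land outside it, such as a name that climbs into .config/binwalk/plugins, is rejected. The member names below are constructed samples.

```python
import os
from pathlib import Path

# Constructed sample member names, as an extractor might read them from a
# filesystem image. The last two would escape the output directory.
SAMPLE_MEMBERS = [
    "bin/busybox",
    "etc/./passwd",
    "../../.config/binwalk/plugins/evil.py",
    "/home/user/.config/binwalk/plugins/evil.py",
]


def safe_extract_path(out_dir: str, member: str) -> Path:
    """Return the destination for `member` under `out_dir`, or raise
    ValueError if the member name would resolve outside `out_dir`."""
    if os.path.isabs(member):
        raise ValueError(f"absolute member name rejected: {member!r}")
    base = Path(out_dir).resolve()
    # normpath collapses '.', '..' and repeated separators lexically;
    # resolve() then gives the real absolute destination (following any
    # symlinks that already exist under the output directory).
    dest = (base / os.path.normpath(member)).resolve()
    # Containment check: dest must be base itself or strictly inside it.
    # A plain string-prefix test would wrongly accept "/out-evil/..".
    if dest != base and base not in dest.parents:
        raise ValueError(f"refusing to extract outside {base}: {member!r}")
    return dest


def plan_extraction(out_dir: str, members):
    """Split members into accepted (name -> destination) and rejected."""
    accepted, rejected = {}, []
    for name in members:
        try:
            accepted[name] = safe_extract_path(out_dir, name)
        except ValueError:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = plan_extraction("_binwalk.extracted", SAMPLE_MEMBERS)
    for name, dest in ok.items():
        print(f"extract {name!r} -> {dest}")
    for name in bad:
        print(f"REJECT  {name!r}")
```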

For Debian 11 bullseye, this problem has been fixed in version
2.3.1+dfsg1-1+deb11u1.

We recommend that you upgrade your binwalk packages.

For the detailed security status of binwalk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/binwalk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4411-1] libgd2 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4411-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
December 16, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libgd2
Version : 2.3.0-2+deb11u1
CVE ID : CVE-2021-38115 CVE-2021-40145 CVE-2021-40812
Debian Bug : 991912

Vulnerabilities were found in libgd2, the GD Graphics Library, which
could lead to Denial of Service via crafted input files.

CVE-2021-38115

Maryam Ebrahimzadeh discovered an out-of-bounds read vulnerability
in read_header_tga(), which may lead to Denial of Service via a
crafted TGA file.

CVE-2021-40145

Maryam Ebrahimzadeh discovered a double free vulnerability in
gdImageGd2Ptr().

CVE-2021-40812

Maryam Ebrahimzadeh discovered out-of-bounds read vulnerabilities,
which may lead to Denial of Service via a crafted BMP or WebP file.

For Debian 11 bullseye, these problems have been fixed in version
2.3.0-2+deb11u1.

We recommend that you upgrade your libgd2 packages.

For the detailed security status of libgd2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libgd2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4413-1] node-url-parse security update


-----------------------------------------------------------------------
Debian LTS Advisory DLA-4413-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Utkarsh Gupta
December 16, 2025 https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package : node-url-parse
Version : 1.5.3-1+deb11u3
CVE ID : CVE-2022-0639

It was found that in node-url-parse, a Node.js module used to parse
URLs, an incorrect conversion of `@` characters in the protocol part of
the `href` field can lead to failure to properly identify the
hostname, which in turn could result in authorization bypass.

For Debian 11 bullseye, this problem has been fixed in version
1.5.3-1+deb11u3.

We recommend that you upgrade your node-url-parse packages.

For the detailed security status of node-url-parse please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-url-parse

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS