Debian 10709

Debian Security Advisories were issued to address several security vulnerabilities. The advisories cover webkit2gtk (multiple CVEs, two of which Apple reports may already have been exploited in targeted attacks), c-ares (CVE-2025-62408), and roundcube (CVE-2025-68460 and CVE-2025-68461). An update was also released for the glib2.0 library for multiple issues that could lead to denial of service, memory corruption or potentially arbitrary code execution (multiple CVEs). Users should upgrade the affected packages to address these vulnerabilities.

Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1597-1 glib2.0 security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4414-1] webkit2gtk security update
[DLA 4415-1] roundcube security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6083-1] webkit2gtk security update

Debian GNU/Linux 13 (Trixie):
[DSA 6084-1] c-ares security update



[SECURITY] [DSA 6083-1] webkit2gtk security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6083-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
December 18, 2025                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : webkit2gtk
CVE ID : CVE-2025-14174 CVE-2025-43501 CVE-2025-43529 CVE-2025-43531
CVE-2025-43535 CVE-2025-43536 CVE-2025-43541

The following vulnerabilities have been discovered in the WebKitGTK
web engine:

CVE-2025-14174

Apple and the Google Threat Analysis Group discovered that
processing maliciously crafted web content may lead to memory
corruption. Apple is aware of a report that this issue may have
been exploited in an extremely sophisticated attack against
specific targeted individuals on versions of iOS before iOS 26.
CVE-2025-43529 was also issued in response to this report.

CVE-2025-43501

Hossein Lotfi discovered that processing maliciously crafted web
content may lead to an unexpected process crash.

CVE-2025-43529

The Google Threat Analysis Group discovered that processing
maliciously crafted web content may lead to arbitrary code
execution. Apple is aware of a report that this issue may have
been exploited in an extremely sophisticated attack against
specific targeted individuals on versions of iOS before iOS 26.
CVE-2025-14174 was also issued in response to this report.

CVE-2025-43531

Phil Pizlo discovered that processing maliciously crafted web
content may lead to an unexpected process crash.

CVE-2025-43535

Google Big Sleep / Nan Wang discovered that processing maliciously
crafted web content may lead to an unexpected process crash.

CVE-2025-43536

Nan Wang discovered that processing maliciously crafted web
content may lead to an unexpected process crash.

CVE-2025-43541

Hossein Lotfi discovered that processing maliciously crafted web
content may lead to an unexpected process crash.

For the oldstable distribution (bookworm), these problems have been fixed
in version 2.50.4-1~deb12u1.

For the stable distribution (trixie), these problems have been fixed in
version 2.50.4-1~deb13u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6084-1] c-ares security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6084-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 18, 2025                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : c-ares
CVE ID : CVE-2025-62408

It was discovered that c-ares, a library that performs DNS requests and
name resolution asynchronously, does not properly handle termination of
queries which may result in denial of service.

For the stable distribution (trixie), this problem has been fixed in
version 1.34.5-1+deb13u1.

We recommend that you upgrade your c-ares packages.

For the detailed security status of c-ares please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/c-ares

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4414-1] webkit2gtk security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4414-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/               Emilio Pozuelo Monfort
December 18, 2025                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : webkit2gtk
Version : 2.50.4-1~deb11u1
CVE ID : CVE-2025-14174 CVE-2025-43501 CVE-2025-43529 CVE-2025-43531
CVE-2025-43535 CVE-2025-43536 CVE-2025-43541

The following vulnerabilities have been discovered in the WebKitGTK
web engine:

CVE-2025-14174

Apple and the Google Threat Analysis Group discovered that
processing maliciously crafted web content may lead to memory
corruption. Apple is aware of a report that this issue may have
been exploited in an extremely sophisticated attack against
specific targeted individuals on versions of iOS before iOS 26.
CVE-2025-43529 was also issued in response to this report.

CVE-2025-43501

Hossein Lotfi discovered that processing maliciously crafted web
content may lead to an unexpected process crash.

CVE-2025-43529

The Google Threat Analysis Group discovered that processing
maliciously crafted web content may lead to arbitrary code
execution. Apple is aware of a report that this issue may have
been exploited in an extremely sophisticated attack against
specific targeted individuals on versions of iOS before iOS 26.
CVE-2025-14174 was also issued in response to this report.

CVE-2025-43531

Phil Pizlo discovered that processing maliciously crafted web
content may lead to an unexpected process crash.

CVE-2025-43535

Google Big Sleep / Nan Wang discovered that processing maliciously
crafted web content may lead to an unexpected process crash.

CVE-2025-43536

Nan Wang discovered that processing maliciously crafted web
content may lead to an unexpected process crash.

CVE-2025-43541

Hossein Lotfi discovered that processing maliciously crafted web
content may lead to an unexpected process crash.

For Debian 11 bullseye, these problems have been fixed in version
2.50.4-1~deb11u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1597-1 glib2.0 security update


Package : glib2.0
Version : 2.50.3-2+deb9u8 (stretch), 2.58.3-2+deb10u9 (buster)

Related CVEs :
CVE-2025-4373
CVE-2025-7039
CVE-2025-13601
CVE-2025-14087
CVE-2025-14512

Multiple issues were found in GLib, a general-purpose, portable utility
library, that could lead to denial of service, memory corruption or
potentially arbitrary code execution if maliciously crafted data is
processed.



[SECURITY] [DLA 4415-1] roundcube security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4415-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
December 18, 2025                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : roundcube
Version : 1.4.15+dfsg.1-1+deb11u6
CVE ID : CVE-2025-68460 CVE-2025-68461
Debian Bug : 1122899

Vulnerabilities were discovered in Roundcube, a skinnable AJAX-based
webmail solution for IMAP servers, which might lead to privilege
escalation or information disclosure.

CVE-2025-68460

Information disclosure vulnerability in the HTML style sanitizer.

CVE-2025-68461

Cross-site scripting (XSS) vulnerability via SVG's `` tag, which
could allow a remote attacker to load arbitrary JavaScript code and
might lead to privilege escalation or information disclosure via a
malicious SVG document.

For Debian 11 bullseye, these problems have been fixed in version
1.4.15+dfsg.1-1+deb11u6.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
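Every advisory on this page ends with the same instruction, upgrade the package, and the check a practitioner actually wants is whether the installed version has reached the fixed version quoted for their suite. The following is an added example, not part of any of the advisories above and not Debian's own tooling: it reimplements the version ordering dpkg uses (deb-version(7)), so that `2.50.4-1~deb12u1` correctly sorts above `2.50.3-1~deb12u1` and below plain `2.50.4-1`, and reads dpkg status stanzas to find the lowest installed version built from each advisory's source package. The FIXED table holds the fixed versions exactly as the advisories state them; the binary package names (libwebkit2gtk-4.1-0, libjavascriptcoregtk-4.1-0, libc-ares2) and the status excerpt are constructed for the example.

```python
"""Is the installed version at or past the fixed version in these advisories?
Added example (not Debian's tooling): re-implements dpkg's version ordering
from deb-version(7) so it runs offline, and reads dpkg status-file stanzas."""
import string

# Fixed versions exactly as stated in the advisories above, by suite codename.
FIXED = {
    "stretch": {"glib2.0": "2.50.3-2+deb9u8"},
    "buster": {"glib2.0": "2.58.3-2+deb10u9"},
    "bullseye": {"webkit2gtk": "2.50.4-1~deb11u1",
                 "roundcube": "1.4.15+dfsg.1-1+deb11u6"},
    "bookworm": {"webkit2gtk": "2.50.4-1~deb12u1"},
    "trixie": {"webkit2gtk": "2.50.4-1~deb13u1", "c-ares": "1.34.5-1+deb13u1"},
}


def _order(c):
    """dpkg's weight for one character: '~' sorts before everything, even
    end of string; letters before other punctuation; digits/end weigh 0."""
    if c == "" or c.isdigit():
        return 0
    if c in string.ascii_letters:
        return ord(c)
    return -1 if c == "~" else ord(c) + 256


def _verrevcmp(a, b):
    """Compare an upstream-version or revision string the way dpkg does:
    alternate non-digit runs (weighted by _order) and digit runs (numeric)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":      # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():      # longer digit run is larger
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a, b):
    """-1, 0 or 1 as Debian version a is older than, equal to, or newer than
    b; same ordering as `dpkg --compare-versions a lt|eq|gt b`."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def installed_versions(status_text):
    """Lowest installed version per *source* package from dpkg status stanzas.
    Binaries built from a differently named source (libwebkit2gtk-4.1-0 from
    webkit2gtk) carry 'Source: name [(version)]'.  The lowest one matters:
    a single stale binary from that source leaves the host vulnerable."""
    lowest = {}
    for stanza in status_text.strip().split("\n\n"):
        f = dict(line.split(":", 1) for line in stanza.splitlines()
                 if ":" in line and not line.startswith(" "))
        f = {k: v.strip() for k, v in f.items()}
        if f.get("Status", "").split()[-1:] != ["installed"]:
            continue
        src = f.get("Source", f.get("Package", "")).split()[0]
        if src not in lowest or compare_versions(f["Version"], lowest[src]) < 0:
            lowest[src] = f["Version"]
    return lowest


def check(status_text, suite):
    """{source: (installed, fixed, is_fixed)} for each advisory package of
    `suite` that status_text reports as installed."""
    have = installed_versions(status_text)
    return {src: (have[src], fixed, compare_versions(have[src], fixed) >= 0)
            for src, fixed in FIXED[suite].items() if src in have}


# Constructed dpkg status excerpt for a bookworm host (not a real capture):
# a half-applied upgrade where libjavascriptcoregtk is already at 2.50.4 but
# libwebkit2gtk is still at 2.50.3, so the host remains exposed.
SAMPLE_STATUS = """\
Package: libwebkit2gtk-4.1-0
Status: install ok installed
Source: webkit2gtk
Version: 2.50.3-1~deb12u1

Package: libjavascriptcoregtk-4.1-0
Status: install ok installed
Source: webkit2gtk
Version: 2.50.4-1~deb12u1

Package: libc-ares2
Status: install ok installed
Source: c-ares
Version: 1.18.1-3
"""

if __name__ == "__main__":
    for src, (got, fixed, ok) in check(SAMPLE_STATUS, "bookworm").items():
        print(f"{src}: installed {got}, fixed in {fixed}: {'OK' if ok else 'VULNERABLE'}")
```

On a real host, pass the contents of /var/lib/dpkg/status and the suite codename to check(); a binNMU rebuild such as 2.50.4-1~deb12u1+b1 still compares as newer than the fixed version, so it is reported as fixed. Where dpkg is available, `dpkg --compare-versions` can be used to cross-check any ordering decision compare_versions makes.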