Debian 10484

Debian GNU/Linux has received security updates for several packages, including glibc, krb5, roundcube, and modsecurity-apache:

Debian GNU/Linux 8 (Jessie) and 9 (Stretch) Extended LTS:
ELA-1451-1 glibc security update

Debian GNU/Linux 8 (Jessie), 9 (Stretch), and 10 (Buster) Extended LTS:
ELA-1450-1 krb5 security update

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1452-1 glibc security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4211-1] roundcube security update

Debian GNU/Linux 12 (Bookworm):
[DSA 5940-1] modsecurity-apache security update




ELA-1452-1 glibc security update


Package : glibc
Version : 2.28-10+deb10u5 (buster)

Related CVEs :
CVE-2025-0395
CVE-2025-4802

Multiple vulnerabilities were discovered in the GNU C Library, the C standard
library implementation used by Debian.

CVE-2025-0395
A flaw was found in the implementation of assert(). When an assertion fails,
the function does not allocate enough space for the assertion failure message
string and size information, which may lead to a buffer overflow if the
message string size aligns to the page size.

CVE-2025-4802
Privilege escalation may be possible in statically compiled setuid binaries
that call dlopen(), due to an untrusted LD_LIBRARY_PATH environment variable
vulnerability. This includes calls to dlopen() internal to glibc itself, made
after user calls to setlocale() or to NSS functions such as getaddrinfo().




ELA-1451-1 glibc security update


Package : glibc
Version : 2.19-18+deb8u15 (jessie), 2.24-11+deb9u8 (stretch)

Related CVEs :
CVE-2025-0395

A flaw was found in the implementation of assert() in the GNU C Library, the C
standard library implementation used by Debian. When the function fails, it
does not allocate enough space for the assertion failure message string and
size information, which may lead to a buffer overflow if the message string
size aligns to page size.




ELA-1450-1 krb5 security update


Package : krb5
Version : 1.12.1+dfsg-19+deb8u11 (jessie), 1.15-1+deb9u8 (stretch), 1.17-3+deb10u9 (buster)

Related CVEs :
CVE-2025-3576

A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected
messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum
design. If RC4 is preferred over stronger encryption types, an attacker could
exploit MD5 collisions to forge message integrity codes. This may lead to
unauthorized message tampering.

In order to fix CVE-2025-3576, vulnerable cryptographic algorithms for tickets
need to be disabled explicitly with the new allow_rc4 or allow_des3 variables.
According to the vulnerability report "Kerberos' RC4-HMAC broken in practice:
spoofing PACs with MD5 collisions", disabling this cryptographic algorithm
suite may break some older authentication systems, and administrators should
test carefully.

Because of the risk of breaking certain configurations, the new allow_rc4 and
allow_des3 variables are being treated as having a default value of 'true' for
updates to older Debian releases. This leaves the 3DES and RC4 algorithms
enabled, but administrators are strongly encouraged to disable them after
verifying compatibility in their environments.
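The advisory leaves RC4 and 3DES enabled by default and asks administrators to verify compatibility before turning them off. The following added example (not part of the Debian advisory or the krb5 project) shows the explicit [libdefaults] settings and a small check over `klist -e` output that lists the service principals whose tickets still use RC4 or 3DES; the sample ticket cache listing is constructed, and the enctype names assumed are those MIT klist prints (arcfour-hmac, des3-cbc-sha1).

```shell
#!/bin/sh
# Added example: harden krb5.conf and audit a credential cache for weak enctypes.

# Explicit [libdefaults] settings. On the updated older Debian releases both
# variables default to true, so they must be set to false to actually disable
# RC4 and 3DES.
HARDENED_LIBDEFAULTS='[libdefaults]
    allow_rc4 = false
    allow_des3 = false'

# Constructed sample of `klist -e` output (not captured from a real system).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.ORG

Valid starting       Expires              Service principal
06/09/25 10:00:00  06/09/25 20:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
	Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/09/25 10:00:05  06/09/25 20:00:00  imap/mail.example.org@EXAMPLE.ORG
	Etype (skey, tkt): arcfour-hmac, arcfour-hmac
06/09/25 10:00:07  06/09/25 20:00:00  host/legacy.example.org@EXAMPLE.ORG
	Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1'

# Reads klist -e output on stdin and prints each service principal whose
# "Etype" line names RC4 (arcfour/rc4-hmac) or 3DES (des3-cbc). These are the
# tickets that stop working once allow_rc4/allow_des3 are set to false.
weak_enctype_principals() {
    awk '
        $NF ~ /@/ { principal = $NF }
        /Etype/ && /arcfour|rc4-hmac|des3-cbc/ { print principal }
    '
}

# Number of principals still on weak enctypes; 0 means the flags can be flipped.
count_weak() {
    printf '%s\n' "$1" | weak_enctype_principals | wc -l | tr -d ' '
}

main() {
    echo "$HARDENED_LIBDEFAULTS"
    echo "Principals still using RC4 or 3DES:"
    printf '%s\n' "$SAMPLE_KLIST" | weak_enctype_principals
}

main "$@"
```

On a real host, replace the constructed sample with `klist -e` run as each service account before setting the two variables to false.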




[SECURITY] [DLA 4211-1] roundcube security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4211-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
June 09, 2025                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : roundcube
Version : 1.4.15+dfsg.1-1+deb11u5
CVE ID : CVE-2025-49113
Debian Bug : 1107073

Kirill Firsov discovered that Roundcube, a skinnable AJAX-based webmail
solution for IMAP servers, was performing PHP object deserialization on
unvalidated input, which could lead to remote code execution by an
authenticated attacker.

For Debian 11 bullseye, these problems have been fixed in version
1.4.15+dfsg.1-1+deb11u5.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 5940-1] modsecurity-apache security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5940-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 08, 2025                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : modsecurity-apache
CVE ID : CVE-2025-47947 CVE-2025-48866
Debian Bug : 1106286 1107196

Several vulnerabilities were discovered in modsecurity-apache, an Apache
module to tighten web application security, which may result in denial of
service (high memory consumption).

For the stable distribution (bookworm), these problems have been fixed in
version 2.9.7-1+deb12u1.

We recommend that you upgrade your modsecurity-apache packages.

For the detailed security status of modsecurity-apache please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/modsecurity-apache

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/