[DLA 4492-1] gnutls28 security update
[DSA 6148-1] firefox-esr security update
[SECURITY] [DLA 4492-1] gnutls28 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4492-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
February 25, 2026                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : gnutls28
Version        : 3.7.1-5+deb11u9
CVE ID         : CVE-2025-9820 CVE-2025-14831
Debian Bug     : 1121146

Vulnerabilities were found in GnuTLS, a portable library which
implements the Transport Layer Security and Datagram Transport Layer
Security protocols, which may lead to Denial of Service.

CVE-2025-9820

    An out-of-bounds write issue was discovered when a PKCS#11 token is
    initialized with the `gnutls_pkcs11_token_init()` function and it is
    passed a token label longer than 32 characters.

CVE-2025-14831

    Tim Scheckenbach discovered that verifying specially crafted
    malicious certificates containing a large number of name constraints
    and subject alternative names (SANs) could lead to resource
    exhaustion.

For Debian 11 bullseye, these problems have been fixed in version
3.7.1-5+deb11u9.

We recommend that you upgrade your gnutls28 packages.

For the detailed security status of gnutls28 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gnutls28

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
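
The 32-character limit in CVE-2025-9820 matches the PKCS#11 token label, a fixed 32-byte, blank-padded field with no terminating NUL. The following is an added example, not code from GnuTLS or from this advisory: a caller-side guard that rejects overlong labels before they reach a token-initialization call. The helper names token_label_pad and token_label_unpad are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_LABEL_LEN 32 /* PKCS#11 token label: fixed width, blank padded */

/* Hypothetical helper: build the 32-byte label field from a C string.
 * Returns 0 on success, -1 if the label is NULL or longer than the field.
 * The output is left untouched on failure. */
int token_label_pad(const char *label, unsigned char out[TOKEN_LABEL_LEN])
{
    size_t len = 0;

    if (label == NULL || out == NULL)
        return -1;
    /* Bounded length scan: never read more than 33 bytes of the input. */
    while (len <= TOKEN_LABEL_LEN && label[len] != '\0')
        len++;
    if (len > TOKEN_LABEL_LEN)
        return -1; /* reject instead of writing past the field */
    memset(out, ' ', TOKEN_LABEL_LEN);
    memcpy(out, label, len); /* exactly 32 chars fills the field, no NUL */
    return 0;
}

/* Hypothetical helper: turn a 32-byte field back into a C string.
 * dst needs room for 32 characters plus the terminator.
 * Returns the label length, or -1 on bad arguments. */
int token_label_unpad(const unsigned char in[TOKEN_LABEL_LEN],
                      char *dst, size_t dst_size)
{
    size_t len = TOKEN_LABEL_LEN;

    if (in == NULL || dst == NULL || dst_size < TOKEN_LABEL_LEN + 1)
        return -1;
    while (len > 0 && in[len - 1] == ' ')
        len--; /* strip the blank padding */
    memcpy(dst, in, len);
    dst[len] = '\0';
    return (int)len;
}

int main(void)
{
    unsigned char field[TOKEN_LABEL_LEN];
    const char *too_long = "constructed-label-that-is-longer-than-32-chars";

    printf("short label: %d\n", token_label_pad("backup-hsm", field));
    printf("overlong label: %d\n", token_label_pad(too_long, field));
    return 0;
}
```
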
[SECURITY] [DSA 6148-1] firefox-esr security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6148-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 25, 2026                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2026-2757 CVE-2026-2758 CVE-2026-2759 CVE-2026-2760
                 CVE-2026-2761 CVE-2026-2762 CVE-2026-2763 CVE-2026-2764
                 CVE-2026-2765 CVE-2026-2766 CVE-2026-2767 CVE-2026-2768
                 CVE-2026-2769 CVE-2026-2770 CVE-2026-2771 CVE-2026-2772
                 CVE-2026-2773 CVE-2026-2774 CVE-2026-2775 CVE-2026-2777
                 CVE-2026-2778 CVE-2026-2779 CVE-2026-2780 CVE-2026-2781
                 CVE-2026-2782 CVE-2026-2783 CVE-2026-2784 CVE-2026-2785
                 CVE-2026-2786 CVE-2026-2787 CVE-2026-2788 CVE-2026-2789
                 CVE-2026-2790 CVE-2026-2791 CVE-2026-2792 CVE-2026-2793

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, sandbox escape, bypass of the same-origin policy, information
disclosure or privilege escalation.

For the oldstable distribution (bookworm), these problems have been fixed
in version 140.8.0esr-1~deb12u1.

For the stable distribution (trixie), these problems have been fixed in
version 140.8.0esr-1~deb13u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/