Debian 10435

Debian GNU/Linux has been updated with various security enhancements, including updates for golang-github-gorilla-csrf, openjdk-17, thunderbird, chromium, nodejs, and mysql-connector-python:

Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1413-1 mysql-connector-python security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4151-1] golang-github-gorilla-csrf security update
[DLA 4152-1] nodejs security update

Debian GNU/Linux 12 (Bookworm):
[DSA 5913-1] openjdk-17 security update
[DSA 5912-1] thunderbird security update
[DSA 5914-1] chromium security update



[SECURITY] [DLA 4151-1] golang-github-gorilla-csrf security update


- --------------------------------------------------------------------------
Debian LTS Advisory DLA-4151-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andrej Shadura
May 01, 2025 https://wiki.debian.org/LTS
- --------------------------------------------------------------------------

Package : golang-github-gorilla-csrf
Version : 1.6.2-2+deb11u1
CVE ID : CVE-2025-24358
Debian Bug : 1103584

The following vulnerability has been discovered in the gorilla/csrf package for Go:

Prior to 1.7.3, gorilla/csrf did not validate the Origin header against
an allowlist. It executed its validation of the Referer header for
cross-origin requests only when it believed the request was being
served over TLS. It determined this by inspecting the r.URL.Scheme
value. However, this value was never populated for "server" requests
per the Go spec, and so this check did not run in practice. This
vulnerability allowed an attacker who has gained XSS on a subdomain
or top level domain to perform authenticated form submissions against
gorilla/csrf protected targets that shared the same top level domain.
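The check described above, reduced to its essentials as an added example (not gorilla/csrf's own code): the scheme-based TLS test is false for every real server request, whereas r.TLS is reliable, and an exact-origin allowlist refuses a sibling subdomain. The handler names, the allowlist shape and the sample hosts are assumptions.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Broken detection per the advisory: Go's server never fills r.URL.Scheme
// for origin-form targets, so the Referer check this gates never runs.
func tlsByURLScheme(r *http.Request) bool {
	return r.URL.Scheme == "https"
}

// Reliable detection: Go's server sets r.TLS on TLS connections.
func tlsByConnState(r *http.Request) bool {
	return r.TLS != nil
}

// Exact-origin allowlist on Origin (falling back to Referer): a sibling
// subdomain is not trusted merely for sharing the top-level domain. Assumed shape.
func crossOriginAllowed(r *http.Request, trusted map[string]bool) bool {
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	u, err := url.Parse(src)
	if src == "" || err != nil {
		return false // state-changing request with no provenance: reject
	}
	return trusted[u.Scheme+"://"+u.Host]
}

// newTLSFormPost builds a constructed request as Go's server would see a
// browser form post over TLS: origin-form target, r.TLS populated.
func newTLSFormPost(referer string) *http.Request {
	r := httptest.NewRequest("POST", "/account/email", nil)
	r.Host = "app.example.com"
	r.TLS = &tls.ConnectionState{HandshakeComplete: true}
	r.Header.Set("Referer", referer)
	return r
}

func main() {
	r := newTLSFormPost("https://blog.example.com/post")
	fmt.Println(tlsByURLScheme(r), tlsByConnState(r)) // false true
}
```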

For Debian 11 bullseye, this problem has been fixed in version
1.6.2-2+deb11u1.

The following Go packages have been rebuilt in order to fix this
issue:

golang-chroma
golang-github-alecthomas-chroma-dev
golang-github-niklasfasching-go-org-dev
golang-github-yuin-goldmark-highlighting-dev
go-org
hugo

We recommend that you upgrade these packages.

For the detailed security status of golang-github-gorilla-csrf please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/golang-github-gorilla-csrf

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 5913-1] openjdk-17 security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5913-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 01, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openjdk-17
CVE ID : CVE-2025-21587 CVE-2025-30691 CVE-2025-30698

Several vulnerabilities have been discovered in the OpenJDK Java
runtime, which may result in denial of service, information disclosure
or bypass of sandbox restrictions.

For the stable distribution (bookworm), these problems have been fixed in
version 17.0.15+6-1~deb12u1.

We recommend that you upgrade your openjdk-17 packages.

For the detailed security status of openjdk-17 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-17

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 5912-1] thunderbird security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5912-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 01, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : thunderbird
CVE ID : CVE-2025-2830 CVE-2025-3522 CVE-2025-3523 CVE-2025-4083
CVE-2025-4087 CVE-2025-4091 CVE-2025-4093

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code or information disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 1:128.10.0esr-1~deb12u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 5914-1] chromium security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5914-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
May 01, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : chromium
CVE ID : CVE-2025-4050 CVE-2025-4051 CVE-2025-4052 CVE-2025-4096

Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 136.0.7103.59-2~deb12u2.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4152-1] nodejs security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4152-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
May 02, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : nodejs
Version : 12.22.12~dfsg-1~deb11u7
CVE ID : CVE-2025-47153
Debian Bug : 922075 1076350

Node.js, a popular server-side JavaScript engine, was affected by
a vulnerability on 32-bit architectures.

Build processes for libuv and Node.js for 32-bit systems
have an inconsistent off_t size (e.g., building on i386 Debian always uses
_FILE_OFFSET_BITS=64 for the libuv dynamic library,
but uses the _FILE_OFFSET_BITS global system default of 32 for nodejs),
leading to out-of-bounds access.

The following reverse dependencies were also rebuilt in order to fix the
vulnerability:
node-expat
node-iconv
node-leveldown
node-modern-syslog
node-nodedbi
node-opencv
node-re2
node-sqlite3
node-sass
node-srs
node-websocket
node-zipfile
r-cran-v8

For Debian 11 bullseye, this problem has been fixed in version
12.22.12~dfsg-1~deb11u7.

We recommend that you upgrade your nodejs packages.

For the detailed security status of nodejs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nodejs

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1413-1 mysql-connector-python security update


Package : mysql-connector-python

Version : 2.1.6-1+deb9u1 (stretch)

Related CVEs :
CVE-2019-2435
CVE-2024-21272
CVE-2025-21548

Multiple vulnerabilities have been discovered in mysql-connector-python, a
Python implementation of the MySQL client/server protocol.

CVE-2019-2435
A vulnerability to man-in-the-middle attacks was discovered in the pure
Python implementation. MySQL clients connecting using TLS have not been
verifying the server name against the server certificate's common
name (CN) and subject alternative names (SANs).

CVE-2024-21272
Malicious strings can be injected when utilizing dictionary-based query
parameterization via the `cursor.execute()` API command and the C-based
implementation of the connector.

CVE-2025-21548
A possible RCE has been detected involving the MySQL Connector/Python
configuration files.

