
Two security advisories have been issued for Debian GNU/Linux: one for gst-plugins-base1.0 for Debian 11 LTS and another for squid, a popular proxy server, for Debian 10 ELTS. The gst-plugins-base1.0 advisory fixes three denial-of-service vulnerabilities in the subparse plugin of the gst-plugins-base1.0 package. The squid advisory addresses five vulnerabilities, including a denial-of-service attack against Squid's Gopher gateway and a failure to redact HTTP authentication credentials, which could allow information disclosure. In both cases, users are advised to upgrade their packages to fix the issues.

[DLA 4371-1] gst-plugins-base1.0 security update
ELA-1578-1 squid security update




[SECURITY] [DLA 4371-1] gst-plugins-base1.0 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4371-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Jeremy Bícha
November 14, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : gst-plugins-base1.0
Version : 1.18.4-2+deb11u4
CVE ID : CVE-2025-47806 CVE-2025-47807 CVE-2025-47808

Multiple vulnerabilities were fixed in the subparse plugin of
gst-plugins-base1.0. GStreamer is a popular multimedia framework.

CVE-2025-47806: Fix DoS via stack overflow in subparse plugin

CVE-2025-47807: Fix DoS via null-deref in subparse plugin

CVE-2025-47808: Fix DoS via null-deref in subparse plugin

For Debian 11 bullseye, these problems have been fixed in version
1.18.4-2+deb11u4.

We recommend that you upgrade your gst-plugins-base1.0 packages.

For the detailed security status of gst-plugins-base1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-base1.0

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1578-1 squid security update


Package : squid
Version : 4.13-10+deb11u6~deb10u1 (buster)

Related CVEs :
CVE-2023-5824
CVE-2023-46728
CVE-2025-54574
CVE-2025-59362
CVE-2025-62168

Squid, a popular proxy server, was affected by multiple vulnerabilities.
The changes required to fix all the open vulnerabilities, especially CVE-2025-62168, were too invasive to be backported individually,
and the risk of regressions was too high, due to the large amount of source code that needed to be modified or rewritten,
including some internal C++ library code.
A risk analysis was carried out, and it was determined that the best available solution was
to backport the bullseye version of Squid to buster. This decision means that upon installing this update, users
of Squid in buster will move from Squid version 4.6 to 4.13.
To remediate CVE-2025-62168, you should review your Squid configuration and disable the insecure email_err_data setting
if it was previously enabled by an administrator. The CVE-2025-62168 patch disables this setting by default,
but it does not override existing insecure administrator-defined settings.
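As an added example (not part of the advisory or of Squid itself), the configuration review the advisory asks for, scripted: the hypothetical helper below scans a squid.conf for an active `email_err_data on` directive, ignoring commented-out lines, and reports it so the administrator can turn it off. The sample configurations it runs against are constructed here.

```shell
#!/bin/sh
# check_email_err_data CONFIG_FILE
#   Returns 0 when no active line enables email_err_data,
#   1 when at least one uncommented "email_err_data on" is present.
# Hypothetical helper; not shipped with Squid or Debian.
check_email_err_data() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Drop everything after '#' (full-line and trailing comments), then keep
    # only email_err_data directives (Squid directive names are case-insensitive
    # here, so match case-insensitively) whose value is "on".
    enabled=$(sed -e 's/#.*$//' "$conf" \
              | grep -iE '^[[:space:]]*email_err_data[[:space:]]+' \
              | awk 'tolower($2) == "on" { n++ } END { print n + 0 }')
    if [ "$enabled" -gt 0 ]; then
        echo "INSECURE: $conf enables email_err_data ($enabled line(s));" \
             "set it to 'off' or remove it, then reload Squid" >&2
        return 1
    fi
    return 0
}

# Constructed sample configurations for demonstration.
safe_conf=$(mktemp)
printf 'http_port 3128\n# email_err_data on   (left over, commented out)\nemail_err_data off\n' > "$safe_conf"

insecure_conf=$(mktemp)
printf 'http_port 3128\nEmail_Err_Data On   # set years ago\n' > "$insecure_conf"

check_email_err_data "$safe_conf" && echo "safe config passes"
check_email_err_data "$insecure_conf" || echo "insecure config flagged"

rm -f "$safe_conf" "$insecure_conf"
```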

CVE-2023-5824:
The limits applied for validation of HTTP response headers are applied before caching. However, Squid may grow a cached HTTP response header beyond the configured maximum size, causing a stall or crash of the worker process when a large header is retrieved from the disk cache, resulting in a denial of service.

CVE-2023-46728:
Due to a NULL pointer dereference bug, Squid is vulnerable to a denial-of-service attack against its Gopher gateway. The Gopher protocol was always available and enabled in the previous Squid version. Responses triggering this bug may be received from any Gopher server, even those without malicious intent.
Gopher support has been removed.

CVE-2025-54574:
Squid is vulnerable to a heap buffer overflow and possible remote code execution when processing URNs, due to incorrect buffer management.

CVE-2025-59362:
Squid through mishandles ASN.1 encoding of long SNMP OIDs. This occurs in asn_build_objid in lib/snmplib/asn1.c.

CVE-2025-62168:
Failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a script to bypass browser security protections and learn the credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing. These attacks do not require Squid to be configured with HTTP authentication.
