
Several security updates have been released for Debian GNU/Linux Extended LTS, including updates to the intel-microcode package to mitigate against the Spectre variant 2 vulnerability and updates to the qemu, libxml2, and php-horde-css-parser packages to fix multiple security issues. The QEMU update removes the usage of the C (Credential) flag for the binfmt_misc registration, which could have allowed for privilege escalation when running suid/sgid binaries under qemu-user. Additionally, updates to the libxml2 and php-horde-css-parser packages fix vulnerabilities related to recursion evaluation and remote code execution via crafted input, respectively. Finally, a Firefox ESR update has been released for Debian 11 (Buster) LTS. The Firefox ESR update fixes several security issues that could potentially result in the execution of arbitrary code, memory disclosure, or cross-site scripting.

ELA-18-1 intel-microcode security update
ELA-1540-1 qemu security update
[DSA 6025-1] firefox-esr security update
ELA-1542-1 libxml2 security update
ELA-1541-1 php-horde-css-parser security update




ELA-18-1 intel-microcode security update


Package : intel-microcode
Version : 3.20180703.2~bpo8+1~deb7u1

Related CVEs :
CVE-2017-5715
CVE-2018-3639
CVE-2018-3640

This update is required to mitigate the so-called Spectre variant 2 (branch
target injection) vulnerability, which requires an update to the processor's
microcode, which is non-free.
You can find more information about this topic at, for instance,
https://meltdownattack.com/
For recent Intel processors, the update is included in the intel-microcode
package from version 3.20180703.2~bpo8+1~deb7u1. It is available via the
wheezy-lts-kernel repository. For other processors, it may be included in an
update to the system BIOS or UEFI firmware, or in a later update to the
amd64-microcode package.





ELA-1540-1 qemu security update


Package : qemu
Version : 1:3.1+dfsg-8+deb10u13 (buster)

Related CVEs :
CVE-2023-3019
CVE-2024-3447

Multiple security issues were found in QEMU, a fast processor
emulator, that could result in denial of service, information leak, or
privilege escalation.
CVE-2023-3019
Use-after-free error in the e1000e NIC emulation.

CVE-2024-3447
Heap-based buffer overflow in SDHCI device emulation.

This update also removes the usage of the C (Credential) flag for the
binfmt_misc registration within the qemu-user-static (and qemu-user-binfmt)
packages, as it allowed for privilege escalation when running a suid/sgid binary
under qemu-user. This means suid/sgid foreign-architecture binaries no longer
run with elevated privileges under qemu-user. If you relied on this behavior of
qemu-user in the past (running suid/sgid foreign-arch binaries), this will
require changes to your deployment.
In Debian 10 “buster”, the affected packages are qemu-user-static (and
qemu-user-binfmt).
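The registration files under /proc/sys/fs/binfmt_misc carry a "flags:" line, and the C flag in it is what made the interpreter run with the credentials of a suid/sgid binary. The script below is an added example (not part of the Debian advisory or the qemu packages) for auditing a system after the update: it lists every registration whose flags still contain C. It assumes the standard one-file-per-registration layout of binfmt_misc; the sample registrations it creates are constructed for running it offline.

```sh
#!/bin/sh
# Audit binfmt_misc registrations for the C (credentials) flag.
# Added example, not part of the Debian advisory. Assumes the standard
# /proc/sys/fs/binfmt_misc layout: one file per registration containing a
# line such as "flags: POCF".

# Print the name of every registration whose flags contain C.
# $1 = directory holding the registrations (default: the live procfs dir)
scan_binfmt_cred_flag() {
    dir=${1:-/proc/sys/fs/binfmt_misc}
    for entry in "$dir"/*; do
        [ -f "$entry" ] || continue
        name=$(basename "$entry")
        # "register" and "status" are control files, not registrations
        case "$name" in register|status) continue ;; esac
        flags=$(sed -n 's/^flags: *//p' "$entry")
        case "$flags" in
            *C*) printf '%s\n' "$name" ;;
        esac
    done
}

# Constructed sample registrations so the audit can be exercised offline:
# one entry still registered with C, one already registered without it.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/qemu-aarch64" <<'EOF'
enabled
interpreter /usr/bin/qemu-aarch64-static
flags: POCF
offset 0
magic 7f454c460201010000000000000000000200b700
mask ffffffffffffff00fffffffffffffffffeffffff
EOF
    cat > "$d/qemu-arm" <<'EOF'
enabled
interpreter /usr/bin/qemu-arm-static
flags: POF
offset 0
magic 7f454c4601010100000000000000000002002800
mask ffffffffffffff00fffffffffffffffffeffffff
EOF
    printf 'enabled\n' > "$d/status"
    printf '%s\n' "$d"
}

# Stand-alone run against the constructed sample; expected to list qemu-aarch64 only.
sample=$(make_sample_dir)
echo "Registrations in $sample still carrying the C flag:"
scan_binfmt_cred_flag "$sample"
rm -rf "$sample"
```

Run `scan_binfmt_cred_flag` with no argument to audit the live system; an empty result after upgrading qemu-user-static or qemu-user-binfmt means the packages re-registered the interpreters without C. Any entry it does print comes from a registration the packages did not create (a hand-written binfmt configuration, for example), which is where a deployment that still relies on the old behaviour would need to be changed.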





[SECURITY] [DSA 6025-1] firefox-esr security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6025-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 15, 2025                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : firefox-esr
CVE ID : CVE-2025-11708 CVE-2025-11709 CVE-2025-11710
CVE-2025-11711 CVE-2025-11712 CVE-2025-11714
CVE-2025-11715

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, memory disclosure or cross-site scripting.

For the oldstable distribution (bookworm), these problems have been fixed
in version 140.4.0esr-1~deb12u1.

For the stable distribution (trixie), these problems have been fixed in
version 140.4.0esr-1~deb13u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1542-1 libxml2 security update


Package : libxml2
Version : 2.9.4+dfsg1-2.2+deb9u15 (stretch), 2.9.4+dfsg1-7+deb10u13 (buster)

Related CVEs :
CVE-2025-9714

CVE-2025-9714

It was discovered that recursion in XPath expression evaluation is
uncontrolled, which allows a local attacker to cause a stack overflow via
crafted expressions.

CVE-2025-7425

Sergei Glazunov discovered a heap-use-after-free in xmlFreeID()
caused by atype corruption. While the vulnerability was reported
against libxslt, the XSLT 1.0 processing library, it is now
mitigated in this libxml2 version.





ELA-1541-1 php-horde-css-parser security update


Package : php-horde-css-parser
Version : 1.0.11-3+deb10u1 (buster)

Related CVEs :
CVE-2020-13756

Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data,
possibly leading to remote code execution if the function allSelectors() or
getSelectorsBySpecificity() is called with input from an attacker.
The php-horde-css-parser package bundles the Sabberworm PHP CSS Parser code
and is thus also vulnerable.

