Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1545-1 imagemagick security update
Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1552-1 xrdp security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4384-1] samba security update
Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6063-1] kdeconnect security update
[SECURITY] [DSA 6063-1] kdeconnect security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6063-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 26, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : kdeconnect
CVE ID : CVE-2025-66270
It was discovered that missing validation of the device ID during
handshakes in KDE Connect, a tool for integrating smartphones with a
desktop, could allow an attacker to impersonate another device.
The oldstable distribution (bookworm) is not affected.
For the stable distribution (trixie), this problem has been fixed in
version 25.04.2-1+deb13u1.
We recommend that you upgrade your kdeconnect packages.
For the detailed security status of kdeconnect please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/kdeconnect
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4384-1] samba security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4384-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Paride Legovini
November 26, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : samba
Version : 2:4.13.13+dfsg-1~deb11u7
CVE ID : CVE-2025-9640
A flaw was found in Samba, in the vfs_streams_xattr module, where uninitialized
heap memory could be written into alternate data streams. This allows an
authenticated user to read residual memory content that may include sensitive
data, resulting in an information disclosure vulnerability.
For Debian 11 bullseye, this problem has been fixed in version
2:4.13.13+dfsg-1~deb11u7.
We recommend that you upgrade your samba packages.
For the detailed security status of samba please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/samba
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1552-1 xrdp security update
Package : xrdp
Version : 0.9.9-1+deb10u4 (buster)
Related CVEs :
CVE-2024-39917
CVE-2023-42822
CVE-2023-40184
Three issues found in xrdp are addressed in this update.
xrdp is an open source remote desktop protocol (RDP) server.
xrdp had a vulnerability that allows attackers to make an unlimited number of
login attempts. The maximum number of login attempts is supposed to be limited
by the configuration parameter MaxLoginRetry in /etc/xrdp/sesman.ini. However,
this mechanism was not effective, so xrdp allowed an unlimited number of
login attempts.
Access to the font glyphs in xrdp_painter.c is not bounds-checked.
Since some of this data is controllable by the user, this can result in an
out-of-bounds read within the xrdp executable. The vulnerability allows an
out-of-bounds read within a potentially privileged process. On non-Debian
platforms, xrdp tends to run as root. Potentially an out-of-bounds write can
follow the out-of-bounds read. There is no denial-of-service impact, provided that
xrdp is running in forking mode.
Improper handling of session establishment errors allows bypassing OS-level
session restrictions. The auth_start_session function can return a non-zero (1)
value on, e.g., a PAM error, which may result in session restrictions such as
the maximum number of concurrent sessions per user enforced by PAM (e.g.
/etc/security/limits.conf) being bypassed. Users (administrators) that don't
use PAM restrictions are not affected.
ELA-1545-1 imagemagick security update
Package : imagemagick
Version : 8:6.9.7.4+dfsg-11+deb9u23 (stretch), 8:6.9.10.23+dfsg-2.1+deb10u12 (buster)
Related CVEs :
CVE-2025-62171
An integer overflow vulnerability was discovered in the ReadBMP() function
of the BMP decoder within ImageMagick.
Although CVE-2025-57803 was issued to address this flaw,
the proposed fix is incomplete and fails to prevent exploitation in
certain scenarios. Specifically, the patch introduces a BMPOverflowCheck()
function in one code path, but it is invoked only after the overflow
has already occurred, which renders the check ineffective in some cases.
This oversight allows a specially crafted 58-byte BMP file to trigger
AddressSanitizer crashes, potentially leading to denial-of-service (DoS) conditions.
This new issue was designated CVE-2025-62171.
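The ordering problem described above, as an added illustration that is not ImageMagick's code: a constructed toy model of a BMP header whose buffer size is checked only after the multiplication has already wrapped, beside a check that bounds each factor before multiplying. The header struct, the limit value and both function names are assumptions for this example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model of a BMP header; field set is an assumption for the
 * example and does not mirror ImageMagick's internal structures. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;   /* 1..4 in this toy model */
} bmp_header_t;

/* Late check, the pattern the advisory describes as incomplete: the product
 * is computed in 32-bit arithmetic first. If it wrapped, the comparison sees
 * a small, plausible value and accepts the header. Returns true on accept. */
bool late_check_accepts(const bmp_header_t *h, uint32_t limit) {
    uint32_t bytes = h->width * h->height * h->bytes_per_pixel; /* may wrap */
    return bytes <= limit;
}

/* Early check: prove each multiplication stays within limit before performing
 * it, so a wrapped product can never reach the size comparison or an allocator.
 * Returns true on accept. */
bool early_check_accepts(const bmp_header_t *h, uint32_t limit) {
    if (h->width == 0 || h->height == 0 || h->bytes_per_pixel == 0)
        return false;                       /* degenerate header */
    if (h->width > limit / h->bytes_per_pixel)
        return false;                       /* width * bpp would exceed limit */
    uint32_t row = h->width * h->bytes_per_pixel;   /* cannot wrap now */
    if (h->height > limit / row)
        return false;                       /* height * row would exceed limit */
    return true;
}
```

With a 65536 x 65536 x 1 header the late check computes 2^32, which wraps to 0 and passes, while the early check rejects it.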