Debian 10705

Multiple security vulnerabilities have been identified in several Debian packages: libarchive, dcmtk, gimp, geographiclib, squid, rust-sudo-rs and the Linux kernel. They range from integer overflows and double-free conditions to stack and heap buffer overflows, an authentication bypass and information disclosure. Fixed versions of the affected packages are available and should be installed.

Debian GNU/Linux 9 (Stretch) and 10 (Buster) ELTS:
ELA-1575-1 libarchive security update
ELA-1573-1 gimp security update
ELA-1572-1 geographiclib security update

Debian GNU/Linux 10 (Buster) ELTS:
ELA-1574-1 dcmtk security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4369-1] squid security update
[DLA 4368-1] libarchive security update

Debian GNU/Linux 12 (Bookworm):
[DSA 6053-1] linux security update

Debian GNU/Linux 13 (Trixie):
[DSA 6052-1] rust-sudo-rs security update



ELA-1575-1 libarchive security update


Package : libarchive
Version : 3.2.2-2+deb9u6 (stretch), 3.3.3-4+deb10u5 (buster)

Related CVEs :
CVE-2025-5914
CVE-2025-5916
CVE-2025-5917
CVE-2025-5918

Multiple vulnerabilities were fixed in libarchive, a multi-format archive and compression library.
CVE-2025-5914
A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.

CVE-2025-5916
This flaw involves an integer overflow that can be triggered when processing a Web Archive (WARC) file that claims to have more than INT64_MAX - 4 content bytes. An attacker could craft a malicious WARC archive to induce this overflow, potentially leading to unpredictable program behavior, memory corruption, or a denial-of-service condition within applications that process such archives using libarchive.

CVE-2025-5917
This flaw involves an 'off-by-one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1-byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, leading to unpredictable program behavior, crashes, or in specific circumstances, could be leveraged as a building block for more sophisticated exploitation.

CVE-2025-5918
This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition.





ELA-1574-1 dcmtk security update


Package : dcmtk
Version : 3.6.4-2.1+deb10u4 (buster)

Related CVEs :
CVE-2020-36855
CVE-2022-4981
CVE-2025-9732

Several vulnerabilities have been fixed in DCMTK, a collection of
libraries and applications implementing large parts of the DICOM standard
for medical images.

CVE-2025-9732
Processing an invalid DICOM image with a Photometric Interpretation of
"YBR_FULL" and a Planar Configuration of "1", where the number of pixels
stored does not match the expected number of pixels, may lead to memory
corruption.

CVE-2022-4981
Various issues in the dcmqrscp configuration file parser that could cause
application crashes when reading a malformed configuration file, due to
insufficient checks of the input data.

CVE-2020-36855
Stack-based overflow in the dcmqrscp config parser.





ELA-1573-1 gimp security update


Package : gimp
Version : 2.8.18-1+deb9u6 (stretch), 2.10.8-2+deb10u5 (buster)

Related CVEs :
CVE-2025-10934

GIMP, the GNU Image Manipulation Program, is vulnerable to a heap-based buffer
overflow when parsing XWD files. This vulnerability allows remote attackers to
execute arbitrary code on affected installations of GIMP and requires the
target to visit a malicious page or open a malicious file.





ELA-1572-1 geographiclib security update


Package : geographiclib
Version : 1.46-2+deb9u1 (stretch), 1.49-4+deb10u1 (buster)

Related CVEs :
CVE-2025-60751

Geographiclib is a C++ library to solve geodesic problems. A stack buffer
overflow occurs when the GeoConvert tool receives a crafted input. The
overflow occurs because the program does not properly validate an internal
index, allowing an out-of-bounds write on the stack. An attacker can exploit
this vulnerability to hijack the program’s control flow by overwriting a return
address to point to a libc function and execute arbitrary code.





[SECURITY] [DLA 4369-1] squid security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4369-1                   debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Bastien Roucariès
November 11, 2025                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : squid
Version : 4.13-10+deb11u6
CVE ID : CVE-2025-59362 CVE-2025-62168
Debian Bug : 1117048 1118341

Squid, a popular proxy server, was affected by multiple vulnerabilities.

CVE-2025-59362

Squid mishandles ASN.1 encoding of long SNMP OIDs. This occurs in
asn_build_objid in lib/snmplib/asn1.c.

CVE-2025-62168

A failure to redact HTTP authentication credentials in error
handling allows information disclosure. The vulnerability allows a
script to bypass browser security protections and learn the
credentials a trusted client uses to authenticate.
This potentially allows a remote client to identify security tokens
or credentials used internally by a web application using Squid for
backend load balancing. These attacks do not require Squid to
be configured with HTTP authentication.

For Debian 11 bullseye, these problems have been fixed in version
4.13-10+deb11u6.

We recommend that you upgrade your squid packages.

For the detailed security status of squid please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/squid

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4368-1] libarchive security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4368-1                   debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Bastien Roucariès
November 11, 2025                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libarchive
Version : 3.4.3-2+deb11u3
CVE ID : CVE-2025-5914 CVE-2025-5916 CVE-2025-5917 CVE-2025-5918
Debian Bug : 1107621 1107623 1107624 1107626

Multiple vulnerabilities were fixed in libarchive, a multi-format archive
and compression library.

CVE-2025-5914

A vulnerability has been identified in the libarchive library,
specifically within the archive_read_format_rar_seek_data() function.
This flaw involves an integer overflow that can ultimately lead to
a double-free condition. Exploiting a double-free vulnerability can
result in memory corruption, enabling an attacker to execute
arbitrary code or cause a denial-of-service condition.

CVE-2025-5916

This flaw involves an integer overflow that can be triggered
when processing a Web Archive (WARC) file that claims to have more
than INT64_MAX - 4 content bytes. An attacker could craft a malicious
WARC archive to induce this overflow, potentially leading to
unpredictable program behavior, memory corruption, or a
denial-of-service condition within applications that process
such archives using libarchive.

CVE-2025-5917

This flaw involves an 'off-by-one' miscalculation when
handling prefixes and suffixes for file names. This can lead to
a 1-byte write overflow. While seemingly small, such an overflow
can corrupt adjacent memory, leading to unpredictable program behavior,
crashes, or in specific circumstances, could be leveraged as
a building block for more sophisticated exploitation.

CVE-2025-5918

This flaw can be triggered when file streams are piped into bsdtar,
potentially allowing for reading past the end of the file.
This out-of-bounds read can lead to unintended consequences,
including unpredictable program behavior, memory corruption,
or a denial-of-service condition.

For Debian 11 bullseye, these problems have been fixed in version
3.4.3-2+deb11u3.

We recommend that you upgrade your libarchive packages.

For the detailed security status of libarchive please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libarchive

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6053-1] linux security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6053-1                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
November 11, 2025                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2025-21861 CVE-2025-39929 CVE-2025-39931 CVE-2025-39934
CVE-2025-39937 CVE-2025-39938 CVE-2025-39942 CVE-2025-39943
CVE-2025-39944 CVE-2025-39945 CVE-2025-39946 CVE-2025-39949
CVE-2025-39951 CVE-2025-39953 CVE-2025-39955 CVE-2025-39957
CVE-2025-39964 CVE-2025-39967 CVE-2025-39968 CVE-2025-39969
CVE-2025-39970 CVE-2025-39971 CVE-2025-39972 CVE-2025-39973
CVE-2025-39977 CVE-2025-39978 CVE-2025-39980 CVE-2025-39982
CVE-2025-39985 CVE-2025-39986 CVE-2025-39987 CVE-2025-39988
CVE-2025-39993 CVE-2025-39994 CVE-2025-39995 CVE-2025-39996
CVE-2025-39998 CVE-2025-40001 CVE-2025-40006 CVE-2025-40008
CVE-2025-40010 CVE-2025-40011 CVE-2025-40013 CVE-2025-40018
CVE-2025-40019 CVE-2025-40020 CVE-2025-40021 CVE-2025-40022
CVE-2025-40026 CVE-2025-40027 CVE-2025-40029 CVE-2025-40030
CVE-2025-40032 CVE-2025-40035 CVE-2025-40036 CVE-2025-40040
CVE-2025-40042 CVE-2025-40043 CVE-2025-40044 CVE-2025-40048
CVE-2025-40049 CVE-2025-40051 CVE-2025-40053 CVE-2025-40055
CVE-2025-40056 CVE-2025-40060 CVE-2025-40062 CVE-2025-40068
CVE-2025-40070 CVE-2025-40078 CVE-2025-40080 CVE-2025-40081
CVE-2025-40084 CVE-2025-40085 CVE-2025-40087 CVE-2025-40088
CVE-2025-40092 CVE-2025-40093 CVE-2025-40094 CVE-2025-40095
CVE-2025-40096 CVE-2025-40099 CVE-2025-40100 CVE-2025-40103
CVE-2025-40104 CVE-2025-40105 CVE-2025-40106 CVE-2025-40107
CVE-2025-40109

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

For the oldstable distribution (bookworm), these problems have been fixed
in version 6.1.158-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6052-1] rust-sudo-rs security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6052-1                   security@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
November 11, 2025                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : rust-sudo-rs
CVE ID : not yet available

Two security issues were discovered in sudo-rs, a Rust-based implementation
of sudo (and su), which could result in the local disclosure of partially
typed passwords or an authentication bypass in some targetpw/rootpw
configurations.

For the stable distribution (trixie), this problem has been fixed in
version 0.2.5-5+deb13u1.

We recommend that you upgrade your rust-sudo-rs packages.

For the detailed security status of rust-sudo-rs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rust-sudo-rs

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/