Several security updates have been released for various Debian packages, including webkit2gtk, chromium, unbound, and libhtp. The updates address multiple vulnerabilities that could lead to denial of service, information disclosure, or arbitrary code execution.

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1588-1 libhtp security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4394-1] webkit2gtk security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6072-1] chromium security update

Debian GNU/Linux 13 (Trixie):
[DSA 6071-1] unbound security update

[SECURITY] [DLA 4394-1] webkit2gtk security update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4394-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
December 04, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : webkit2gtk
Version : 2.50.2-1~deb11u1
CVE ID : CVE-2025-43392 CVE-2025-43425 CVE-2025-43427 CVE-2025-43429
CVE-2025-43430 CVE-2025-43431 CVE-2025-43432 CVE-2025-43434
CVE-2025-43440 CVE-2025-43443

The following vulnerabilities have been discovered in the WebKitGTK
web engine:

CVE-2025-43392

Tom Van Goethem discovered that a website may exfiltrate image
data cross-origin.

CVE-2025-43425

An anonymous researcher discovered that processing maliciously
crafted web content may lead to an unexpected process crash.

CVE-2025-43427

Gary Kwong and rheza discovered that processing maliciously
crafted web content may lead to an unexpected process crash.

CVE-2025-43429

Google Big Sleep discovered that processing maliciously crafted
web content may lead to an unexpected process crash.

CVE-2025-43430

Google Big Sleep discovered that processing maliciously crafted
web content may lead to an unexpected process crash.

CVE-2025-43431

Google Big Sleep discovered that processing maliciously crafted
web content may lead to memory corruption.

CVE-2025-43432

Hossein Lotfi discovered that processing maliciously crafted web
content may lead to an unexpected process crash.

CVE-2025-43434

Google Big Sleep discovered that processing maliciously crafted
web content may lead to an unexpected browser crash.

CVE-2025-43440

Nan Wang discovered that processing maliciously crafted web
content may lead to an unexpected process crash.

CVE-2025-43443

An anonymous researcher discovered that processing maliciously
crafted web content may lead to an unexpected process crash.

For Debian 11 bullseye, these problems have been fixed in version
2.50.2-1~deb11u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[SECURITY] [DSA 6072-1] chromium security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6072-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
December 04, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : chromium
CVE ID : CVE-2025-13630 CVE-2025-13631 CVE-2025-13632 CVE-2025-13633
CVE-2025-13634 CVE-2025-13635 CVE-2025-13636 CVE-2025-13637
CVE-2025-13638 CVE-2025-13639 CVE-2025-13640 CVE-2025-13720
CVE-2025-13721

Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.

For the oldstable distribution (bookworm), these problems have been fixed
in version 143.0.7499.40-1~deb12u1.

For the stable distribution (trixie), these problems have been fixed in
version 143.0.7499.40-1~deb13u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[SECURITY] [DSA 6071-1] unbound security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6071-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
December 04, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : unbound
CVE ID : CVE-2025-11411

It was discovered that incorrect handling of promiscuous NS RRSets in
Unbound, a validating, recursive, caching DNS resolver, could result in
cache poisoning.

For the stable distribution (trixie), this problem has been fixed in
version 1.22.0-2+deb13u1.

We recommend that you upgrade your unbound packages.

For the detailed security status of unbound please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/unbound

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

ELA-1588-1 libhtp security update

Package : libhtp
Version : 1:0.5.30-1+deb10u1 (buster)

Related CVEs :
CVE-2024-23837
CVE-2024-45797

Multiple cases of denial of service due to excessive CPU time and memory
utilization have been fixed in LibHTP, a parser for the HTTP protocol
mainly used by the network analysis and threat detection software Suricata.

ELA-1588-1 libhtp security update