Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4385-1] libssh security update
Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6065-1] krita security update
[DSA 6064-1] tryton-server security update
[SECURITY] [DLA 4385-1] libssh security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4385-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
November 27, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : libssh
Version : 0.9.8-0+deb11u2
CVE ID : CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
CVE-2025-8114 CVE-2025-8277
Debian Bug : 1108407 1109860 1114859
Several vulnerabilities have been found in libssh, a tiny C SSH library.
CVE-2025-4877
Ronald Crane found that bin_to_base64() could experience an integer
overflow and subsequent under-allocation, leading to an out-of-bounds
write on 32-bit builds.
CVE-2025-4878
Ronald Crane found that privatekey_from_file() used an uninitialized
variable under certain conditions, which could lead to signing
failure, use-after-free or memory corruption.
CVE-2025-5318
Ronald Crane found that sftp_handle() had an incorrect check, which
could lead to an out-of-bounds read.
CVE-2025-5372
Ronald Crane found that ssh_kdf() returned a success code on
certain failures, which could lead to use of uninitialized
cryptographic keys and failing to encrypt/decrypt following
communication.
CVE-2025-8114
Philippe Antoine found a NULL pointer dereference when libssh computes
the session id during key exchange (KEX) and a memory allocation inside
the cryptographic functions fails, leading to a crash.
CVE-2025-8277
Francesco Rollo found a memory leak during the KEX process when a client
sets the `first_kex_packet_follows` flag in the KEXINIT message and
repeatedly makes incorrect KEX guesses.
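The first of these, CVE-2025-4877, is a length-computation overflow. The following C program is an added example, not libssh's code, and models only the bug class: an output-buffer size computed in 32-bit arithmetic with no range check, beside the hardened form that rejects out-of-range lengths before doing the arithmetic. The encoder, the B64_MAX_INPUT bound and all function names are this example's own, and uint32_t stands in for a 32-bit size_t.

```c
/* Added example, not libssh's code: the bug class behind CVE-2025-4877,
 * modelled with uint32_t to stand in for a 32-bit size_t. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Base64 needs 4 output bytes per 3 input bytes (rounded up) plus a NUL.
 * Vulnerable pattern: the size is computed in 32-bit arithmetic with no
 * range check, so for n near UINT32_MAX "n + 2" wraps and the result is
 * tiny. A malloc() of that size followed by the normal encode loop then
 * writes far past the end of the buffer. */
static uint32_t b64_size_naive(uint32_t n)
{
    return (n + 2u) / 3u * 4u + 1u;
}

/* Largest n for which (n + 2) / 3 * 4 + 1 fits in 32 bits (slightly
 * conservative: it rounds down to a multiple of 3 first). */
#define B64_MAX_INPUT ((UINT32_MAX / 4u) * 3u - 2u)

/* Hardened pattern: reject out-of-range lengths before doing arithmetic. */
static bool b64_size_checked(uint32_t n, uint32_t *out)
{
    if (n > B64_MAX_INPUT)
        return false;
    *out = (n + 2u) / 3u * 4u + 1u;
    return true;
}

/* Checked size, or 0 when the length is rejected. */
static uint32_t b64_size_or_zero(uint32_t n)
{
    uint32_t s;
    return b64_size_checked(n, &s) ? s : 0;
}

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encode n bytes; returns a malloc'd string or NULL if the size check fails. */
static char *b64_encode(const unsigned char *in, uint32_t n)
{
    uint32_t need, i = 0, o = 0;
    if (!b64_size_checked(n, &need))
        return NULL;
    char *out = malloc(need);
    if (!out)
        return NULL;
    for (; i + 3 <= n; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16 | (uint32_t)in[i + 1] << 8 | in[i + 2];
        out[o++] = B64[v >> 18 & 63];
        out[o++] = B64[v >> 12 & 63];
        out[o++] = B64[v >> 6 & 63];
        out[o++] = B64[v & 63];
    }
    if (n - i) {                 /* 1 or 2 trailing bytes: pad with '=' */
        uint32_t v = (uint32_t)in[i] << 16 | (n - i == 2 ? (uint32_t)in[i + 1] << 8 : 0);
        out[o++] = B64[v >> 18 & 63];
        out[o++] = B64[v >> 12 & 63];
        out[o++] = n - i == 2 ? B64[v >> 6 & 63] : '=';
        out[o++] = '=';
    }
    out[o] = '\0';
    return out;
}

/* Encode 'in' and compare with 'expected'; returns 1 on match, 0 otherwise. */
static int b64_check(const char *in, const char *expected)
{
    char *s = b64_encode((const unsigned char *)in, (uint32_t)strlen(in));
    int ok = s != NULL && strcmp(s, expected) == 0;
    free(s);
    return ok;
}

int main(void)
{
    uint32_t huge = UINT32_MAX - 1u;
    printf("naive size for %u input bytes: %u (wrapped)\n", huge, b64_size_naive(huge));
    printf("checked size for %u input bytes: %u (0 = rejected)\n", huge, b64_size_or_zero(huge));
    printf("Man -> %s\n", b64_check("Man", "TWFu") ? "TWFu" : "mismatch");
    return 0;
}
```

The naive computation reports that one byte is enough for an input of UINT32_MAX - 1 bytes; the checked version refuses the length outright, which is the only safe answer when the true size cannot be represented.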
For Debian 11 bullseye, these problems have been fixed in version
0.9.8-0+deb11u2.
We recommend that you upgrade your libssh packages.
For the detailed security status of libssh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libssh
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6065-1] krita security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-6065-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 27, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : krita
CVE ID : CVE-2025-59820
It was discovered that a buffer overflow in the TGA parser of Krita, a
creative application for raster images, could potentially result in the
execution of arbitrary code if malformed images are opened.
For the oldstable distribution (bookworm), this problem has been fixed
in version 1:5.1.5+dfsg-2+deb12u1.
For the stable distribution (trixie), this problem has been fixed in
version 1:5.2.9+dfsg-1+deb13u1.
We recommend that you upgrade your krita packages.
For the detailed security status of krita please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/krita
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6064-1] tryton-server security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-6064-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 27, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : tryton-server
CVE ID : not yet available
Several security vulnerabilities were discovered in the server of the
Tryton application platform, which could lead to information disclosure.
For the oldstable distribution (bookworm), these problems have been fixed
in version 6.0.29-2+deb12u4.
For the stable distribution (trixie), these problems have been fixed in
version 7.0.30-1+deb13u1.
We recommend that you upgrade your tryton-server packages.
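To check hosts against all three advisories above at once, the following C program is an added example, not Debian's or dpkg's code: it re-implements dpkg's version-comparison rules (epoch, upstream part, Debian revision, with '~' sorting before everything) and flags lines of dpkg-query -W -f='${source:Package} ${Version}\n' output whose version is below the fixed version listed for the suite. The fixed versions are taken from DLA-4385-1, DSA-6065-1 and DSA-6064-1; the sample lines in main() and the function names are this example's own.

```c
/* Added example, not Debian's or dpkg's code: dpkg-style version
 * comparison plus a check against the fixed versions in the advisories. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DIG(c) isdigit((unsigned char)(c))

/* Per-character weight as dpkg uses it: '~' sorts before everything, even
 * the end of the string; letters before other characters; digits are 0
 * here because numeric runs are compared separately. */
static int order(int c)
{
    if (isdigit(c)) return 0;
    if (isalpha(c)) return c;
    if (c == '~') return -1;
    return c ? c + 256 : 0;
}

/* Compare an upstream part or a revision: alternate non-digit and numeric runs. */
static int verrevcmp(const char *a, const char *b)
{
    while (*a || *b) {
        int first_diff = 0;
        while ((*a && !DIG(*a)) || (*b && !DIG(*b))) {
            int ac = order((unsigned char)*a), bc = order((unsigned char)*b);
            if (ac != bc) return ac - bc;
            a++; b++;
        }
        while (*a == '0') a++;           /* leading zeros are insignificant */
        while (*b == '0') b++;
        while (DIG(*a) && DIG(*b)) {
            if (!first_diff) first_diff = *a - *b;
            a++; b++;
        }
        if (DIG(*a)) return 1;           /* longer numeric run is larger */
        if (DIG(*b)) return -1;
        if (first_diff) return first_diff;
    }
    return 0;
}

/* Split "[epoch:]upstream[-revision]" into its three parts. */
static void split_version(const char *v, long *epoch, char *up, char *rev, size_t cap)
{
    const char *colon = strchr(v, ':');
    *epoch = 0;
    if (colon) { *epoch = strtol(v, NULL, 10); v = colon + 1; }
    const char *dash = strrchr(v, '-');  /* last '-' starts the Debian revision */
    if (dash) {
        snprintf(up, cap, "%.*s", (int)(dash - v), v);
        snprintf(rev, cap, "%s", dash + 1);
    } else {
        snprintf(up, cap, "%s", v);
        rev[0] = '\0';
    }
}

/* Returns <0, 0, >0 like dpkg --compare-versions lt/eq/gt. */
int deb_compare(const char *a, const char *b)
{
    long ea, eb;
    char ua[128], ra[128], ub[128], rb[128];
    split_version(a, &ea, ua, ra, sizeof ua);
    split_version(b, &eb, ub, rb, sizeof ub);
    if (ea != eb) return ea < eb ? -1 : 1;
    int r = verrevcmp(ua, ub);
    return r ? r : verrevcmp(ra, rb);
}

struct fix { const char *suite, *source, *fixed; };
/* Fixed versions from DLA-4385-1, DSA-6065-1 and DSA-6064-1. */
static const struct fix FIXES[] = {
    {"bullseye", "libssh",        "0.9.8-0+deb11u2"},
    {"bookworm", "krita",         "1:5.1.5+dfsg-2+deb12u1"},
    {"bookworm", "tryton-server", "6.0.29-2+deb12u4"},
    {"trixie",   "krita",         "1:5.2.9+dfsg-1+deb13u1"},
    {"trixie",   "tryton-server", "7.0.30-1+deb13u1"},
};

/* 1 if a "source version" line names a covered package below the fixed
 * version for 'suite'; 0 if it is already fixed or not covered. */
int line_is_vulnerable(const char *suite, const char *line)
{
    char src[128], ver[128];
    if (sscanf(line, "%127s %127s", src, ver) != 2) return 0;
    for (size_t i = 0; i < sizeof FIXES / sizeof FIXES[0]; i++)
        if (!strcmp(FIXES[i].suite, suite) && !strcmp(FIXES[i].source, src))
            return deb_compare(ver, FIXES[i].fixed) < 0;
    return 0;
}

int main(void)
{
    /* Constructed sample of dpkg-query output on a bookworm host. */
    const char *sample[] = { "krita 1:5.1.5+dfsg-2", "tryton-server 6.0.29-2+deb12u4",
                             "bash 5.2.15-2+b7" };
    for (size_t i = 0; i < 3; i++)
        printf("%-36s %s\n", sample[i],
               line_is_vulnerable("bookworm", sample[i]) ? "NEEDS UPDATE" : "ok");
    return 0;
}
```

On a real host, feed it the output of dpkg-query -W -f='${source:Package} ${Version}\n' for the suite the host runs; dpkg --compare-versions gives the same ordering and remains the authoritative check. Matching on the source package name is deliberate: the libssh source builds several binary packages, and all of them are covered by DLA-4385-1.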
For the detailed security status of tryton-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tryton-server
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/