Debian 10700

Several security updates have been released for various Debian packages, including webkit2gtk, pdns-recursor, libpng1.6, and others, to address vulnerabilities such as sensitive system information exfiltration, denial-of-service attacks, and potentially arbitrary code execution. These updates include fixes for CVEs like CVE-2025-13947, CVE-2025-43421, and CVE-2025-4877, among others.

Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1592-1 libssh security update

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1591-1 libssh security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4399-1] webkit2gtk security update
[DLA 4400-1] rear security update

Debian GNU/Linux 12 (Bookworm):
[DSA 6079-1] ffmpeg security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6076-1] libpng1.6 security update
[DSA 6078-1] firefox-esr security update

Debian GNU/Linux 13 (Trixie):
[DSA 6077-1] pdns-recursor security update



[SECURITY] [DLA 4399-1] webkit2gtk security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4399-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
December 10, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : webkit2gtk
Version : 2.50.3-1~deb11u1
CVE ID : CVE-2025-13947 CVE-2025-43421 CVE-2025-43458 CVE-2025-66287

The following vulnerabilities have been discovered in the WebKitGTK
web engine:

CVE-2025-13947

Janet Black discovered that a website may be able to exfiltrate
sensitive system information.

CVE-2025-43421

Nan Wang discovered that processing maliciously crafted web
content may lead to an unexpected process crash.

CVE-2025-43458

Phil Beauvoir discovered that processing maliciously crafted web
content may lead to an unexpected process crash.

CVE-2025-66287

Stanislav Fort discovered that processing maliciously crafted web
content may lead to an unexpected process crash.

For Debian 11 bullseye, these problems have been fixed in version
2.50.3-1~deb11u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6077-1] pdns-recursor security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6077-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 10, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : pdns-recursor
CVE ID : CVE-2025-59030
Debian Bug : 1122197

Insufficient validation of incoming notifies over TCP in PDNS Recursor,
a resolving name server, could result in denial of service.

For the stable distribution (trixie), this problem has been fixed in
version 5.2.7-0+deb13u1.

We recommend that you upgrade your pdns-recursor packages.

For the detailed security status of pdns-recursor please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/pdns-recursor

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6076-1] libpng1.6 security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6076-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 10, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : libpng1.6
CVE ID : CVE-2025-64505 CVE-2025-64506 CVE-2025-64720 CVE-2025-65018
CVE-2025-66293
Debian Bug : 1121216 1121217 1121218 1121219 1121877

Several vulnerabilities were reported in the libpng PNG library, which
could lead to information leaks, denial of service or potentially the
execution of arbitrary code if a specially crafted image is processed.

For the oldstable distribution (bookworm), these problems have been fixed
in version 1.6.39-2+deb12u1.

For the stable distribution (trixie), these problems have been fixed in
version 1.6.48-1+deb13u1.

We recommend that you upgrade your libpng1.6 packages.

For the detailed security status of libpng1.6 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/libpng1.6

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1592-1 libssh security update


Package : libssh
Version : 0.7.3-2+deb9u5 (stretch)

Related CVEs :
CVE-2023-6004
CVE-2025-4877
CVE-2025-4878
CVE-2025-5318
CVE-2025-8114
CVE-2025-8277

Several vulnerabilities have been found in libssh, a tiny C SSH library.

CVE-2023-6004
Vinci found a command injection issue in the ProxyCommand and ProxyJump
features.

CVE-2025-4877
Ronald Crane found that bin_to_base64() could experience an integer
overflow and subsequent under allocation, leading to an out of
bounds write on 32-bit builds.

CVE-2025-4878
Ronald Crane found that privatekey_from_file() used an uninitialized
variable under certain conditions, which could lead to signing
failure, use-after-free or memory corruption.

CVE-2025-5318
Ronald Crane found that sftp_handle() had an incorrect check, which
could lead to an out of bounds read.

CVE-2025-8114
Philippe Antoine found a null pointer dereference issue when libssh
calculates the session id for the key exchange (KEX) process and an
error happens when allocating memory using cryptographic functions,
leading to a crash.

CVE-2025-8277
Francesco Rollo found a memory leak during the KEX process when a client
sets the `first_kex_packet_follows` flag in the KEXINIT message and
repeatedly makes incorrect KEX guesses.


ELA-1592-1 libssh security update



ELA-1591-1 libssh security update


Package : libssh
Version : 0.8.7-1+deb10u4 (buster)

Related CVEs :
CVE-2025-4877
CVE-2025-4878
CVE-2025-5318
CVE-2025-8114
CVE-2025-8277

Several vulnerabilities have been found in libssh, a tiny C SSH library.

CVE-2025-4877
Ronald Crane found that bin_to_base64() could experience an integer
overflow and subsequent under allocation, leading to an out of
bounds write on 32-bit builds.

CVE-2025-4878
Ronald Crane found that privatekey_from_file() used an uninitialized
variable under certain conditions, which could lead to signing
failure, use-after-free or memory corruption.

CVE-2025-5318
Ronald Crane found that sftp_handle() had an incorrect check, which
could lead to an out of bounds read.

CVE-2025-8114
Philippe Antoine found a null pointer dereference issue when libssh
calculates the session id for the key exchange (KEX) process and an
error happens when allocating memory using cryptographic functions,
leading to a crash.

CVE-2025-8277
Francesco Rollo found a memory leak during the KEX process when a client
sets the `first_kex_packet_follows` flag in the KEXINIT message and
repeatedly makes incorrect KEX guesses.


ELA-1591-1 libssh security update



[SECURITY] [DLA 4400-1] rear security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4400-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
December 10, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : rear
Version : 2.6+dfsg-1+deb11u1
CVE ID : CVE-2024-23301
Debian Bug : 1060747

It has been discovered that Relax-and-Recover (aka ReaR) creates a
world-readable initrd when using GRUB_RESCUE=y. This allows local
attackers to gain access to system secrets otherwise only readable by
root.

For Debian 11 bullseye, this problem has been fixed in version
2.6+dfsg-1+deb11u1.

We recommend that you upgrade your rear packages.

For the detailed security status of rear please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rear

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6079-1] ffmpeg security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6079-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
December 10, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : ffmpeg
CVE ID : not yet available

Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.

For the oldstable distribution (bookworm), these problems have been fixed
in version 7:5.1.8-0+deb12u1.

We recommend that you upgrade your ffmpeg packages.

For the detailed security status of ffmpeg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ffmpeg

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6078-1] firefox-esr security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6078-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
December 10, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : firefox-esr
CVE ID : CVE-2025-14321 CVE-2025-14322 CVE-2025-14323 CVE-2025-14324
CVE-2025-14325 CVE-2025-14328 CVE-2025-14329 CVE-2025-14330
CVE-2025-14331 CVE-2025-14333

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, sandbox escape, same-origin policy bypass or privilege escalation.

For the oldstable distribution (bookworm), these problems have been fixed
in version 140.6.0esr-1~deb12u1.

For the stable distribution (trixie), these problems have been fixed in
version 140.6.0esr-1~deb13u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/